Summary
Most crypto users don’t get hacked through complex exploits; rather, they get hacked by clicking, signing, or trusting the wrong thing. This report breaks down how those everyday failures happen.
From phishing kits and wallet drainers to malware and fake support scams, the majority of attacks target users directly, not protocols. The common thread is human context, not code.
This report outlines the 101 of crypto exploits as it pertains to individual users, covering a list of common exploits, real-life examples, and what to watch out for.
1. Need to Know: You Are the Attack Surface
Crypto is self-custodial by design. That’s the feature. But this foundational attribute, which is core to the values of the industry, can often make you, the user, the single point of failure. In many cases of individuals losing their funds in crypto, it’s not a bug in the protocol: it’s a click. A DM. An approval. A moment of trust or carelessness during a seemingly inconsequential everyday task can alter the course of one’s crypto experience.
This report is not a technical whitepaper or a review of smart contract logic, but rather a threat model for individuals: a breakdown of how users get exploited in practice, and what to do about it. The report will focus on personal-level exploits: phishing, wallet approvals, social engineering, malware. It will also briefly cover protocol-level risks at the end to lay out the full spectrum of exploits that happen in crypto.
2. The Complete Exploit Playbook (Kind Of)
The permanent and irreversible nature of transactions in permissionless settings, often with no intermediary able to intervene, combined with the fact that individual users interact with anonymous counterparties on the same devices and browsers that hold their financial assets, makes crypto a unique hunting ground for hackers and other criminals. Below is an extensive list of the types of exploits individuals can face; readers should be aware that while this list covers the majority of exploits, it is non-exhaustive. The list may be overwhelming to those not familiar with crypto, but a good portion of these are “regular” exploits that have existed for quite some time in the internet age and are not unique to this industry. §3 will cover a few key exploit methods in detail.
2.1 Social Engineering Attacks
Attacks relying on psychological manipulation to deceive individuals into compromising their security.
Phishing: Fake emails, messages, or sites mimic real platforms to steal credentials or seed phrases (more in §3).
Impersonation Scams: Attackers pose as influencers, project leaders, or customer support to gain trust and extract funds or sensitive information.
Seed Phrase Scams: Users are tricked into revealing recovery phrases via fake recovery tools or giveaways.
Fake Airdrops: Entice users with free tokens to prompt unsafe wallet interactions or private key sharing.
Fake Job Offers: Disguised as employment opportunities but aimed at installing malware or harvesting sensitive data.
Pump-and-Dump Schemes: Socially coordinated efforts to hype and dump tokens on unsuspecting retail participants.
Figure 1: The consequences of social engineering can be very severe
Source: Cointelegraph

2.2 Telecom & Account Takeover
Exploiting telecom infrastructure or account-level weaknesses to bypass authentication.
SIM Swapping: Attackers hijack a victim’s mobile number to intercept 2FA codes and reset account credentials (more in §3).
Credential Stuffing: Reusing leaked credentials from breaches to access wallets or exchange accounts.
2FA Bypass: Exploiting weak or SMS-based authentication to gain unauthorised access.
Session Hijacking: Stealing browser sessions via malware or unsecured networks to take over logged-in accounts.
Figure 2: A fake Tweet from the SEC via a SIM swap
Source: Twitter

2.3 Malware & Device Exploits
Compromising the user's device to extract wallet access or tamper with transactions (more in §3).
Keyloggers: Record keystrokes to steal passwords, PINs, and seed phrases.
Clipboard Hijackers: Replace pasted wallet addresses with attacker-controlled ones.
Remote Access Trojans (RATs): Allow attackers full control of a victim’s machine, including wallets.
Malicious Browser Extensions: Compromised or fake extensions steal data or manipulate transactions.
Fake Wallets or Apps: Counterfeit apps (mobile or browser) that drain funds upon use.
Man-in-the-Middle (MITM) Attacks: Intercept and modify communication between the user and service, especially on insecure networks.
Unsecured Wi-Fi Attacks: Public or compromised Wi-Fi enables interception of sensitive data during logins or transfers.
Figure 3: Fake wallets are a common scam targeting beginner crypto users
Source: cryptorank

2.4 Wallet-Level Exploits
Attacks targeting how users manage or interact with wallets and signing interfaces.
Approval Drains: Malicious smart contracts exploit prior token approvals to drain tokens.
Blind Signing Attacks: Users sign opaque payloads that result in fund loss, even when signing with a hardware wallet.
Seed Phrase Theft: Exfiltration of recovery phrases via malware, phishing, or poor storage hygiene.
Compromised Private Keys: Insecure storage (e.g. on cloud drives or plain-text notes) leading to key leakage.
Compromised Hardware Wallets: Tampered or counterfeit devices leak private keys to attackers.
2.5 Smart Contract & Protocol-Level Risks
Risks stemming from interactions with malicious or vulnerable on-chain code.
Rogue Smart Contracts: Hidden malicious logic that drains funds when interacted with.
Flash Loan Attacks: Exploits using uncollateralised loans to manipulate prices or protocol logic.
Oracle Manipulation: Attacker skews price feeds to exploit protocols relying on faulty data.
Exit Liquidity Scams: Creators design tokens/pools where only they can withdraw value, leaving users trapped.
Sybil Attacks: Fake identities distort decentralised systems, particularly governance or airdrop eligibility.
Figure 4: A flash loan was responsible for one of DeFi’s largest exploits
Source: Elliptic

2.6 Project & Market Manipulation Scams
Scams tied to the structure of tokens, DeFi projects, or NFT collections.
Rug Pulls: Project founders disappear after raising capital, leaving worthless tokens behind.
Fake Projects: Bogus collections lure users into minting scams or signing harmful transactions.
Dust Attacks: Minuscule token transfers used to deanonymise wallets and identify targets for phishing or scams.
2.7 Web & Infrastructure Attacks
Exploiting the front-end or DNS-level infrastructure users rely on.
Front-End Hijacks / DNS Spoofing: Attackers redirect users to malicious interfaces to steal credentials or prompt unsafe transactions.
Bridge Exploits: Hacks of cross-chain bridges that compromise user funds mid-transfer.
2.8 Physical Threats
Real-world risks involving coercion, theft, or surveillance.
$5 Wrench Attack: Victims are physically coerced into transferring funds or revealing seed phrases.
Physical Theft: Devices or backups (e.g. hardware wallets, notebooks) are stolen to gain access.
Shoulder Surfing: Observing or filming users inputting sensitive data in public or private settings.
Figure 5: Unfortunately, physical threats have been common
Source: The New York Times

3. Key Exploits to Watch Out For
Some exploits happen more than others. Here are three exploits individuals holding or interacting with crypto should know about, including how to prevent them. An aggregation of prevention techniques and key attributes to watch out for will be listed at the end of the section as there are overlaps amongst the various exploit methods.
3.1 Phishing (Including Fake Wallets & Airdrops)
Phishing predates crypto by decades: the term emerged in the 1990s to describe attackers "fishing" for sensitive information, usually login credentials, via fake emails and websites. As crypto emerged as a parallel financial system, phishing naturally evolved to target seed phrases, private keys, and wallet authorisations, i.e. the crypto equivalents of “full control.”
Crypto phishing is especially dangerous because there’s no recourse: no chargebacks, no fraud protection, and no customer support that can reverse a transaction. Once your key is stolen, your funds are as good as gone. It is also important to remember that phishing is sometimes just the first step in a broader exploit, so the real risk is not the initial loss but the long tail of compromises that follow; e.g., compromised credentials can allow an attacker to impersonate the victim and scam others.
How does phishing work?
At its core, phishing exploits human trust by presenting a fake version of a trusted interface, or by posing as someone authoritative, to trick users into voluntarily handing over sensitive information or approving malicious actions. There are several primary delivery vectors:
Phishing Websites
Fake versions of wallets (e.g., MetaMask, Phantom), exchanges (e.g., Binance), or dApps.
Often promoted through Google ads or shared via Discord/Twitter groups, designed to look pixel-for-pixel identical to the real site.
Users may be prompted to "import a wallet" or "recover funds", harvesting their seed phrase or private key.
Phishing Emails & Messages
Look like official communication (e.g., “urgent security update” or “account compromised”).
Include links to fake login portals or direct you to interact with malicious tokens or smart contracts.
Common on Telegram, Discord, Twitter DMs, and even SMS.
Fake Wallets or Browser Extensions
Available on app stores or as Chrome extensions.
Functionally mimic real wallets, but forward your private key or transaction data to attackers.
Some even let you transfer in funds only to be drained minutes later.
Airdrop Scams
Fake token drops sent to wallets (especially on EVM chains).
Clicking on the token or trying to trade it prompts a malicious contract interaction.
Can stealthily request unlimited token approvals or steal your native token via a signed payload.
Figure 6: Always be cautious when you see “free” in crypto
Source: Presto Research

Examples of phishing
The Atomic Wallet hack of June 2023, attributed to North Korea’s Lazarus Group, stands as one of the most destructive pure phishing attacks in crypto history. It led to the theft of over $100 million in cryptocurrency by compromising more than 5,500 non-custodial wallets without requiring users to sign any malicious transactions or interact with smart contracts. This attack focused solely on seed phrase and private key extraction through deceptive interfaces and malware - a textbook example of phishing-based credential theft.
Atomic Wallet is a multi-chain, non-custodial wallet supporting over 500 cryptocurrencies. In this incident, attackers launched a coordinated phishing campaign that exploited the trust users placed in the wallet’s support infrastructure, update processes, and brand identity. Victims were lured through emails, fake websites, and trojanised software updates, all designed to mimic legitimate communications from Atomic Wallet.
The phishing vectors included:
Fake Emails posing as Atomic Wallet support or security alerts, urging urgent action.
Spoofed websites (e.g. `atomic-wallet[.]co`) that mimicked the wallet’s recovery or reward claim interface.
Malicious updates distributed through Discord, email, and compromised forums, which either directed users to phishing pages or extracted credentials via local malware.
Once users entered their 12- or 24-word seed phrases or private keys into these fraudulent interfaces, attackers gained full access to their wallets. This exploit involved no on-chain interaction from the victim: no wallet connection, no signature requests, and no smart contract involvement. Instead, it relied entirely on social engineering and the user's willingness to restore or verify their wallet on what appeared to be a trusted platform.
3.2 Wallet Drainers & Malicious Approvals
A wallet drainer is a type of malicious smart contract or dApp designed to extract assets from your wallet, not by stealing your private key, but by tricking you into authorising token access or signing dangerous transactions. Unlike phishing, which seeks your credentials, drainers exploit permissions - the elemental mechanism of trust that powers Web3.
As DeFi and Web3 apps became mainstream, wallets like MetaMask and Phantom popularised the idea of “connecting” to dApps. This brought convenience but also a massive attack surface. In 2021–2023, approval drainers exploded in popularity as NFT mints, fake airdrops, and rug-pulled dApps began embedding malicious contracts into otherwise familiar UIs. Users, often excited or distracted, would connect their wallet and click “Approve” without realising what they were authorising.
How is this different from phishing?
Phishing involves tricking someone into voluntarily revealing sensitive credentials, such as a seed phrase, password, or private key. Connecting your wallet doesn’t reveal your keys or phrases: you’re not handing over secrets, you’re signing transactions or granting permissions. These exploits occur through smart contract logic, not theft of your credentials, making them mechanically different from phishing. You’re authorising the drain, often without realising it, which is more like a “consent trap” than credential theft.
You can think of phishing as CREDENTIALS-BASED and wallet drainers / malicious approvals as PERMISSION-BASED.
The mechanics of the attack
Malicious approvals exploit the permission systems in blockchain standards like ERC-20 (tokens) and ERC-721/ERC-1155 (NFTs). They trick users into granting attackers ongoing access to their assets.
Token approval basics:
ERC-20 Tokens: The `approve(address spender, uint256 amount)` function allows a “spender” (e.g., a dApp or attacker) to transfer a specified amount of tokens from the user’s wallet.
NFTs: The `setApprovalForAll(address operator, bool approved)` function grants an “operator” permission to transfer all NFTs in a collection.
These approvals are standard for dApps (e.g., Uniswap needs approval to swap tokens), but attackers exploit them maliciously.
How attackers gain approval:
Deceptive prompts: A phishing site or compromised dApp prompts the user to sign a transaction labelled as “wallet connection,” “token swap,” or “NFT claim.” The transaction actually calls `approve` or `setApprovalForAll` for the attacker’s address.
Unlimited approvals: Attackers often request unlimited token allowances (i.e. the maximum uint256 value, `type(uint256).max` in Solidity) or `setApprovalForAll(true)`, giving them full control over the user’s tokens or NFTs.
Blind Signing: Some dApps require signing opaque data, making it hard to spot malicious approvals. Even with hardware wallets like Ledger, the displayed details may seem benign (e.g., “Approve Token”) but hide the attacker’s intent.
Exploitation:
Immediate theft: The attacker uses the approval to transfer tokens/NFTs to their wallet right after the transaction.
Delayed theft: The attacker waits (sometimes weeks or months) to drain assets, reducing suspicion. For example, an attacker with `setApprovalForAll` can transfer NFTs whenever they want.
Sweeping attacks: Drainers like Angel Drainer scan for approvals across multiple wallets and drain them in bulk during market pumps or high-value NFT drops.
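The "watch what you sign" check that this section implies, as an added example that is not code from the report or from any wallet vendor: a dependency-free JavaScript routine that decodes a transaction's calldata and flags the patterns listed above before the user confirms. The function selectors are the standard ERC-20/ERC-721/ERC-1155 ones; the allow-listed router address, the attacker address and the five sample prompts are constructed for the example, and the label heuristic (a prompt that says "connect", "claim" or "mint" while the calldata is an approval) is an assumption about how a wallet could surface the mismatch.

```javascript
// Added example (not code from the Presto Research report): a dependency-free
// pre-signing check that decodes a transaction's calldata and flags the approval
// patterns described above, so the wallet prompt's wording is never taken at face value.
// Selectors are the first 4 bytes of keccak256 over the canonical signature; these
// are the standard ERC-20 / ERC-721 / ERC-1155 ones.
const SELECTORS = {
  "0x095ea7b3": "approve",            // approve(address spender, uint256 amount)
  "0xa22cb465": "setApprovalForAll",  // setApprovalForAll(address operator, bool approved)
  "0xa9059cbb": "transfer",           // transfer(address to, uint256 amount)
};
const UINT256_MAX = (1n << 256n) - 1n;

// Assumption: the user maintains an allow-list of contracts they deliberately use
// (e.g. a DEX router). This address is a constructed placeholder, not a real router.
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// i-th 32-byte ABI word after the 4-byte selector, as lower-case hex without 0x.
function word(hex, i) {
  return hex.slice(10 + i * 64, 10 + (i + 1) * 64);
}

function decodeCalldata(data) {
  const hex = (data || "0x").toLowerCase();
  if (hex.length < 10) return { name: "value-transfer" };              // no calldata: plain ETH send
  const selector = hex.slice(0, 10);
  const name = SELECTORS[selector];
  if (!name || hex.length < 10 + 2 * 64) return { name: null, selector }; // unknown or truncated
  const target = "0x" + word(hex, 0).slice(24);                        // addresses sit right-aligned in the word
  const value = BigInt("0x" + word(hex, 1));
  if (name === "setApprovalForAll") return { name, target, approved: value === 1n };
  return { name, target, amount: value };  // approve: target = spender; transfer: target = recipient
}

function assessTransaction(tx) {
  const d = decodeCalldata(tx.data);
  const findings = [];
  if (d.name === null) {
    findings.push(`unrecognised function ${d.selector}: opaque payload, do not blind-sign`);
  } else if (d.name === "approve") {
    if (d.amount === UINT256_MAX) findings.push("unlimited ERC-20 allowance requested");
    if (!KNOWN_SPENDERS.has(d.target)) findings.push(`spender ${d.target} is not on your allow-list`);
  } else if (d.name === "setApprovalForAll") {
    if (d.approved) findings.push("operator would control every NFT in this collection");
    if (!KNOWN_SPENDERS.has(d.target)) findings.push(`operator ${d.target} is not on your allow-list`);
  }
  // The prompt text comes from the site, so compare it with what the calldata really does.
  if (tx.label && /connect|claim|mint/i.test(tx.label) && (d.name === "approve" || d.name === "setApprovalForAll")) {
    findings.push(`prompt says "${tx.label}" but the calldata is ${d.name}`);
  }
  const severe = findings.some(f => /unlimited|every NFT|unrecognised/.test(f));
  return { risk: severe ? "high" : findings.length ? "medium" : "low", decoded: d, findings };
}

// Constructed sample prompts (ABI-encoded by hand: selector + two 32-byte words).
function encodeCall(selector, address, value) {
  return selector + address.toLowerCase().slice(2).padStart(64, "0") + value.toString(16).padStart(64, "0");
}
const ATTACKER = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"; // constructed
const ROUTER = "0x1111111111111111111111111111111111111111";   // constructed, on the allow-list
const SAMPLES = {
  drainerApprove: { label: "Connect wallet", data: encodeCall("0x095ea7b3", ATTACKER, UINT256_MAX) },
  nftDrainer:     { label: "Claim NFT",      data: encodeCall("0xa22cb465", ATTACKER, 1n) },
  normalSwap:     { label: "Approve USDC",   data: encodeCall("0x095ea7b3", ROUTER, 1000n * 10n ** 6n) },
  opaqueSign:     { label: "Sign",           data: "0x12345678" + "00".repeat(64) }, // made-up selector
  plainSend:      { label: "Send ETH",       data: "0x" },
};

for (const [name, tx] of Object.entries(SAMPLES)) {
  const r = assessTransaction(tx);
  console.log(`${name}: ${r.risk}${r.findings.length ? " - " + r.findings.join("; ") : ""}`);
}
```

Run with `node`. In a real wallet this logic would sit between the dApp's request and the confirm button; the allow-list is the user's own, and a "high" verdict should be rejected outright rather than investigated after signing, because an approval, once mined, can be used at any later time.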
Examples of wallet drainers / malicious approvals
The Monkey Drainer scam, active primarily in 2022 and early 2023, was a notorious “drainer-as-a-service” phishing toolkit responsible for stealing millions in crypto (including NFTs) through deceptive websites and malicious smart contracts. Unlike traditional phishing, which relies on harvesting user seed phrases or passwords, Monkey Drainer operated through malicious transaction signatures and smart contract abuse, enabling attackers to extract tokens and NFTs without direct credential compromise. By tricking users into signing dangerous on-chain approvals, Monkey Drainer enabled over $4.3 million in theft across hundreds of wallets before its shutdown in early 2023.
Figure 7: Famous on-chain detective ZachXBT uncovers Monkey Drainer scams
Source: Twitter (@zachxbt)

The kit was popular among low-skill attackers and heavily marketed in underground Telegram and dark web communities. It allowed affiliates to clone fake mint sites, impersonate real projects, and configure the backend to forward signed transactions to a centralised draining contract. These contracts were engineered to exploit token permissions, relying on users to unwittingly sign messages that granted the attacker’s address access to assets via functions like `setApprovalForAll()` (NFTs) or `permit()` (ERC-20 tokens).
Notably, the interaction flow avoided direct phishing: victims were not asked for their private keys or seed phrases. Instead, they engaged with seemingly legitimate dApps, often on minting pages with countdowns or hyped branding. Once connected, users would be prompted to sign a transaction they didn’t fully understand, often masked by generic approval language or wallet UI obfuscation. These signatures did not transfer funds directly, but authorised the attacker to do so at any time. With permissions granted, the drainer contract could execute batch withdrawals in a single block.
A hallmark of the Monkey Drainer method was its delayed execution: stolen assets were often drained hours or days later, to avoid suspicion and maximise yield. This made it particularly effective against users with large wallets or active trading activity, whose approvals blended into normal usage patterns. High-profile victims included NFT collectors who lost assets from projects like CloneX, Bored Apes, and Azuki.
Although Monkey Drainer ceased operations in 2023, presumably to “lay low”, the era of wallet drainers continues to evolve, posing a persistent threat to users who misunderstand or underestimate the power of an on-chain approval.
3.3 Malware & Device Exploits
Finally, ‘malware and device exploits’ refer to a broad, versatile range of attacks that encompass various delivery vectors which all aim to compromise a user’s computer, phone, or browser, typically through malicious software installed via deception. The goal is usually to steal sensitive information (e.g. seed phrases, private keys), intercept wallet interactions, or give the attacker remote control of the victim’s device. In crypto, these attacks often begin with social engineering, such as a fake job offer, a bogus app update, or a file sent via Discord, but quickly escalate into full-scale system compromise.
Malware has existed since the early days of personal computing. In traditional contexts, it was used to steal credit card info, harvest logins, or hijack systems for spam or ransomware. As crypto gained traction, attackers pivoted: instead of targeting credentials for online banking (which can be reversed), they now aim to steal irreversible crypto assets.
How These Attacks Start… The Social Engineering Angle
Most malware doesn’t spread randomly: it requires the victim to be deceived into executing it. This is where social engineering comes in.
Common Delivery Methods:
Fake Job Offers: Victim applies to a fake Web3 job, receives a “technical test” or “interview link” containing malware.
Discord or Telegram Links: Sent as “giveaway tools”, “screenshots”, or fake support files.
Email Attachments: Resume, whitepaper, or invoice formats (PDF, .docx, .exe) that contain malicious code.
Fake Updates: Pop-ups or spoofed sites offering “latest MetaMask/Phantom version”.
Drive-by Downloads: Simply visiting a site can trigger a background payload, especially on outdated browsers.
The common thread: The attacker creates a believable context that convinces the user to click, download, or open something dangerous.
Types of Malware Common in Crypto Exploits
Keyloggers: Record every keystroke typed, including seed phrases, passwords, and PINs. Especially dangerous if the user types their seed phrase into a text editor, exchange login, or wallet recovery field.
Clipboard Hijackers: Monitor copied wallet addresses and replace them with the attacker’s address when pasting them. Victims often don’t notice and they send funds, thinking they pasted their own address, but it’s already been swapped.
Remote Access Trojans (RATs): Give the attacker full control over the victim’s device. This includes reading files, watching screens, capturing browser sessions, and even exporting seed phrases directly from wallet apps like Exodus or browser-based wallets.
Fake Wallets or Apps: Look like legitimate wallets but are preloaded with malicious code. Common on Android APK sites or Chrome extension stores. Some appear functional until you send funds or restore a seed, at which point the funds are exfiltrated.
Malicious Browser Extensions: Compromise or mimic real crypto extensions to monitor activity, inject malicious payloads, or prompt fake signing requests. They often ask for extensive permissions under the guise of “wallet integration”.
Man-in-the-Middle (MITM) Infrastructure: The malware sets up a proxy or DNS hijack to intercept and manipulate traffic between you and the web, including swapping addresses or rerouting signed transactions.
Example: The 2022 Axie Infinity Job Scam
The Axie Infinity job scam of 2022, which led to the massive Ronin Bridge hack, is a prime example of a malware and device exploit in the crypto space, driven by sophisticated social engineering. This attack, attributed to the North Korean state-sponsored Lazarus Group, resulted in the theft of approximately $620 million in cryptocurrency, making it one of the largest decentralised finance (DeFi) hacks to date.
Figure 8: The Axie Infinity exploit made it to TradFi media
Source: Bloomberg TV

The hack was a multi-stage operation combining social engineering, malware deployment, and exploitation of blockchain infrastructure vulnerabilities.
The hackers, posing as recruiters from a fictitious company, targeted Sky Mavis employees through LinkedIn. Sky Mavis is the company behind the Ronin Network, an Ethereum-linked sidechain powering Axie Infinity, a popular play-to-earn blockchain game. At the time, Ronin and Axie Infinity had respective market caps of around $300 million and $4 billion.
Multiple employees were approached, but a senior engineer became the primary target. The attackers conducted multiple rounds of fake job interviews with the engineer to build trust, offering an extremely generous compensation package as a lure. They then sent the engineer a PDF document disguised as a formal job offer. The engineer, believing it was part of the hiring process, downloaded and opened the file on a company computer. The PDF contained a RAT that infected the engineer’s system upon opening, granting the hackers access to Sky Mavis’ internal systems, likely through privilege escalation or lateral movement within the network. This compromise provided a foothold to target the Ronin Network’s infrastructure.
The mechanics of the hack that followed, which went on to exploit the Ronin bridge and the Axie DAO, are beyond the scope of this research article; however, the exploit resulted in a $620 million theft (173,600 ETH and 25.5MM USDC), with only $30 million recovered.
4. How To Protect Yourself
Exploit attempts are increasingly sophisticated, but still rely on telltale signs. Red flags include:
"Import your wallet to claim X": No legitimate service will ever ask for your seed phrase.
Unsolicited DMs: Especially offering support, money, or help with an issue you didn’t ask about.
Slightly misspelled domains: E.g., metamask.io vs metarnask.io.
Google Ads: Phishing links frequently appear above the real link in search results.
Too-good-to-be-true offers: Like “claim 5 ETH” or “double your coins” promotions.
Urgency or scare tactics: “Your account has been locked”, “Claim now or lose funds”.
Unlimited Token Approvals: Users should set token amounts themselves.
Blind Signing Requests: Hex payloads with no readable explanation.
Unverified or obscure contracts: If a token or dApp is new, check what you’re approving.
Urgent UI Prompts: Classic pressure tactics like “You must sign this now or miss out”.
MetaMask Signing Pop-ups: Especially with unclear payloads, gasless transactions, or a mix of function calls you don’t understand.
Further OpSec (operational security) rules:
Golden Rules
Never share your seed phrase, with anyone, for any reason.
Bookmark official sites: Always navigate directly. Never use search engines for wallets or exchanges.
Don’t click random airdrop tokens: Especially if you didn’t opt in.
Avoid unsolicited DMs: Legit projects RARELY DM first… (Except when they do)
Use hardware wallets: They reduce the risk of blind signing and prevent key exposure.
Enable phishing protection tools: Use extensions like PhishFort, Revoke.cash, and ad blockers.
Use read-only explorers: Tools like Etherscan Token Approvals or Revoke.cash show what permissions your wallet has.
Use burner wallets: Create a fresh wallet with zero or very little funds to test mints or links first. This will minimise any losses.
Segment your assets: Don’t keep all your assets in one location.
Advanced Practices For The Seasoned Crypto User
Use a dedicated device or browser profile for crypto activity - additionally, you can have a dedicated device for opening links and DMs.
Check Etherscan’s token warning labels: Many scam tokens are flagged.
Cross-reference contract addresses with official project announcements.
Inspect URLs carefully: Especially in emails and chats, subtle misspellings are common. A lot of messaging applications, and of course websites, allow for hyperlinking - this allows someone to do this: www.google.com (it’s ok, you can click the link).
Watch what you sign: Always decode transactions (e.g. via MetaMask, Rabby, or a simulator) before confirming.
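The “bookmark official sites” and “inspect URLs carefully” rules turned into a check, as an added example that is not part of the report: JavaScript that classifies a link against the user's own bookmark list, catches confusable spellings (the metarnask.io case), near-miss spellings, an official brand name buried in a longer attacker domain, and link text that shows one host while the href goes to another. OFFICIAL_HOSTS, the confusable table and every sample link are assumptions constructed for the example; the registrable-domain helper deliberately assumes single-label suffixes such as .io or .org, not .co.uk-style ones.

```javascript
// Added example (not code from the Presto Research report): a lookalike-domain
// check built around the "bookmark official sites" rule. OFFICIAL_HOSTS stands in
// for the user's own bookmark list (an assumption); registrable() assumes
// single-label TLDs such as .io/.org, not .co.uk-style suffixes.
const OFFICIAL_HOSTS = ["metamask.io", "app.uniswap.org", "etherscan.io"];

// Character pairs that read the same in many fonts ("rn" vs "m", "vv" vs "w", ...).
const CONFUSABLES = [[/rn/g, "m"], [/vv/g, "w"], [/cl/g, "d"], [/0/g, "o"], [/1/g, "l"]];

function normalise(host) {
  let h = host.toLowerCase();
  for (const [re, replacement] of CONFUSABLES) h = h.replace(re, replacement);
  return h;
}

// Last two labels: "docs.metamask.io" -> "metamask.io".
function registrable(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Classic edit distance; lookalike domains are usually one or two edits from the real one.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// href is the real destination; linkText is what the message displays to the user.
// Returns verdict "official", "deceptive" or "unfamiliar" plus the reasons.
function classifyLink(href, linkText = "") {
  const host = new URL(href).hostname.toLowerCase();
  const base = registrable(host);
  const findings = [];
  let verdict = "unfamiliar";
  for (const official of OFFICIAL_HOSTS) {
    const ob = registrable(official);
    const brand = ob.split(".")[0];
    if (base === ob) { verdict = "official"; break; }
    if (normalise(base) === normalise(ob)) {
      findings.push(`"${base}" is a confusable spelling of "${ob}"`);
    } else if (levenshtein(base, ob) <= 2) {
      findings.push(`"${base}" is within 2 edits of "${ob}"`);
    } else if (host.split(".").some(label => label.includes(brand))) {
      findings.push(`"${host}" embeds the name "${brand}" but is not ${ob}`);
    }
  }
  // The visible text can say one thing while the href goes somewhere else.
  const shown = linkText.match(/([a-z0-9-]+\.)+[a-z]{2,}/i);
  if (shown && registrable(shown[0]) !== base) {
    findings.push(`link text shows "${shown[0]}" but the destination is "${base}"`);
  }
  if (findings.length) verdict = "deceptive";
  return { host, base, verdict, findings };
}

// Constructed sample links (none of the attacker-style hosts are real observations).
const SAMPLE_LINKS = [
  ["https://metamask.io/download", ""],
  ["https://metarnask.io/", ""],
  ["https://metamsk.io/", ""],
  ["https://metamask.io.claim-rewards.com/", ""],
  ["https://evil.example/login", "www.google.com"],
  ["https://docs.rabby.io/", ""],
];
for (const [href, text] of SAMPLE_LINKS) {
  const r = classifyLink(href, text);
  console.log(`${r.host}: ${r.verdict}${r.findings.length ? " - " + r.findings.join("; ") : ""}`);
}
```

The "unfamiliar" verdict is deliberate: a host that is neither bookmarked nor a lookalike is not proven safe, it is simply outside the list, which is exactly the case where the report's advice is to navigate from a bookmark rather than from the link.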
5. Final Word
Most users think of exploits in crypto as something technical and unavoidable, particularly those new to the industry. While that may be true for complex attack methods, oftentimes the initial step targets the individual in non-technical ways, making the rest of the exploit preventable.
The vast majority of personal losses in this space don’t come from some novel zero-day or obscure protocol bug, but rather from people signing things they didn’t read, importing wallets into fake apps, or trusting a DM that feels just plausible enough. The tools might be new, but the tactics are as old as time: deception, urgency, misdirection.
People come to crypto for the self-custody and the permissionless nature, but users need to remember that here the stakes are higher; in traditional finance, you get scammed and you call the bank. In crypto, you get scammed and that’s the end of the story.