The $340M Social Engineering Crisis in Web3: What Went Wrong?


In the first half of 2025, the crypto ecosystem witnessed staggering losses of over $2.24 billion due to hacks and exploits. One of the most overlooked yet devastating attack vectors? Social engineering, responsible for over $340 million lost across Bitcoin, Ethereum and Solana.
Unlike technical hacks, social engineering attacks exploit human trust. These attacks often bypass even the most secure smart contracts by targeting developers, signers and everyday users through deception.
The Rise of Human-Targeted Exploits
These attacks don’t rely on bugs in code but on lapses in human judgment. From phishing sites to deepfake Zoom calls, attackers are finding new ways to manipulate victims. Some of the common tactics include:

- Phishing: Fake dApps and wallet interfaces trick users into revealing seed phrases or signing malicious transactions.
- Malicious GitHub repos: Developers unknowingly run infected code that compromises wallets.
- Zoom scams: Attackers share malware during fake investment or hiring calls, sometimes using deepfakes of real founders.
- Fake Ledger devices: Some users received tampered hardware wallets, falling for sophisticated impersonation tricks.
These aren’t isolated cases. One notable Bitcoin user lost over 3520 BTC (~$300M), and Coinbase recently dealt with a data breach tied to insider collusion, leaking user information to scammers. Attackers are evolving — and so should our defenses.
It’s Not Just Tech, It’s OpSec
Even with the most secure code, poor operational security (OpSec) leaves users exposed. Most successful social engineering attacks stem from avoidable trust-based errors: clicking unknown links, downloading unofficial tools, or signing suspicious transactions.
For founders, developers, and DAO participants, this calls for more than audits: it demands vigilance, education and security hygiene. Tools and habits like hardware wallets, verifying URLs, and double-checking counterparties are no longer optional.
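Two of the habits named above, verifying URLs and double-checking what you are about to sign, can be turned into concrete pre-signing checks. The following is an added example written for this page, not code from QuillAudits or from the full blog post: it checks a dApp URL against an exact-match allowlist (flagging look-alike and punycode hosts instead of trusting them) and decodes the calldata of a pending transaction to flag an unlimited ERC-20 `approve()` or an ERC-721 `setApprovalForAll(true)` to an unexpected spender. The allowlist hosts, addresses and sample transaction are all constructed for the demo; the three function selectors are the standard ones.

```javascript
// Added example (not from the original post). Allowlist hosts, addresses and the
// sample request below are constructed; the selectors are the standard ERC-20/721 ones.

// Known-good hosts for the dApps the user actually intends to use (constructed).
const KNOWN_HOSTS = new Set(["app.example-dex.org", "example-lending.finance"]);

// Check 1: exact hostname match against the allowlist. A host that merely
// contains a trusted brand name is reported as a look-alike, never as trusted.
function checkUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not https" };
  const host = url.hostname.toLowerCase();
  if (KNOWN_HOSTS.has(host)) return { ok: true, reason: "exact allowlist match" };
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "punycode label (possible homoglyph domain)" };
  }
  for (const trusted of KNOWN_HOSTS) {
    const labels = trusted.split(".");
    const brand = labels[labels.length - 2]; // registrable label, e.g. "example-dex"
    if (host.includes(brand)) return { ok: false, reason: `look-alike of ${trusted}` };
  }
  return { ok: false, reason: "unknown host" };
}

// Function selector = first 4 bytes of keccak256(signature).
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0xa9059cbb": "transfer(address,uint256)",
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Split ABI-encoded calldata into its selector and 32-byte argument words.
function decodeCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || (hex.length - 8) % 64 !== 0 || /[^0-9a-f]/.test(hex)) return null;
  const selector = "0x" + hex.slice(0, 8);
  const words = [];
  for (let i = 8; i < hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector, signature: SELECTORS[selector] ?? null, words };
}

// Check 2: review a transaction request before signing. expectedSpenders holds the
// contract addresses the user knowingly intends to authorise (lowercase hex).
function reviewTransaction(tx, expectedSpenders = new Set()) {
  const decoded = decodeCalldata(tx.data ?? "0x");
  if (!decoded) return { risk: "high", reason: "malformed calldata" };
  if (!decoded.signature) return { risk: "medium", reason: `unknown selector ${decoded.selector}` };
  const spender = "0x" + (decoded.words[0] ?? "").slice(24); // last 20 bytes of word 0
  const known = [...expectedSpenders].some((s) => s.toLowerCase() === spender);
  const amount = BigInt("0x" + (decoded.words[1] ?? "0"));
  if (decoded.signature.startsWith("approve(")) {
    if (amount === MAX_UINT256) {
      return { risk: known ? "medium" : "high", reason: `unlimited allowance to ${spender}`, spender, amount };
    }
    return { risk: known ? "low" : "medium", reason: `allowance of ${amount} to ${spender}`, spender, amount };
  }
  if (decoded.signature.startsWith("setApprovalForAll(")) {
    if (amount === 1n) {
      return { risk: known ? "medium" : "high", reason: `operator approval for ALL tokens to ${spender}`, spender };
    }
    return { risk: "low", reason: `revokes operator ${spender}`, spender };
  }
  // transfer(address,uint256): funds leave the wallet immediately.
  return { risk: "medium", reason: `transfer of ${amount} to ${spender}`, spender, amount };
}

// Constructed sample: a dApp asks for an unlimited approve() to an unfamiliar spender.
const SAMPLE_SPENDER = "0x" + "ab".repeat(20);
const SAMPLE_TX = {
  to: "0x" + "11".repeat(20), // token contract (constructed)
  data: "0x095ea7b3" + "00".repeat(12) + "ab".repeat(20) + "f".repeat(64),
};

console.log(checkUrl("https://app.example-dex.org/swap"));
console.log(checkUrl("https://app.example-dex.org.evil.example/swap"));
console.log(reviewTransaction(SAMPLE_TX));
```

The URL check deliberately refuses anything short of an exact hostname match, because most phishing domains are built to contain the real brand name. The transaction check surfaces the two requests that a fake dApp most commonly asks a victim to sign, an unlimited allowance and a blanket operator approval, so the user sees them labelled as such instead of as an opaque hex blob.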
Wanna dive deeper into how these scams actually work?

*We’ve covered real-world examples, deepfake cases, and malware tactics in our full blog:* 👉 [**How Social Engineering Drained Over $340M**](https://www.quillaudits.com/blog/web3-security/social-engineering-drained-over-340M)
It’s Just the Tip of the Iceberg
These social engineering cases account for just three of over 120 incidents we tracked in our H1 2025 Crypto Hacks Report, showing how deeply DeFi and Web3 infrastructure have been compromised. And as these scams grow more personal and believable, the line between technical and social exploits continues to blur.
Written by Rahul Ravi