Phishing + Social Engineering
Phishing and social engineering attacks dwarf every other crypto loss vector combined. They work because they bypass technical security entirely — they exploit your impulses, your trust, and your tiredness.
The most common patterns
Fake support PM. Someone messages you claiming to be from a wallet, exchange, or the forum staff. They ask for verification information that lets them take over your account.
Urgency manipulation. "Your account will be frozen in 24 hours unless…" The clock is fake; the panic isn't.
Trusted-context impersonation. A clone account of someone you know PMs you with a "great opportunity" or "small favor."
Drainer link. An ad, a forum post, or a PM links to a website that looks legitimate but is designed to drain wallets that connect to it.
Helpful-stranger. Someone offers free help with a wallet issue, then walks you through a "recovery" that funnels your seed to them.
Why they work
You're not stupid. You're human. The attacker times the message for when you're tired, distracted, or already stressed. The script is refined by thousands of prior victims. The fake site is pixel-perfect.
The defense isn't being smart. It's having pre-committed rules that don't bend under pressure.
Pre-committed rules
Do
- +Never type your seed phrase into anything except the wallet device itself
- +Always navigate to wallet/exchange sites by typing the URL, never by clicking
- +Treat every PM as untrusted until proven otherwise
- +When something feels urgent, the right move is to slow down
Don't
- −Click links in PMs from accounts you don't already trust
- −Run any 'recovery tool' someone walks you through in PM
- −Verify your account by entering credentials into a 'staff' link
- −Trust an opportunity that pressures you to act in <24h
Specific attack: drainer signature on Discord/Twitter
The pattern: you click a link to "claim airdrop" or "verify wallet." A signature prompt appears asking you to sign what looks like a benign message. The signed message is actually a setApprovalForAll permission that lets the attacker drain your tokens.
Defense:
- Read every signature prompt slowly
- If it mentions "approve", "permission", "operator", or "spender" — abort
- Use a separate "burner" wallet for any new dApp interactions
Bitcoin-specific phishing
Bitcoin doesn't have the same approval-drain vector as Ethereum. But:
- Clipboard hijackers — malware swaps the BTC address in your clipboard for the attacker's
- Fake wallet apps — counterfeit installers in unofficial download portals
- PSBT manipulation — fake "use this PSBT" workflow that sends to attacker
Defense: cross-check the recipient address character-by-character. Always.
After a near-miss
If you almost fell for one:
- Take a screenshot of the attack for your records
- Report it (forum's report system, exchange support, Twitter report)
- Tell others — warning a peer is high-leverage harm reduction
- Reflect on what almost worked so you spot the next iteration