One Phone Call — Minus 783 BTC. Social Engineering Defeats "Hardware"
Password, PIN, one-time code — all turned out to be useless...
Password, PIN, one-time code — all turned out to be useless...
A major cryptocurrency theft has shown how vulnerable users remain to social engineering attacks. On August 19, an unknown bitcoin owner lost 783 BTC—approximately $89 million—after scammers impersonated support staff from a crypto exchange and a hardware wallet manufacturer.
According to blockchain researcher ZachXBT, the criminals meticulously covered their tracks: the stolen funds were transferred to a Wasabi wallet, which obscures transaction history. At the time of publication, the specified address was empty. Notably, the incident coincided with the anniversary of another high-profile theft—in August 2024, attackers stole $243 million from Genesis creditors. This time, as ZachXBT noted, it is not the work of North Korean hackers.
Such attacks are made possible largely due to the vast amount of personal data that has ended up in the public domain after leaks from various online services. A phone number, email address, or user details allow criminals to convincingly masquerade as company representatives. In an environment where artificial intelligence helps create increasingly plausible fakes, distinguishing a real call or email from a fake one has become extremely difficult.
In the spring of 2025, scammers already used a similar tactic, sending emails posing as the company Ledger. These emails claimed a mandatory wallet check was required following a "critical security update." Victims were prompted to follow instructions that led to their devices being compromised. Similarly, fake campaigns now target the entire crypto market: not only are hardware wallet manufacturers being impersonated, but also exchanges, storage services, and any company working with digital assets.
The FBI, in its recommendations, reminds everyone: you must not respond to calls, emails, or messages that ask for a password, PIN code, or a one-time confirmation code from SMS or email. It is also dangerous to publish personal data like a mobile number, home address, or other identifying information in the public domain.
The story of the theft of nearly $90 million underscores that in a world where data privacy is regularly violated, the only viable strategy is a fundamental principle: every communication should be treated as a potential attempt at deception.
