SlowMist: Phishing attacks were the leading cause of cryptocurrency loss to fraud in Q2
According to analysts, attackers are improving their social engineering techniques
02.07.2025 - 14:05
What’s new? Analysts at the information security company SlowMist have released a report on crypto fraud in Q2. They noted that attackers have not modernized their approaches technically but now rely more often on psychological pressure and manipulation. Phishing was the most popular method of stealing crypto assets among fraudsters in the reporting period.
What else is known? According to the report, there is a new phishing technique that exploits an Ethereum blockchain feature introduced by the enhancement proposal EIP-7702.
One user was attacked by the Inferno Drainer group while interacting with an EIP-7702 authorization and lost over $140,000.
The attacker’s method was not technically complex but was creative, the report authors write. In this case, the user’s address was not replaced with an EIP-7702 contract address through traditional phishing. In fact, the fraudster’s address was a legitimate contract that had been in existence for several days.
By abusing the EIP-7702 Delegator mechanism in the MetaMask wallet, the attacker performed mass approval operations to send tokens from the victim’s address.
EIP-7702 allows the user’s address to follow the behavior of the contract after delegating control. If a user delegates their address to a malicious contract, this creates obvious risks. However, even if the contract itself is legitimate, it can still be used to steal assets.
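The Python example below is added here and is not code from the SlowMist report or from MetaMask. It shows two checks that follow from the paragraph above: whether an address's on-chain code is an EIP-7702 delegation indicator, and whether a batch of calls contains ERC-20 approvals to spenders the user does not recognise, which matters even when the delegate contract itself is legitimate. The `0xef0100` prefix and the `approve` selector come from the EIP-7702 and ERC-20 specifications; every address, the batch and the helper names are constructed for illustration.

```python
# Added example; every address and the batch below are constructed sample data.
DELEGATION_PREFIX = bytes.fromhex("ef0100")   # EIP-7702 delegation indicator
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # ERC-20 approve(address,uint256)
UNLIMITED = 2**256 - 1

def delegation_target(code_hex):
    """Return the delegate address if account code is 0xef0100 || address, else None."""
    code = bytes.fromhex(code_hex.removeprefix("0x"))
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None

def decode_approve(data_hex):
    """Decode ERC-20 approve calldata into (spender, amount); None if not an approve."""
    data = bytes.fromhex(data_hex.removeprefix("0x"))
    if len(data) != 68 or data[:4] != APPROVE_SELECTOR:
        return None
    return "0x" + data[16:36].hex(), int.from_bytes(data[36:68], "big")

def review_batch(calls, known_spenders):
    """List approvals in a batch of (token, calldata) whose spender is not recognised."""
    findings = []
    for token, data in calls:
        decoded = decode_approve(data)
        if decoded and decoded[0] not in known_spenders:
            findings.append({"token": token, "spender": decoded[0],
                             "unlimited": decoded[1] == UNLIMITED})
    return findings

def make_approve(spender, amount):
    """Build approve calldata for the constructed sample batch."""
    return "0x095ea7b3" + spender[2:].rjust(64, "0") + format(amount, "064x")

DELEGATE = "0x" + "aa" * 20        # stands in for a legitimate delegator contract
UNKNOWN = "0x" + "bb" * 20         # spender the user has never dealt with
KNOWN = "0x" + "cc" * 20           # spender the user recognises
ACCOUNT_CODE = "0xef0100" + "aa" * 20   # what eth_getCode would return for a delegated EOA
BATCH = [("0x" + "11" * 20, make_approve(UNKNOWN, UNLIMITED)),
         ("0x" + "22" * 20, make_approve(KNOWN, 1000)),
         ("0x" + "33" * 20, make_approve(UNKNOWN, 500))]

if __name__ == "__main__":
    print("delegated to:", delegation_target(ACCOUNT_CODE))
    for f in review_batch(BATCH, {KNOWN}):
        print("review before signing:", f)
```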
Analysts have also identified a new attack vector: browser extensions masquerading as security plug-ins. One such Chrome extension, called Osiris, claims to detect phishing links and suspicious websites.
Attackers usually promoted this extension on social platforms. Once installed, it intercepts downloads of .exe, .dmg, .zip, and some other files, replacing them with malware.
Moreover, attackers direct users to well-known websites such as Notion or Zoom. When the user downloads software from these official sites, the files are replaced with malicious ones, while the browser displays the download as coming from a trusted source.
Such malware collects sensitive information from the victim’s computer, including local Chrome browser data and macOS Keychain credentials, and uploads it to the attacker’s server.
This allows them to extract seed phrases, private keys, or login credentials and then steal crypto assets and hijack accounts on crypto exchanges, social networks, and messengers.
Compromising social media data also gives fraudsters an opportunity to steal assets. In Q2, SlowMist received numerous reports from users whose WeChat accounts had been hacked.
After gaining control of the account, attackers impersonate the owner and offer the people on the contact list USDT stablecoins at discounted prices, which also results in financial losses.
Cases of victims buying cold hardware crypto wallets with malicious firmware, including on marketplaces, have also been recorded. One victim lost $6.5 million in this way.
Fraudsters also distribute such wallets via social networks in the name of real manufacturers, telling victims that they have won the device in a raffle.