Security

They're Not Hacking Your Code. They're Hacking You.

Over $3.4 billion stolen in 2025 through social engineering and physical coercion. Wrench attacks up 75%. The most sophisticated adversaries in crypto aren't writing exploit code — they're making phone calls, sending job offers, and showing up at doors.

Security Social Engineering OPSEC · CoinHub Today Research Desk · May 13, 2026 · 6 min read
[Figure: the human attack surface. Five vectors converging on one target: phishing / impersonation, fake jobs (DPRK vector), SIM swap (bypasses 2FA), wrench attack (physical coercion), insider bribery. Callouts: $3.4B stolen via social engineering in 2025; 60%+ of 2025 incidents used a human attack vector; 75% surge in physical wrench attacks 2024→2025; Bybit, Feb 2025, $1.5B, no code exploit, social engineering compromised a signing-UI developer, largest single crypto theft in history; DPRK fake job vector: posing as recruiters, infiltrating teams, long-horizon attacks taking months to execute, used in Bybit and multiple exchange hacks.]

The human attack surface in 2025: five primary vectors converging on one target — the person with signing authority. No code exploit required. Sources: Chainalysis, CertiK, Jameson Lopp's Physical Attack Tracker.

What This Article Covers

Social engineering — manipulating people rather than exploiting code — was responsible for more than 60% of all crypto security incidents in 2025, resulting in over $3.4 billion in losses according to Chainalysis and CertiK data. Physical coercion attacks ("wrench attacks") surged 75% to at least 65 recorded incidents. The February 2025 Bybit hack — the largest single crypto theft in history at $1.5 billion — was executed not through a smart contract exploit but through social engineering of a developer at Safe{Wallet}. This article maps the five attack vectors driving losses, the emerging physical threat landscape, and the layered defensive controls — including pre-signature behavioral simulation — that remain effective even when a human has been compromised.

In February 2025, Bybit — one of the world's largest crypto exchanges — lost $1.5 billion in what became the single largest crypto theft in history. The attackers didn't find a zero-day in the smart contracts. They used social engineering to compromise a developer at Safe{Wallet}, Bybit's multi-sig infrastructure provider — with forensic analysis by Verichains later confirming that a malicious JavaScript payload was injected into Safe{Wallet}'s AWS S3 or CloudFront infrastructure on February 19, 2025, two days before the theft, via a compromised API key. The payload modified transaction data in the signing interface while displaying a completely normal UI to the signers. Every approval looked legitimate. Every step was authorized by a human. Every dollar was gone within minutes. The FBI officially attributed the attack to TraderTraitor (also known as Jade Sleet and Slow Pisces), a DPRK threat cluster operating under the Lazarus Group umbrella.

$3.4B: stolen via social engineering & fraud in 2025
60%+: of 2025 incidents fueled by social engineering
75%: surge in physical wrench attacks vs. 2024
65: recorded physical attacks on holders in 2025

The Bybit attack crystallized a threat that the crypto industry has been reluctant to fully reckon with: the most dangerous attack surface in the space is not the code. It's the people who interact with it. Social engineering fueled more than 60% of all crypto security incidents in 2025. And increasingly, attackers aren't stopping at digital manipulation.

When the Threat Gets Physical

Parallel to the surge in digital social engineering, a more visceral threat category has been escalating: physical attacks on crypto holders and operators. Known as "wrench attacks" in security circles — a reference to the idea that physical coercion can defeat any digital security — these incidents jumped 75% in 2025, with at least 65 recorded cases according to Jameson Lopp's physical attack tracker. The previous record, set during the 2021 bull market peak, was 36. Chainalysis notes a clear correlation between wrench attack frequency and Bitcoin price movements, and reports that personal wallet compromises now represent 23.35% of all crypto theft activity in 2025, which suggests that opportunistic targeting intensifies during high-value periods; 2025 is on track to have potentially twice as many physical attacks as any prior year on record.

The targets are no longer exclusively retail holders who publicly broadcast their crypto wealth. Threat actors are increasingly mapping the organizational charts of exchanges, custodians, and DeFi protocol teams — identifying keyholders, signers, and infrastructure administrators. A compromised human with signing authority is often more valuable than any contract exploit.

The Organizational Chart Is the Attack Surface

Sophisticated threat actors — including DPRK-linked groups — don't scan codebases for vulnerabilities. They research LinkedIn, GitHub profiles, and conference speaker lists to identify who holds signing keys and administrative access. Once a high-value target is identified, the attack can take weeks or months to execute. By the time it materializes, the entry point looks completely legitimate from every monitoring system in place.

"Attackers aren't breaking in — they're being invited in. The majority of hacks don't start with malicious code; they begin with a conversation."

— Nick Percoco, CSO, Kraken

The Attack Vectors Driving the Losses

Phishing and impersonation are the dominant entry points, but the vector landscape has diversified significantly. North Korean actors have industrialized the fake job offer vector — posing as recruiters or developers to infiltrate exchanges and DeFi protocol teams, plant insider access, and execute long-horizon attacks that can take months to materialize. Two DPRK clusters drive this activity: TraderTraitor (Jade Sleet / Slow Pisces), responsible for the Bybit supply chain attack, and Contagious Interview (Famous Chollima), which approaches targets via LinkedIn with scripted pitches requesting "collaborators" on projects. The Bybit attack methodology followed patterns consistent with these documented DPRK operations, according to Chainalysis. North Korea's total crypto theft in 2025 reached $2.02 billion — a 51% year-over-year increase, with the Bybit hack accounting for 74% of that total and 44% of all crypto theft globally that year. DPRK's cumulative crypto theft since tracking began is estimated at $6.75 billion.

Impersonation attacks — where threat actors pose as exchange support staff, investment partners, or project managers — accounted for at least $9 million in losses in the three months following January 2026 alone, according to AMLBot. SIM swapping continues to circumvent SMS-based two-factor authentication at scale, while insider threats and bribery are growing concerns at institutions managing significant on-chain assets.

Attack Vector Prevalence — 2025 (Indexed to Phishing = 100)
Vector | Note | Index
Phishing / Impersonation | Most prevalent; targets employees & users | 100
Fake Job Offers (DPRK) | Used in Bybit & multiple exchange hacks | 82
SIM Swapping | Bypasses SMS-based 2FA entirely | 61
Physical Wrench Attacks | 65 recorded incidents; up 75% | 45
Insider Threat / Bribery | Growing risk at exchanges & custodians | 38

The common thread across every vector: they all bypass technical controls entirely by exploiting human trust. A SIM swap doesn't attack an authentication system — it circumvents it. A fake job offer doesn't break into a codebase — it installs a trusted insider. A wrench attack doesn't need a private key — it just needs the person who holds it to cooperate.

What Robust Defense Actually Looks Like

The defensive response has to be layered across both the human and technical dimensions — and critically, it must include enforcement mechanisms that remain effective even when a human has been compromised.

On May 4, 2026, Binance launched Withdraw Protection — a feature allowing users to lock all on-chain withdrawals from their accounts, specifically designed to neutralize the wrench attack scenario. Even under physical coercion, a locked account cannot be drained in real time. It's a product-level acknowledgment that no amount of digital security solves a threat that bypasses digital controls entirely.

The Pre-Signature Layer — Defense That Survives Compromise

The technical control layer must include pre-signature behavioral simulation — evaluating what a transaction will actually do before any human signs it. When a compromised signer is manipulated into authorizing an anomalous transfer, behavioral baselines fire regardless of whether the credential is legitimate. Unusual destination addresses, transaction amounts outside historical norms, or approval scopes that deviate from expected patterns all generate risk signals before the blockchain confirms anything. This is the same pre-execution enforcement layer that defends against smart contract exploits — and it's equally effective against a socially engineered signer. Platforms deploying this capability intercept the attack at the transaction layer, not the identity layer — the only place where a compromised human's authorization can still be stopped.
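As an added illustration (not code from the article or from any vendor's product), the following Python sketches the pre-signature behavioral check described above: a proposed transaction is scored against the signer's historical baseline before anyone signs, so a legitimate credential authorizing an anomalous transfer still trips a signal. The transaction fields, addresses and history are constructed, and the `operation` field follows the Safe-style convention of 0 for CALL and 1 for DELEGATECALL, which is an assumption about the wallet model rather than something the article states.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Simplified Safe-like transaction (assumption): operation 0 = CALL, 1 = DELEGATECALL.
@dataclass(frozen=True)
class Tx:
    to: str
    value: float       # constructed example uses units of ETH
    operation: int = 0

@dataclass
class Baseline:
    allowlist: set     # destinations the operator has pre-approved
    history: list      # past Tx objects this signer has approved (constructed)
    sigma_limit: float = 3.0

def simulate_before_signature(tx: Tx, base: Baseline) -> list:
    """Return risk signals for a proposed transaction; an empty list means it
    matches the signer's historical baseline. Hypothetical policy, not a product."""
    signals = []
    # 1. Destination: anything outside the allowlist is a possible exfiltration path.
    if tx.to not in base.allowlist:
        signals.append(f"destination {tx.to} not in allowlist")
    # 2. Amount: compare against mean + k*sigma of past values and the all-time max.
    values = [h.value for h in base.history]
    if values:
        ceiling = mean(values) + base.sigma_limit * pstdev(values)
        if tx.value > max(ceiling, max(values)):
            signals.append(f"value {tx.value} exceeds historical norm ({ceiling:.2f})")
    # 3. Approval scope: an operation type this signer has never used before.
    seen_ops = {h.operation for h in base.history}
    if tx.operation not in seen_ops:
        signals.append(f"operation {tx.operation} never seen in history")
    return signals

# Constructed baseline: routine treasury transfers to two known addresses.
HISTORY = [Tx("0xCOLD_WALLET", v) for v in (50.0, 60.0, 55.0, 48.0, 62.0)] + \
          [Tx("0xPAYROLL", 20.0), Tx("0xPAYROLL", 22.0)]
BASE = Baseline(allowlist={"0xCOLD_WALLET", "0xPAYROLL"}, history=HISTORY)

# Constructed proposals: a routine transfer, and one resembling a UI-manipulated
# transfer to an unknown contract with an operation type the signer never uses.
ROUTINE = Tx("0xCOLD_WALLET", 58.0)
ANOMALOUS = Tx("0xUNKNOWN_CONTRACT", 400_000.0, operation=1)

if __name__ == "__main__":
    print("routine  :", simulate_before_signature(ROUTINE, BASE))
    print("anomalous:", simulate_before_signature(ANOMALOUS, BASE))
```

The routine proposal yields no signals, while the anomalous one trips all three checks even though the signer's credential is valid.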

Table 1 — Defensive Measures: Applicability & Effectiveness for Crypto Operators
Defense Measure | Threat Addressed | Applies To | Effectiveness
Hardware MFA / Passkeys | SIM swaps, phishing credential theft | Exchanges, Custodians, DeFi | ✓ High — eliminates SMS 2FA risk
Out-of-Band Tx Verification | Social engineering of signers; insider threats | Custodians, Exchanges | ✓ High — confirms intent independently
Timelocked Withdrawals | Coerced transfers; wrench attacks | All operators | ✓ High — Binance Withdraw Protection model
Multi-sig + MPC Key Management | Single-point key compromise; bribery | DeFi protocols, Custodians | ✓ High — threshold prevents unilateral action
Pre-Sig Behavioral Simulation | Anomalous tx patterns post-compromise | All operators | ✓ High — catches credential-enabled exploits
Address Allowlisting | Unauthorized destination addresses | Exchanges, Custodians | ✓ High — limits exfiltration paths
Employee Security Training | Phishing, fake job offers, impersonation | All operators | ⚠ Partial — humans remain exploitable
Incident Response Playbooks | Reduces damage window post-breach | All operators | ⚠ Partial — reactive, not preventive

A complete defense requires both human-layer controls and technical enforcement that remains effective even when a human has been compromised. No single measure is sufficient. Sources: CertiK, Chainalysis, Binance security disclosures.

For Institutional Operators — The Minimum Viable Stack

Multi-sig and MPC wallets distribute signing authority so no single compromised individual can authorize a transfer. Out-of-band transaction verification confirms signer intent through a channel separate from the primary interface — the exact control that would have flagged the modified transaction UI in the Bybit attack. Hardware-based MFA and passkeys eliminate the SIM swap attack surface by removing phone-based authentication entirely. And pre-signature behavioral simulation provides a final enforcement layer that fires even when the credential is legitimate but the intent is malicious. Together, these controls create a defense that requires an attacker to simultaneously compromise multiple independent systems — the only meaningful deterrent against sophisticated, patient threat actors.

Crypto security that only hardens the code while leaving the humans around it unprotected is incomplete. The Bybit attack didn't need a zero-day. It just needed one developer to trust the wrong person.

— CoinHub Today Research Desk, May 2026

The Bottom Line

Over $3.4 billion in 2025. Sixty-five physical attacks. A $1.5 billion exchange hack executed not through a code exploit but through a manipulated developer. The lesson is unambiguous: crypto security that only hardens the code while leaving the humans around it unprotected is incomplete.

The institutions that will weather the next wave are those that treat key management, signing workflows, and behavioral anomaly detection as a unified system — one that remains resilient even when a human in the chain has been compromised. The attacker's path of least resistance is always the person, not the protocol. Building defenses that account for that reality is no longer optional.

Frequently Asked Questions

What is a social engineering attack in crypto?
A social engineering attack manipulates people rather than exploiting software vulnerabilities. In crypto, this includes phishing (impersonating trusted entities to steal credentials), fake job offers (DPRK-linked groups posing as recruiters to gain insider access), SIM swapping (hijacking phone numbers to bypass SMS 2FA), and insider threats (bribing employees with signing authority). According to Chainalysis and CertiK, social engineering fueled more than 60% of all crypto security incidents in 2025, resulting in over $3.4 billion in losses.
What was the Bybit hack and how did it happen?
In February 2025, Bybit lost $1.5 billion — the largest single crypto theft in history — without any smart contract code being exploited. Attackers used social engineering to compromise a developer at Safe{Wallet}, Bybit's multi-sig infrastructure provider. Forensic analysis by Verichains confirmed a malicious JavaScript payload was injected into Safe{Wallet}'s AWS S3 or CloudFront infrastructure on February 19, 2025 — two days before the theft — via a compromised API key. The payload modified transaction destination data in the signing interface while displaying a normal UI to authorized signers. The FBI officially attributed the attack to TraderTraitor (Jade Sleet / Slow Pisces), a DPRK threat cluster operating under the Lazarus Group. Out-of-band transaction verification was the missing control.
What is a wrench attack in crypto?
A wrench attack (also called a $5 wrench attack) refers to physical coercion of a crypto holder or operator to force them to transfer funds or reveal private keys. The name is darkly practical — a $5 wrench defeats any cryptographic protection if the person holding the key can be threatened. Wrench attacks surged 75% in 2025 to at least 65 recorded incidents, per Jameson Lopp's physical attack tracker, targeting not just retail holders but exchange employees, protocol administrators, and custodian keyholders.
How does DPRK use fake job offers to hack crypto firms?
DPRK-linked threat actors operate two primary clusters for this vector: TraderTraitor (Jade Sleet / Slow Pisces), which executed the Bybit supply chain attack, and Contagious Interview (Famous Chollima), which approaches targets via LinkedIn with scripted "collaborator" pitches. After months of relationship-building, they plant malicious code, extract credentials, or directly authorize fraudulent transactions. North Korea's total crypto theft in 2025 reached $2.02 billion — a 51% year-over-year increase — with Bybit accounting for 74% of that total. DPRK's cumulative crypto theft since tracking began is estimated at $6.75 billion according to Chainalysis.
What is out-of-band transaction verification?
Out-of-band (OOB) transaction verification confirms a signer's intent through a channel completely separate from the primary signing interface. In the Bybit attack, the signing UI was compromised and displayed false transaction data — but the transaction itself was real. An OOB verification step (e.g., a separate hardware device showing the actual destination address and amount) would have flagged the discrepancy before authorization. It's one of the highest-effectiveness controls against UI manipulation and social engineering of signers.
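Added example, not part of the original article: a minimal model of the out-of-band check, in which an independent device recomputes a digest over the raw payload fetched on its own channel and compares it with the fields the signing UI displayed to the human. The SHA-256-over-canonical-JSON digest and the address strings are constructed stand-ins for the wallet's real transaction hash and are assumptions, not the article's or Safe{Wallet}'s actual format.

```python
import hashlib
import json

FIELDS = ("to", "value_wei", "data", "nonce")

def tx_digest(tx: dict) -> str:
    """Commitment over the transaction about to be authorized.
    Assumption: canonical JSON + SHA-256 stands in for the wallet's real
    EIP-712 transaction hash; the comparison logic is unchanged."""
    canonical = json.dumps(
        {"to": tx["to"].lower(), "value_wei": tx["value_wei"],
         "data": tx["data"].lower(), "nonce": tx["nonce"]},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def oob_verify(ui_view: dict, raw_payload: dict) -> tuple:
    """The independent device hashes the raw payload it fetched over its own
    channel and checks it against a digest of what the UI showed the signer.
    Returns (ok, mismatched_fields); any mismatch must block the signature."""
    if tx_digest(raw_payload) == tx_digest(ui_view):
        return True, []
    diffs = [k for k in FIELDS if ui_view[k] != raw_payload[k]]
    return False, diffs

# Constructed scenario: the (compromised) web UI shows a routine transfer,
# while the payload actually queued for signature points somewhere else.
UI_VIEW = {"to": "0xCOLD_WALLET", "value_wei": 50 * 10**18, "data": "0x", "nonce": 41}
RAW_HONEST = dict(UI_VIEW)
RAW_TAMPERED = {"to": "0xATTACKER_CONTRACT", "value_wei": 50 * 10**18,
                "data": "0xdeadbeef", "nonce": 41}

if __name__ == "__main__":
    print("honest  :", oob_verify(UI_VIEW, RAW_HONEST))
    print("tampered:", oob_verify(UI_VIEW, RAW_TAMPERED))
```

The honest payload verifies, while the tampered one reports the destination and calldata as the fields that differ from what the signer was shown.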
How can crypto operators defend against social engineering?
A complete defense requires both human-layer and technical controls: hardware MFA/passkeys (eliminates SIM swap risk); multi-sig and MPC key management (no single person can authorize a transfer); out-of-band transaction verification (confirms intent independently of the signing UI); timelocked withdrawals (neutralizes coerced transfers — Binance's Withdraw Protection model); pre-signature behavioral simulation (flags anomalous transactions even when credentials are legitimate); and address allowlisting (limits exfiltration paths). Security training helps but is only partially effective — humans remain exploitable, which is why technical controls that fire regardless of human intent are essential.
Sources & Disclaimer

Sources: Chainalysis 2026 Crypto Crime Report, CertiK 2025 Annual Security Report, Jameson Lopp's Physical Attack Tracker, AMLBot, CoinTelegraph, Binance security disclosures. Loss figures and incident counts are drawn from published third-party research; all amounts and counts are approximate. This article is published for informational purposes only and does not constitute security, legal, or financial advice. Readers should consult qualified security professionals for guidance specific to their operational context.
