Disclosure: The views and opinions expressed herein belong solely to the authors and do not represent the views and opinions of crypto.news editorials.
Over the past year, most of the biggest abuses in cryptocurrency have had the same root cause: humans. In the past few months alone, Ledger urged users to pause on-chain activity after npm maintainers were fooled and malicious packages were spread. Workday revealed a social engineering campaign that accessed data from a third-party CRM. And operators with ties to North Korea continued to use fake job offers aimed at crypto teams in order to distribute malware.
Summary
Cryptocurrency is not so much being hacked as being talked out of its funds. Today, most breaches are caused not by flaws in code but by phishing, fake updates, and spoofing, with humans as the primary target. Programmable money turns small mistakes into catastrophic losses. A single leaked key or approved request can drain funds instantly and irrevocably, making social engineering a system-wide risk rather than a user error. Until operational security is treated like core infrastructure, these exploits will continue to grow. Audits and code reviews cannot stop human deception; what can is enforced standards for devices, access, and training.
Despite spending billions of dollars on cybersecurity, companies continue to be victimized by simple social engineering. Teams pour money into technical safeguards, audits, and code reviews while ignoring operational security, device hygiene, and basic human factors. As more financial activities move on-chain, that blind spot becomes a systemic risk to digital infrastructure.
The only way to slow the proliferation of social engineering attacks is widespread and continued investment in operational security, which will reduce the returns on these tactics.
Social engineering is the Achilles heel of cybersecurity
Verizon’s 2025 Data Breach Investigations Report states that the “human element” of cybersecurity (phishing, stolen credentials, routine mistakes) is involved in approximately 60% of data breaches.
Social engineering works because it targets humans, not code, and exploits trust, urgency, familiarity, and routine. These attacks cannot be eliminated with code audits and are difficult to prevent with automated cybersecurity tools. Code reviews and other common cybersecurity practices can’t stop employees from approving fraudulent requests that look like they come from their managers, or from downloading fake Zoom updates that look legitimate.
Even highly skilled teams can be caught. Human weakness is universal and stubborn. As a result, social engineering continues to cause real-world incidents.
Cryptocurrency raises the stakes
Programmable money concentrates risk. In Web3, compromising a seed phrase or API token can be the equivalent of breaking into a bank vault. The irreversible nature of cryptocurrency transactions magnifies mistakes: once funds are transferred, there is usually no way to reverse the transaction. A single lapse in device or key security can result in asset loss. Because of Web3’s distributed design, there is often no help desk to contact, leaving users to fend for themselves.
Hackers, including state-sponsored mercenaries, have taken note of the effectiveness of social engineering attacks and adapted accordingly. The activity attributed to North Korea’s Lazarus Group relies heavily on social engineering, including fake job postings, tainted PDFs, malicious packages, and tailored phishing targeting human vulnerabilities.
These attacks are highly effective and easy to execute, and technology companies can’t seem to prevent them. Unlike zero-day exploits, which are quickly patched and force attackers to find new strategies, the same social engineering tactics can be reused over and over again, letting attackers spend more time attacking and less time on research and development.
Businesses need to invest in operational security
Too many organizations still treat security as a compliance exercise, reinforced by permissive regulatory standards. Companies routinely pass audits and issue clean reports despite obvious operational risks, such as admin keys stored on personal laptops, credentials shared via chat or email, stale access privileges that are never revoked, and travel laptops repurposed as development machines.
Correcting this lack of discipline requires explicit and mandatory operational security. Teams should use managed devices, strong endpoint protection, and full disk encryption. Corporate logins should leverage password managers and phishing-resistant MFA. System administrators must carefully manage permissions and access. These controls are not foolproof, but they can help make social engineering attacks more difficult and reduce the impact of potential exploits.
Most importantly, teams need to invest in operational security training. Your employees (not your cybersecurity team) are your first line of defense against social engineering attacks. Companies should spend time training their teams to identify potential phishing attacks, practice safe data hygiene, and understand operational security practices.
Importantly, organizations cannot be expected to adopt stronger cybersecurity postures voluntarily. Regulators need to step in and set enforceable operational baselines that make real security non-optional. Compliance frameworks should go beyond documentation to require empirical proof of secure practices: validated key management, regular access reviews, endpoint hardening, and phishing response simulations. Without regulatory teeth, incentives will always favor optics over results.
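As an added illustration of what an "empirical" access review can look like (example code written for this piece, not from the article or any named company), the check below walks a constructed access inventory and flags the three operational risks listed above: privileges that have gone unused, admin-level grants held from unmanaged devices, and one credential shared by several people. Field names and the 90-day idle threshold are assumptions.

```python
from datetime import date, timedelta

# Constructed inventory: one row per (user, privilege) grant. Not real data.
INVENTORY = [
    {"user": "alice", "priv": "prod-admin", "cred": "c-101", "last_used": date(2025, 9, 1),  "managed_device": True},
    {"user": "bob",   "priv": "prod-admin", "cred": "c-102", "last_used": date(2025, 3, 2),  "managed_device": False},
    {"user": "carol", "priv": "repo-write", "cred": "c-103", "last_used": date(2025, 8, 20), "managed_device": True},
    {"user": "dave",  "priv": "repo-write", "cred": "c-103", "last_used": date(2025, 8, 21), "managed_device": True},
    {"user": "erin",  "priv": "signing-key", "cred": "c-104", "last_used": None,             "managed_device": True},
]

# Privileges that can move funds or sign releases get the strictest handling (assumed set).
HIGH_RISK_PRIVS = {"prod-admin", "signing-key"}


def review_access(inventory, today, max_idle_days=90):
    """Return a sorted list of (user, privilege, finding) tuples.

    Findings are the review outcomes an auditor would expect to see evidence for:
    stale grants to revoke, high-risk grants used from unmanaged devices, and
    credentials that are apparently shared between people.
    """
    cutoff = today - timedelta(days=max_idle_days)
    findings = []
    holders = {}  # credential id -> set of users seen with it

    for row in inventory:
        user, priv = row["user"], row["priv"]
        holders.setdefault(row["cred"], set()).add(user)

        # Never used, or not used within the idle window: revoke or re-justify.
        if row["last_used"] is None or row["last_used"] < cutoff:
            findings.append((user, priv, "stale-grant"))

        # Admin keys on personal or otherwise unmanaged laptops.
        if priv in HIGH_RISK_PRIVS and not row["managed_device"]:
            findings.append((user, priv, "high-risk-on-unmanaged-device"))

    # The same credential attached to more than one person implies sharing.
    for cred, users in holders.items():
        if len(users) > 1:
            for user in sorted(users):
                findings.append((user, cred, "shared-credential"))

    return sorted(findings)
```

Run it periodically and keep the output as the review record; an empty list is the state a compliance check should actually require.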
Social engineering is only getting worse
With attack rates rapidly increasing, it’s important to invest in operational security now.
Generative AI has changed the economics of deception. Attackers can now personalize, localize, and automate phishing at an industrial scale. Campaigns that were once focused on a single user or business can now target thousands of businesses with little additional cost. Phishing attacks can be customized with just a few clicks and include personal details to make the spoofed email seem legitimate.
AI also accelerates reconnaissance. Public footprints, leaked credentials, and open source intelligence can be mined into a “summary” about each victim, helping hackers develop convincing attacks.
Slowing attacks down
Social engineering thrives when implicit trust and convenience take precedence over verification and prudence. Organizations must adopt a more defensive posture and assume (correctly) that they are under constant threat of social engineering attacks.
Teams should adopt Zero Trust principles in their daily work and embed operational security throughout the company. Train your employees in operational security so they can stop attacks early, and keep your team up to date on the latest social engineering tactics.
Most importantly, companies need to find where trust is still alive in their operations (where attackers can impersonate employees, software, or customers) and add additional safeguards.
Social engineering will not disappear, but it can be made much less effective and far less catastrophic when an attack occurs. As the industry strengthens its defenses against these attacks, social engineering will become less lucrative for hackers and attacks will become less frequent, ultimately bringing a true end to this stifling cycle of exploitation.
