Social engineering attacks for compromising crypto currency can be very sophisticated, as the reward can be very large.
This recent 2024 case involved 4,064 BTC with value of about $239MM (BTC transaction hash 4b277ba298830ea538086114803b9487558bb093b5083e383e94db687fbe9090). The steps of the attack included:
(1) Calling the victim as Google Support via spoofed number to compromise its Gmail personal account,
(2) Calling the victim as purported Gemini exchange support claiming that its account was hacked,
(3) persuading the victim into resetting 2FA and sending funds from Gemini exchange wallet to a compromised non-custodial wallet, and finally
(4) persuading the victim to share his screen to steal private keys to that compromised wallet.
The stolen 4,064 BTC were first split equally into two wallets, and then, after a few hops, into 6 wallets. As the next step, each of these six wallets implemented a peeling chain with dozens and hundreds of hops at the end of which the stolen funds were transferred to more than 15 centralized crypto exchanges. Some of the stolen BTC funds were also swapped through Thorswap Finance DEX into LTC, ETH and XMR (privacy coin Monero). Some of the funds have already been frozen by exchanges and recovered, while some of the funds have been located in non-custodial wallets (for example, more than $60MM current value are sitting in two non-custodial ETH addresses).
In a similar, but smaller-scale attack in 2022, the hacker targeted a Crypto.com user, and followed the following steps:
(1) Took over the victim's email account, most likely by obtaining the password from a database of hacked account.
(2) Observed transaction confirmations from Crypto.com to gain intelligence about the user's holdings.
(3) Obtained the user's PIN for the Crypto.com App.
(4) Played man-in-the-middle between Crypto.com and the victim Request a security reset on Crypto.com to get a one-time code. Sent email, pretending to be from Crypto.com, to the victim claiming his account is compromised and needs to have a security reset. Asking for a picture of the victim holding a piece of paper with a one-time secret.
(5) With the picture from the victim, the hacker completed the security reset process with Crypto.com, including reset the phone number associated with the account, and reinstall and setup the App.
(6) Once all this is done, the hacker took over the victim's Crypto.com account, and converted all movable assets to BTC, and sent all BTC to an external account (bc1qm3n8fg828apfdw2s3km4p3yx774urtjpay8t97). In March 2024, the BTC in this address has been transferred out to other addresses:
bc1qa86actz3808u8epjml27n0hdkks283f0z02396
bc1qr4qkufpv6xdtgp6d88dyyfwmxes7k2y6vhj2hg
Crypto.com did not have any security alerting capabilities related to these suspicious activities (a security reset followed almost immediately by ten transfers out) and claim no responsibility for this loss.