Buy Crypto- Markets
Futures- Spot
- Copy Trade
- Earn
- More
Social Engineering in the Crypto Universe: Safeguarding Your Assets in 2025
Key Takeaways
- Social engineering, a psychological manipulation tactic, has been the leading cause of crypto asset theft in 2025.
- Security experts emphasize reducing human error by implementing automation and robust identity verification processes.
- Increasingly sophisticated AI-driven scams are making traditional security measures less effective, requiring a focus on awareness and vigilance.
- Protecting personal information and employing hardware-based authentication methods can significantly enhance security.
WEEX Crypto News, 2025-12-26 10:06:42
The year 2025 has witnessed an unprecedented surge in crypto-related thefts, predominantly fueled by social engineering tactics. Experts say that the majority of crypto hacks are not instigated by advanced technological breaches but rather by exploiting human vulnerabilities. This trend underlines the critical need for heightened awareness and strategic measures to protect individual and organizational assets in the crypto space.
Understanding Social Engineering: The Human Factor in Cybersecurity
Social engineering represents a manipulative technique used by cybercriminals to induce individuals into revealing confidential information or performing actions that compromise their security. Unlike traditional cyberattacks, these tactics exploit the human inclination to trust or to respond to authoritative-sounding requests.
In 2025, the crypto sector has seen over $3.4 billion in losses due to social engineering attacks, with one significant event involving Bybit in February accounting for nearly half of this total. This incident exemplifies how attackers, posing as trusted entities, manipulated individuals into providing access, which was further exploited through malicious code injection.
Automation and AI: The Dual-Edged Sword
Stephen Katte, a recognized figure within the crypto community, emphasizes the pivotal role of automation in reducing human errors. Automation in cybersecurity involves advanced systems that incorporate AI-driven threat detection and identity verification. These systems can identify unusual activities that might escape human observation.
However, the same technological advancements that aid defense mechanisms also empower attackers. Nick Percoco of Kraken highlights how attackers are not merely attempting to penetrate systems forcibly; instead, they are being “invited in” through subtle and strategic manipulation. The efficiency of such technology in crafting convincing fake scenarios or phishing attempts is alarming, thus underscoring the importance of constant vigilance and adaptive security measures.
Building Resilience: Reducing Human Trust Points
In the digital realm, trust often becomes a liability. Percoco suggests reducing “human trust points” by verifying every interaction and utilizing comprehensive authentication processes. This approach represents a shift from reactive defense against breaches to a proactive prevention strategy, where the focus is on identifying and mitigating threats before they materialize.
Laying out practical measures, he notes that the future of crypto security will be shaped by smarter identity verification systems that can foresee malicious activities well ahead of conventional security protocols. This proactive stance, combined with AI-driven threat detection, forms a robust barrier against potential intrusions.
Infrastructure Sanitation and Credential Security
Lisa, from SlowMist, draws attention to the developer ecosystems that have been prime targets for attacks this year. Mismanagement in handling cloud credentials or insufficient isolation of build environments creates vulnerabilities for malicious code injection. Her foresight into 2026 warns of more sophisticated credential-theft operations, underscoring the necessity for strong access control measures.
Organizations are advised to implement key rotations and infrastructure segmentation to compartmentalize sensitive areas effectively. Simultaneously, for personal crypto strategies, using hardware wallets and rigorously verifying identities across multiple channels can shield individuals from deceitful tactics.
The Threat of AI Deepfakes: Proof of Personhood
AI’s infiltration into identity theft poses a significant threat with its ability to create deepfakes and convincingly mimic legitimate communications. Stephen Walbroehl of Halborn forecasts that AI-enhanced social engineering will play a growing role in attackers’ arsenals. To combat this, he recommends employing proof-of-personhood approaches in communications.
Relying on cryptographic proof-of-personhood for critical interactions and using hardware authentication with biometric safeguards provides a layered defense. Additionally, anomaly detection systems that recognize deviations from normal transaction patterns further bolster security.
Secure Your Crypto: Keeping a Low Profile
Jameson Lopp, a well-known cypherpunk, emphasizes discretion in safeguarding crypto assets. Wrench attacks, or physical assaults aimed at forcing someone to surrender their crypto information, surged with more than 65 incidents in 2025. The advice is clear: avoid flaunting wealth or disclosing financial holdings online.
To further protect themselves, crypto users are encouraged to become “hard targets.” This involves using tools to scrub personal information from online databases and investing in home security devices like cameras and alarms to deter physical threats.
Time-Honored Security Practices
While the adoption of new technologies is critical, David Schwed stresses the importance of adhering to established security practices. Selecting reputable businesses with consistent third-party security audits and enabling hardware tokens for multifactor authentication are solid strategies. Protecting seed phrases by encrypting them or securing them offline are essential practices for safeguarding crypto assets.
Schwed also highlights the necessity of separating funds across varied wallet configurations and maintaining significant holdings in dedicated hardware wallets rather than exchanges. This diversification actively minimizes risk exposure.
Vigilant Verification: A Lifelong Practice
Ultimately, maintaining vigilance in every interaction is crucial. This means thoroughly verifying transaction data on hardware devices to prevent ‘blind signing’ of possibly malicious contracts. Percoco reiterates the importance of skepticism, urging constant verification of authenticity, where every message should be seen as a challenge to one’s security awareness.
These expert insights form an evolving framework for digital asset security, demonstrating that while technology can both empower and threaten us, it is the blend of innovative solutions and disciplined practices that will safeguard our digital futures.
FAQ
What is social engineering, and why is it a threat in crypto?
Social engineering exploits human psychology to trick individuals into revealing sensitive information. It’s particularly threatening in the crypto sector, where large values can be compromised through simple human error or manipulation.
How can automation enhance crypto security?
Automation reduces human errors by using AI-driven systems for threat detection and identity verification, preemptively identifying anomalies and potentially malicious behaviors before they can cause damage.
Why are hardware wallets recommended for crypto holdings?
Hardware wallets store cryptocurrencies offline, making them less susceptible to online attacks compared to keeping large amounts on exchanges, thereby providing additional security against hacks.
What measures can be taken to prevent AI deepfakes and identity fraud?
Using cryptographic proof-of-personhood, implementing biometric-based hardware authentication, and employing robust anomaly detection systems can prevent fraud facilitated by AI-generated deepfakes.
How should individual crypto users protect themselves from physical and online threats?
Users should maintain privacy regarding their crypto holdings, employ hardware wallets for asset storage, use data cleanup tools, and install home security measures to protect against physical threats.
You may also like
Soaring 50 times, with an FDV exceeding 10 billion USD, why RaveDAO?
1 billion DOTs were minted out of thin air, but the hacker only made 230,000 dollars
After the blockade of the Strait of Hormuz, when will the war end?
Before using Musk's "Western WeChat" X Chat, you need to understand these three questions
The X Chat will be available for download on the App Store this Friday. The media has already covered the feature list, including self-destructing messages, screenshot prevention, 481-person group chats, Grok integration, and registration without a phone number, positioning it as the "Western WeChat." However, there are three questions that have hardly been addressed in any reports.
There is a sentence on X's official help page that is still hanging there: "If malicious insiders or X itself cause encrypted conversations to be exposed through legal processes, both the sender and receiver will be completely unaware."
No. The difference lies in where the keys are stored.
In Signal's end-to-end encryption, the keys never leave your device. X, the court, or any external party does not hold your keys. Signal's servers have nothing to decrypt your messages; even if they were subpoenaed, they could only provide registration timestamps and last connection times, as evidenced by past subpoena records.
X Chat uses the Juicebox protocol. This solution divides the key into three parts, each stored on three servers operated by X. When recovering the key with a PIN code, the system retrieves these three shards from X's servers and recombines them. No matter how complex the PIN code is, X is the actual custodian of the key, not the user.
This is the technical background of the "help page sentence": because the key is on X's servers, X has the ability to respond to legal processes without the user's knowledge. Signal does not have this capability, not because of policy, but because it simply does not have the key.
The following illustration compares the security mechanisms of Signal, WhatsApp, Telegram, and X Chat along six dimensions. X Chat is the only one of the four where the platform holds the key and the only one without Forward Secrecy.
The significance of Forward Secrecy is that even if a key is compromised at a certain point in time, historical messages cannot be decrypted because each message has a unique key. Signal's Double Ratchet protocol automatically updates the key after each message, a mechanism lacking in X Chat.
After analyzing the X Chat architecture in June 2025, Johns Hopkins University cryptology professor Matthew Green commented, "If we judge XChat as an end-to-end encryption scheme, this seems like a pretty game-over type of vulnerability." He later added, "I would not trust this any more than I trust current unencrypted DMs."
From a September 2025 TechCrunch report to being live in April 2026, this architecture saw no changes.
In a February 9, 2026 tweet, Musk pledged to undergo rigorous security tests of X Chat before its launch on X Chat and to open source all the code.
As of the April 17 launch date, no independent third-party audit has been completed, there is no official code repository on GitHub, the App Store's privacy label reveals X Chat collects five or more categories of data including location, contact info, and search history, directly contradicting the marketing claim of "No Ads, No Trackers."
Not continuous monitoring, but a clear access point.
For every message on X Chat, users can long-press and select "Ask Grok." When this button is clicked, the message is delivered to Grok in plaintext, transitioning from encrypted to unencrypted at this stage.
This design is not a vulnerability but a feature. However, X Chat's privacy policy does not state whether this plaintext data will be used for Grok's model training or if Grok will store this conversation content. By actively clicking "Ask Grok," users are voluntarily removing the encryption protection of that message.
There is also a structural issue: How quickly will this button shift from an "optional feature" to a "default habit"? The higher the quality of Grok's replies, the more frequently users will rely on it, leading to an increase in the proportion of messages flowing out of encryption protection. The actual encryption strength of X Chat, in the long run, depends not only on the design of the Juicebox protocol but also on the frequency of user clicks on "Ask Grok."
X Chat's initial release only supports iOS, with the Android version simply stating "coming soon" without a timeline.
In the global smartphone market, Android holds about 73%, while iOS holds about 27% (IDC/Statista, 2025). Of WhatsApp's 3.14 billion monthly active users, 73% are on Android (according to Demand Sage). In India, WhatsApp covers 854 million users, with over 95% Android penetration. In Brazil, there are 148 million users, with 81% on Android, and in Indonesia, there are 112 million users, with 87% on Android.
WhatsApp's dominance in the global communication market is built on Android. Signal, with a monthly active user base of around 85 million, also relies mainly on privacy-conscious users in Android-dominant countries.
X Chat circumvented this battlefield, with two possible interpretations. One is technical debt; X Chat is built with Rust, and achieving cross-platform support is not easy, so prioritizing iOS may be an engineering constraint. The other is a strategic choice; with iOS holding a market share of nearly 55% in the U.S., X's core user base being in the U.S., prioritizing iOS means focusing on their core user base rather than engaging in direct competition with Android-dominated emerging markets and WhatsApp.
These two interpretations are not mutually exclusive, leading to the same result: X Chat's debut saw it willingly forfeit 73% of the global smartphone user base.
This matter has been described by some: X Chat, along with X Money and Grok, forms a trifecta creating a closed-loop data system parallel to the existing infrastructure, similar in concept to the WeChat ecosystem. This assessment is not new, but with X Chat's launch, it's worth revisiting the schematic.
X Chat generates communication metadata, including information on who is talking to whom, for how long, and how frequently. This data flows into X's identity system. Part of the message content goes through the Ask Grok feature and enters Grok's processing chain. Financial transactions are handled by X Money: external public testing was completed in March, opening to the public in April, enabling fiat peer-to-peer transfers via Visa Direct. A senior Fireblocks executive confirmed plans for cryptocurrency payments to go live by the end of the year, holding money transmitter licenses in over 40 U.S. states currently.
Every WeChat feature operates within China's regulatory framework. Musk's system operates within Western regulatory frameworks, but he also serves as the head of the Department of Government Efficiency (DOGE). This is not a WeChat replica; it is a reenactment of the same logic under different political conditions.
The difference is that WeChat has never explicitly claimed to be "end-to-end encrypted" on its main interface, whereas X Chat does. "End-to-end encryption" in user perception means that no one, not even the platform, can see your messages. X Chat's architectural design does not meet this user expectation, but it uses this term.
X Chat consolidates the three data lines of "who this person is, who they are talking to, and where their money comes from and goes to" in one company's hands.
The help page sentence has never been just technical instructions.
Parse Noise's newly launched Beta version, how to "on-chain" this heat?
Is Lobster a Thing of the Past? Unpacking the Hermes Agent Tools that Supercharge Your Throughput to 100x
Declare War on AI? The Doomsday Narrative Behind Ultraman's Residence in Flames
Crypto VCs Are Dead? The Market Extinction Cycle Has Begun
Claude's Journey to Foolishness in Diagrams: The Cost of Thriftiness, or How API Bill Increased 100-Fold
Edge Land Regress: A Rehash Around Maritime Power, Energy, and the Dollar
Arthur Hayes Latest Interview: How Should Retail Investors Navigate the Iran Conflict?
Just now, Sam Altman was attacked again, this time by gunfire
Straits Blockade, Stablecoin Recap | Rewire News Morning Edition
From High Expectations to Controversial Turnaround, Genius Airdrop Triggers Community Backlash
The Xiaomi electric vehicle factory in Beijing's Daxing district has become the new Jerusalem for the American elite
Lean Harness, Fat Skill: The Real Source of 100x AI Productivity
Ultraman is not afraid of his mansion being attacked; he has a fortress.
US-Iran Negotiations Collapse, Bitcoin Faces Battle to Defend $70,000 Level
Soaring 50 times, with an FDV exceeding 10 billion USD, why RaveDAO?
1 billion DOTs were minted out of thin air, but the hacker only made 230,000 dollars
After the blockade of the Strait of Hormuz, when will the war end?
Before using Musk's "Western WeChat" X Chat, you need to understand these three questions
The X Chat will be available for download on the App Store this Friday. The media has already covered the feature list, including self-destructing messages, screenshot prevention, 481-person group chats, Grok integration, and registration without a phone number, positioning it as the "Western WeChat." However, there are three questions that have hardly been addressed in any reports.
There is a sentence on X's official help page that is still hanging there: "If malicious insiders or X itself cause encrypted conversations to be exposed through legal processes, both the sender and receiver will be completely unaware."
No. The difference lies in where the keys are stored.
In Signal's end-to-end encryption, the keys never leave your device. X, the court, or any external party does not hold your keys. Signal's servers have nothing to decrypt your messages; even if they were subpoenaed, they could only provide registration timestamps and last connection times, as evidenced by past subpoena records.
X Chat uses the Juicebox protocol. This solution divides the key into three parts, each stored on three servers operated by X. When recovering the key with a PIN code, the system retrieves these three shards from X's servers and recombines them. No matter how complex the PIN code is, X is the actual custodian of the key, not the user.
This is the technical background of the "help page sentence": because the key is on X's servers, X has the ability to respond to legal processes without the user's knowledge. Signal does not have this capability, not because of policy, but because it simply does not have the key.
The following illustration compares the security mechanisms of Signal, WhatsApp, Telegram, and X Chat along six dimensions. X Chat is the only one of the four where the platform holds the key and the only one without Forward Secrecy.
The significance of Forward Secrecy is that even if a key is compromised at a certain point in time, historical messages cannot be decrypted because each message has a unique key. Signal's Double Ratchet protocol automatically updates the key after each message, a mechanism lacking in X Chat.
After analyzing the X Chat architecture in June 2025, Johns Hopkins University cryptology professor Matthew Green commented, "If we judge XChat as an end-to-end encryption scheme, this seems like a pretty game-over type of vulnerability." He later added, "I would not trust this any more than I trust current unencrypted DMs."
From a September 2025 TechCrunch report to being live in April 2026, this architecture saw no changes.
In a February 9, 2026 tweet, Musk pledged to undergo rigorous security tests of X Chat before its launch on X Chat and to open source all the code.
As of the April 17 launch date, no independent third-party audit has been completed, there is no official code repository on GitHub, the App Store's privacy label reveals X Chat collects five or more categories of data including location, contact info, and search history, directly contradicting the marketing claim of "No Ads, No Trackers."
Not continuous monitoring, but a clear access point.
For every message on X Chat, users can long-press and select "Ask Grok." When this button is clicked, the message is delivered to Grok in plaintext, transitioning from encrypted to unencrypted at this stage.
This design is not a vulnerability but a feature. However, X Chat's privacy policy does not state whether this plaintext data will be used for Grok's model training or if Grok will store this conversation content. By actively clicking "Ask Grok," users are voluntarily removing the encryption protection of that message.
There is also a structural issue: How quickly will this button shift from an "optional feature" to a "default habit"? The higher the quality of Grok's replies, the more frequently users will rely on it, leading to an increase in the proportion of messages flowing out of encryption protection. The actual encryption strength of X Chat, in the long run, depends not only on the design of the Juicebox protocol but also on the frequency of user clicks on "Ask Grok."
X Chat's initial release only supports iOS, with the Android version simply stating "coming soon" without a timeline.
In the global smartphone market, Android holds about 73%, while iOS holds about 27% (IDC/Statista, 2025). Of WhatsApp's 3.14 billion monthly active users, 73% are on Android (according to Demand Sage). In India, WhatsApp covers 854 million users, with over 95% Android penetration. In Brazil, there are 148 million users, with 81% on Android, and in Indonesia, there are 112 million users, with 87% on Android.
WhatsApp's dominance in the global communication market is built on Android. Signal, with a monthly active user base of around 85 million, also relies mainly on privacy-conscious users in Android-dominant countries.
X Chat circumvented this battlefield, with two possible interpretations. One is technical debt; X Chat is built with Rust, and achieving cross-platform support is not easy, so prioritizing iOS may be an engineering constraint. The other is a strategic choice; with iOS holding a market share of nearly 55% in the U.S., X's core user base being in the U.S., prioritizing iOS means focusing on their core user base rather than engaging in direct competition with Android-dominated emerging markets and WhatsApp.
These two interpretations are not mutually exclusive, leading to the same result: X Chat's debut saw it willingly forfeit 73% of the global smartphone user base.
This matter has been described by some: X Chat, along with X Money and Grok, forms a trifecta creating a closed-loop data system parallel to the existing infrastructure, similar in concept to the WeChat ecosystem. This assessment is not new, but with X Chat's launch, it's worth revisiting the schematic.
X Chat generates communication metadata, including information on who is talking to whom, for how long, and how frequently. This data flows into X's identity system. Part of the message content goes through the Ask Grok feature and enters Grok's processing chain. Financial transactions are handled by X Money: external public testing was completed in March, opening to the public in April, enabling fiat peer-to-peer transfers via Visa Direct. A senior Fireblocks executive confirmed plans for cryptocurrency payments to go live by the end of the year, holding money transmitter licenses in over 40 U.S. states currently.
Every WeChat feature operates within China's regulatory framework. Musk's system operates within Western regulatory frameworks, but he also serves as the head of the Department of Government Efficiency (DOGE). This is not a WeChat replica; it is a reenactment of the same logic under different political conditions.
The difference is that WeChat has never explicitly claimed to be "end-to-end encrypted" on its main interface, whereas X Chat does. "End-to-end encryption" in user perception means that no one, not even the platform, can see your messages. X Chat's architectural design does not meet this user expectation, but it uses this term.
X Chat consolidates the three data lines of "who this person is, who they are talking to, and where their money comes from and goes to" in one company's hands.
The help page sentence has never been just technical instructions.
App