The explosion of the digital economy and the widespread adoption of digital assets have led to a new era of financial crime. In the period 2025-2026, as blockchain's technical security layers such as transmission encryption or ledger immutability become stronger than ever, attackers have shifted their targets to the weakest link in the security chain: humans.
Social engineering attacks are no longer rudimentary phishing attempts but have evolved into a sophisticated criminal industry. According to observations from the team of experts at Tan Phat Digital, these campaigns now seamlessly combine deep behavioral psychology with leading-edge technologies such as artificial intelligence (AI) and Deepfake. This report details manipulation methods, the economic reality of cybercrime, and defense solutions in today's volatile cybersecurity landscape.
The economic picture and current state of global cryptocurrency crime
Data from leading on-chain analytics organizations shows that 2025 was a record year for illicit money flows in the cryptocurrency ecosystem. This increase not only reflects the size of the market but also shows the marked professionalization of transnational criminal organizations.
Below are the main financial indicators and trends of cybercrime in 2025 compiled by Tan Phat Digital:
Total illicit on-chain cash flow: About 154 - 158 billion USD, growth of 145% to 162% compared to 2024. This is a record high for the past 5 years.
Losses from scams: Ranging from 14 to 17 billion USD, an increase of about 17% - 41%, driven mainly by the use of AI.
Social Engineering rate: Accounted for 40.8% of all incidents, becoming the most dominant attack vector in 2025.
Impersonation Fraud: Recorded a staggering growth of up to 1400%, showing the explosion of impersonation of reputable organizations.
Stablecoin share of illicit volume: Up to 84% of total illicit transaction volume, showing that stablecoins are the preferred tool of criminals.
Average value per scam: Reached 2,764 USD, an increase of 253%, demonstrating that hackers are focusing on higher value targets.
This shift in attack methods shows that hackers are gradually moving away from exploiting pure source code errors to focus on manipulating human needs. Cybersecurity experts emphasize that the damage from these scams is often much greater than from technical errors because they directly target the victim's control of their wallet and their most sensitive security information.
Psychological manipulation mechanism: Greed and the rise of Deepfake
Social Engineering is the art of tricking users into voluntarily performing actions that harm themselves. The most effective way to do this is to exploit greed with the help of artificial intelligence technology. In 2025, AI became the core of large-scale phishing campaigns.
Hackers use Deepfake technology to create fake videos or audio clips of influential figures such as Elon Musk, Vitalik Buterin or exchange CEOs. A common scenario is that victims are asked to send a small amount of cryptocurrency to a wallet address for "verification" and are promised double or triple that in return. However, the reality is that as soon as the money is sent, the victim will lose all assets.
Detecting deepfakes in 2026 has become more difficult, but users can watch for the following signs:
Eye movements: AI often struggles to simulate natural, random biological rhythms, so characters blink too little or in an unusually mechanical rhythm.
Lip-sync: Sound and image are often slightly out of sync, especially on difficult consonants such as m, f, th, because of the complexity of lip muscle movements.
Lighting and shadows: AI rendering models often create shadows that do not perfectly match the ambient light sources in the video.
Audio quality: Voices are often too "smooth", lacking natural expressive nuances such as breathing sounds, or have a slight metallic sound.
Image and object edges: Blurring or slight distortion appears when the character turns their head quickly or an object covers their face.
Hackers also use psychological effects such as countdown timers or fake notifications about the number of people who have received gifts to create fear of missing out (FOMO), causing victims to lose their ability to make logical judgments.
Fear and urgency: Phishing and wallet attack campaigns
If greed is the lever used against newcomers, fear is the weapon aimed at experienced users. Phishing is still the most popular form. Current campaigns often impersonate reputable platforms such as MetaMask, Binance or Ledger to send urgent notifications about compromised accounts or to request security updates.
The phishing process often takes place in 3 sophisticated steps:
Human verification: Asking the victim to complete a CAPTCHA on the fake page to create a feeling of safety and professionalism.
Fake message: Displays statuses like "Encrypting connection" to reinforce confidence that the user is on a secure site.
Seed Phrase Hijack: This is the final step, in which the site asks the user to enter the 12 or 24 recovery words for "verification". As soon as the information is entered, the hacker takes control of the wallet and drains the assets.
A notable event in early 2026 was a data leak from a Ledger partner, which led to personalized Spear Phishing attacks; hackers even sent fake hardware wallet devices to victims' homes.
Building fake trust: "Pig Butchering" tactic and total transformation demand
"Pig Butchering" is a form of long-term fraud that causes the heaviest losses. Hackers build emotional relationships or friendships with victims for months before luring them onto fake investment platforms.
The criminals' "fattening" mechanism:
Approach: Use polished personal profiles on dating apps like Tinder and Bumble, or on LinkedIn.
Build relationships: Share thoughts and build absolute trust without mentioning money at the beginning.
Investment suggestion: "Accidentally" boast of profits from a crypto platform and offer to guide the victim to participate with a small amount of capital.
Profit manipulation: The victim sees fictitious asset growth on the fake app and is even allowed to withdraw small amounts of money the first few times to reinforce their belief.
The final blow: When the victim deposits a large amount of money, the platform locks the account for "tax payment" or "violation" reasons, then the scammer disappears.
Tech support impersonation and intrusions into Discord, Telegram
Discord and Telegram are support impersonation hotspots. Hackers often monitor users' questions in community groups and proactively send private messages (DMs) in the name of "Admin".
Common tricks:
Wallet Sync: Users are asked to visit a third-party website to "synchronize wallet" in order to fix an error; in reality the site collects the Seed Phrase.
Zoom call impersonation: Project managers are invited to meetings and asked to download "security plugins" that contain Trojan malware, which takes control of their computers.
The data breach at Coinbase in mid-2025 is an example, when support staff were bribed to provide user information for hackers to make extremely convincing impersonation calls.
Ice Phishing attack: Permission-level phishing
Ice Phishing is a form of tricking users into signing an authorization transaction (approval) instead of handing over a private key. As a result, the victim does not feel that their security information is being compromised.
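To make the approval mechanism concrete, here is an added example (not from the original article or from any wallet's code) that decodes the calldata of a transaction a wallet is asked to sign and flags approval-type calls before signing. The three function selectors are the standard ERC-20/ERC-721 ones; the addresses, the allowlist and the sample calldata are constructed for illustration.

```python
# Added example: decode calldata a wallet is asked to sign and flag
# approval-type calls. Addresses and the allowlist are constructed samples.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
UNLIMITED_THRESHOLD = 1 << 255  # amounts this large are effectively "unlimited"


def inspect_calldata(data_hex, trusted_spenders=()):
    """Return (signature, spender, value, warnings), or None if not an approval."""
    data = data_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    signature = SELECTORS.get(data[:8])
    if signature is None:
        return None
    args = data[8:]
    if len(args) < 128:
        raise ValueError("calldata too short for two 32-byte arguments")
    # ABI encoding: each argument is a 32-byte word; an address is its low 20 bytes.
    spender = "0x" + args[24:64]
    value = int(args[64:128], 16)
    warnings = []
    if signature.startswith("setApprovalForAll"):
        if value:  # bool true: the operator may move every token in the collection
            warnings.append("grants operator control of the whole collection")
    elif value >= UNLIMITED_THRESHOLD:
        warnings.append("unlimited token allowance")
    elif value > 0:
        warnings.append("token allowance granted")
    # A zero value is a revocation, so the spender check only applies to grants.
    if value and spender not in {s.lower() for s in trusted_spenders}:
        warnings.append("spender is not on the allowlist")
    return signature, spender, value, warnings


# Constructed sample: approve(spender, 2**256 - 1) to an unknown address.
SAMPLE_SPENDER = "0x" + "ab" * 20
SAMPLE_APPROVE = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32
# Constructed sample: a plain transfer(address,uint256), which grants nothing.
SAMPLE_TRANSFER = "0xa9059cbb" + "00" * 12 + "cd" * 20 + "00" * 31 + "01"

if __name__ == "__main__":
    for sample in (SAMPLE_APPROVE, SAMPLE_TRANSFER):
        print(inspect_calldata(sample))
```

An approval with a zero amount returns no warnings, which is the same call a revocation tool submits to cancel an earlier grant.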
According to analysis from Tan Phat Digital, Vietnam is a key target due to the high rate of crypto ownership but uneven security knowledge.
Popular forms in Vietnam:
Fake P2P payment proof using AI: Buyers create images of fake bank receipts to pressure sellers into releasing coins on exchanges.
SMS Brandname and Smishing: Fake broadcast stations are used to send messages impersonating banks/exchanges into the real message stream on the victim's phone.
Reputation building scam: Fraudsters conduct many small, reliable transactions in a Telegram group to build "Reputation" before committing a large scam.
Multi-layer defense strategy and security tools 2026
To protect assets, users need to establish a Zero Trust process and use modern support tools:
Personal security rules:
Never share your Seed Phrase: No official support channel requires this phrase.
Multi-channel authentication: Always call directly to confirm if you receive a money transfer request from someone you know via text message.
Using a Hardware Wallet: Separate large assets into cold wallets and only keep a small amount in hot wallets for daily transactions.
Tool system recommended by Tan Phat Digital:
Revoke.cash: Check and revoke unnecessary token approval permissions to prevent Ice Phishing.
GoPlus Security: Scan Smart Contracts for malicious code and detect Honeypot traps before interacting.
MetaMask Transaction Shield: Risk warning service and insurance for transaction incidents.
Kerberus Sentinel3: Browser extension that helps block 99.9% of phishing websites and warns about impostor accounts on X/Telegram.
10 Frequently Asked Questions (FAQs) about Social Engineering Crypto
1. Where should I store my recovery phrase (Seed Phrase) to be absolutely safe? Answer: You should store it completely offline, for example by writing it down on paper or using heat-resistant metal cards. Never photograph it, save it in the cloud or email it, because those are the top targets of malicious code.
2. How to recognize a celebrity's giveaway video as Deepfake? Answer: Carefully observe the blinking rhythm (AI often blinks mechanically), the synchronization between lips and sound, and whether the lighting on the face matches the surrounding environment. Also, if it asks you to deposit money in advance to get more in return, it's definitely a scam.
3. Why is the "Pig Butchering" scam difficult to prevent? Answer: Because hackers spend a lot of time (from several weeks to several months) building affection and trust, causing the victim to let down their guard before the investment invitation is made.
4. How is Ice Phishing different from traditional Phishing? Answer: Traditional Phishing aims to obtain private keys, while Ice Phishing tricks you into signing an authorization transaction (approval) that allows hackers to withdraw money without knowing your password.
5. Can I get my money back after being scammed? Answer: It is difficult because of the anonymous and irreversible nature of blockchain. However, you should immediately report to the exchange and the authorities to have a chance of freezing the assets if hackers move them to centralized exchanges.
6. Why do hackers impersonate support staff on Telegram/Discord? Answer: Because this is where users often publicize wallet problems; hackers impersonate Admins and offer "help" to trick them into handing over 2FA codes or the Seed Phrase.
7. Does a cold wallet (Hardware Wallet) protect me from psychological manipulation scams? Answer: Not entirely. Cold wallets protect private keys from online attackers, but if you are manipulated into personally signing a malicious transaction or sending the money yourself, the assets will still be lost.
8. What is the best tool to check the safety of a new Token? Answer: You can use GoPlus Security, Honeypot.is or Token Sniffer to detect no-sale traps or malicious code in contracts.
9. How did the $1.5 billion Bybit hack in 2025 happen? Answer: Hackers (believed to be from North Korea) took advantage of a vulnerability in the process of transferring money from cold wallets to warm wallets of the exchange to appropriate a large amount of Ethereum.
10. What security toolkit does Tan Phat Digital recommend for 2026? Answer: A multi-layered solution including: hardware wallet (Ledger/Trezor), browser extension (Kerberus Sentinel3 or Wallet Guard) and routine approval checks via Revoke.cash.
Social Engineering has become a fierce front, where the line between digital security and psychological manipulation has been completely blurred. Billions of USD in losses every year show that technical solutions alone are not enough. The future of Web3 security lies in the combination of automated security technology and digital literacy.
Tan Phat Digital recommends that users always maintain a healthy skepticism and perform a regular cross-checking process. In the decentralized world, you are your own bank, and alertness is the strongest shield to protect your assets from sophisticated traps.