
Where do hacked crypto wallets usually come from? 7 common causes

January 23, 2026 · #Blockchain

A detailed report on the state of digital asset security in 2026: an analysis of the weaknesses being exploited and defensive guidance from Tan Phat Digital for protecting investors against attacks that use AI, with a look ahead at the quantum computing risk.


The rapid growth of the blockchain economy in 2025-2026 has created unprecedented investment opportunities, but it has also made the ecosystem a prime target for international cybercrime. According to Tan Phat Digital's observations, the statistics are alarming: the total value of digital assets lost to illicit activity has reached a record, reflecting both the professionalization of hacker groups and the rise of attack techniques built on artificial intelligence (AI). To understand why crypto wallets get hacked, both flaws in technical processes and weaknesses in human psychology must be considered.

The 2026 security landscape is shaped by the confrontation between increasingly capable defenses and organized crime networks, including state-sponsored groups such as North Korea's Lazarus. Tan Phat Digital's analysis shows that while the number of attacks may have fallen slightly, the loss per incident has risen sharply, indicating a shift towards high-value, highly liquid targets.

Typical Blockchain Security Indicators (Period 2024 - 2025)

  • Total losses from hacks: rose from about 2.01 billion USD (2024) to 3.35 billion USD (2025), an increase of 66.6%.

  • Value received by illicit addresses: jumped from 57.2 billion USD to 154.0 billion USD, an increase of 169.2%.

  • Losses attributed to North Korean hacker groups: rose from 1.33 billion USD to 2.02 billion USD, an increase of 51.8%; measured against the 3.35 billion USD total, that is roughly 60% of all hack losses in 2025.

  • Share of losses caused by private key compromise: rose from 15.0% to 23.3% of the total value lost, showing that weaknesses in how users manage their keys are becoming increasingly serious.

See more: Is blockchain safe? Blockchain Security Analysis 2026

1. Phishing: the dominance of a new generation of phishing attacks

Phishing is no longer a matter of clumsy emails and obviously fake websites. In 2026 phishing has become an AI-optimized industry; at its peak it accounted for 93.5% of all funds stolen from individual users. Attackers use large language models to write personalized lures, so that victims can no longer easily tell a genuine exchange message from a trap.

Phishing-as-a-Service (PhaaS) and the role of AI

Modern tooling platforms have lowered the barrier to entry for cybercriminals. They sell "phishing for beginners" kits containing hundreds of fake website templates that automatically adapt their layout to the victim's device and evade browser detection mechanisms.

With AI integrated, impersonation scams grew 1,400% compared to 2024. AI lets attackers analyze a victim's on-chain transaction history and deliver "just-in-time" messages, for example a request to re-validate a pending transaction or the announcement of an airdrop reserved for holders of a specific token. As a result, AI-enabled scams extract funds 4.5 times more efficiently than traditional methods.

Address Poisoning Technique

One reason crypto wallets get hacked in 2026 is carelessness when checking transaction addresses. Address poisoning exploits the habit of copying an address from the wallet's transaction history instead of from a verified source.

  • Characteristics of traditional phishing: the goal is to steal the seed phrase or private key through fake websites, email or SMS. The best defense is simple: never enter the secret key or recovery phrase into any interface.

  • Characteristics of address poisoning: the goal is to trick the user into sending funds to the wrong address. The attacker generates a vanity address whose first and last few characters match a real counterparty, then sends zero-value or dust transactions on chain so that the look-alike appears in the victim's history. Wallets and explorers display exactly those leading and trailing characters, so a quick glance is not enough; compare the full address character by character, or send only to entries in a verified address book.
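As an added example (not part of the original post), the following Python script implements the check the bullet above calls for. Instead of trusting the prefix and suffix a wallet displays, it flags every counterparty in a transaction history that mimics a saved address and only allows a send when the destination matches a saved address in every character. The function names, the addresses and the sample history are constructed for illustration and are not real wallets.

```python
"""Detect address-poisoning look-alikes in a wallet's transaction history.

Added example, not code from the original post. The addresses and the
history below are constructed for illustration and are not real wallets.
"""
from dataclasses import dataclass

HEX = set("0123456789abcdef")


def normalize(addr: str) -> str:
    """Lower-case a 0x-prefixed 20-byte EVM address, or raise on malformed input."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42 and set(a[2:]) <= HEX):
        raise ValueError(f"not a well-formed EVM address: {addr!r}")
    return a


@dataclass(frozen=True)
class Transfer:
    counterparty: str   # the other party in the transfer
    value_wei: int      # 0 for the zero-value transfers that poisoning relies on
    outgoing: bool      # True when we were the sender


def looks_like(candidate: str, trusted: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when candidate shares the first `prefix` and last `suffix` hex
    characters with `trusted` but is a different address: the signature of a
    vanity-generated clone. Wallets and explorers display exactly these
    characters, so they are all a victim's eye normally compares."""
    c, t = normalize(candidate), normalize(trusted)
    if c == t:
        return False
    return c[2:2 + prefix] == t[2:2 + prefix] and c[-suffix:] == t[-suffix:]


def find_poisoned(history, address_book):
    """Return the set of counterparties in `history` that mimic an address-book entry."""
    return {
        normalize(tx.counterparty)
        for tx in history
        for saved in address_book
        if looks_like(tx.counterparty, saved)
    }


def safe_to_send(dest: str, address_book) -> bool:
    """Allow a destination only if it equals a saved address in every character."""
    d = normalize(dest)
    return any(d == normalize(saved) for saved in address_book)


# Constructed data: a saved address, a clone sharing its first/last 4 hex chars,
# and an unrelated address.
SAVED = "0x1a2b3c4d5e6f708192a3b4c5d6e7f80912345678"
CLONE = "0x1a2b" + "0" * 32 + "5678"
OTHER = "0x9999999999999999999999999999999999999999"

HISTORY = [
    Transfer(SAVED, 10**18, outgoing=True),      # our genuine earlier payment
    Transfer(CLONE, 0, outgoing=False),          # attacker's zero-value "poison"
    Transfer(OTHER, 5 * 10**17, outgoing=False),
]

if __name__ == "__main__":
    print("look-alikes in history:", find_poisoned(HISTORY, [SAVED]))
    print("send to CLONE allowed? ", safe_to_send(CLONE, [SAVED]))
    print("send to SAVED allowed? ", safe_to_send(SAVED, [SAVED]))
```

The prefix and suffix lengths are parameters because different wallets truncate differently; a practitioner should set them to whatever the wallet in use actually shows.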

See more: What is private key and passphrase in the wallet? Instructions for self-management of digital assets

2. Smart Contract and Platform Infrastructure Vulnerabilities

Although phishing claims the most victims, flaws in smart contract code and in centralized exchange (CeFi) infrastructure cause the largest financial losses. In 2025 attackers moved from exploiting simple logic errors to multi-stage attacks aimed at the liquidity "bottlenecks" of the ecosystem.

Bybit disaster and risks from centralized infrastructure

The attack on the Bybit exchange in February 2025 shows that even the largest platforms are vulnerable. With losses of roughly 1.5 billion USD, it was the largest hack in blockchain history up to that point. The attackers did not break the cold wallet's cryptography; they compromised the signing workflow around it, so that the exchange's own authorized signers approved a malicious transaction. Such an outcome is hard to achieve without insider involvement, a supply-chain compromise, or a serious failure in key management procedures.

The incident underlines that vulnerabilities lie not only in code but also in human operating procedures. APT groups routinely target employees with high-privilege access through months-long social engineering campaigns in order to gain control of the devices used to sign transactions.

Typical attacks in 2025 - 2026

  • Bybit exchange (February 2025): 1.46 billion USD lost. Cause: cold wallet compromise via a supply-chain intrusion.

  • Cetus Protocol (May 2025): 230 million USD lost. Cause: contract logic error on the Sui network.

  • Balancer (November 2025): 100 million USD lost. Cause: precision loss in pool calculations.

  • Phemex (January 2025): 69.1 million USD lost. Cause: attack on the hot wallet system.

  • Truebit (January 2026): 26.4 million USD lost. Cause: integer overflow in the contract.

3. Leaking and insecure Private Key storage

Most answers to the question of why crypto wallets get hacked come back to one root cause: failure to protect the private key and the Secret Recovery Phrase. In 2025, more than 80% of the value lost on blockchains was attributed to compromised private keys or to malicious signatures (a broader category than the key-leak share in the indicators above, since it also counts users and operators who signed a transaction they did not understand).

Mistakes in digital asset management

Users routinely make basic but fatal storage mistakes that Tan Phat Digital warns about:

  • Cloud storage: photographing the seed phrase and keeping the image in Google Photos or iCloud, or sending it in a chat message. Modern infostealers automatically scan image files and documents for text that looks like a recovery phrase.

  • Hot wallets for large balances: keeping large holdings in a browser wallet with no hardware wallet behind it. A clipboard hijacker on the same machine can swap the pasted destination address for the attacker's, so the user signs a transfer to the wrong recipient.

  • Permit signature abuse (EIP-2612): the attacker tricks the user into signing an off-chain typed-data message that grants a spender an allowance over the user's tokens. The attacker then submits that signature to the token's permit() function and drains the balance with transferFrom(), without ever touching the private key.

4. Social Engineering and Criminal Psychology

As technical defenses become more resilient, criminals have turned to the weakest link: people. Social engineering accounts for 12% of total losses in 2025, but it is the method with the highest success rate against organizational targets.

Tan Phat Digital has documented sophisticated campaigns in which attackers pose as technology recruiters on LinkedIn and get employees to run malware disguised as a technical test. "Pig butchering" scams, which use AI to build trust over weeks or months, also cost individual investors billions of dollars.

5. Risks from Hot Wallets and Third Party Applications

Hot wallets are permanently exposed because they are always connected to the internet. Attacks typically come through browser vulnerabilities or through extensions that carry malicious code, either installed as counterfeits or backdoored through a compromised update.

Common types of technical risks

  • Malware: infection through malicious files or websites, stealing keystore files and logging keystrokes.

  • Browser exploits: vulnerabilities in browsers such as Chrome or Brave are used to hijack the wallet session.

  • Fake extensions: counterfeit wallet extensions in the Chrome Web Store prompt the user for the seed phrase and send it straight to the attacker.

  • Unlimited approvals: granting a smart contract an unlimited token allowance means the tokens can be withdrawn silently later, when the project is hacked or its operators turn malicious.
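As an added example (not code from the original post), the following Python script shows the pre-signing inspection a wallet can run for the two allowance risks described on this page: the unlimited on-chain approval in the bullet above and the off-chain EIP-2612 Permit signature from section 3. It decodes approve(address,uint256) calldata (the selector 0x095ea7b3 is the real ERC-20 one), reads the EIP-712 typed data a dApp passes to eth_signTypedData_v4, and flags an allowance of 2^256-1, an allowance above the balance, an unknown spender, and a permit deadline that never expires. The spender addresses, the "trusted router" allowlist, the calldata and the typed data are all constructed for illustration.

```python
"""Inspect an ERC-20 approve() call and an EIP-2612 Permit signature request
before signing, flagging unlimited allowances and unknown spenders.

Added example, not code from the original post. The calldata, typed data,
spender addresses and the allowlist below are constructed for illustration.
"""

MAX_UINT256 = 2**256 - 1
APPROVE_SELECTOR = "095ea7b3"      # first 4 bytes of keccak256("approve(address,uint256)")
ONE_WEEK = 7 * 24 * 3600


def decode_approve(calldata: str):
    """Return (spender, amount) from approve(address,uint256) calldata, or None."""
    data = calldata.lower().removeprefix("0x")
    if data[:8] != APPROVE_SELECTOR or len(data) != 8 + 2 * 64:
        return None
    # ABI words are 32 bytes; an address is right-aligned in its word.
    spender = "0x" + data[8 + 24:8 + 64]
    amount = int(data[8 + 64:8 + 128], 16)
    return spender, amount


def assess_allowance(spender: str, amount: int, trusted_spenders, balance: int):
    """Warnings a wallet should surface before the user grants an allowance."""
    warnings = []
    if amount == MAX_UINT256:
        warnings.append("UNLIMITED_ALLOWANCE")
    elif amount > balance:
        warnings.append("ALLOWANCE_EXCEEDS_BALANCE")
    if spender.lower() not in {s.lower() for s in trusted_spenders}:
        warnings.append("UNKNOWN_SPENDER")
    return warnings


def assess_permit(typed_data: dict, trusted_spenders, balance: int, now: int):
    """Same checks for an off-chain EIP-712 Permit (EIP-2612) signature request.
    A drainer typically asks for value = MAX and deadline = MAX, so that the
    single signature stays valid forever."""
    if typed_data.get("primaryType") != "Permit":
        return ["NOT_A_PERMIT"]
    msg = typed_data["message"]
    warnings = assess_allowance(msg["spender"], int(msg["value"]), trusted_spenders, balance)
    deadline = int(msg["deadline"])
    if deadline == MAX_UINT256 or deadline > now + ONE_WEEK:
        warnings.append("DEADLINE_TOO_FAR")
    return warnings


# Constructed sample inputs.
TRUSTED_ROUTER = "0x" + "ab" * 20       # assumed legitimate DEX router
DRAINER = "0x" + "deadbeef" * 5         # attacker-controlled spender
UNLIMITED_CALLDATA = "0x" + APPROVE_SELECTOR + "0" * 24 + DRAINER[2:] + "f" * 64
BOUNDED_CALLDATA = "0x" + APPROVE_SELECTOR + "0" * 24 + TRUSTED_ROUTER[2:] + f"{10**18:064x}"

DRAINER_PERMIT = {
    "primaryType": "Permit",
    "domain": {"name": "ExampleToken", "version": "1", "chainId": 1,
               "verifyingContract": "0x" + "11" * 20},
    "message": {
        "owner": "0x" + "22" * 20,
        "spender": DRAINER,
        "value": str(MAX_UINT256),
        "nonce": "0",
        "deadline": str(MAX_UINT256),
    },
}

if __name__ == "__main__":
    balance, now = 5 * 10**18, 1_767_000_000
    for label, cd in (("unlimited", UNLIMITED_CALLDATA), ("bounded", BOUNDED_CALLDATA)):
        spender, amount = decode_approve(cd)
        print(label, spender, assess_allowance(spender, amount, [TRUSTED_ROUTER], balance))
    print("permit", assess_permit(DRAINER_PERMIT, [TRUSTED_ROUTER], balance, now))
```

The bounded approval to the allowlisted router produces no warnings; the unlimited approval and the drainer's permit each produce several, and a wallet should refuse to sign, or at least require an explicit override, when any appear.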

6. Emerging Attack Patterns in 2025-2026

The digital asset market in 2026 faces both physical violence and increasingly sophisticated attacks on infrastructure:

  • Physical coercion (wrench attacks): a rise in kidnappings and violence used to force victims to transfer funds. Tan Phat Digital recommends not disclosing information about one's holdings.

  • MEV and sandwich attacks: high-speed bots place their own trades immediately before and after a user's large swap, moving the price against the user and pocketing the slippage.

  • DNS and BGP hijacking: attackers take over a large project's domain records or network routes, so users who type the correct address are silently connected to the attacker's server.

7. Risks from Quantum Computing and the Fall of Traditional Cryptography

In 2026, quantum computing is treated as a concrete planning risk rather than a distant hypothetical. Attackers are assumed to be following a "harvest now, decrypt later" strategy: collecting public keys that are already exposed on chain today, so that the corresponding private keys can be recovered, and the funds seized, once a sufficiently large quantum computer exists.

Quantum risk level by Script type

  • P2PK / P2MS: extremely high long-term risk, because the public key itself sits directly in the output on the blockchain.

  • P2TR (Taproot): high risk, because the (tweaked) output public key is exposed in the transaction output rather than hidden behind a hash.

  • P2PKH / SegWit (P2WPKH, P2WSH): medium risk, because only a hash of the key or script is on chain; the public key is revealed only when the output is spent.

  • Address reuse: very high risk, because once an address has been spent from, its public key is permanently on chain, so any funds later sent back to that address are as exposed as a P2PK output.
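As an added example (not code from the original post), the following Python script turns the table above into a check that can be run over a set of transactions. It recognizes the standard Bitcoin scriptPubKey templates by their byte layout, replays a list of transactions to rebuild the UTXO set, and reports for every unspent output whether its public key is already exposed, either because the script type carries the key at rest (P2PK, P2MS, P2TR) or because the same script was spent from before (address reuse). The transactions, hashes and key bytes are constructed dummies, not real outputs.

```python
"""Classify Bitcoin output scripts by whether their public key is already on
chain, and flag address reuse in a small constructed transaction set.

Added example, not code from the original post. The scripts and transactions
below are constructed; the hashes/keys are dummy bytes, not real outputs.
"""
from collections import namedtuple

Tx = namedtuple("Tx", "txid inputs outputs")   # inputs: [(prev_txid, vout)], outputs: [script]

# Script types whose public key is visible while the funds sit unspent.
PUBKEY_VISIBLE_AT_REST = {"P2PK", "P2MS", "P2TR"}


def classify(script: bytes) -> str:
    """Recognise the standard scriptPubKey templates by their byte layout."""
    n = len(script)
    if n == 25 and script[:3] == b"\x76\xa9\x14" and script[-2:] == b"\x88\xac":
        return "P2PKH"      # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and script[:2] == b"\xa9\x14" and script[-1] == 0x87:
        return "P2SH"       # OP_HASH160 <20> OP_EQUAL
    if n == 22 and script[:2] == b"\x00\x14":
        return "P2WPKH"     # OP_0 <20-byte key hash>
    if n == 34 and script[:2] == b"\x00\x20":
        return "P2WSH"      # OP_0 <32-byte script hash>
    if n == 34 and script[:2] == b"\x51\x20":
        return "P2TR"       # OP_1 <32-byte x-only output key>
    if n in (35, 67) and script[0] == n - 2 and script[-1] == 0xAC:
        return "P2PK"       # <33|65-byte pubkey> OP_CHECKSIG
    if n >= 3 and script[-1] == 0xAE and 0x51 <= script[0] <= 0x60 and 0x51 <= script[-2] <= 0x60:
        return "P2MS"       # OP_m <pubkeys> OP_n OP_CHECKMULTISIG
    return "UNKNOWN"


def audit(txs):
    """Replay `txs` in order, keep the UTXO set, and report for each unspent
    output whether its public key is exposed: either the script type reveals
    it at rest, or the same script was already spent from (address reuse),
    which put the key in a scriptSig/witness permanently."""
    utxos = {}           # (txid, vout) -> script
    revealed = set()     # scripts that have appeared in a spend
    for tx in txs:
        for prev in tx.inputs:
            revealed.add(utxos.pop(prev))   # KeyError on an unknown or double-spent input
        for vout, script in enumerate(tx.outputs):
            utxos[(tx.txid, vout)] = script
    report = []
    for outpoint, script in utxos.items():
        kind = classify(script)
        if kind in PUBKEY_VISIBLE_AT_REST:
            reason = "public key in output"
        elif script in revealed:
            reason = "address reuse"
        else:
            reason = None
        report.append((outpoint, kind, reason is not None, reason))
    return report


# Constructed scripts (dummy 0x11.. hashes and 0x33.. key bytes).
P2PKH_A = b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"
P2TR_B = b"\x51\x20" + b"\x22" * 32
P2PK_C = b"\x21\x02" + b"\x33" * 32 + b"\xac"
P2WPKH_D = b"\x00\x14" + b"\x44" * 20

TXS = [
    Tx("a", [], [P2PKH_A, P2TR_B, P2PK_C]),      # funds arrive at three outputs
    Tx("b", [("a", 0)], [P2PKH_A, P2WPKH_D]),    # spends A, then reuses A for change
]

if __name__ == "__main__":
    for outpoint, kind, exposed, reason in audit(TXS):
        print(outpoint, kind, "EXPOSED" if exposed else "hashed only", reason or "")
```

In the constructed set, three of the four remaining outputs are exposed: the Taproot and P2PK outputs by their script type, and the P2PKH change output because the same address was already spent from in the previous transaction. Only the fresh P2WPKH output still hides its key behind a hash.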

8. 10 Typical Case Studies on Crypto Security and Fraud (2025-2026)

To convey how harsh the market is, Tan Phat Digital has compiled 10 cases that illustrate the weaknesses analyzed above:

  1. Bybit (1.46 billion USD, February 2025): the largest Ethereum cold wallet theft in history. Lazarus (North Korea) got in by planting malicious code on the devices used by exchange staff, so that they approved a transfer in the belief that it was a routine internal operation.

  2. AntEx (10,000 billion VND, December 2025): the most shocking scam in Vietnam, involving the stablecoin VNDT. The project allegedly held no real collateral; the token lost 99.9% of its value and tens of thousands of investors lost their money.

  3. Libra Token (251 million USD, 2025): a large-scale rug pull in which the development team abruptly drained the project's liquidity and disappeared, leaving investors with worthless tokens.

  4. Cetus Protocol (230 million USD, May 2025): an attack on the liquidity protocol on the Sui network through a logic error in its source code. Thanks to a timely intervention by validators to freeze the assets, about 162 million USD was recovered.

  5. Balancer (100 million USD, November 2025): attackers exploited precision loss in the stable pools, letting them extract assets from the system at very low cost.

  6. Nobitex (81.7 million USD, 2025): Iran's largest exchange suffered an attack on its infrastructure, with large asset losses and wider concern about cybersecurity in the Middle East.

  7. Phemex (69.1 million USD, January 2025): the attack targeted the exchange's hot wallet system and was attributed to professional hacker groups from North Korea.

  8. BingX (44 million USD, September 2025): another centralized hot wallet hack, accounting for 37% of total exchange losses that month.

  9. Truebit (26.4 million USD, January 2026): an early-2026 hack caused by an integer overflow in the purchase contract, which let the attacker manipulate the price and buy tokens for close to nothing.

  10. Trust Wallet (December 2025): the "Christmas Heist", in which attackers planted a backdoor in the wallet's browser extension and drained users' funds within a few hours.

Comprehensive MetaMask Wallet Security and Testing Guide

To protect assets, Tan Phat Digital recommends the following periodic security checks:

  1. Revoke approvals: use a tool such as Revoke.cash to revoke token allowances granted to applications you no longer use.

  2. Use a hardware wallet: connect MetaMask to a Ledger or Trezor so that private keys never leave the device and every transaction is confirmed on its screen.

  3. Device hygiene: use a separate browser profile dedicated to transactions, and scan for malware regularly.

Rescuing assets from a wallet infected by a sweeper bot

When a wallet's key has leaked and a bot is automatically sweeping its funds, topping up gas manually is pointless: the bot watches the balance and takes the gas the moment it arrives. The only solution, according to Tan Phat Digital's experts, is Flashbots. The gas-funding transaction and the withdrawal transaction are packaged into a single bundle that is sent privately to block builders and included in the same block atomically, so the bot never sees a funded wallet in the public mempool. In practice this requires help from reputable white-hat operators.

Frequently Asked Questions (FAQ) about Crypto Wallet Security 2026

Below are the 10 most common questions, answered by Tan Phat Digital's experts on the basis of the latest security data:

  1. Why are phishing attacks so successful in 2026? Because phishing has been industrialized with AI: criminals generate personalized scripts and convincing fake websites through Phishing-as-a-Service platforms. According to Tan Phat Digital, AI-enabled scams extract funds 4.5 times more efficiently than traditional ones.

  2. What is special about the Bybit hack, and why should investors worry? It is the largest cryptocurrency theft in history, with 1.46 billion USD taken from cold wallets. The alarming part is that the attackers did not break the blockchain or its cryptography; they used social engineering and a compromised signing workflow to get exchange staff to approve the transaction, showing that the human process is the weakest link.

  3. How do I know if my wallet has a "sweeper bot" on it? The clearest sign is that funds just deposited (usually the native token for gas) leave the wallet within seconds to another address. Your private key has been exposed and the attacker is running automated code that watches your balance.

  4. Can I get my money back after it has been taken from my wallet? It is very difficult. Blockchain transactions are irreversible once confirmed, and the asset recovery rate in 2025 was only about 4.2%, because of the complexity of multi-chain laundering networks.

  5. How does address poisoning work? The attacker uses software to generate a "vanity" address with the same first and last characters as your wallet or a regular counterparty, then sends a zero-value transaction to your wallet. The aim is for that fake address to appear in your transaction history so that you copy it by mistake for your next transfer.

  6. How does EIP-7702 affect personal wallet security? EIP-7702 lets an EOA temporarily delegate to smart contract code. If you are phished into signing a malicious authorization, the attacker's code is attached to your account and can drain all of its assets in a single transaction.

  7. Is a cold wallet 100% safe? It is the safest option available today, but it still carries risk if the user signs a malicious transaction or message, or exposes the Secret Recovery Phrase. Risks in the hardware supply chain also need to be considered.

  8. When will quantum computers really threaten Bitcoin? Not immediately, but in 2026 financial institutions have started planning for the risk. An estimated 20-50% of circulating Bitcoin sits in old address types or in reused addresses whose public keys are already exposed, making them the first targets for key recovery by a future quantum computer.

  9. What are physical coercion attacks (wrench attacks)? Crimes that use violence, kidnapping or home invasion to force victims to transfer cryptocurrency directly. The number of physical attacks on crypto investors doubled in 2025.

  10. How has AI changed the face of crypto scams? AI lowers the cost of fraud by automating multilingual content and by using deepfake voice and video to impersonate relatives or support staff. According to Tan Phat Digital, these interactions now look so authentic that victims find it far harder to recognize the risk than before.
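As an added example (not code from the original post), the following Python script shows what a user actually signs in the EIP-7702 authorization discussed in question 6, and the checks a wallet can run before producing that signature. EIP-7702 defines the signed message as keccak256(0x05 || rlp([chain_id, address, nonce])); the script builds that preimage with a small RLP encoder (the keccak step is omitted because Python's standard library has no keccak256) and then refuses an authorization with chain_id 0 (replayable on every chain), a nonce that does not match the account, or a delegation target outside an allowlist of audited implementations. The delegate addresses, the allowlist and the account state are constructed for illustration.

```python
"""Build and vet an EIP-7702 authorization before signing it.

Added example, not code from the original post. The delegate addresses,
allowlist and account state below are constructed for illustration.
"""
from dataclasses import dataclass

EIP7702_MAGIC = b"\x05"


def _length_prefix(length: int, offset: int) -> bytes:
    """RLP length prefix: short form up to 55 bytes, long form otherwise."""
    if length <= 55:
        return bytes([offset + length])
    len_bytes = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(len_bytes)]) + len_bytes


def rlp_encode(item) -> bytes:
    """Minimal RLP encoder for bytes, non-negative ints and nested lists."""
    if isinstance(item, int):
        item = b"" if item == 0 else item.to_bytes((item.bit_length() + 7) // 8, "big")
    if isinstance(item, (bytes, bytearray)):
        if len(item) == 1 and item[0] < 0x80:
            return bytes(item)
        return _length_prefix(len(item), 0x80) + bytes(item)
    payload = b"".join(rlp_encode(x) for x in item)
    return _length_prefix(len(payload), 0xC0) + payload


@dataclass(frozen=True)
class Authorization:
    chain_id: int      # 0 = valid on every chain, a red flag for a user-signed auth
    address: str       # code the EOA will delegate to (0x0 clears the delegation)
    nonce: int         # must equal the signer's current account nonce


def signing_preimage(auth: Authorization) -> bytes:
    """The bytes EIP-7702 hashes: MAGIC || rlp([chain_id, address, nonce]).
    The keccak256 step is left out here; the wallet signs keccak256 of this."""
    return EIP7702_MAGIC + rlp_encode([auth.chain_id, bytes.fromhex(auth.address[2:]), auth.nonce])


def vet_authorization(auth: Authorization, wallet_chain_id: int, account_nonce: int, allowlist):
    """Reasons to refuse the signature; an empty list means it passed."""
    problems = []
    if auth.chain_id == 0:
        problems.append("CHAIN_ID_ZERO_REPLAYABLE_ON_ANY_CHAIN")
    elif auth.chain_id != wallet_chain_id:
        problems.append("CHAIN_ID_MISMATCH")
    if auth.nonce != account_nonce:
        problems.append("NONCE_MISMATCH")
    target = auth.address.lower()
    if target != "0x" + "00" * 20 and target not in {a.lower() for a in allowlist}:
        problems.append("DELEGATE_NOT_ALLOWLISTED")
    return problems


# Constructed sample data.
AUDITED_DELEGATE = "0x" + "aa" * 20     # assumed audited smart-account implementation
PHISHED_DELEGATE = "0x" + "bad0" * 10   # attacker's drainer contract
ALLOWLIST = [AUDITED_DELEGATE]

if __name__ == "__main__":
    good = Authorization(chain_id=1, address=AUDITED_DELEGATE, nonce=7)
    bad = Authorization(chain_id=0, address=PHISHED_DELEGATE, nonce=7)
    print("preimage:", signing_preimage(good).hex())
    print("good:", vet_authorization(good, 1, 7, ALLOWLIST))
    print("bad: ", vet_authorization(bad, 1, 7, ALLOWLIST))
```

The point of showing the preimage is that a 7702 authorization is tiny and opaque: nothing in it says "drain my account", only a chain id, a 20-byte address and a nonce, which is why a wallet must resolve the address against a known-good list rather than rely on the user recognizing it.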

The 2026 Crypto Wallet Security Study shows that security is no longer a static state but a continuous process. The five golden principles that Tan Phat Digital always emphasizes are: responsible self-custody (store seed phrases offline), multi-layer authentication (hardware wallet and multisig), wariness of AI (beware of deepfakes), on-chain hygiene (revoke permissions regularly), and preparation for the quantum era (do not reuse addresses).

In the volatile Web3 world, the safety of your assets depends entirely on your own vigilance and knowledge.
