A major trading platform has been hit by a large-scale wave of social engineering scams, with losses exceeding $45 million.

The "customer service" in the dark forest: when social engineering scams target Coinbase users

Recently, social engineering attacks against crypto-asset holders have become a major threat to the security of user funds. Since the start of 2025, social engineering fraud targeting users of a well-known trading platform has occurred repeatedly and drawn wide attention in the community. These incidents are not isolated cases but a type of scam with persistent, organized characteristics.

On May 15, the platform issued a statement confirming the widespread speculation that "insiders" were involved. The U.S. Department of Justice is reported to have opened an investigation into the data leak.

Drawing on information provided by multiple security researchers and victims, this article lays out the scammers' main methods and then, from the perspective of both the platform and its users, discusses how to respond effectively to this kind of scam.


Historical Analysis

On May 7, blockchain investigator Zach stated in a social media post that more than $45 million had been stolen from users of the platform through social engineering scams in the past week alone.

Over the past year Zach has repeatedly disclosed thefts from users of the platform, with individual victims losing as much as tens of millions of dollars. In February 2025 he published a detailed investigation stating that, between December 2024 and January 2025, funds stolen through similar scams exceeded $65 million, and that the platform was facing a serious "social engineering scam" crisis in which such attacks threaten user assets at a rate of roughly $300 million a year. He also pointed out:

  • The groups behind this type of scam fall into two main categories: low-level attackers from the "Com" community, and cybercrime organizations based in India;
  • The gangs focus mainly on U.S. users, with standardized methods and mature, scripted playbooks;
  • The real losses are probably far higher than what is visible on-chain, since the on-chain figures exclude undisclosed sources such as inaccessible customer-service tickets and police reports.


Scam techniques

In this incident, the platform's technical systems were not breached. Instead, the scammers abused the access of internal employees to obtain some users' sensitive information, including names, addresses, contact details, account data and ID photos. Their ultimate goal was to use social engineering to talk users into transferring funds themselves.

This type of attack has moved away from traditional mass phishing toward "precision strikes": social engineering scams tailored to the individual victim. A typical modus operandi is as follows:

1. Contact users as "official customer service"

Fraudsters use spoofed telephone systems to impersonate platform customer service, calling users to claim that their "account has had an unauthorized login" or that "withdrawal anomalies have been detected", creating a sense of urgency. They then send convincing phishing emails or text messages containing fake ticket numbers or "recovery process" links that direct the user to act. The links may lead to cloned platform interfaces; some emails appear to come from official domains, and some use redirection techniques to slip past security filters.


2. Guide users to download self-custody wallets

Citing "asset protection", fraudsters lead users to move funds to a "safe wallet". They even help the user install a self-custody wallet and walk them through transferring assets held on the platform into the newly created wallet.

3. Inducing users to use a mnemonic phrase supplied by the scammers

Unlike the traditional "scam to steal the mnemonic phrase", here the scammers directly hand over a mnemonic phrase they generated themselves and persuade the user to adopt it as the "official new platform wallet".

4. Funds are stolen

Tense, anxious, and trusting the "customer service" agent, the victim is very likely to fall into the trap: in their eyes, the "officially provided" new wallet is naturally safer than the "possibly hacked" old one. Once the funds land in that new wallet, the scammers, who hold its mnemonic phrase, sweep them out immediately. Not your keys, not your coins: the maxim is brutally confirmed once again in a social engineering attack.

In addition, some phishing emails claim that "because of a class-action ruling, the platform will fully migrate to self-custody wallets" and require users to complete the asset migration by April 1. Under time pressure and the psychological cue of "official instructions", users are more likely to comply.
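As an added example (not from the original article, and not the platform's own tooling), here is a small static check of the kind a mail gateway or a cautious user could apply to the links in such a message: it unwraps redirect-style query parameters without touching the network and compares the landing host with the platform's genuine domain, so that "official-looking" links that bounce to another host, and lookalike domains that merely contain the brand name, are flagged. The domain `exchange.example`, the redirect parameter list, and the sample email are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumption: the platform's genuine domain(s). Replace with the real ones.
OFFICIAL_DOMAINS = {"exchange.example"}

# Query parameters commonly abused to bounce a victim off a trusted host onto
# the phishing page (an "open redirect"). Assumed list; extend as needed.
REDIRECT_PARAMS = ("url", "redirect", "redirect_uri", "next", "return", "target", "dest", "u")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_official(host: str) -> bool:
    """True only for the exact official domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def unwrap_redirects(url: str, max_hops: int = 5) -> str:
    """Statically follow redirect-style query parameters (no network access)."""
    for _ in range(max_hops):
        query = parse_qs(urlparse(url).query)
        nxt = None
        for name in REDIRECT_PARAMS:
            for value in query.get(name, []):
                value = unquote(value)
                if value.startswith(("http://", "https://")):
                    nxt = value
                    break
            if nxt:
                break
        if nxt is None:
            return url
        url = nxt
    return url


def classify_link(url: str) -> dict:
    """Classify one link by where the victim actually lands."""
    first_host = (urlparse(url).hostname or "").lower()
    landing = unwrap_redirects(url)
    landing_host = (urlparse(landing).hostname or "").lower()
    if is_official(landing_host):
        verdict = "official"
    elif is_official(first_host):
        # Trusted-looking link that bounces the victim to an attacker host.
        verdict = "open_redirect"
    elif any(d.split(".")[0] in landing_host for d in OFFICIAL_DOMAINS):
        # Brand name embedded in a host that is not the official domain, e.g.
        # exchange.example.account-migration.net
        verdict = "lookalike"
    else:
        verdict = "external"
    return {"url": url, "landing_host": landing_host, "verdict": verdict}


def triage_message(body: str) -> list:
    """Classify every link in a message body; anything but 'official' is suspect."""
    return [classify_link(u) for u in URL_RE.findall(body)]


# Constructed sample email modelled on the lures described above (not a real message).
SAMPLE_EMAIL = """Ticket #CS-481203: abnormal login detected on your account.
Confirm your identity at https://exchange.example/login
Start the recovery process: https://exchange.example/r?url=https%3A%2F%2Fexchange-example-recovery.net%2Frecover
Migrate to your self-custody wallet before April 1: https://exchange.example.account-migration.net/migrate
Questions? https://support.exchange.example/help
"""

if __name__ == "__main__":
    for result in triage_message(SAMPLE_EMAIL):
        print(f"{result['verdict']:<14} {result['landing_host']:<40} {result['url']}")
```

The check deliberately never fetches the links: following them would tell the sender the address is live and could expose the analyst to the cloned site. A real gateway would add HTTP-level redirect following in a sandbox and a reputation lookup on the landing host.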

According to security researchers, these attacks are typically organized in both planning and execution.

  • Refined scam toolchain: scammers use PBX systems to spoof caller ID and simulate official customer-service calls. For phishing emails, they use bots on social platforms to impersonate official email addresses and attach an "Account Recovery Guide" that walks the victim through the transfer.
  • Precise targeting: the scammers rely on stolen user data bought on social platforms and the dark web, with U.S. users as their main target. They even use artificial intelligence to process the stolen data, splitting and recombining phone numbers into bulk TXT files, then blasting out scam text messages with bulk-sending software.
  • A coherent deception flow: from phone call to text message to email, the scam path is usually seamless. Common phishing lines include "your account has received a withdrawal request", "your password has been reset" and "abnormal login detected on your account", repeatedly pushing the victim through "security verification" until the wallet transfer is complete.


On-chain analysis

Analysis with an on-chain anti-money-laundering and tracing system shows that these scammers have strong on-chain operational capabilities. Key findings:

The attackers target the various assets users hold; the active period of these addresses is concentrated between December 2024 and May 2025. The main targets are BTC and ETH, with BTC currently the primary one: several addresses took in hundreds of BTC at once, and single transactions were worth millions of dollars.

After obtaining the funds, the fraudsters quickly push them through a set laundering process of swaps and transfers. The main patterns:

  • ETH is usually swapped quickly for DAI or USDT on a DEX, then split across multiple fresh addresses, with some of it ending up at centralized platforms.

  • BTC is mainly bridged to Ethereum via cross-chain bridges and then swapped for DAI or USDT to make tracing harder.

Several scam addresses have stayed "dormant" after receiving DAI or USDT and have not moved the funds out.

To avoid your own address interacting with suspicious addresses and thereby risking an asset freeze, users are advised to run a risk check on the counterparty address with an on-chain AML and tracing system before trading.
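To make the pre-trade risk check concrete, here is an added example (not from the original article and not any vendor's tracing system) of the core of such a check: a backward walk over transfer edges that reports how many hops separate a counterparty address from an address already attributed to the scam, together with the path the funds took. The transfer records, address labels, the flagged set and the hop-to-risk thresholds are all constructed assumptions; the transfer shape mirrors the fan-out pattern described above (flagged address, swap to DAI, split to fresh addresses, one leg reaching an exchange deposit address).

```python
from collections import defaultdict, deque

# Constructed sample transfers (sender, receiver, asset, amount). Readable labels
# stand in for real addresses; none of this is real chain data.
TRANSFERS = [
    ("scam_a",   "hop1_a",      "DAI",  400_000),   # fan-out after the ETH->DAI swap
    ("scam_a",   "hop1_b",      "DAI",  350_000),
    ("scam_a",   "hop1_c",      "DAI",  250_000),
    ("hop1_a",   "hop2_a",      "DAI",  400_000),
    ("hop2_a",   "cex_deposit", "DAI",  399_000),   # one leg reaches a centralized platform
    ("merchant", "clean_x",     "USDT",   1_200),   # unrelated, clean activity
    ("clean_x",  "clean_y",     "USDT",     800),
]

# Assumed: addresses already attributed to the scam by investigators / an AML provider.
FLAGGED = {"scam_a"}

# Assumed policy: hop distance from a flagged source -> risk label.
RISK_BY_HOPS = {0: "blocked", 1: "high", 2: "medium"}   # anything further, up to MAX_HOPS, is "low"
MAX_HOPS = 4


def build_incoming(transfers):
    """Map each address to the set of addresses that ever sent it funds."""
    incoming = defaultdict(set)
    for sender, receiver, _asset, _amount in transfers:
        incoming[receiver].add(sender)
    return incoming


def screen_address(addr, transfers=TRANSFERS, flagged=FLAGGED, max_hops=MAX_HOPS):
    """Walk funds backwards from `addr` (BFS over incoming transfers) and return
    the shortest path from a flagged source, or risk 'none' if no source is
    reachable within `max_hops`."""
    incoming = build_incoming(transfers)
    parent = {addr: None}            # child -> the address it forwarded funds to
    queue = deque([(addr, 0)])
    while queue:
        current, depth = queue.popleft()
        if current in flagged:
            # Rebuild the path in flow order: flagged source -> ... -> addr
            path, node = [], current
            while node is not None:
                path.append(node)
                node = parent[node]
            return {"address": addr, "risk": RISK_BY_HOPS.get(depth, "low"),
                    "hops": depth, "path": path}
        if depth >= max_hops:
            continue
        for sender in incoming.get(current, ()):
            if sender not in parent:
                parent[sender] = current
                queue.append((sender, depth + 1))
    return {"address": addr, "risk": "none", "hops": None, "path": []}


if __name__ == "__main__":
    for candidate in ("cex_deposit", "hop1_b", "scam_a", "clean_y"):
        r = screen_address(candidate)
        print(f"{candidate:<12} risk={r['risk']:<8} hops={r['hops']}  path={' -> '.join(r['path'])}")
```

Production tracing systems weight the taint by the share of the received amount that came from flagged sources and treat DEX pools, bridges and exchange hot wallets as special nodes rather than plain hops; the example shows only the hop-distance core that any such check starts from.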


Countermeasures

Platform

Current mainstream security measures are mostly "technical" protections, while social engineering scams bypass these mechanisms and strike directly at users' psychological and behavioral weaknesses. The platform should therefore combine user education, security training and usability design to build a "human-centered" line of defense.

  • Push anti-fraud education regularly: strengthen users' ability to spot phishing through in-app pop-ups, the transaction confirmation screen, email and other channels;
  • Optimize the risk-control model with "interactive abnormal-behavior recognition": most social engineering scams get the user to complete a chain of operations in a short time (transfers, whitelist changes, device binding and so on). The platform should use a behavior-chain model to recognize suspicious combinations (for example "burst of activity + new address + large withdrawal") and trigger a cooling-off period or manual review;
  • Standardize customer-service channels and verification: scammers routinely impersonate customer service. The platform should unify its phone, SMS and email templates and provide a "customer-service verification portal" so that the single official communication channel is unambiguous.
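The behavior-chain idea above is easiest to see as a rule over an account's event stream. The following is an added example (not from the original article, and not the platform's own risk engine) of such a rule: for each withdrawal it looks back over a short window for the signals a coached victim produces (new-device login, credential change, a destination address that was never whitelisted or was whitelisted only moments ago, a large amount, a burst of actions) and decides between allowing, imposing a cooling-off delay, or holding for manual review. The event schema, window, thresholds and the sample log are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    user: str
    ts: datetime
    kind: str                  # login | password_reset | 2fa_change | whitelist_add | withdrawal
    addr: str = ""             # destination for whitelist_add / withdrawal
    amount_usd: float = 0.0    # for withdrawal
    new_device: bool = False   # for login


# Assumed policy knobs (illustrative values, not the platform's real thresholds).
WINDOW = timedelta(minutes=30)      # how far back the behavior chain is inspected
LARGE_USD = 10_000                  # what counts as a "large withdrawal"
BURST_EVENTS = 4                    # "frequent interactions" within WINDOW
COOLING_OFF = timedelta(hours=24)   # delay for withdrawals to unseasoned addresses


def signals_for(w: Event, history) -> set:
    """Collect the risk signals present in the window before withdrawal `w`."""
    own = [e for e in history if e.user == w.user and e.ts < w.ts]
    recent = [e for e in own if e.ts >= w.ts - WINDOW]
    # An address only counts as trusted once it has been whitelisted for longer
    # than the window: a whitelist entry added minutes ago is itself a symptom.
    seasoned = {e.addr for e in own if e.kind == "whitelist_add" and e.ts < w.ts - WINDOW}
    signals = set()
    if any(e.kind == "login" and e.new_device for e in recent):
        signals.add("new_device_login")
    if any(e.kind in ("password_reset", "2fa_change") for e in recent):
        signals.add("credential_change")
    if w.addr not in seasoned:
        signals.add("new_address")
    if w.amount_usd >= LARGE_USD:
        signals.add("large_withdrawal")
    if len(recent) >= BURST_EVENTS:
        signals.add("burst_activity")
    return signals


def decide(w: Event, history) -> dict:
    """Combine the signals into a decision; the chain matters, not any single event."""
    s = signals_for(w, history)
    account_tampering = s & {"new_device_login", "credential_change", "burst_activity"}
    risky_pair = {"new_address", "large_withdrawal"} <= s
    if risky_pair and account_tampering:
        decision, release_at = "hold_for_manual_review", None
    elif "new_address" in s and (risky_pair or account_tampering):
        decision, release_at = "cooling_off", w.ts + COOLING_OFF
    else:
        decision, release_at = "allow", w.ts
    return {"user": w.user, "decision": decision, "signals": sorted(s), "release_at": release_at}


def run_rules(events) -> list:
    """Evaluate every withdrawal in the stream against the full history."""
    return [decide(e, events) for e in events if e.kind == "withdrawal"]


T = datetime(2025, 5, 7, 14, 0)

# Constructed sample event log (not real platform data).
SAMPLE_EVENTS = [
    # alice: the scam chain - coached through a new-device login, password reset,
    # fresh whitelist entry and a large withdrawal within ten minutes
    Event("alice", T - timedelta(days=30), "whitelist_add", addr="addr_W"),
    Event("alice", T, "login", new_device=True),
    Event("alice", T + timedelta(minutes=2), "password_reset"),
    Event("alice", T + timedelta(minutes=5), "whitelist_add", addr="addr_X"),
    Event("alice", T + timedelta(minutes=8), "withdrawal", addr="addr_X", amount_usd=50_000),
    # bob: routine withdrawal to a long-standing whitelisted address
    Event("bob", T - timedelta(days=10), "whitelist_add", addr="addr_Y"),
    Event("bob", T, "withdrawal", addr="addr_Y", amount_usd=200),
    # carol: large withdrawal to a brand-new address, but no account tampering
    Event("carol", T, "withdrawal", addr="addr_Z", amount_usd=25_000),
]

if __name__ == "__main__":
    for r in run_rules(SAMPLE_EVENTS):
        print(f"{r['user']:<6} {r['decision']:<23} signals={r['signals']} release_at={r['release_at']}")
```

The point of the cooling-off branch is that it costs an honest user only a delay, while it gives a coached victim time to get out from under the "customer service" pressure and lets the platform surface an in-app warning before the transfer becomes irreversible.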


Users

  • Isolate identities: avoid reusing the same email address or phone number across platforms so that one leak does not expose every account. Use breach-lookup tools to check regularly whether your email address has appeared in a leak.

  • Enable withdrawal whitelists and withdrawal cooldowns: pre-register trusted addresses so that, in an emergency, funds cannot be sent anywhere else without a delay.

  • Keep up with security news: follow security firms, media and the trading platforms themselves to stay current on attack techniques. Several security organizations are about to launch a Web3 phishing-simulation platform that will simulate typical phishing techniques, including social engineering baiting, signature phishing and malicious contract interaction, and will keep adding scenarios based on real cases. It lets users practice recognizing and responding to attacks in a risk-free environment.

  • Mind offline risk and privacy: leaked personal information can also endanger personal safety.

This is not an overreaction: since the beginning of the year, crypto practitioners and users have faced several incidents threatening their physical safety. Given that the leaked data includes names, addresses, contact details, account data and ID photos, affected users need to stay alert offline as well.

In short: stay skeptical and keep verifying. For any "urgent" operation, ask the other party to prove their identity, verify independently through official channels, and never make an irreversible decision under pressure.


Summary

This incident once again exposes clear weaknesses in the protection of customer data and assets against increasingly sophisticated social engineering. Notably, even staff in roles with no financial permissions can cause serious harm, through careless disclosure or coercion, if they lack sufficient security awareness and capability. As a platform grows, controlling personnel risk becomes more complex and is now one of the hardest risks in the industry to manage. So, alongside stronger on-chain security, the platform must systematically build a "social engineering defense system" that covers internal staff and outsourced services, and fold human risk into its overall security strategy.

Moreover, once an attack turns out not to be an isolated incident but an organized, large-scale and ongoing threat, the platform should respond immediately: investigate potential weaknesses, warn users to take precautions, and contain the damage. Only by addressing both the technical and the organizational level can trust and the bottom line be preserved in an increasingly complex security environment.

Comments
WalletDoomsDayvip · 07-29 06:28
Ah, who called me? Another sister got handled by customer service?
PrivacyMaximalistvip · 07-29 05:10
Another insider? It should have been investigated eight hundred years ago.
BlockchainTalkervip · 07-27 05:13
actually, this is a textbook case of game theory gone wrong... insiders were always the weakest link tbh
GweiTooHighvip · 07-27 05:12
It's another insider again.
TokenomicsTrappervip · 07-27 05:09
classic insider job... saw this coming months ago when the wallet patterns looked sus af