A crypto investor recently lost over $3 million in a phishing attack after unknowingly signing a malicious blockchain transaction. According to blockchain analytics platform Lookonchain, the victim signed off on a smart contract without verifying the full address. That single action transferred 3.05 million USDT (Tether) to a scammer’s wallet.
Wallet “0x2d9” total holdings Source: Nansen
The case has brought renewed attention to how phishing scams exploit human error instead of software vulnerabilities. While most investors typically verify wallet addresses by checking only the first and last few characters, this incident reveals how attackers take advantage of visual shortcuts. In this case, a careful check of the middle characters, often hidden or shortened by display interfaces would have flagged the transaction as suspicious.
Lookonchain warned users to always double-check and understand what they’re signing:
“Stay alert, stay safe. One wrong click can drain your wallet. Never sign a transaction you don’t fully understand.”
Rise of Social Engineering in Crypto Scams
This type of scam is part of a broader trend in crypto security. In 2024, phishing attacks have overtaken technical breaches as the most damaging threat to investors. Rather than hacking into blockchain code, scammers are now targeting human vulnerabilities through social engineering, tricking users into willingly giving up access or approving harmful transactions.
🧐After we published an analysis article about the 1155 WBTC phishing incident and a profile of the hacker, it seems like there is a potential turning point in the situation.
3 hours ago, the hacker requested to contact the victim.👀 https://t.co/ZspG0F7bqW pic.twitter.com/4ZUAGttP5c
— SlowMist (@SlowMist_Team) May 9, 2024
Phishing schemes often involve fraudulent websites, fake support accounts, or links shared via emails or social media. Once users interact with these links and approve a transaction, scammers gain control of the funds in their wallets.
These aren’t isolated events. Another user recently lost over $900,000 in a similar phishing attack, but only discovered the loss 458 days later. The investor had unknowingly approved a malicious contract that allowed a scammer to drain their wallet at any time.
Over $1 Billion Lost to Phishing in 2024
According to blockchain security firm CertiK’s Web3 Security Report, phishing attacks were the costliest type of threat in the crypto world in 2024. The report highlights:
Over $1 billion in digital assets were stolen through phishing.
At least 296 phishing incidents were officially reported.
Three individual attacks each caused losses exceeding $100 million.
The true numbers may be even higher due to unreported cases.
“Phishing was the most costly attack vector last year,” a CertiK spokesperson told Cointelegraph. “Our figures are conservative. Many cases, including scams like pig butchering, remain unreported or poorly documented.”
Incidents and losses in 2024 by month. Source: CertiK
The report makes it clear that the weakest link in crypto security isn’t the blockchain, it’s the human behind the wallet.
A $71 Million Case with a Twist
In one of the most dramatic phishing stories of the year, a victim lost $71 million in a wallet poisoning scam in May 2024. This type of scam involves tricking users into sending funds to lookalike wallet addresses.
What made the case unique was its surprising ending: the scammer returned the entire $71 million two weeks later. The reversal followed intense pressure from global blockchain investigators who traced the attacker’s IP address to Hong Kong. Facing mounting legal threats and public exposure, the attacker gave the funds back, a rare outcome in crypto fraud.
Industry Response: New Tools and Education
As phishing attacks grow, crypto platforms are rolling out new tools to protect users. Binance, the world’s largest exchange, launched an algorithm in May 2024 to detect “address poisoning” scams. The tool has already identified nearly 15 million fake addresses designed to trick users into making false transfers.
Security experts urge investors to:
Avoid clicking on unsolicited links or pop-ups.
Always verify the full wallet address, not just the first and last characters.
Use hardware wallets for large transactions.
Never sign a transaction unless you fully understand what it does.
In the fast-moving world of crypto, the greatest vulnerability isn’t faulty code, it’s the human element. As phishing tactics evolve, education and caution remain the first lines of defence.
