Phishing attacks are common in the Web3 space as attackers attempt to trick users into handing over private keys or installing malware on their computers. However, the first week in May 2025 was notable for the fact that attackers stole over $45 million worth of crypto in just seven days, according to ZachXBT.
Inside the Attack
Social engineering attacks, like phishing, are some of the most effective tools in DeFi hackers’ arsenals. These attacks don’t require smart contract vulnerabilities to execute and can’t be detected via a smart contract audit. Instead, they target users and projects off-chain, using trickery or coercion to steal private keys to get users to sign malicious transactions.
ZachXBT’s report on the $45 million stolen in the first week of May 2025 is just the tip of the iceberg, including the crypto stolen from users of one cryptocurrency exchange within just a few days. In this case, ten addresses were impacted by the theft, demonstrating that the attackers commonly target high-value wallets.
According to ZachXBT’s investigations, Coinbase users lose an estimated $300 million to these types of phishing attacks each year. This makes these seven days especially notable since they’d account for over 15% of the average yearly total but less than 2% of the year. This could indicate that attackers are increasingly focused on social engineering attacks targeting individual users, just like how many of the biggest hacks of 2025 have involved off-chain attack techniques.
Lessons Learned from the Attack
This surge in attacks targeting Coinbase users demonstrates the importance of implementing strong private key security practices for personal and project wallets alike. These include:
Using Multisig or MPC Wallets: Multisig and MPC wallets require multiple users to sign to approve a transaction. This increases the difficulty for an attacker attempting to collect enough private keys or trick enough signers to approve a malicious transaction.
Use a Cold Wallet: Cold wallets store private keys on a dedicated, offline device. This makes it more difficult for an attacker to access and steal these keys since they never leave this device.
Validate Links: Phishers commonly use malicious links that point to lookalike websites to trick people. Always verify that a URL is correct before entering login information or a private key.
Be Wary of Downloaded Code: Some cybercrime groups will embed malware in software or a code sample used as part of a fake interview. Always be cautious about running downloaded code on your computer or connecting a wallet to a program.
Hackers are using a variety of sophisticated techniques to steal private keys and crypto from projects and users alike. Learn more about the top attacks targeting crypto private keys.