Wallets, Warnings and Weak Links

Author: Prathik Desai, Source: TokenDispatch

Preface

It all starts with a message. The branding looks credible, the logo is what you would expect, and your LinkedIn profile shows you have some contacts in common. The recruiter says they discovered your GitHub project and would like to offer you a contract job at a well-funded company that combines AI with DeFi protocols. You take a quick look at their website. The design is simple and smooth, the copy reads credibly, and the jargon sits in all the places you’d expect. There is a screening test on the website, and the test content is sent to you as a ZIP file.

You unzip it and run the installer directly – a wallet authorization prompt flashes on the screen. You click confirm without thinking. Nothing visible happens, and the computer doesn’t freeze. Five minutes later, your Solana wallet is emptied.

This is not a figment of the imagination. It is, more or less, the complete story of a slew of attacks linked to North Korean hacking groups and documented by blockchain analysts in 2025. They use fake recruitment, trojanized test files, and malware to compromise wallets.

In today’s article, I’ll take you through the evolution of cryptocurrency attack vectors in 2025 and how to protect yourself against some of the most common on-chain attacks.

Now let’s get down to business.

The biggest shifts in crypto hacking in 2025

Between January and September 2025, hackers linked to North Korea stole more than $2 billion in cryptocurrency. According to blockchain analytics firm Elliptic, 2025 has become the highest-dollar year for digital asset crimes on record.

The largest single loss came from the Bybit exchange breach in February, which cost the cryptocurrency exchange $1.4 billion. The cumulative value of crypto assets stolen by the North Korean regime now exceeds $6 billion.

Aside from the shocking numbers, what’s most striking about Elliptic’s report is the change in how cryptocurrency vulnerabilities are exploited. The report states that “most hacking attacks in 2025 will be achieved through social engineering attacks,” in contrast to North Korea’s previous efforts to steal huge sums by sabotaging infrastructure, such as the infamous Ronin Network hacks of 2022 and 2024 and The DAO hack of 2016.

Today, security vulnerabilities have moved from infrastructure to human factors. The Chainalysis report also noted that private key compromise accounted for the highest proportion of cryptocurrency thefts in 2024 (43.8%).

Obviously, as cryptocurrencies have matured and security at the protocol and blockchain level has hardened, it has become easier for attackers to target the people who hold private keys instead.

Such attacks are also becoming organized campaigns rather than random attacks by individuals. Recent FBI and Cybersecurity and Infrastructure Security Agency (CISA) advisories and news reports describe North Korea-linked campaigns that combine fake job postings for crypto engineers, trojanized wallet software, and the poisoning of open source communities. Although the tools the hackers rely on are technical, the entry point for the attack is human psychology.

The Bybit hack is the largest single cryptocurrency theft to date and shows how such issues can occur in large-scale transactions. When approximately $1.4 billion worth of Ethereum was stolen from a wallet cluster, early technical analysis showed that the signers failed to carefully check the contents of what they were authorizing. The Ethereum network itself executed valid, signed transactions; the problem was with the manual process.

Likewise, in the Atomic Wallet hack, approximately $35 million to $100 million worth of crypto assets disappeared after malware attacked the way private keys were stored on users’ computers.

You will find that this is true in many cases. There is little the protocol itself can do when people do not fully check wallet addresses when transferring money, or store private keys with hardly any protection at all.

Self-hosting is not foolproof

The principle “not your keys, not your coins” still applies, but the problem is that people stop thinking once they have followed it.

Many users have moved funds away from exchanges over the past three years, both out of fear of another FTX-like collapse and out of ideological conviction. Cumulative trading volume on decentralized exchanges (DEXs) has more than tripled over the past three years, from $3.2 trillion to $11.4 trillion.

While security culture may appear to have improved on the surface, the risk has shifted from managed custody to a chaotic situation in which users are left to solve the problem themselves. Browser extensions on your computer, mnemonic phrases saved in phone chats or email drafts, and private keys stored in unencrypted note-taking apps offer no real protection against the dangers lurking out there.

Self-custody is designed to solve the problem of dependence: no longer relying on exchanges, custodians, or any third party that might freeze withdrawals or go bankrupt outright. What it has yet to solve is the problem of “cognition”: private keys give you control, but they also give you full responsibility.

So, how exactly do you solve this problem?

Hardware wallets help reduce friction

Cold storage can solve some of the problems. It keeps the keys to your assets offline, in a vault-like location.

Is the problem solved? Only partially.

By moving private keys off a general-purpose device, hardware wallets remove the exposure created by browser extensions and “one-click” transaction confirmations. They introduce a physical confirmation step that can protect users.

But a hardware wallet is just a tool after all.

The security teams of multiple wallet providers have been very vocal about this. Ledger reports multiple instances of phishing attacks leveraging its brand, with attackers using fake browser extensions and clones of Ledger Live. The interfaces are familiar enough to put people off their guard, but at some point users are asked to enter a mnemonic phrase. Once the mnemonic phrase is leaked, the consequences are disastrous.

People can also be tricked into entering a mnemonic phrase on a fake firmware update page.

Therefore, the real role of a hardware wallet is to shift the attack surface and increase friction, thereby reducing the likelihood of being attacked.But it doesn’t completely eliminate risk.

Separation is the key

The prerequisite for a hardware wallet to be most effective is to purchase it from official or trusted channels, and to keep the mnemonic phrase completely offline and stored safely.

Those who have been in the business for a long time, including incident responders, on-chain investigators, and wallet engineers, recommend separation and diversification of risks.

One wallet is for daily use; the other almost never touches the internet. Small sums are used for experimentation and DeFi yield farming, while larger sums are held in vaults that require multiple steps to access.

On top of that, the most important thing is basic safety habits.

Some seemingly boring habits can help a lot. No matter how urgent the pop-up is, never enter a mnemonic phrase on a website. After copying and pasting, be sure to check the full address on the hardware wallet’s screen. Think twice before approving any transaction that you did not initiate. Treat unsolicited links and “customer service” messages as suspicious until proven otherwise.
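One way to act on the “check the full address” habit above, as an added example that is not code from the original article: decode a pasted Solana-style base58 address, confirm it is a 32-byte public key, and compare it with the intended address character for character, flagging pastes that agree only at the ends, which is all a quick glance tends to check. All addresses here are constructed samples, and `b58decode`, `b58encode` and `check_destination` are assumed helper names.

```python
# Added example, not from the original article: verify a pasted Solana-style
# base58 address in full before signing, rather than glancing at a few characters.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s: str) -> bytes:
    """Decode base58; raises ValueError on characters outside the alphabet."""
    num = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        num = num * 58 + idx
    leading = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a zero byte
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    return b"\x00" * leading + body

def b58encode(raw: bytes) -> str:
    """Encode bytes as base58 (used here only to build the constructed samples)."""
    num, out = int.from_bytes(raw, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def check_destination(expected: str, pasted: str, window: int = 4) -> str:
    """'ok' on an exact match; 'invalid' if the paste is not a 32-byte key;
    'lookalike' if only the first/last `window` characters agree (the part a
    quick glance checks); 'mismatch' otherwise."""
    pasted = pasted.strip()
    try:
        key = b58decode(pasted)
    except ValueError:
        return "invalid"
    if len(key) != 32:
        return "invalid"
    if pasted == expected:
        return "ok"
    if pasted[:window] == expected[:window] and pasted[-window:] == expected[-window:]:
        return "lookalike"
    return "mismatch"

# Constructed samples: a deterministic 32-byte key, a variant differing in one
# middle character (same first and last characters), and an unrelated key.
EXPECTED_ADDRESS = b58encode(bytes(range(32)))
_mid = len(EXPECTED_ADDRESS) // 2
_alt = "2" if EXPECTED_ADDRESS[_mid] != "2" else "3"
LOOKALIKE_ADDRESS = EXPECTED_ADDRESS[:_mid] + _alt + EXPECTED_ADDRESS[_mid + 1:]
OTHER_ADDRESS = b58encode(bytes([1]) * 32)
```

The same full-string comparison is what the hardware wallet’s screen is for: the device shows the address the transaction will actually pay, and only an exact match with the address you intended should be approved.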

None of these measures can guarantee absolute safety, and risk always remains. But every additional step you take reduces it a little more.

Right now, the biggest threat to most users isn’t zero-day vulnerabilities, but information they haven’t double-checked, installers they immediately downloaded and ran because a job opportunity sounded good, and mnemonics written on the same piece of paper as their supermarket shopping list.

When those in charge of billions of dollars treat these risks as background noise, they end up becoming case studies labeled “vulnerabilities.”
