Top 5 Crypto & Web3 Hacks That Started With Phishing

‍In Web3, most “hacks” don’t start on-chain. They start in your inbox.

‍

Phishing is the boring killer. It doesn’t care about your TVL or your glossy audits. It targets people, steals secrets, and then walks straight through the front door you left unguarded. In crypto, the variants include the classics (credential theft), and the very Web3-flavored ones: “ice phishing” (tricking users to grant malicious approvals), supply-chain compromises (malicious npm releases), and fake job interviews that end with “please run this technical test.” Microsoft spelled out ice phishing back in 2022, approve the wrong spender and boom: permissioned theft with your own signature.

These attacks often exploit human trust to hijack wallets, trick credential systems, or set up fake dApps. In this blog, we walk through five (and some special mentions as well) of the most dramatic crypto hacks that involved phishing (or suspected phishing), how they unfolded, their impacts, and what crypto projects can learn from them.

‍

Phishing in Web3: Why It’s Especially Dangerous

Before we jump into cases:

• In Web2, phishing often leads to stolen credentials or malware. In Web3, phishing can lead to instant loss of assets (wallets, keys) with no recourse.
• Attackers can spoof domains (e.g., “mywallet.io”), deploy fake dApps, intercept signature signing flows, or use Adversary-in-the-Middle (AiTM) attacks on wallet popups.
• Because blockchain is transparent, stolen funds leave traces, but by then it’s often too late.
• Also emerging: payload-based transaction phishing (PTXPHISH), where users interact with smart contracts in malicious ways disguised as legitimate ones. In one study, over 130,000 phishing transactions on Ethereum led to losses > $341.9M over a ~300‑day span.
  

So phishing in crypto is not just about credentials, it’s about signatures, access flows, UI deception, smart contracts, and more.

Let’s now dive into the hacks:

‍

1. Ronin (Axie Infinity), 2022: The Fake Job Offer Heard Around the World

$540M - $625M lost

What happened?

Attackers (attributed to DPRK’s Lazarus Group) sent a fake recruiter pitch to a Sky Mavis engineer. The “offer” delivered malware, leading to the compromise of internal systems and ultimately private keys for Ronin validators. Once they controlled 5 of 9 validators (4 Sky Mavis + 1 Axie DAO), they forged withdrawals from the bridge: 173,600 ETH + 25.5M USDC, valued between ~$540M and ~$625M at the time; one of the biggest ever.

Kill chain:

1. Spear-phish → malware via a fake PDF/job interview. 
2. Internal foothold → access to systems connected to validator ops. 
3. Validator majority → attacker signs two “withdrawals.” 
4. Latent detection → exploit sat unnoticed until a user couldn’t withdraw 5,000 ETH.
   

Who got hit: Axie/Ronin users bridging funds. DeFi composability amplified the blast radius.

Impact: ~$540–$625M stolen; the address was later sanctioned; attribution to Lazarus confirmed by multiple agencies. 

Implications: Your validator quorum and operational backdoors are part of your attack surface. If social engineering can tip your multisig, your decentralization is theater.

‍

2. Coincheck, 2018: Old-School Phish, Historic Loss

$523M - $534M ($XEM) lost

What happened?

A phishing email planted malware on a staffer’s PC, exposing the hot-wallet private key holding 523M $XEM (~$523M–$534M). Funds were in a single-sig hot wallet (not multisig), which the attacker drained in one of crypto’s earliest mega-thefts.

Kill chain:

1. Spear-phish → malware on employee workstation. 
2. Key exfiltration → hot wallet private key obtained. 
3. Mass outflow → immediate drain of XEM holdings. 
   

Who got hit: Coincheck customers holding $XEM on-exchange.

Impact: ~$523M–$534M; Japan’s FSA forced remediation, and Coincheck had to compensate users and overhaul controls. Lesson tattooed on the industry: single-sig hot wallets are career-ending. 

Implications: This wasn’t a protocol bug; it was people + privilege + poor key policy. The enemy isn’t fancy; it’s convenience.

‍

3. BadgerDAO, 2021: “Ice Phishing” via Front-End Injection

$120M - $130M lost

What happened?

No contract bug. Instead, an attacker obtained a Cloudflare API key (Badger later described the incident as phishing + Cloudflare Workers abuse), injected malicious JS into the front-end, and tricked users into signing ERC-20 approvals to the attacker. Result: ~$120M–$130M stolen from ~500 wallets. This is the poster child of ice phishing: you authorize the thief yourself.

Kill chain:

1. Phish/admin compromise → Cloudflare API key acquired. 
2. JS injection → malicious approval prompts on Badger app routes. 
3. Unlimited approvals → attacker sweeps assets via transferFrom/increaseAllowance flows.

Who got hit: Users interacting with the Badger dApp during the injection window.

Impact: ~$120M–$130M siphoned; Mandiant & Chainalysis pulled forensics; classic web2-to-web3 seam failure. 

Implications: If your front-end integrity is optional, your “decentralized” app isn’t. Ship SRI, strict CSP, and kill-switches for abnormal spender/approval patterns… yesterday.

‍

4. CoinsPaid, 2023: The 40-Minute Fake Interview

~$37.3M lost

What happened?

Lazarus allegedly courted an employee for months, then ran a fake technical interview where the target was asked to install a testing app. That “test” exfiltrated profiles/keys and opened the door to infrastructure access, ending in a $37.3M drain. CoinsPaid’s own reports walk through the recon, the social engineering, and the laundering stack.

Kill chain:

1. Months of recon & failed attempts → pivot to humans with lucrative job offers. 
2. Fake interview app → code execution, credential theft. 
3. Privilege & movement → compromise of back-end services, withdrawals, $37.3M out. 
4. Laundering → SunSwap/SwftSwap/SimpleSwap, Sinbad mixer, etc.
   

Who got hit: CoinsPaid’s platform (they say customer balances were protected, but ops and revenue took a punch). 

Impact: The $37.3M loss dealt a heavy operational and reputational blow to CoinsPaid. The platform had to halt services temporarily, reroute processes, and face customer trust issues despite claims that user balances were protected.

Implications: Your biggest risk isn’t Solidity; it’s HR. If a single employee can run unvetted binaries that can reach prod secrets, you have already lost.

‍

5. Ledger Connect Kit, 2023: Supply Chain Phish → npm Account Takeover → Drainer

$700k+ lost

What happened?

A former Ledger employee was phished, the attacker snagged an npm session token, and shipped malicious versions of the Ledger Connect Kit (1.1.5–1.1.7). Any dapp bundling those versions unknowingly injected a wallet drainer via a rogue WalletConnect project. Ledger hot-fixed to 1.1.8 in 40 minutes, but not before hundreds of thousands in user funds were siphoned (estimates clustered around $700k+). This is what supply-chain looks like in Web3: one maintainer, one phish, many dapps impacted.

Kill chain:

1. Phish ex-employee → npmjs account/session token stolen, 2FA bypassed by session reuse. 
2. Poisoned releases → dapps consume 1.1.5–1.1.7 during builds. 
3. Client-side hook → reroutes transactions via a malicious WalletConnect project, drains user wallets. 
4. Damage → ~$700k+ observed before patch; far larger potential blast radius.
   

Who got hit: Any dApp or wallet that integrated the poisoned versions of Ledger Connect Kit (1.1.5–1.1.7) during that ~40-minute window was affected. That included major DeFi protocols and front-ends pulling the dependency from npm without locking versions. Users who interacted with those dApps had their wallets exposed to the malicious drainer code.

Impact: Roughly $700k+ in crypto assets were stolen before Ledger pushed the patched 1.1.8 release and instructed projects to update. While the monetary loss was relatively small compared to Ronin or ByBit, the potential blast radius was catastrophic: dozens of high-profile dApps could have funneled users into a wallet drainer simultaneously. The incident underscored how a single phished maintainer in a supply chain dependency can put the entire Web3 ecosystem at risk.

Implications: If you “float” dependencies in production dapps, you’ve outsourced change control to strangers on npm. That’s not DevOps. That’s hope.

‍

Our Take (The Part People Won’t Like)

• Phishing is the main attack path. Bridges and AMMs get headlines, but humans are the entry point. Lazarus keeps farming fake jobs, interviews, SMS, the works. Ronin and CoinsPaid weren’t edge cases; they’re the template. 
• Front-end integrity is still a blind spot. BadgerDAO proved you can drain users with their own signatures if you control the UI. Web2 controls (CSP/SRI/Workers) are not optional garnish in DeFi. 
• Supply chain is your chain. Ledger’s npm incident showed how quickly a phished maintainer becomes a multi-dapp drainer. If you’re still building with “latest”, you’re building with roulette.  

‍

Special Mentions (The Infamous Hall of Shame)

1. ByBit Exchange, February 2025: When “Cold” Wallets Melt

~$1.4B - ~$1.5B lost 

What happened?

On February 21, 2025, ByBit suffered what is now the largest crypto exchange heist in history. Roughly 400,000 ETH vanished, worth between $1.4–$1.5 billion. Initial reports point to a phishing/supply chain combo, targeting their use of Safe{Wallet} infrastructure.

The attackers likely compromised credentials or signing flows in ByBit’s transaction infrastructure, tricking wallet operators into authorizing transfers. Even “cold wallets” turned out to be only as cold as the humans and third parties touching them.

Kill chain (likely process):

1. Phish/supply chain pivot → attackers infiltrate third-party infra (Safe{Wallet}) or staff credentials.
2. Signer trickery → malicious approvals authorized, possibly under duress or false pretenses.
3. Multisig abuse → manipulated logic to bypass trust assumptions.
4. Drainage → ~400,000 ETH gone in hours.
   

Who was hit: ByBit’s reserves: user funds, effectively.

Impact: ~$1.5B lost, making it bigger than Ronin or Coincheck. ByBit plugged the hole with emergency capital injections from firms like Galaxy Digital to avoid total collapse.

Implications:

• “Cold wallets” are a marketing phrase, not a security guarantee. If a signing service can be tricked, your cold wallet is just a warm wallet with extra latency.
• Third-party infra (Safe{Wallet}, custodians, API providers) is part of your attack surface. If they get popped, you get popped.
• At this scale, you’re not protecting assets, you’re protecting the credibility of the entire CEX sector.

‍

2. WazirX Crypto Exchange, July 2024: Lazarus Exploits Multisig Logic

$234.9M lost

What happened?

India’s largest exchange, WazirX, was ripped for $234.9M in July 2024. Attribution went to the Lazarus Group (again, North Korea farming Indian exchanges like ATMs).

WazirX used a multisig wallet model: 5 WazirX + 1 Liminal signature, with 3 WazirX + 1 Liminal required per withdrawal. On paper, solid. In practice? Not when you let attackers mess with the contract logic itself.

Kill chain:

1. Fake account creation + deposits → attackers used legitimate exchange flows to blend in.
2. Token swaps (e.g., GALA) → manipulated balances and contract conditions.
3. Smart contract modification → multisig rules bent to grant attackers effective control.
4. Mass drain → both hot and cold wallets emptied.
   

Who was hit: WazirX’s wallets, meaning direct user funds.

Impact: $234.9M drained. Exchange halted trading. Reputational hit for India’s biggest exchange.

Implications:

• A multisig is only as good as the immutability of its logic. If contract upgrade paths exist, attackers can rewrite the rules.
• Fake accounts aren’t harmless. They can be entry vectors for logic manipulation.
• If Lazarus can repeatedly exploit process gaps in CEXs, the question becomes: are you running an exchange, or just a honeypot for Pyongyang?

‍

Not in Hall of Shame, But Some Important Ones To Mention

1. Payload-based Transaction Phishing (PTXPHISH)

>$341.9M lost till date

What Happened & How It Started

• Researchers in 2024‑2025 identified PTXPHISH attacks on Ethereum, where malicious payloads are embedded in smart contract interactions, tricking users into signing malicious functions.
  

Attack Process

• The user is lured to a phishing site or fake dApp UI.
• They click something (e.g., “Approve this transaction”), which triggers a hidden malicious payload in a contract.
• The contract executes in a way that steals tokens, drains liquidity, or hijacks account behavior.
• Because everything goes through signature flows (which users expect), the attack is stealthy.
• In a detection experiment, over 130,637 phishing transactions were identified over ~300 days, with >$341.9M in losses.
  

Who Was Affected

• Users interacting with fake or malicious dApps or contract flows.
• The attack surface is broad; anyone signing contract interactions is vulnerable.
  

Implications

• Even savvy users can be tricked if UI deception and contract complexity are used.
• The frontier of phishing in crypto is now contract-level deception, not just domain spoofing.
• Detection, user warnings, address reputation, and real-time signature review become essential.

‍

2. Qix (npm packages) Supply-Chain Phish, 2025: Malicious Packages Everywhere

What happened:

In September 2025, prolific npm maintainer Qix (Josh Junon) was phished, and attackers seized control of his npm account. They pushed malicious versions of massively popular packages like chalk, debug, strip-ansi, and color-convert. Because these libraries sit deep in the dependency tree, the poisoned code spread into countless projects.

Kill chain:

1. Phish the maintainer → attacker gained npm account/session access.
2. Publish tainted versions (1.1.x series in multiple packages).
3. Browser-side payload → malicious code triggered only in client builds, intercepting wallet interactions via window.ethereum and transaction RPC calls.
4. Drainer logic → replaced transaction targets with attacker-controlled addresses, siphoning user funds when people unknowingly signed.
   

Who got hit:

Any dApp or site that bundled the compromised versions into their front-end. End-users interacting with those apps and signing wallet transactions were the direct victims.

Impact:

The exact amount drained before the malicious packages were yanked is not openly available (some say <$100 though). The true danger was the blast radius: billions of downloads across npm meant the potential for supply-chain chaos far exceeded the realized theft.

Implications:

A single phished maintainer can poison the entire ecosystem. Floating dependencies in production are a loaded gun: lockfiles, provenance checks, and runtime transaction validation are the only sane defaults.

‍

“How Would Resonance Have Prevented These?”

Short answer: by shrinking trust, binding policy to keys, and booby-trapping workflows so a single phish can’t burn the house down.

Long answer:

1. Advanced phishing detection
   
   • Real-time detection of spoofed domains / malicious phishing pages.
   • UI anomaly detection for wallet signing flows.
     
     
2. Simulation & awareness tailored to Web3
   
   • Simulations of contract‑based phishing, UI phishing, and signature phishing (not just link-clicks).
   • Teach users to pause and review contract ABI / payloads before approving.
     
     
3. Endpoint & extension protection
   
   • A browser extension (like PhishGuard) that checks and warns you if you receive any malicious email.
   • Block or sandbox interactions from suspicious origins.
     
     
4. Infrastructure & contract hardening
   
   • Multi-party authorizations, timelocks, anomaly alerts on signature patterns.
   • Hardened signing workflows and separation of privileges.
     
     
5. Threat intelligence & signature reputations
   
   • Shared feeds of known phishing addresses and malicious contracts.
   • Automated takedown/blacklisting of phishing sites in the crypto ecosystem.

If implementing all the above sounds overwhelming for you, don’t worry, we've got your back. Just book a FREE consultation with Resonance Security’s experts, and we will take care of the rest.

‍

Practical Takeaways For Every Crypto Project (steal this list)

• Make WebAuthn mandatory for staff with prod access. Session-binding, no SMS/TOTP.
• Keys > code. Enforce allowlists/limits at the signing layer (MPC/HSM), not only in the app.
• Treat UIs like critical infra. Enable CSP+SRI, ban dynamic third-party JS in wallet flows, and ship runtime checks that flat-out refuse mutated window.ethereum/fetch.
• Assume npm can lie to you. Lock, mirror, attest. Fail builds on untrusted provenance. 
• Tabletop the ugly stuff quarterly. Run a “fake job interview” drill and a “front-end injected” drill. Measure MTTD/MTTR like your runway depends on it.
• User-side education: Teach “ice phishing” explicitly; approvals are a power of attorney. If a spender isn’t on your allowlist, don’t sign it.

‍

Closing: The Uncomfortable Pattern

None of these were “DeFi is insecure” stories. They’re people and process failures dressed in hoodies. Attackers didn’t outsmart cryptography; they out-social-engineered humans, and your architecture handed them the blast radius.

Complexity without controls is just confidence theater. Start with the assumption you will get phished, and design so that it doesn’t matter.

If you want an actual fool-proof plan to secure every nook and corner, be it you, your team, or your infrastructure, just reach out to us. 

Why? Because we’ve studied every type of web3 & crypto phishing and have built:

• Equalizer: Hyper-realistic phishing simulations. No cartoon fishhooks; these mimic real workflows and real lures, forcing people to learn by doing.
• PhishGuard (coming soon): An always-on email bodyguard that tells you if the email is safe for you or not.

Book a FREE exploration call to get a strong phishing protection plan!