What is Social Engineering in Web3?
Social engineering is the psychological manipulation of people into divulging confidential information or performing actions that compromise security. In Web3, it has surpassed code exploits as the most devastating attack vector — the Drift Protocol hack ($285M) and Bybit breach ($1.5B) were both social engineering operations, not smart contract bugs.
The shift is simple to explain: smart contracts are getting better audited, but humans remain the weakest link.
Common Social Engineering Attacks
1. Developer Infiltration
North Korea’s Lazarus Group has pioneered this approach:
- Operatives pose as developers and apply for jobs at crypto protocols
- They build genuine professional relationships over months
- They contribute real code to establish trust
- Once they have access, they introduce subtle backdoors or exfiltrate signing keys
The Drift Protocol hack (April 2026): DPRK operatives spent six months attending crypto conferences, building real friendships with Drift contributors, and eventually convinced Security Council members to pre-sign transactions that handed control to attacker wallets.
2. Fake Customer Support
Scammers impersonate protocol support staff on Discord, Telegram, and X:
- User asks a question in a project’s Discord
- Scammer DMs first, claiming to be “official support”
- They guide the user to “verify their wallet” or “claim a compensation airdrop”
- User connects to a drainer site or signs a malicious transaction
3. Pre-Signed Transaction Attacks
An advanced technique targeting multisig signers:
- Attacker builds trust with a multisig signer over weeks
- Attacker asks the signer to “pre-sign” a transaction for convenience
- The pre-signed transaction contains hidden authorization (e.g., changing the Security Council to attacker-controlled addresses)
- Once enough signers pre-sign, the attacker executes the transaction
This is exactly what happened to Drift Protocol — the attackers got real Security Council members to sign delayed transactions without fully understanding what they authorized.
4. Conference and Community Infiltration
Think of it like signing a check today and leaving it somewhere to be cashed later.
Attackers attend crypto conferences in person, build authentic professional relationships, and gradually gain trust. This human intelligence then enables targeted attacks against the protocol’s infrastructure.
Why Social Engineering Works in Web3
| Factor | Why It Exploits Web3 |
|---|---|
| Anonymity | Hard to verify who someone really is |
| Remote teams | Most crypto teams are distributed — no in-person vetting |
| Speed culture | ”Ship fast” mentality skips thorough vetting |
| Large treasuries | DAOs and protocols hold billions in multisigs |
| Trust minimization myth | ”Code is law” mentality makes teams complacent about human trust |
Notable Social Engineering Attacks
| Attack | Year | Loss | Method |
|---|---|---|---|
| Bybit | 2025 | $1.5B | Compromised Safe UI (blind signing) |
| Drift Protocol | 2026 | $285M | 6-month DPRK infiltration of Security Council |
| Radiant Capital | 2024 | $50M | Developer private key compromise |
| Fantom Foundation | 2023 | $550K | Social engineering of a team member |
How to Defend Against Social Engineering
- Never pre-sign transactions — every multisig signature should be verified at execution time
- Time locks on critical operations — Security Council changes should require 48-72h delays
- Verify identity, not just credentials — video calls, references, and background checks for anyone with system access
- Separation of duties — no single person (or small group) should control critical infrastructure
- Red team exercises — simulate social engineering attacks on your own team
- Zero-trust policies — assume anyone could be compromised, including long-time contributors
Frequently Asked Questions
Q: Can smart contracts prevent social engineering? A: Partially. Time locks, multisig thresholds, and on-chain governance delays can limit the damage. But if a human with signing authority is tricked, the signature is valid — the contract cannot distinguish between “intentional” and “socially engineered” approvals.
Q: Is DeFi more vulnerable to social engineering than traditional finance? A: Yes, because DeFi lacks the institutional safeguards — compliance departments, background checks, transaction reversal. In traditional finance, a socially engineered transfer can often be frozen or reversed. In DeFi, once the transaction confirms, the funds are gone.