Social Engineering

Security Updated Jul 2026

What is Social Engineering in Web3?

Social engineering is the psychological manipulation of people into divulging confidential information or performing actions that compromise security. In Web3, it has surpassed code exploits as the most devastating attack vector — the Drift Protocol hack ($285M) and Bybit breach ($1.5B) were both social engineering operations, not smart contract bugs.

The shift is simple to explain: smart contracts are getting better audited, but humans remain the weakest link.

Common Social Engineering Attacks

1. Developer Infiltration

North Korea’s Lazarus Group has pioneered this approach:

  1. Operatives pose as developers and apply for jobs at crypto protocols
  2. They build genuine professional relationships over months
  3. They contribute real code to establish trust
  4. Once they have access, they introduce subtle backdoors or exfiltrate signing keys

The Drift Protocol hack (April 2026): DPRK operatives spent six months attending crypto conferences, building real friendships with Drift contributors, and eventually convinced Security Council members to pre-sign transactions that handed control to attacker wallets.

2. Fake Customer Support

Scammers impersonate protocol support staff on Discord, Telegram, and X:

  1. User asks a question in a project’s Discord
  2. Scammer DMs first, claiming to be “official support”
  3. They guide the user to “verify their wallet” or “claim a compensation airdrop
  4. User connects to a drainer site or signs a malicious transaction

3. Pre-Signed Transaction Attacks

An advanced technique targeting multisig signers:

  1. Attacker builds trust with a multisig signer over weeks
  2. Attacker asks the signer to “pre-sign” a transaction for convenience
  3. The pre-signed transaction contains hidden authorization (e.g., changing the Security Council to attacker-controlled addresses)
  4. Once enough signers pre-sign, the attacker executes the transaction

This is exactly what happened to Drift Protocol — the attackers got real Security Council members to sign delayed transactions without fully understanding what they authorized.

4. Conference and Community Infiltration

Think of it like signing a check today and leaving it somewhere to be cashed later.

Attackers attend crypto conferences in person, build authentic professional relationships, and gradually gain trust. This human intelligence then enables targeted attacks against the protocol’s infrastructure.

Why Social Engineering Works in Web3

FactorWhy It Exploits Web3
AnonymityHard to verify who someone really is
Remote teamsMost crypto teams are distributed — no in-person vetting
Speed culture”Ship fast” mentality skips thorough vetting
Large treasuriesDAOs and protocols hold billions in multisigs
Trust minimization myth”Code is law” mentality makes teams complacent about human trust

Notable Social Engineering Attacks

AttackYearLossMethod
Bybit2025$1.5BCompromised Safe UI (blind signing)
Drift Protocol2026$285M6-month DPRK infiltration of Security Council
Radiant Capital2024$50MDeveloper private key compromise
Fantom Foundation2023$550KSocial engineering of a team member

How to Defend Against Social Engineering

  1. Never pre-sign transactions — every multisig signature should be verified at execution time
  2. Time locks on critical operations — Security Council changes should require 48-72h delays
  3. Verify identity, not just credentials — video calls, references, and background checks for anyone with system access
  4. Separation of duties — no single person (or small group) should control critical infrastructure
  5. Red team exercises — simulate social engineering attacks on your own team
  6. Zero-trust policies — assume anyone could be compromised, including long-time contributors

Frequently Asked Questions

Q: Can smart contracts prevent social engineering? A: Partially. Time locks, multisig thresholds, and on-chain governance delays can limit the damage. But if a human with signing authority is tricked, the signature is valid — the contract cannot distinguish between “intentional” and “socially engineered” approvals.

Q: Is DeFi more vulnerable to social engineering than traditional finance? A: Yes, because DeFi lacks the institutional safeguards — compliance departments, background checks, transaction reversal. In traditional finance, a socially engineered transfer can often be frozen or reversed. In DeFi, once the transaction confirms, the funds are gone.