Sophisticated Phishing Attack: Crypto Owner Loses $908K After 15 Months of Waiting — Security Lessons for All Ethereum Users

04.08.2025

A cryptocurrency owner lost $908,551 as a result of a sophisticated phishing attack, planned with the utmost patience and calculation.

Timeline of the attack and details of the incident

The scam began when the victim unknowingly signed a malicious ERC-20 approval transaction on April 30, 2024, likely via a fake website or fake airdrop. This transaction granted the scammer’s wallet address “0x67E5Ae” permanent permission to access the victim’s funds. The attacker’s wallet is associated with the infamous pink-drainer.eth address 4.

For 458 days after the transaction was signed, the victim’s wallet was barely used and the balance on it remained minimal. The scammer waited patiently. Everything changed on July 2, 2025, when the victim transferred $762,397 to a suspicious address “0x6c0eB6” via MetaMask at 20:41 UTC. Another $146,154 in USDC arrived at the same address ten minutes later from the Kraken exchange. Only after these large sums appeared did the criminal consider it appropriate to withdraw the funds, committing the theft on August 2, 2025 in a single transaction, when all the assets were already in the vulnerable wallet 4.

The main feature of such attacks is their delayed, “sleeping” nature. Fraudsters can monitor an “infected” wallet for months, so that, having waited for a significant deposit, they can steal the entire amount in one transaction.

Causes of vulnerability and attack methods

The key element of the attack is the ERC-20 approve transaction. When a user interacts with a smart contract, they are often asked to allow the contract to manage their tokens. If the wallet owner does not check these permissions and accidentally signs them for fraudulent addresses, the attackers gain standing access to all assets as they arrive in the wallet, without any additional consent or confirmation from the user 3.

Ways to protect against such attacks

  • Periodic review and revocation of approvals. Ethereum wallet owners can use tools like Etherscan (token approval checker) to see which token approvals have previously been issued to contracts and revoke unnecessary or suspicious approvals in a timely manner. To do this, go to etherscan.io, enter your address, and use the Token Approvals menu 5.
  • Be vigilant when interacting with unknown services. Don’t blindly sign transactions, and check all permissions, especially if they are requested by little-known dApps or supposed airdrop projects.
  • Understanding the cost of security. Revoking an approval costs gas, but the cost is small compared to the potential loss from a theft.
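
The periodic review described above can also be scripted. The following is an added example, not code from the original article or from Etherscan: it reads ERC-20 `Approval` event logs in the shape returned by `eth_getLogs` and lists approvals that were never set back to zero, oldest first. All addresses and log entries are constructed, and the `signed_on` field (the block timestamp resolved to a date) is an assumption of this example.

```python
from datetime import date

# keccak256("Approval(address,address,uint256)"): topic0 of the ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**255  # dApps usually request 2**256 - 1; treat anything this large as unlimited

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner, today):
    """Latest non-zero approval per (token, spender) for `owner`, oldest first."""
    latest = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        # ERC-721 reuses this topic0 but indexes tokenId as well (4 topics): skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = (int(log["data"], 16), log["signed_on"])  # later log wins
    findings = []
    for (token, spender), (amount, signed_on) in latest.items():
        if amount == 0:  # approve(spender, 0) is a revocation
            continue
        findings.append({"token": token, "spender": spender,
                         "unlimited": amount >= UNLIMITED,
                         "age_days": (today - signed_on).days})
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)

# --- constructed sample data: none of these addresses or logs come from the incident ---
OWNER = "0x" + "a1" * 20
TOKEN = "0x" + "c0" * 20
SPENDER_DORMANT = "0x" + "d1" * 20   # approved once, never revoked
SPENDER_REVOKED = "0x" + "e2" * 20   # approved, later set back to 0

def make_log(spender, amount, block, signed_on, extra_topics=()):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": TOKEN, "blockNumber": hex(block), "logIndex": "0x0",
            "topics": [APPROVAL_TOPIC, pad(OWNER), pad(spender), *extra_topics],
            "data": "0x" + format(amount, "064x"),
            "signed_on": signed_on}  # assumed field: block timestamp resolved to a date

SAMPLE_LOGS = [
    make_log(SPENDER_DORMANT, 2**256 - 1, 100, date(2024, 4, 30)),
    make_log(SPENDER_REVOKED, 500, 101, date(2024, 5, 1)),
    make_log(SPENDER_REVOKED, 0, 102, date(2024, 5, 2)),
    # ERC-721-shaped log (extra indexed topic), ignored by the audit
    make_log(SPENDER_REVOKED, 7, 103, date(2024, 5, 3), extra_topics=["0x" + "0" * 64]),
]

if __name__ == "__main__":
    for finding in outstanding_approvals(SAMPLE_LOGS, OWNER, today=date(2025, 7, 2)):
        print(finding)
```

Event logs record the amount last approved, not what remains after spending, so treat the output as a list of candidates and confirm each one with the token's `allowance(owner, spender)` call before revoking.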

The scale of crypto attacks and the largest thefts

In July 2025, hackers were able to steal more than $142 million worth of cryptocurrency in at least 17 separate attacks, according to PeckShield and other experts 7. The largest losses were recorded on the CoinDCX exchange (about $44 million). It is noteworthy that data on the actual scale can lag behind: many events become known to the general public months or even years later.

Until recently, the Bybit hack was considered the largest single theft ($1.4-1.5 billion in February 2025). However, Arkham Intelligence experts recently revealed that in 2020, the Chinese mining pool LuBian lost 127,426 BTC, which was worth $3.5 billion at the time of the attack and about $14.5 billion at the current rate. The hack was discovered through transaction chain analysis: hackers exploited a vulnerability in the private key generation algorithm. This attack is now recognized as the largest in the history of the crypto industry 10.

Long-wait phishing attacks demonstrate that cybercriminals are becoming more sophisticated, and users are becoming more vulnerable due to their own carelessness. Modern thefts often occur not through expensive hacks, but through social engineering: one carelessly signed transaction can cost the owner their entire capital, even months later.

Regularly checking permissions, refusing to interact with suspicious dApps, and setting limits on approvals are basic digital hygiene measures that every crypto owner should adopt. Otherwise, the “death clock” of assets may already be ticking, and the owner may not even suspect it.

Let’s look at a selection of articles dedicated to major phishing and other cyberattacks on cryptocurrency in 2025:

  1. Current Cyber Threats: Q4 2024 – Q1 2025
    Describes large-scale phishing campaigns using infostealers, Trojans, and fake CAPTCHAs that steal data from crypto wallets and apps, including Telegram and Discord. Examples of attacks on organizations and individuals are given 1.
  2. Crypto Hacks in July 2025: $142M Stolen, Biggest Incidents
    A spike in cryptocurrency thefts in July 2025 totaled $142 million, with CoinDCX and GMX the biggest losers. The hacking methods covered include compromised employee credentials and protocol vulnerabilities 2.
  3. Cryptocurrency Scams Reach Record Highs in 2025
    A detailed look at the rise of cryptocurrency scams in 2025, the emergence of AI-generated deepfakes, massive social media and video scams, and record community losses of $2.1 billion in the first half of 2025 3.
  4. Cryptocurrency Investors Lost $2.5 Billion in H1 2025
    An analytical report showing that in the first 6 months of 2025, the amount of funds stolen from crypto investors exceeded the figure for all of 2024. The main attack vectors considered are exchange hacks, phishing, and protocol exploitation 5.
  5. Phishing Attack Costs Victim Over $908K 458 Days After Signing Malicious Transaction
    An article detailing a specific case of a sophisticated phishing attack where the scammer patiently waited for large deposits to steal a large sum of money from the victim’s wallet 6.
  6. Phishing Caused $400M in Losses in Q2 2025 — CertiK
    A brief report on how phishing attacks have become the main threat to the Web3 ecosystem in Q2 2025, with losses of around $400 million 7.
  7. Web3 Phishing Jumps: $7M Stolen in July 2025
    Statistics estimating the growth in losses from Web3 phishing attacks in July 2025: a 153% increase compared to previous periods, thousands of victims 10.

These materials will help you get acquainted with the current situation in the field of crypto fraud, understand common attack patterns and the scale of losses by the end of 2025.


What are the main methods and schemes used by crypto-cyberspies in modern attacks?

Modern crypto-cyberspies and attackers use a wide range of methods and schemes to achieve their goals. Here are the main ones, identified in the latest research and analysis in the field of cyber threats:

  1. Phishing campaigns
    Mass mailing of emails containing malicious attachments or links to fake websites. The goal is to force the victim to disclose private keys or sign malicious transactions. Forged official documents, such as tax returns, contracts, and invoices, are often used. Phishing is sometimes used to exploit vulnerabilities in popular archive compression programs (RAR, ZIP) 4.
  2. Malware (Trojans, backdoors, infostealers)
    Infection of workstations with Trojans that steal data, allow remote access, or substitute transactions. Popular tools include SugarGh0st, CloudSorcerer, RingSpy, MetaStealer, and PhantomRAT. Such Trojans can disguise themselves as system or utility programs and be delivered via phishing emails 3.
  3. Using public cloud services to manage attacks
    Attackers sometimes use legitimate cloud services as command and control servers to manage malware in order to hide their presence and bypass security filters 1.
  4. Social engineering
    Manipulating the victim through instant messengers, social networks, and mailings, pretending to be trusted persons or organizations in order to extract data and identification documents 3.
  5. Using leaked malware source code
    Attacks reuse the source code of common ransomware and Trojans, such as Babuk, Conti, LockBit, and older Trojans, that has become public, which makes these tools accessible to a wide range of attackers 2.
  6. Exploitation of software and platform vulnerabilities
    Cyber spies often use known and zero-day vulnerabilities (for example, CVE-2023-38831 in WinRAR) to inject malware 1.
  7. Delayed and targeted attacks
    Cyber spies prefer not to demonstrate access immediately, but conduct thorough reconnaissance of the infrastructure, study the network architecture, and try to spread as covertly as possible in order to obtain maximum data and control 2.
  8. Cryptojacking and hidden mining
    Embedding malware to secretly mine cryptocurrency on the victim’s resources, resulting in decreased performance and increased energy costs 8.

These methods are used both individually and in combination, making modern crypto attacks multi-layered and difficult to detect.


The Template Injection technique used by Cloud Atlas and APT31 groups in their cyber attacks is as follows:

  • Attackers use malicious Microsoft Office documents (.doc, .docx) that do not directly contain malicious code. Instead, the document contains a link to a remote template that is loaded automatically when the document is opened.
  • The remote template, rather than the document itself, carries the macros or exploits, such as one for the CVE-2017-11882 vulnerability, which allows the document to bypass static analysis tools such as antiviruses.
  • This technique hides the malicious code and makes it difficult to detect. It is used to inject and launch malicious components, which then ensure the infection of the system, collection of information and communication with the control server.
  • In the case of APT31, the use of cloud services (for example, Yandex.Disk) as channels for communicating with and controlling infected systems has been recorded, which disguises the traffic as legitimate and complicates detection.
  • Cloud Atlas uses similar techniques, including encrypted communications, Windows registry autorun injection, and methods of collecting and archiving data from infected machines for later exfiltration.
  • Such templates serve as an effective base for covert implementation of malicious components, which, once launched, provide full control over the victim’s system: remote access, command execution, data collection and covert transmission 4.

In summary, Template Injection is a technique that stealthily downloads and injects malicious payloads through a legitimate Microsoft Office function, a remote template link, which makes the attack difficult to defend against and detect. It is widely used by the Cloud Atlas and APT31 groups to conduct targeted attacks and gather intelligence.


In July 2025, the cryptocurrency market experienced a major surge in thefts and hacks, resulting in losses totaling over $142 million. These events were among the largest of recent months and reflect the increasing activity of cybercriminals in the digital asset space.

Major Incidents of July 2025

The leader among hacks was the Indian cryptocurrency exchange CoinDCX, which lost about $44 million in USDT on July 18 as a result of a complex attack on the platform’s servers. CoinDCX CEO Sumit Gupta called the incident a “server attack”, after which one of the exchange’s employees, suspected of involvement in the incident, was arrested.
The second largest hack was the decentralized exchange GMX, where attackers managed to steal $42 million by exploiting a vulnerability in the platform’s protocol. Interestingly, most of the stolen funds were later returned by the hacker as part of a white hat program, which demonstrates the modern complexity of motivations in this area.
In addition to these two giants, the BigONE and WOO X exchanges also suffered, where the damage amounted to $27 and $14 million, respectively. Particularly noteworthy was the attack on the WOO X platform, where the fraudsters used social engineering, gaining access to the devices of a company employee and making several transactions before the suspicious activity was detected.

The nature of attacks and hacker strategy

Cybersecurity experts note a change in the tactics of attackers. Previously, the main target of attacks was smart contracts and the program code of DeFi projects. Now, criminals have switched to attacks on servers, databases, and infrastructure of companies, which allows them to bypass automated protection tools and cause more extensive damage.
In particular, they use vulnerabilities in the operation of exchanges, compromise of employee credentials, and phishing attacks. Hackers are becoming more sophisticated and targeting internal systems and processes, which requires crypto platforms to strengthen security controls and implement more complex protection procedures.

Summary and forecasts

In total, 17 major hacks of cryptocurrency projects were recorded in July 2025, which is 27% more than the month before. These events highlight the growing security problems in the crypto industry. According to experts, if the trend continues, the total losses from such attacks could exceed $4.3 billion by the end of 2025.

Overall, July has been one of the most dramatic months in terms of crypto market cybersecurity in recent years. Exchanges and crypto projects are urged to step up security measures, review internal protocols, and train employees in the basics of information security to reduce the risk of future attacks.

This rise in cyber threats simultaneously highlights the importance of raising user awareness and the need to invest in modern technologies to protect digital assets 10.

  1. https://hashtelegraph.com/vzlomy-kriptovaljutnyh-birzh-v-ijule-prevysili-142-mln-coindcx-ponesla-krupnejshie-poteri/
  2. https://phemex.com/ru/news/article/crypto-hacks-surge-in-july-2025-with-142m-stolen_14270
  3. https://rupool.pro/novosti/kriptovalyutnye-vzlomy-v-iyule-2025-goda-ubytki-dostigli-142-mln/
  4. https://www.htx.com/feed/community/14518861/
  5. https://ru.beincrypto.com/kripto-vzlomy-iyul-2025/
  6. https://www.cryptopolitan.com/ru/crypto-hacks-spiked-july-142m-losses/
  7. https://phemex.com/ru/news/article/crypto-hacks-surge-in-july-2025-with-142m-in-losses_14196
  8. https://www.block-chain24.com/news/novosti-bezopasnosti/vzlomy-kriptobirzh-v-iyule-prevysili-142-mln
  9. https://crypto.ru/v-iyule-iz-kriptoproektov-pohishheno-153-mln/
  10. https://forklog.com/news/peckshield-v-iyule-ushherb-ot-vzlomov-sostavil-142-mln
  1. https://ics-cert.kaspersky.ru/publications/reports/2024/04/02/apt-and-financial-attacks-on-industrial-organizations-in-h2-2023/
  2. https://ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/apt31-cloud-attacks/
  3. https://ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/apt-cloud-atlas-unbroken-threat/
  4. https://ptresearch.media/articles/kto-atakuet-strany-sng
  5. https://habr.com/ru/companies/pt/articles/845052/
  6. https://www.f6.ru/blog/cloud-atlas/
  7. https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:APT_-_%D0%A2%D0%B0%D1%80%D0%B3%D0%B5%D1%82%D0%B8%D1%80%D0%BE%D0%B2%D0%B0%D0%BD%D0%BD%D1%8B%D0%B5_%D0%B8%D0%BB%D0%B8_%D1%86%D0%B5%D0%BB%D0%B5%D0%B2%D1%8B%D0%B5_%D0%B0%D1%82%D0%B0%D0%BA%D0%B8
  8. https://temofeev.ru/info/articles/postydnaya-kniga-oborotnya-ili-iz-koaly-v-kapibary-kto-atakuet-strany-sng/
  1. https://ptsecurity.com/ru-ru/research/analytics/aktualnye-kiberugrozy-v-stranah-sng-2023-2024/
  2. https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%9A%D0%B8%D0%B1%D0%B5%D1%80%D0%BF%D1%80%D0%B5%D1%81%D1%82%D1%83%D0%BF%D0%BD%D0%BE%D1%81%D1%82%D1%8C_%D0%B8_%D0%BA%D0%B8%D0%B1%D0%B5%D1%80%D0%BA%D0%BE%D0%BD%D1%84%D0%BB%D0%B8%D0%BA%D1%82%D1%8B_:_%D0%A0%D0%BE%D1%81%D1%81%D0%B8%D1%8F
  3. https://cisoclub.ru/recorded-future-rossijskie-kibershpiony-atakujut-organizacii-s-primeneniem-vredonosnogo-po-hatvibe-i-cherryspy/
  4. https://cyberleninka.ru/article/n/kriptovalyuta-upravlenie-riskami-i-realizatsiya-effektivnoy-zaschity
  5. https://www.kaspersky.ru/blog/top-eight-crypto-scams-2023/35628/
  6. https://www.h-x.technology/ru/blog-ru/what-is-blockchain-security-examples-issues-and-solutions-ru
  7. https://habr.com/ru/companies/gaz-is/articles/899840/
  8. https://securitymedia.org/news/list/
  9. http://safe-surf.ru/specialists/article/5278/658923/
  1. https://ptsecurity.com/ru-ru/research/analytics/aktualnye-kiberugrozy-iv-kvartal-2024-goda-i-kvartal-2025-goda/
  2. https://phemex.com/ru/news/article/crypto-hacks-surge-in-july-2025-with-142m-stolen_14270
  3. https://yellow.com/ru/research/%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%B2%D0%B0%D0%BB%D1%8E%D1%82%D0%BD%D0%BE%D0%B5-%D0%BC%D0%BE%D1%88%D0%B5%D0%BD%D0%BD%D0%B8%D1%87%D0%B5%D1%81%D1%82%D0%B2%D0%BE-%D0%B2-2025-%D0%B3%D0%BE%D0%B4%D1%83-%D0%B4%D0%BE%D1%81%D1%82%D0%B8%D0%B3%D0%B0%D0%B5%D1%82-%D1%80%D0%B5%D0%BA%D0%BE%D1%80%D0%B4%D0%BD%D0%BE-%D0%B2%D1%8B%D1%81%D0%BE%D0%BA%D0%BE%D0%B3%D0%BE-%D1%83%D1%80%D0%BE%D0%B2%D0%BD%D1%8F-%D0%BE%D1%82-%D0%B4%D0%B8%D0%BF%D1%84%D0%B5%D0%B9%D0%BA%D0%BE%D0%B2-%D0%BD%D0%B0-youtube-%D0%B4%D0%BE-%D0%B0%D1%84%D0%B5%D1%80-%D1%81-%C2%AB%D1%80%D0%B0%D0%B7%D0%B4%D0%B5%D0%BB%D0%BA%D0%BE%D0%B9-%D1%81%D0%B2%D0%B8%D0%BD%D0%B5%D0%B9%C2%BB
  4. https://www.block-chain24.com/news/novosti-bezopasnosti/kriptovladelec-poteryal-908-tysyach-v-rezultate-izoshchrennoy-fishingovoy
  5. https://www.coindesk.com/ru/business/2025/07/01/crypto-investors-lost-usd2-5b-to-hack-and-scams-in-the-first-half-of-2025
  6. https://crypto.ru/fishingovaya-ataka-stoila-zhertve-9085-tys/
  7. https://phemex.com/ru/news/article/phishing-attacks-lead-to-400-million-loss-in-q2-2025-certik-reports_11520
  8. https://ddos-guard.ru/blog/daidzhest-kiberbezopasnosti-2025-Q2
  9. https://cisoclub.ru/jeksperty-bi-zone-nazvali-samye-populjarnye-shemy-kriptomoshennikov-v-telegram/
  10. https://crypto.ru/chislo-postradavshih-ot-fishingovyh-atak/
  1. https://www.block-chain24.com/news/novosti-bezopasnosti/kriptovladelec-poteryal-908-tysyach-v-rezultate-izoshchrennoy-fishingovoy
  2. https://dapp.expert/ru/news/kripto-mosennicestvo-kak-polzovatel-poterial-bolee-900000-posle-godovogo-ozidaniia-1754233682-951404
  3. https://hashtelegraph.com/fishingovaja-ataka-prinesla-plody-cherez-15-mesjacev-ukradeno-908-tysjach/
  4. https://istorka.ru/2025/08/03/fishingovaja-ataka-prinesla-plody-cherez-15-mesjacev-ukradeno-908-tysjach/
  5. https://www.binance.com/ru/square/post/373191
  6. https://ru.beincrypto.com/kripto-vzlomy-iyul-2025/
  7. https://phemex.com/ru/news/article/crypto-hacks-surge-in-july-2025-with-142m-stolen_14270
  8. https://forklog.com/news/issledovateli-obnaruzhili-neraskrytyj-vzlom-majning-pula-lubian-na-127-426-btc
  9. https://www.btcc.com/ru-RU/square/BeincryptoRU/734715
  10. https://ru.beincrypto.com/krupnejshij-vzlom-kriptovalyuty-v-istorii-kitajskij-bitkoin-majning-pul/
  11. https://crypto.ru/fishingovaya-ataka-stoila-zhertve-9085-tys/
  12. https://cryptonews.net/ru/news/security/31365554/
  13. https://dapp.expert/ru/news/fising-ataka-na-summu-900000-vse-podrobnosti-incidenta-1754142985-805162
  14. https://mir-cripto2.ru/fishingovaia-ataka-stoila-jertve-bolee-9085-tys-spystia-458-dnei-posle-podpisaniia-moshennicheskogo-kontrakta/
  15. https://dapp.expert/ru/news/fising-ataka-privodit-k-potere-908k-polzovatelem-kriptovaliuty-1754210596-666770
  16. https://blog.mexc.com/ru/what-is-etherscan/
  17. https://etherscan.io
  18. https://smart-lab.ru/blog/1186366.php
  19. https://www.cryptopolitan.com/ru/crypto-user-loses-908k-in-delayed-drain/
  20. https://etherscan.io/contractsverified