Phishing / Social Engineering attacks on Ethereum

Attackers compromised BigONE's backend and rewrote risk-control logic to auto-approve any withdrawal, draining $27M from the hot wallet without exposing keys.

Tapioca DAO lost $4.65M after a Discord member was social-engineered into connecting a hardware wallet; attacker seized TAP/USDO ownership. $2.7M recovered.

Telegram message oracle flaw let an attacker drain $3M from 11 Banana Gun users via manual transfers on victim wallets. Team refunded victims from treasury.

A crypto whale lost $55.47M in DAI after signing a malicious transaction on a phishing copy of DeFi Saver's login page powered by Inferno Drainer.

$26M drained from Taipei market maker Kronos Research after API keys (not private keys) controlling programmatic withdrawals were stolen; WOO halted trading.

A breach of LastPass encrypted vault backups led to a multi-year drain of victims storing seed phrases there; losses grew from $35M to over $400M.

SIM-swap operation drained $477M from FTX wallets within hours of the Chapter 11 filing, exploiting the chaos of crypto's biggest collapse since Mt. Gox.

2FA-bypass exploit drained $34M from 483 Crypto.com accounts; attackers authorised transactions without the second factor ever prompting the user.