5 ‘insidious’ crypto scams to watch out for this year

2025-07-03 11:14:26 Primitive Reading

Crypto users faced a rise in “psychologically manipulative” attacks in the second quarter as hackers dreamt up advanced and creative ways to try and steal crypto, according to blockchain security firm SlowMist.

SlowMist’s head of operations, Lisa, said in the firm’s Q2 MistTrack Stolen Fund Analysis report that while it didn’t see an advancement in hacking techniques, the scams have become more sophisticated, with a rise in fake browser extensions, tampered hardware wallets and social engineering attacks.

“Looking back on Q2, one trend stands out: attackers’ methods may not be getting technically more advanced, but they are becoming more psychologically manipulative.”

“We’re seeing a clear shift from purely onchain attacks to offchain entry points — browser extensions, social media accounts, authentication flows, and user behavior are all becoming common attack surfaces,” said Lisa.

Malicious browser extensions pretend to be security plugins

Ironically, one emerging attack vector involved browser extensions masquerading as security plugins, such as the “Osiris” Chrome extension, which claimed to detect phishing links and suspicious websites.

Instead, the extension intercepts all downloads of .exe. .dmg and .zip files, replacing those files with malicious programs.

“Even more insidiously, attackers would guide users to visit well-known, commonly used websites like Notion or Zoom,” said Lisa.

“When the user attempted to download software from these official sites, the files delivered had already been maliciously replaced — yet the browser still displayed the download as originating from the legitimate source, making it nearly impossible for users to spot anything suspicious.”

These programs would then collect sensitive information from the user’s computer, including Chrome browser data and macOS Keychain credentials, giving an attacker access to seed phrases, private keys or login credentials.

Sensitive info from a victim’s computer is sent to the attacker’s server. Source: SlowMist

Attacks prey on crypto user anxiety

SlowMist said another attack method focused on tricking crypto investors into adopting tampered hardware wallets.

Disclaimer: This specification is preliminary and is subject to change at any time without notice. Amazon Finance assumes no responsibility for any errors contained herein.