As the cryptocurrency landscape evolves, so do the tactics of cybercriminals. The second quarter of 2025 has brought a noticeable shift: crypto hacks and crypto threats are becoming less about code and more about human psychology. According to blockchain security firm SlowMist, today’s most dangerous threats don’t rely on breakthrough exploits — they rely on tricking the person.
Instead of targeting protocols directly, attackers are now exploiting off-chain vulnerabilities: browser extensions, hardware supply chains, social media platforms, and even human emotions. These scams are less visible, harder to detect, and often devastating.
Let’s examine the new variants of crypto threats making headlines in 2025, backed by real incidents and expert insights — and how to prepare for what’s coming next.
Crypto threats and the rise of malicious browser extensions
One of the most deceptive new trends is the spread of malicious browser extensions that pose as security tools. One example is the Chrome extension “Osiris.” Marketed as a phishing-detection plugin, it hijacked users’ downloads from legitimate websites such as Zoom and Notion.
Once installed, Osiris would replace .exe, .dmg, and .zip files with malicious versions, without triggering alarms or showing any warning signs. According to SlowMist, users had no way of knowing they weren’t downloading from the official site. The substituted payloads could then surreptitiously scrape private keys, macOS Keychain entries, and browsing data.
This highlights a major vulnerability: our trust in what our browser shows us. Users expect visual cues and padlocks to signal safety, but today’s malware blends in too well.
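A download-swapping extension can change the bytes the browser saves, but it cannot change a checksum you obtained through a separate channel (the vendor’s release page opened on another device, a signed manifest). As an added example, not code from the article or from SlowMist, the Python below parses a sha256sum-style checksum list and verifies a received file against it; the installer bytes, file name and checksum text are constructed for the demo.

```python
"""Checksum verification for downloaded installers.

Added example, not code from the article or from SlowMist. The file name,
installer bytes and published checksum list below are constructed.
"""
import hashlib
import hmac
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file on disk in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksums(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') into {filename: hex}.

    Blank lines and '#' comments are ignored. Any other line that does not fit the
    format raises, because a silently skipped entry would leave a file unchecked.
    """
    expected: dict[str, str] = {}
    hexchars = set("0123456789abcdefABCDEF")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0]) <= hexchars:
            raise ValueError(f"malformed checksum line: {line!r}")
        hexdigest, filename = parts
        # sha256sum marks binary-mode entries with a leading '*'
        expected[filename.lstrip("*")] = hexdigest.lower()
    return expected


def verify_download(filename: str, data: bytes, checksums: dict[str, str]) -> bool:
    """True only if the file is listed AND its hash matches.

    An unlisted name is a failure, not a pass: a swapped payload may arrive under a
    name the vendor never published. compare_digest keeps the comparison constant-time.
    """
    expected = checksums.get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_bytes(data), expected)


def demo() -> tuple[bool, bool]:
    """Constructed scenario: a genuine installer and a swapped copy under the same name."""
    genuine = b"GENUINE-INSTALLER-BYTES\x00" * 1024                 # stand-in for a real .dmg
    swapped = b"GENUINE-INSTALLER-BYTES\x00" * 1023 + b"X" * 24      # same size, one block altered
    # The vendor's list as fetched out of band (constructed here from the genuine bytes).
    published = f"# release 1.2.3\n{sha256_bytes(genuine)}  collab-app-1.2.3.dmg\n"
    checksums = parse_checksums(published)
    return (
        verify_download("collab-app-1.2.3.dmg", genuine, checksums),
        verify_download("collab-app-1.2.3.dmg", swapped, checksums),
    )


if __name__ == "__main__":
    ok, bad = demo()
    print("genuine installer verifies:", ok)
    print("swapped installer verifies:", bad)
```

The important design choice is that the checksum must come from somewhere the extension cannot touch; a hash fetched through the same compromised browser session proves nothing.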
Hardware wallets: No longer a safe haven
For years, cold wallets were the fortress of crypto safety. But in 2025, attackers have turned them into Trojan horses.
Scammers are now selling tampered hardware wallets through social platforms like TikTok (specifically Douyin in China), e-commerce marketplaces, and even giveaways. One victim reportedly lost $6.9 million after buying what appeared to be a factory-sealed wallet that was preloaded with malware.
🚨 The Fake Ledger That Stole Everything
(1/8)
James* thought he was safe. He used a Ledger hardware wallet, kept his 24 words private, and followed every crypto security tip out there. Then one day… a package arrived.
🧵👇 pic.twitter.com/9fAkGctS3q
— Intelligence On Chain (IOC) 🔎 (@intell_on_chain) May 18, 2025
SlowMist tracked cases where attackers:
- Shipped wallets with compromised firmware
- Sent devices under the guise of “lottery prizes” or security upgrades
- Activated wallets in advance and drained funds once users deposited assets
These devices appear legitimate and often come with packaging identical to official versions. But once plugged in, they give attackers backdoor access to everything.
“Don’t gamble your life savings on a wallet that’s a few hundred bucks cheaper,” warned SlowMist’s chief information security officer.
🚨 Last night, we received an emergency report: a user lost $6.5M worth of crypto from a cold wallet.
The wallet was bought via Douyin (TikTok China), but the private key was compromised at creation — and funds were drained within hours.
⚠️ Cold wallet ≠ Safe
Avoid “Factory… https://t.co/YDV4EgxD3a
— SlowMist (@SlowMist_Team) June 14, 2025
Crypto threats: Remote-access trojans targeting crypto wallet extensions
In March 2025, Microsoft raised alarm bells over a new malware threat: StilachiRAT. This remote access trojan can silently scan your system for over 20 popular crypto wallet extensions, including MetaMask, Coinbase Wallet, Trust Wallet, and OKX.
Once deployed, the RAT:
- Extracts saved credentials from Chrome’s local files
- Monitors the user’s clipboard for sensitive data (like pasted addresses or seed phrases)
- Uses sandbox evasion techniques to avoid detection
While not yet widespread, StilachiRAT represents a dangerous evolution in wallet-targeting malware, especially because it leverages stealth over speed.
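The credential-theft behaviour described above leaves a file-access trail: a process that is not the browser opening Chrome’s saved-credential files or an extension’s storage directory. As an added example, not code from the article or from Microsoft’s write-up, the Python below runs that rule over constructed EDR-style file-access log lines. The Chrome profile file names (Login Data, Local State, Web Data, Local Extension Settings) are real Chrome artefacts; the log format, process paths and extension ID are constructed placeholders.

```python
"""Flag non-browser processes reading Chrome's credential store or extension storage.

Added example, not from the article or from Microsoft's StilachiRAT report. The
log format, process names and paths below are constructed to resemble an EDR
file-access feed; EXTENSION_ID_PLACEHOLDER stands in for a wallet extension's ID.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Files under a Chrome profile that hold saved credentials and encryption keys.
CREDENTIAL_FILES = {"Login Data", "Local State", "Web Data"}
# Profile directories where extensions (wallets included) persist their data.
EXTENSION_STORE_DIRS = {"Local Extension Settings", "IndexedDB"}
# Processes expected to open those files; anything else deserves an analyst's look.
TRUSTED_READERS = {"chrome.exe"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>.+?) op=(?P<op>\w+) path=(?P<path>.+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    pid: int
    proc: str
    path: str
    reason: str


def classify_path(path: str) -> str | None:
    """Return why a path is sensitive, or None if it is not a Chrome profile artefact."""
    p = PureWindowsPath(path)
    if "User Data" not in p.parts:          # not inside a Chrome profile tree at all
        return None
    if p.name in CREDENTIAL_FILES:
        return "browser-credential-store"
    if any(d in p.parts for d in EXTENSION_STORE_DIRS):
        return "extension-storage"
    return None


def detect(lines) -> list[Alert]:
    """Emit one Alert per sensitive file access made by an untrusted process."""
    alerts: list[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; in production, count these rather than drop them
        reason = classify_path(m["path"])
        if reason is None:
            continue
        if PureWindowsPath(m["proc"]).name.lower() in TRUSTED_READERS:
            continue
        alerts.append(Alert(m["ts"], int(m["pid"]), m["proc"], m["path"], reason))
    return alerts


# Constructed sample feed: the browser itself, a suspicious binary run from Temp, and noise.
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_LOG = [
    rf"2025-06-14T10:02:11Z pid=3312 proc=C:\Program Files\Google\Chrome\Application\chrome.exe op=open path={PROFILE}\Login Data",
    rf"2025-06-14T10:02:40Z pid=4120 proc=C:\Users\alice\AppData\Local\Temp\svc_update.exe op=open path={PROFILE}\Login Data",
    rf"2025-06-14T10:02:41Z pid=4120 proc=C:\Users\alice\AppData\Local\Temp\svc_update.exe op=open path={PROFILE}\Local Extension Settings\EXTENSION_ID_PLACEHOLDER\000003.log",
    r"2025-06-14T10:03:05Z pid=5100 proc=C:\Windows\System32\notepad.exe op=open path=C:\Users\alice\Documents\notes.txt",
    "2025-06-14T10:03:09Z malformed line",
]


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} pid={a.pid} {a.reason}: {a.proc} -> {a.path}")
```

The rule is deliberately narrow (process identity plus file location); a real deployment would also baseline the trusted-reader set per host, since backup agents and password managers legitimately touch some of these files.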
Social engineering: When scammers imitate safety
As crypto users become more security-conscious, scammers are evolving to imitate security tools themselves. SlowMist detailed a recent incident involving a fake clone of Revoke.cash, a tool that normally helps users remove risky smart contract approvals.
The fraudulent site appeared visually identical to the original but asked users to enter their private key to scan for threats. It then sent those keys via EmailJS to the attacker’s inbox.
These kinds of scams are particularly dangerous because they appear helpful, targeting users who are actively trying to secure their wallets. It’s a cruel twist: the more vigilant you try to be, the more vulnerable you might become if you’re not verifying the tool itself.
Attacks via social media platforms and personal networks
Another rising threat is identity hijacking via social media, particularly on platforms like WeChat. In several recent attacks, scammers used account recovery features to take over legitimate accounts, then targeted the victim’s contacts with “discounted crypto deals” in USDT and other stablecoins.
Many users were lured into sharing sensitive data or transferring funds because the messages appeared to come from trusted sources. In one case, attackers moved stolen crypto through Huione Group’s illicit payment infrastructure, making the funds nearly impossible to trace or recover.
Fake wallet recovery and upgrade alerts
A particularly dangerous scam involves fake warnings that a user’s wallet has been compromised and needs upgrading. Victims are then urged to download a “new secure version” of the app, which, in reality, is malware.
In the second quarter of 2025 alone, one victim lost $6.5 million after following upgrade instructions shared through what looked like an official email. In another, attackers sent pre-activated hardware wallets that looked indistinguishable from factory models.
These scams work because they instil panic, a tactic increasingly used by hackers to short-circuit users’ decision-making.
The bigger picture: Psychological warfare
The emerging theme in 2025 isn’t technical advancement — it’s psychological engineering. These attackers aren’t relying on zero-day exploits. They’re exploiting trust, urgency, and fear. Whether it’s a clone of a legitimate tool, a fake download link, or a device that looks brand-new, the end goal is the same: bypass the user’s judgment.
In many cases, users are manipulated into handing over access willingly.
As Lisa from SlowMist puts it, “We’re seeing a shift from purely on-chain attacks to off-chain entry points. Social behaviour, user routines, and mental shortcuts are the new battleground.”
How to avoid getting trapped?
If you’re active in crypto, consider doing the following:
- Verify URLs and extensions before downloading anything
- Buy wallets only from the manufacturer’s websites
- Don’t store seed phrases or private keys on cloud storage, browsers, or phones
- Double-check any revocation or approval tool’s domain
- Use antivirus and EDR software that includes clipboard and browser monitoring
- Be suspicious of “too good to be true” offers, airdrops, and urgent security alerts
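Two of the items above (verifying URLs, double-checking a revocation tool’s domain) and the fake Revoke.cash clone described earlier come down to the same check: is the hostname in front of you really the one you trust, or a lookalike? As an added example, not code from the article or from SlowMist, the Python below compares a hostname against a small allowlist and classifies the three usual clone shapes: punycode/homoglyph substitutions, one-letter typosquats, and a trusted name embedded in a longer hostname. TRUSTED_DOMAINS is an allowlist you maintain yourself (revoke.cash and ledger.com are used as illustrative entries), and the sample hostnames are constructed.

```python
"""Lookalike-domain check for the tools you rely on (approval revokers, wallet vendors).

Added example, not code from the article or from SlowMist. TRUSTED_DOMAINS is an
allowlist you maintain yourself; the entries and the sample hosts are constructed.
"""
from __future__ import annotations

import unicodedata

TRUSTED_DOMAINS = {"revoke.cash", "ledger.com"}

# Characters that render like ASCII letters: digits and Cyrillic lookalikes (not exhaustive).
CONFUSABLE_CHARS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0131": "i",
})
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def normalize(host: str) -> str:
    """Lowercase, drop a leading 'www.' and decode punycode labels back to Unicode."""
    host = host.strip().rstrip(".").lower()
    if host.startswith("www."):
        host = host[4:]
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label stays as-is; it will not match anything trusted
        labels.append(label)
    return unicodedata.normalize("NFKC", ".".join(labels)).casefold()


def skeleton(host: str) -> str:
    """Map confusable characters to their ASCII lookalike so clones collapse onto the original."""
    s = host.translate(CONFUSABLE_CHARS)
    for pair, single in CONFUSABLE_PAIRS:
        s = s.replace(pair, single)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(host: str, trusted=TRUSTED_DOMAINS) -> tuple[str, str | None]:
    """Classify a hostname relative to the allowlist; the second element is the trusted name it resembles."""
    h = normalize(host)
    if h in trusted:
        return "trusted", h
    sk = skeleton(h)
    for t in trusted:                       # same shape after confusable folding
        if sk == skeleton(t):
            return "homoglyph", t
    for t in trusted:                       # trusted name used as a subdomain of something else
        if h.startswith(t + ".") or ("." + t + ".") in h:
            return "embedded-brand", t
    best = min(trusted, key=lambda t: edit_distance(h, t))
    if edit_distance(h, best) <= 2:
        return "typosquat", best
    return "unknown", None


# Constructed sample hosts; the Cyrillic 'о' (U+043E) case is also shown in its punycode form,
# which is how many address bars display it.
SAMPLE_HOSTS = [
    "revoke.cash",
    "rev0ke.cash",
    "rev\u043eke.cash",
    "rev\u043eke.cash".encode("idna").decode("ascii"),
    "revokee.cash",
    "revoke.cash.security-scan.example",
    "example.org",
]


def scan(hosts=SAMPLE_HOSTS) -> dict[str, str]:
    return {h: check_domain(h)[0] for h in hosts}


if __name__ == "__main__":
    for host, verdict in scan().items():
        print(f"{verdict:15} {host}")
```

The allowlist, not the heuristics, does the real work: the check only answers "is this exactly a domain I already trust, and if not, what is it pretending to be?", which is the question a user facing a pixel-identical clone needs answered before typing anything.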