In the final quarter of 2025, the RegTech and cybersecurity firm SlowMist released its MistTrack analysis of stolen funds, shedding light on persistent threats in the blockchain ecosystem. Drawing on 300 user-submitted reports (210 from domestic sources and 90 from international ones), the report underscores the evolving tactics employed by cybercriminals. It covers only form-based submissions, excluding cases handled through other channels such as email; all of these submissions received free community evaluations.
Notably, the team supported nine individuals in halting or reclaiming around $1 million in compromised assets.
The analysis reveals phishing as the predominant method of attack, surpassing other categories in frequency and impact. Unlike previous periods, Q4 saw a shift toward more insidious techniques that exploit everyday user behaviors rather than overt vulnerabilities.
For instance, “look-alike character poisoning” in wallet addresses led to staggering losses, such as one victim transferring nearly $50 million in USDT to a deceptive address that mirrored the legitimate one in its initial and final characters.
Attackers amplified confusion by inserting misleading transactions into the blockchain history, making verification trickier.
Similar incidents echoed past events, including a 2023 theft of over 1,000 Wrapped Bitcoin that was eventually recovered in full.
Fake domains continued to pose risks, with hackers using visual mimics like altered URLs to redirect users.
A novel twist involved browser autocomplete manipulation: search histories poisoned through ads or announcements caused the browser to suggest fraudulent sites, steering victims to them. Authorization scams also proliferated, often disguised as enticing airdrops or rewards.
In a Solana-based case, a user unwittingly signed away wallet ownership, resulting in a $3 million drain, with an additional $2 million at high risk of permanent loss.
Social engineering emerged as another major vector, leveraging psychological manipulation and impersonation.
Perpetrators posed as trusted entities, such as security professionals, to extract sensitive information.
One elaborate scheme involved adding a passkey to a victim’s Google account, intercepting verification codes, and piecing together a private key from cloud backups.
Urgency tactics, like warnings of impending asset freezes, coerced users into hasty actions like exporting keys or installing malware.
Job interview frauds blended recruitment lures with technical traps.
Scammers, masquerading as Web3 project recruiters, shared code repositories laced with malware that scanned environment files for private keys.
In other instances, fake video calls led to downloads that compromised devices and granted unauthorized wallet access.
Computer malware made a comeback, often hidden in seemingly benign links, such as those mimicking blockchain explorers.
A notable example targeted a multisig wallet, infecting a signing device and bypassing safeguards to siphon funds.
Social media scams rounded out the threats, with hijacked influencer accounts used to initiate “partnership” discussions that funneled victims toward phishing sites or harmful commands.
Trends in Q4 highlighted a move toward “process-oriented” attacks, embedding dangers in routine interactions to exploit trust gaps and low security awareness.
Rather than relying on sophisticated exploits, hackers capitalized on human elements like habit and information asymmetry.
To combat these, SlowMist advocates building robust habits: using address books, verifying full wallet strings, bookmarking trusted sites, and scrutinizing transaction signatures for hidden risks like ownership transfers.
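The look-alike poisoning described above and the report's address-book advice, as an added example that is not SlowMist's code: a Python check that trusts a destination only on a full-string match against an address book and flags history entries that share just the visible leading and trailing characters with a trusted entry. All addresses below are constructed sample data.

```python
from typing import Optional

# Constructed address book: label -> full address (sample, not a real account).
ADDRESS_BOOK = {
    "exchange-deposit": "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b",
}

def matches_trusted(address: str) -> Optional[str]:
    """Return the book label only on a full, case-insensitive string match."""
    for label, trusted in ADDRESS_BOOK.items():
        if address.lower() == trusted.lower():
            return label
    return None

def mimics_trusted(address: str, prefix_len: int = 6, suffix_len: int = 4) -> Optional[str]:
    """Return the label of a trusted address this one imitates: same leading and
    trailing characters (what a truncated wallet UI shows) but a different full
    string. That combination is the poisoning signature."""
    a = address.lower()
    for label, trusted in ADDRESS_BOOK.items():
        t = trusted.lower()
        if a != t and a[:prefix_len] == t[:prefix_len] and a[-suffix_len:] == t[-suffix_len:]:
            return label
    return None

def classify(address: str) -> str:
    """'trusted' on a full match, 'poisoned:<label>' on a look-alike, else 'unknown'."""
    if matches_trusted(address):
        return "trusted"
    label = mimics_trusted(address)
    return f"poisoned:{label}" if label else "unknown"

def scan_history(history: list) -> dict:
    """Flag look-alikes seeded into a transaction history, so a destination is
    never copied from the history instead of the address book."""
    return {addr: classify(addr) for addr in history}

# Constructed history: the third entry shares the first 6 and last 4 characters
# with the trusted address but differs everywhere else.
SAMPLE_HISTORY = [
    ADDRESS_BOOK["exchange-deposit"],
    "0x9999999999999999999999999999999999999999",
    "0x1a2b" + "f" * 32 + "9a0b",
]

if __name__ == "__main__":
    for addr, verdict in scan_history(SAMPLE_HISTORY).items():
        print(f"{verdict:26} {addr}")
```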
For social engineering, the advice is clear—never share keys or mnemonics, authenticate alerts through official channels, and employ hardware wallets with multi-factor authentication.
Job seekers should isolate unknown code in virtual environments and verify opportunities thoroughly.
Malware defense calls for segregating critical devices from non-essential tasks.
The report emphasizes that most incidents stem from manipulated trust rather than unbreakable tech flaws.
By fostering long-term vigilance and utilizing various resources or training platforms for signature evaluation, users can better navigate this unpredictable landscape.
SlowMist's MistTrack platform, with its database of risk indicators, continues to aid proactive threat detection and asset recovery, reinforcing the need for collective industry awareness.