Crypto users faced a rise in “psychologically manipulative” attacks in the second quarter as hackers dreamt up advanced and creative ways to try and steal crypto, according to blockchain security firm SlowMist.

SlowMist’s head of operations, Lisa, said in the firm’s Q2 MistTrack Stolen Fund Analysis report that while it didn’t see an advancement in hacking techniques, the scams have become more sophisticated, with a rise in fake browser extensions, tampered hardware wallets and social engineering attacks.

“Looking back on Q2, one trend stands out: attackers’ methods may not be getting technically more advanced, but they are becoming more psychologically manipulative.”

“We’re seeing a clear shift from purely onchain attacks to offchain entry points — browser extensions, social media accounts, authentication flows, and user behavior are all becoming common attack surfaces,” said Lisa. 

Malicious browser extensions pretend to be security plugins

Ironically, one emerging attack vector involved browser extensions masquerading as security plugins, such as the “Osiris” Chrome extension, which claimed to detect phishing links and suspicious websites. 

Instead, the extension intercepts all downloads of .exe. .dmg and .zip files, replacing those files with malicious programs. 

“Even more insidiously, attackers would guide users to visit well-known, commonly used websites like Notion or Zoom,” said Lisa. 

“When the user attempted to download software from these official sites, the files delivered had already been maliciously replaced — yet the browser still displayed the download as originating from the legitimate source, making it nearly impossible for users to spot anything suspicious.”

These programs would then collect sensitive information from the user’s computer, including Chrome browser data and macOS Keychain credentials, giving an attacker access to seed phrases, private keys or login credentials. 

Attacks prey on crypto user anxiety

SlowMist said another attack method focused on tricking crypto investors into adopting tampered hardware wallets.

In some cases, hackers would send users a compromised cold wallet, telling their victims they had won a free device under a “lottery draw” or telling them their existing device was compromised and they needed to transfer their assets. 

In Q2, one victim reportedly lost $6.5 million by purchasing a tampered cold wallet that they saw on TikTok, according to Lisa. 

Another attacker sold a victim a hardware wallet they had already pre-activated, allowing them to immediately drain the funds once the new users transferred in their crypto for storage. 

Social engineering with fake revoker website

SlowMist said it was also contacted in Q2 by a user who could not revoke a “risky authorization” in their wallet.

Upon investigation, SlowMist said the website that the user was using to try to revoke the smart contract’s permission was “a near-perfect clone of the popular Revoke Cash interface,” which asked users to input their private key to “check for risky signatures.” 

“Upon analyzing the front end code, we confirmed that this phishing website used EmailJS to send users’ input — including private keys and addresses — to an attacker’s email inbox.” 

“These social engineering attacks are not technically sophisticated, but they excel at exploiting urgency and trust,” said Lisa. 

“Attackers know that phrases like ‘risky signature detected’ can trigger panic, prompting users to take hasty actions. Once that emotional state is triggered, it’s much easier to manipulate them into doing things they normally wouldn’t — like clicking links or sharing sensitive information.”

Attacks exploit Pectra upgrade, WeChat friends

Other attacks included phishing techniques that exploited EIP-7702, introduced in Ethereum’s latest Pectra upgrade, while another targeted several WeChat users by gaining control of their accounts. 

Cointelegraph Magazine recently reported that the attackers utilized WeChat’s account recovery system to gain control of an account, impersonating the real owner to scam their contacts with discounted Tether (USDT). 

SlowMist’s Q2 data came from 429 stolen fund reports submitted to the firm during the second quarter.

The firm said it froze and recovered around $12 million from 11 victims who reported having crypto stolen in Q2.