Request Demo
Platform
Company
Resources
Request Demo

Weaponized Influence: Social Engineering in Crypto Scams

Merkle Science
February 11, 2025

At Merkle Science, we regularly analyze crypto crime using our blockchain analytics platform, Tracker. Most cases involve criminals exploiting vulnerabilities in an entity, such as an exchange’s hot wallet or a bridge’s smart contract. These attacks frequently incorporate social engineering tactics to gain initial access. A prime example is the $600 million Ronin attack, where hackers deceived an in-house developer with a fake job interview. They sent a fraudulent job description embedded with a malicious payload, which allowed them to infiltrate internal systems and ultimately compromise Ronin’s hot wallet.

Our research uncovered a new trend: attacks driven entirely by social engineering, from start to finish. One striking example is the August 29, 2024 hack of Kylian Mbappé’s X account. The attacker posted a message promoting a $MBAPPE meme coin on Solana, which quickly surged to a $460 million market cap. Thousands of fans, lured by the endorsement, collectively invested over $1 million—only to realize too late that they had fallen victim to a scam.

Here’s what we learned in more detail:

Victim type

This is the breakdown of victim profiles for crypto scams built around social engineering. Attackers generally prefer accounts that have some alignment with technology, or accounts that have the trust of their fandom. Note: Purple columns are general categories. Green columns are tech-related categories; numbers are rounded.

In 2024, there were 36 attacks of this nature in a representative sample we examined from cases that were documented in the media. The most frequently targeted victims were tech figures—business leaders in general tech, venture capital, crypto, or Web3—accounting for 30% of cases. Tech brands, including those in general tech and crypto, made up another 19%, bringing the combined total to 49%. This indicates that hackers tend to focus on profiles closely aligned with the crypto industry. 

Celebrities were the second most targeted group at 33%, suggesting that attackers also favor individuals with dedicated fan bases who may be more likely to trust and act on their crypto-related endorsements, even if those figures lack direct expertise.

 Meanwhile, government agencies, consumer brands, and communities were the least targeted, each representing just 5% of cases. The average follower count across all victim types was 2.3 million. [1]

Attack vectors

Note: Numbers are rounded. 

The most common attack vectors were X (75%), YouTube (19%), and official websites (5%). Notably, none of the communication platforms most closely associated with Web3—such as Discord and Telegram—were exploited in these attacks.

These channels were compromised through various methods, including phishing links sent via direct messages and vulnerabilities in two-factor authentication. The prevalence of these attacks highlights the need for a broader approach to crypto security. Companies must go beyond safeguarding on-chain assets and ensure that their Web2 communication channels are equally secure against exploitation.

Typologies

Note: Numbers are rounded.

There were two main typologies:

  • Rug pull - In this attack typology, which comprised 44% of attacks, hackers exploit the influence of compromised accounts to persuade their followers to buy a meme coin—similar to the $MBAPPE hack. All documented attacks of this nature in 2024 took place on the Solana blockchain, where tools like pump.fun have made it remarkably easy to launch and promote meme coins, including fraudulent ones. The attackers' goal is straightforward: artificially inflate the coin’s price through hype, then sell their holdings at the peak, triggering a sharp collapse in value.
    When assessing financial impact, news sources sometimes extrapolate losses based on how much an individual investor or several investors was defrauded. However, a more accurate and consistent metric may be the peak market capitalization of the meme coin before it crashed. Since these coins typically lose 99% of their value after the exit, measuring peak market cap provides a clearer picture of the total amount at risk. The market capitalization ranged from a low of $8,100 to a high of $460 million. [2]
  • Phishing - This attack typology, which also accounted for 44% of incidents, involved hackers leveraging the influence of compromised accounts to lure followers into clicking on malicious links. The most common tactics included fake giveaways, token airdrops, and fraudulent investment schemes—sometimes featuring well-known tokens like $XRP, and other times using entirely fabricated ones, such as the Lego coin. [3]
    Unlike the rug-pull typology, these attacks do not involve launching a token or meme coin. Instead, the sole objective is to trick users into clicking the link, leading to theft of personal information or malware installation, which can ultimately drain the victim’s crypto wallets.
  • Miscellaneous - A small portion of the attacks fell into other distinct categories. One notable example combined phishing and rug-pull tactics: it promoted an actual meme coin while simultaneously attempting to phish users. At least two attacks involved market manipulation: the SEC’s X (Twitter) account was compromised to artificially hype $BTC ahead of exchange-traded fund (ETF) approval, while the Gigantic-Cassocked-Rebirth account was exploited to promote lesser-known, low market-cap coins. Additionally, the account of Staci Warden, CEO of the Algorand Foundation, was hacked, but the primary intent appeared to be vandalism, rather than financial gain.

Conclusion    

The rise of social engineering-driven attacks underscores a critical shift in crypto crime—one that targets human psychology rather than technical vulnerabilities. By compromising influential figures and trusted platforms, hackers exploit credibility to manipulate investors at scale. As these attacks become more sophisticated, the industry must adopt a holistic approach to security, ensuring that both Web3 and Web2 infrastructure are fortified against manipulation.

While blockchain analytics can help track and mitigate financial losses, true prevention requires stronger authentication measures, increased awareness among both influencers and their fans, and rapid response strategies. The burden is on businesses, platforms, and individuals to recognize the risks and strengthen defenses against the next wave of social engineering threats.

[1] This figure was calculated through current follower count rather than historical follower count at time of attack. [2] These figures were taken from contemporaneous news articles about the attacks from those that included this data point. [3] This typology excludes spear phishing or any kind of phishing done on private channels, like email. We focused on phishing attempts that targeted the general public by hacking social media profiles or websites.