"I never thought it would happen to me."
That’s the phrase everyone mutters after a devastating loss. In Web3, where mistakes are permanent and funds irretrievable, this line isn’t cliché; it’s a warning.
When I saw Alexander Choi’s post on X, "I just got drained for $996,000… writing it out feels completely unreal", I paused. The man lost 150 wallets, wiped clean in a flash, nearly a million dollars gone in minutes.
It didn’t happen because of a smart contract glitch or a subtle exploit. It happened due to something far more insidious: social engineering.
This isn’t just a cautionary tale; it's a magnifying glass highlighting a critical flaw in Web3 security. If you think you're too savvy to fall for this… You might already be. Let’s break it down.
The Anatomy of the Attack
On September 2, Alexander received a DM from @SparkTokenSOL, a seemingly legitimate account with mutual followers, polished branding, and references to a real project founder. In our echo chambers of shared follows, that’s often enough to lower one’s defenses.
They introduced “Dan,” who spoke with a professional American accent. He delivered a sharp pitch via video call. If I can see them and hear their voice… surely it’s real, I thought.
A few days later, while Alexander planned a weekend trip, his phone lit up with alerts: hundreds of USDC transfers, and every Phantom and MetaMask wallet (150 of them) drained. $996,000 gone.
By the time the dust settled, he realized what had transpired: a devastating, human-engineered exploit.
Pause.
I know what you’re thinking: this can’t happen to me. But the truth is, it’s rarely the code that fails; it’s human judgment, and as Alex’s case illustrates, the data shows it.
A Growing, Human-Centric Threat
It’s tempting to treat this as an isolated incident. But the data says otherwise.
- In 2024, phishing was the most costly attack vector, accounting for over $1 billion across 296 incidents.
- In April 2025, CertiK reported $364 million in total Web3 losses, with $337 million attributed to phishing alone.
- In 2024, Web3 saw total losses of $2.3 billion across 760 incidents, with phishing leading as the costliest method at $1.05 billion.
- In Q3 2024 alone, the sector lost $730 million, including nearly $295 million from phishing scams.
The Human-First Threat
- AI-driven phishing and deepfake scams surged 456% between May 2024 and April 2025, exploiting voices, visuals, and fake credentials to deceive victims, according to the New York Post.
- According to an Investopedia report, phishing and deepfakes are cited as the top AI-driven security fears, prompting many to boost budgets and cybersecurity measures.
- Martin Lewis, a consumer advocate, reports that nearly 80% of scams originate online, especially through social media, and calls for regulators to act decisively.
State-Backed Social Engineering
- The North Korea-linked Lazarus Group alone stole $659 million in crypto during 2024 using advanced social engineering and malware deployment, including impersonation and job-offer lures.
Unpacking Alex’s Hack: Where the Mistake Happened
This wasn’t about code; it was psychology.
- Familiarity Bias
Mutual followers create a false sense of safety. We see “friends in common” and think, “this must be legit.” Attackers exploit that trust shortcut.
- Trust via Voice & Video
The human brain is built to trust faces. A polished accent and presence can dismantle skepticism unless there's cryptographic proof.
- Single Point of Failure
Having all wallets accessible in one place is a design flaw. If one layer fails, everything collapses.
Where Web3 Security Fails
We’ve over-engineered code protection while under-engineering human security. Smart contracts can be bulletproof, but it only takes one convincing call to undo it all.
Here’s what professionals and every serious Web3 user should adopt immediately:
1. Always Host Your Own Calls
Take control of the virtual environment. You create the meeting link. Own the setup. No surprise overlays, no trap files.
2. Demand Cryptographic Identity
Never rely on visuals or branding. Ask for a signed message from an official on-chain address. That’s proof.
3. Segment Wallets Strategically
Tier your wallets:
- Hot Wallets: daily use (small amounts)
- Warm Wallets: medium-term
- Cold/Hardware Wallets: vault storage
4. Use Multisig for Critical Funds
Require multiple keys to authorize transfers. One compromised key doesn’t drain it all.
5. Leverage Air-Gapped Devices
Offline environments remain unphishable. No screen, no click, no risk.
6. Build a Culture of Verification
Treat every contact as potentially hostile unless proven otherwise. Not paranoia, but professional responsibility.
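Point 2 above is the one step that can actually be automated, so here is an added example (not from the original post, and not Phantom's or any project's code) of what "ask for a signed message from an official on-chain address" looks like as a check for a Solana-style address: the verifier picks a fresh nonce, the counterparty signs the resulting challenge, and the signature is verified against the address taken from the project's published source rather than from the person on the call. The base58 codec and the challenge format are my own construction; the ed25519 primitives are Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
	"math/big"
	"strings"
)

// Base58 alphabet of Solana addresses, which are raw 32-byte ed25519 public keys.
const b58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

// EncodeBase58 renders bytes as a Solana-style address; each leading zero byte becomes a '1'.
func EncodeBase58(b []byte) string {
	n, rem, out := new(big.Int).SetBytes(b), new(big.Int), []byte{}
	for n.Sign() > 0 {
		n.DivMod(n, big.NewInt(58), rem)
		out = append([]byte{b58[rem.Int64()]}, out...)
	}
	return strings.Repeat("1", len(b)-len(bytes.TrimLeft(b, "\x00"))) + string(out)
}

// DecodeBase58 reverses EncodeBase58 and rejects characters outside the alphabet.
func DecodeBase58(s string) ([]byte, error) {
	n, zeros := new(big.Int), len(s)-len(strings.TrimLeft(s, "1"))
	for _, c := range s {
		i := strings.IndexRune(b58, c)
		if i < 0 {
			return nil, fmt.Errorf("invalid base58 character %q", c)
		}
		n.Mul(n, big.NewInt(58)).Add(n, big.NewInt(int64(i)))
	}
	return append(make([]byte, zeros), n.Bytes()...), nil
}

// Challenge is the text to sign (my own format): the verifier picks the nonce and names itself and the purpose, so a signature collected in another conversation cannot be replayed here.
func Challenge(verifier, purpose string, nonce [16]byte) []byte {
	return []byte(fmt.Sprintf("address-proof for %s | purpose=%s | nonce=%x", verifier, purpose, nonce[:]))
}

// VerifyClaim is true only if sig is a valid ed25519 signature over msg by the key behind
// officialAddr. Take officialAddr from a source trusted out of band, never from the claimant.
func VerifyClaim(officialAddr string, msg, sig []byte) (bool, error) {
	pub, err := DecodeBase58(officialAddr)
	if err != nil || len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false, fmt.Errorf("malformed address or signature (decode error: %v)", err)
	}
	return ed25519.Verify(ed25519.PublicKey(pub), msg, sig), nil
}
```

A signature that verifies only proves control of the key at that moment; it says nothing about whether the address you compared against really is the project's, which is why that address has to come from a channel you already trust.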
Sophisticated Deepfake Era
This isn’t ancient history. In one high-profile case in 2024, a Genesis creditor lost $243 million due to phishing via impersonation of Google and Gemini support.
Meanwhile, deepfakes of public figures like Prince William are being used in ads promoting fake crypto trading schemes, reaching hundreds of thousands, according to The Times.
We stand at a point where faces, voices, and credentials can be faked at scale. The only ground truth left is cryptography.
It’s All Gone
Beyond the six-figure hit, the emotional toll is immeasurable. Watching funds drain in real-time, knowing there's no undo button, it shakes trust to the core.
Security is not just technical; it's emotional. It's the peace of mind that your assets are safe and your trust validated. Once taken, it's nearly impossible to rebuild.
Which is why prevention isn't optional; it’s essential.
Conclusion
Alexander’s loss isn’t just his story; it’s ours. It shows how Web3 doesn’t forgive mistakes, even by experienced users.
The real exploit wasn't in the blockchain; it was in our heads.
So here’s what I urge anyone reading this to do, whether you're a small-holder or a fund manager:
Don’t trust because something feels familiar. Verify: cryptographically, systematically.
Segment your assets. Host your environments. Use multisig. Build a security-first culture because in Web3, trust isn't a feeling.
Trust is what you can verify.