The scheme routed funds through over 75 shell company accounts before moving them overseas. This case is part of a broader surge in crypto-related cybercrime, with tactics ranging from phishing messages posing as major exchanges to malware hidden in pirated software. Experts warn that human error is still the weakest link, with scammers often exploiting users for their wallet recovery phrases. Meanwhile, the recent $8.4 million exploit of the Zoth Protocol shed some light on the ongoing vulnerabilities in DeFi due to leaked admin privileges and poor contract security.
US to Return $7M to Victims of Crypto Scam
US authorities are working to return $7 million to the victims of a sophisticated social engineering scam that lured people into sending money to fraudulent crypto investment platforms. According to a statement that was released by the Eastern District of Virginia’s US Attorney’s Office on March 21, the scam began with fraudsters gaining the trust of victims before directing them to websites posing as legitimate crypto investment platforms. After victims deposited their funds, the money was quickly routed through more than 75 bank accounts tied to shell companies and then sent abroad under the guise of domestic wire transfers.
These fraudulent platforms falsely claimed that users were generating large returns on their investments. When victims then tried to withdraw funds, they were met with coercive tactics from the scammers, who demanded additional payments. This was very often done under the pretense of taxes owed on alleged profits.
In 2023, the United States Secret Service managed to seize some of the stolen funds from a foreign bank and started a civil forfeiture process through a US District Court. Although the foreign bank made a claim on the funds, a settlement was eventually reached that allowed for $7 million to be returned to victims. Affected individuals were encouraged to contact the Secret Service to petition for reimbursement.
This case is part of a broader trend in the crypto space, where cybercrime has become even more organized and professional. Chainalysis shared in its 2025 Crypto Crime Report that sophisticated cyber syndicates now dominate the landscape.
On the same day as the US Attorney’s announcement, Australian federal police reported having to notify 130 people about a scam message campaign spoofing the sender IDs of major exchanges like Binance. Similarly, users on X reported a series of scam messages on March 14 that mimicked Coinbase and Gemini. The main goal of these messages was to deceive recipients into creating new wallets using recovery phrases that were already known to the scammers.
Even more threats have emerged from more advanced tactics. On March 18, cybersecurity firm Malwarebytes warned of a new form of crypto-stealing malware embedded in a pirated version of TradingView Premium. A day earlier, Microsoft’s Incident Response Team revealed that a remote access trojan was deployed by cybercriminals to target crypto held in 20 different Chrome wallet extensions.
Scammers Still Outsmarting Crypto Users
Crypto wallet providers and cybercriminals are also still locked in a constant tug-of-war, according to Ian Rogers, the chief experience officer at Ledger. In a recent interview, Rogers described the dynamic as a "cat and mouse game," with wallet firms continuously upgrading security measures while hackers simultaneously evolve their tactics to exploit vulnerabilities. Despite the many advances in wallet technology, the most effective scams are often the simplest, as they rely on human error rather than technical sophistication.
Rogers shared that scammers frequently manipulate users into giving away their 24-word recovery phrases through direct messages or deceptive replies under cryptocurrency-related social media posts. “Anyone who asks for your 24 words is a criminal,” he warned, and he also stressed just how important it is to stay vigilant over any other security measure. These scams are commonly disguised as customer support or assistance messages, particularly on platforms like Twitter.
Adding to the complexity, scammers sometimes hijack high-profile accounts to distribute malicious links, making fraudulent messages appear more credible. In one incident in September of 2023, Ethereum co-founder Vitalik Buterin's account was compromised, which led to a fake NFT giveaway that ultimately drained more than $691,000 from unsuspecting users.
Jason Jiang, chief business officer at blockchain security firm CertiK, also believes in the growing importance of social media awareness in combating phishing attacks. As scammers leverage increasingly sophisticated social engineering techniques, the cost and scale of attacks continue to rise. In 2024 alone, crypto-related hacks surged by 15% from the previous year, with more than $3 billion in assets stolen.
Among the most concerning threats is the rise of “pig butchering” scams, which involve long-term manipulation and emotional grooming to convince victims to willingly hand over their assets. These scams inflicted massive damage across the Ethereum network and contributed to an estimated $5.5 billion in losses over 200,000 cases in 2024.
Zoth Protocol Hacked via Admin Privilege Leak
More recently, real-world asset re-staking protocol Zoth fell victim to a major exploit that resulted in more than $8.4 million in losses and forced the platform into maintenance mode. On March 21, blockchain security firm Cyvers detected a suspicious transaction involving Zoth, and revealed that the deployer wallet was compromised. The attacker very quickly withdrew the crypto assets, converted them into DAI stablecoin, and transferred the funds to a separate address.
In response, Zoth confirmed the security breach through an official notice and stated that it is working with partners to mitigate the damage and fully resolve the issue. The platform also promised to release a detailed incident report once its investigation is complete. Blockchain analytics firm PeckShield later reported that the stolen assets were moved and swapped into Ethereum.
According to Cyvers, the attack was likely the result of leaked administrative privileges. Hakan Unal, senior SOC lead at Cyvers Alerts, explained that about 30 minutes before the hack was identified, a Zoth smart contract was upgraded to a malicious version by a suspicious address. This move bypassed standard security measures and gave the attacker immediate and full control over user funds.
Unal explained that this type of exploit feeds on persistent weaknesses in smart contract systems, particularly around admin-level permissions. He mentioned that the damage could have been prevented with stronger protections like multisig contract upgrade mechanisms, timelocks for added transparency, real-time alerts for admin changes, and improved key management practices.
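The controls Unal lists (a trusted upgrade authority, a timelock, and alerts on admin changes) can be checked by a monitor that audits a proxy's decoded event stream; the following is an added example, not code from Zoth, Cyvers or the article. The event names, the addresses, the sample events and the 48-hour minimum delay are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Iterable

# Policy (assumed): an upgrade must have been announced at least 48h before execution.
MIN_DELAY = 48 * 3600

# Only this address (a placeholder for a multisig-controlled timelock) may upgrade or be admin.
TRUSTED_ADMINS = {"0xMULTISIG_TIMELOCK"}


@dataclass
class Event:
    """One decoded proxy log entry (constructed shape, modelled on ERC-1967 style events)."""
    name: str            # "UpgradeScheduled", "Upgraded" or "AdminChanged"
    sender: str          # address that sent the transaction emitting the event
    timestamp: int       # block timestamp, unix seconds
    args: dict = field(default_factory=dict)


def audit_upgrades(events: Iterable[Event]) -> list[str]:
    """Return alert strings for upgrades or admin changes that violate the policy."""
    alerts: list[str] = []
    scheduled: dict[str, int] = {}  # implementation address -> time it was announced
    for ev in events:
        if ev.name == "UpgradeScheduled":
            scheduled[ev.args["implementation"]] = ev.timestamp
        elif ev.name == "Upgraded":
            impl = ev.args["implementation"]
            if ev.sender not in TRUSTED_ADMINS:
                alerts.append(f"CRITICAL t={ev.timestamp}: upgrade to {impl} by untrusted {ev.sender}")
            announced = scheduled.get(impl)
            if announced is None:
                alerts.append(f"CRITICAL t={ev.timestamp}: upgrade to {impl} was never announced (timelock bypassed)")
            elif ev.timestamp - announced < MIN_DELAY:
                alerts.append(f"HIGH t={ev.timestamp}: upgrade to {impl} only {ev.timestamp - announced}s after announcement")
        elif ev.name == "AdminChanged" and ev.args["new_admin"] not in TRUSTED_ADMINS:
            alerts.append(f"CRITICAL t={ev.timestamp}: proxy admin moved to untrusted {ev.args['new_admin']}")
    return alerts


# Constructed sample stream: one compliant upgrade, then an unannounced upgrade
# by an unknown address followed by an admin takeover, the pattern described above.
SAMPLE_EVENTS = [
    Event("UpgradeScheduled", "0xMULTISIG_TIMELOCK", 1_700_000_000, {"implementation": "0xIMPL_V2"}),
    Event("Upgraded", "0xMULTISIG_TIMELOCK", 1_700_000_000 + 3 * 24 * 3600, {"implementation": "0xIMPL_V2"}),
    Event("Upgraded", "0xATTACKER_EOA", 1_700_500_000, {"implementation": "0xMALICIOUS_IMPL"}),
    Event("AdminChanged", "0xATTACKER_EOA", 1_700_500_010,
          {"previous_admin": "0xMULTISIG_TIMELOCK", "new_admin": "0xATTACKER_EOA"}),
]

if __name__ == "__main__":
    for line in audit_upgrades(SAMPLE_EVENTS):
        print(line)
```

The compliant upgrade produces no alert; the unannounced upgrade by an untrusted sender and the admin change produce three CRITICAL alerts, which is the signal a SOC would want roughly 30 minutes before funds move.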
Despite preventative options, Unal warned that such admin key compromises will likely stay a persistent risk in the DeFi ecosystem. As long as centralized control points exist without sufficient oversight, attackers will continue to target privileged roles in their efforts to take over protocols.