AMLBot: Social Engineering Accounted for 65% of Crypto Fraud Cases Investigated in 2025
Crypto did not get "hacked" as much in 2025 as people think. According to AMLBot's internal investigation stats, the real exploit was the user, with social engineering linked to 65% of the cases the firm probed last year.
That headline number matters because it flips the usual narrative. Smart contract bugs and chain-level vulnerabilities still exist, but AMLBot says most of what crossed its desk came down to access and response failures: compromised devices, weak verification, impersonation, and slow detection, rather than some wizard finding a critical flaw in a blockchain.
What AMLBot actually reported (and what it does not)
AMLBot is a blockchain analytics and investigations outfit, so its dataset is not "all of crypto crime." It is the slice of incidents that reached AMLBot and were investigated, which can skew toward retail-heavy cases and recoverability work. Still, the breakdown is a useful signal because it is grounded in casework, not vibes.
The key datapoint
- 65% of investigated incidents in 2025 involved social engineering and access or response failures, per AMLBot.
- The remaining 35% were cases where the primary issue was not social engineering (typically more technical compromise patterns, contract-level issues, or other fraud types).
The framing is important. AMLBot is not saying blockchains became secure overnight. It is saying criminals are increasingly choosing the cheapest path to funds, and the cheapest path is often a human being under pressure, not a hardened smart contract.
Why scammers went human first in 2025
Social engineering scales because it exploits routine behaviour: DMs, email, search ads, fake support chats, rushed "KYC" requests, and "urgent" wallet migrations. If you can convince a user to sign a malicious transaction, reveal a seed phrase, or install remote access software, you bypass a lot of on-chain security altogether.
AMLBot's "access and response failures" bucket is basically the full lifecycle of how most people lose funds:
- Access gets compromised (device, SIM, email, password manager, cloud backups, browser extensions).
- Verification is weak (no hardware key, no withdrawal allowlist, no address book, no out-of-band checks).
- Detection is delayed (victim notices hours later, support queues, slow account freezes).
- Funds are already in motion (bridged, swapped, peeled, or sent to deposit addresses).
This is why the crime mix can skew toward impersonation and "support" scams. It is not clever, it is just effective.
The on-chain footprint: social engineering still leaves tracks
Even when the entry point is off-chain, the cash out is on-chain, and it often looks familiar:
Common post-theft patterns investigators see
- Rapid consolidation: multiple victim inflows into a smaller set of collector wallets.
- Peel chains: repeated transfers where a portion is shaved off each hop to complicate tracing.
- Asset switching: swapping into highly liquid assets (often stablecoins) to reduce volatility and improve exit options.
- Cross-chain movement: bridging to other networks where monitoring is weaker or where preferred off-ramps exist.
- Deposit address clustering: funds flowing into addresses associated with centralised exchanges, brokers, or high-turnover services.
None of that requires a protocol exploit. It only requires a victim to approve one transaction or to lose control of an account long enough for withdrawals to clear.
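The consolidation and peel-chain patterns above can be picked up with simple graph heuristics over transfer records. The following is an added example for this article, not AMLBot's tooling or anything it published: it runs over a constructed set of transfers (address labels, amounts and timestamps are all made up) and flags collector wallets that receive several distinct inflows inside a time window, follows bulk-forward edges to recover a peel chain, and lists where the shaved slices went so they can be checked against known deposit address clusters. The thresholds (three sources within an hour, 80% forwarded per hop, three hops minimum) are assumptions an investigator would tune.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    src: str
    dst: str
    amount: int   # stablecoin units, constructed
    ts: int       # unix seconds, constructed


# Constructed sample: three victims pay into one collector wallet within an
# hour, then the collector runs a four-hop peel chain, shaving a small slice
# to exchange deposit addresses at every hop. Addresses are labels, not real.
SAMPLE = [
    Transfer("t01", "victim_a", "collector", 100, 1000),
    Transfer("t02", "victim_b", "collector", 50, 1500),
    Transfer("t03", "victim_c", "collector", 75, 2000),
    Transfer("t04", "alice", "bob", 20, 1200),            # unrelated benign payment
    Transfer("t05", "collector", "cex_dep_a", 10, 3000),  # peel slice
    Transfer("t06", "collector", "peel1", 215, 3000),     # bulk forwarded
    Transfer("t07", "peel1", "cex_dep_b", 10, 3500),
    Transfer("t08", "peel1", "peel2", 205, 3500),
    Transfer("t09", "peel2", "cex_dep_a", 10, 4000),
    Transfer("t10", "peel2", "peel3", 195, 4000),
    Transfer("t11", "peel3", "cex_dep_b", 10, 4500),
    Transfer("t12", "peel3", "peel4", 185, 4500),
]


def find_collectors(transfers, min_sources=3, window_s=3600):
    """Rapid consolidation: addresses receiving inflows from at least
    `min_sources` distinct senders inside any `window_s` window.
    Returns {address: distinct_source_count}."""
    inflows = defaultdict(list)
    for t in transfers:
        inflows[t.dst].append((t.ts, t.src))
    flagged = {}
    for addr, events in inflows.items():
        events.sort()
        for i, (start_ts, _) in enumerate(events):
            srcs = {s for ts, s in events[i:] if ts - start_ts <= window_s}
            if len(srcs) >= min_sources:
                flagged[addr] = len(srcs)
                break
    return flagged


def _outgoing(transfers):
    out = defaultdict(list)
    for t in transfers:
        out[t.src].append(t)
    return out


def _peel_step(addr, out, min_forward_share):
    """If `addr` forwards most of what it sends to one address and the rest
    elsewhere, return that bulk-forward destination; otherwise None."""
    txs = out.get(addr, [])
    if len(txs) < 2:
        return None
    bulk = max(txs, key=lambda t: t.amount)
    if bulk.amount / sum(t.amount for t in txs) >= min_forward_share:
        return bulk.dst
    return None


def find_peel_chains(transfers, min_hops=3, min_forward_share=0.8):
    """Follow bulk-forward edges from each chain head; report chains of at
    least `min_hops` hops as lists of addresses."""
    out = _outgoing(transfers)
    forward_targets = {_peel_step(a, out, min_forward_share) for a in out}
    chains = []
    for start in out:
        if start in forward_targets:   # mid-chain address, not a head
            continue
        chain, seen = [start], {start}
        nxt = _peel_step(start, out, min_forward_share)
        while nxt is not None and nxt not in seen:
            chain.append(nxt)
            seen.add(nxt)
            nxt = _peel_step(nxt, out, min_forward_share)
        if len(chain) - 1 >= min_hops:
            chains.append(chain)
    return chains


def peel_destinations(chain, transfers):
    """Addresses that received the shaved slices along a chain; these are the
    candidates to match against known exchange deposit clusters."""
    out = _outgoing(transfers)
    dests = []
    for addr in chain:
        txs = out.get(addr, [])
        if len(txs) < 2:
            continue
        bulk = max(txs, key=lambda t: t.amount)
        dests.extend(t.dst for t in txs if t is not bulk)
    return dests


if __name__ == "__main__":
    print("collectors:", find_collectors(SAMPLE))
    for chain in find_peel_chains(SAMPLE):
        print("peel chain:", " -> ".join(chain))
        print("slices went to:", peel_destinations(chain, SAMPLE))
```

On the constructed data this reports `collector` as a consolidation point with three sources, recovers the chain `collector -> peel1 -> peel2 -> peel3 -> peel4`, and shows the slices landing on two deposit-style addresses, which is exactly the handoff point where a freeze request to the receiving service has a chance of working.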
Impersonation, fake support, and "verification" traps
AMLBot's emphasis on social engineering lines up with what independent on-chain investigators have been shouting about for a while: criminals love the "helpdesk" angle because it weaponises trust.
Typical setups include:
- Fake exchange support on X, Telegram, and Google results: the user searches for support, lands on a sponsored ad or lookalike site, then gets walked into handing over credentials or signing a transaction.
- KYC refresh and compliance theatre: "Your account will be closed unless..." scams that funnel users into malicious forms or wallet connects.
- Address poisoning and clipboard hijacking: the attacker aims for one wrong paste, one wrong last-four check, and the money is gone.
- Remote access tools: the scammer "assists" while silently capturing seed phrases or approving withdrawals.
Separate reporting and community investigations have also pointed to significant losses tied to these tactics, including claims that Coinbase users collectively lost tens of millions of dollars to social-engineering-style scams. Whether every figure is exact is less important than the trend: brand impersonation works because users default to trust, especially under time pressure.
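The "one wrong last-four check" failure in the address poisoning bullet comes down to wallets and users comparing only the visible ends of an address. The snippet below is an added illustration, not code from the article or from any wallet vendor: it compares a pasted destination against a verified address book using the full string, and separately flags a lookalike that matches the head and tail of a trusted entry but differs in the middle. The addresses are constructed 40-hex-digit strings with no real-world meaning, and the four-character edge width is an assumption.

```python
# Constructed 40-hex-digit addresses (labels only, not real wallets).
TRUSTED_PREFIX, TRUSTED_SUFFIX = "1a2b", "9f8e"
ADDRESS_BOOK = {
    "0x" + TRUSTED_PREFIX + "abcdef0123456789abcdef0123456789" + TRUSTED_SUFFIX: "my cold wallet",
}
# A poisoned lookalike shares the visible head and tail but differs in the middle.
LOOKALIKE = "0x" + TRUSTED_PREFIX + "deadbeef" * 4 + TRUSTED_SUFFIX
UNRELATED = "0x" + "0" * 40


def classify_destination(pasted, address_book=ADDRESS_BOOK, edge=4):
    """Compare the full pasted address against a verified address book.
    Returns ("trusted", label), ("lookalike", label) or ("unknown", None).
    A wallet UI should send only on "trusted" and block "lookalike" outright,
    since it matches precisely the characters a user eyeballs."""
    p = pasted.strip().lower()
    for addr, label in address_book.items():
        a = addr.lower()
        if p == a:
            return ("trusted", label)
        head = 2 + edge if a.startswith("0x") else edge
        if len(p) == len(a) and p[:head] == a[:head] and p[-edge:] == a[-edge:]:
            return ("lookalike", label)
    return ("unknown", None)


if __name__ == "__main__":
    for candidate in (next(iter(ADDRESS_BOOK)), LOOKALIKE, UNRELATED):
        print(candidate[:8] + "..." + candidate[-4:], "->", classify_destination(candidate))
```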
Why this trend is a bit of a mess for "security theatre"
Crypto security discourse still over-indexes on smart contract audits and exploit post-mortems. Audits matter, but they do not stop:
- SIM swaps
- email takeovers
- fake support chats
- malicious wallet connections
- coerced transaction signing
Social engineering thrives in the gaps between products. A wallet can be secure, but if the user's device is compromised, or if they approve a malicious signature, the "security" is mostly theatre.
AMLBot's stat is effectively saying: the marginal attacker ROI is better targeting people than targeting protocols.
Practical defences that actually map to how people get drained
If the bulk of fraud is access and response failure, then the defence is mostly operational security (OPSEC) and transaction hygiene. Not exciting, but proper.
User level controls
- Use hardware wallets for meaningful size, and treat hot wallets like spending accounts.
- Turn on withdrawal allowlists where exchanges support them, and set time delays if available.
- Lock down email first (hardware security key, unique password, recovery options audited). Email is the master key to most accounts.
- Separate devices: one device for day-to-day browsing, another for signing if you can manage it.
- Never follow support links from ads or DMs, and never share seed phrases, ever.
Team and platform level controls (for projects and exchanges)
- Out-of-band verification for account recovery and high-risk withdrawals.
- Better impersonation monitoring (domain takedowns, brand protection, and rapid response).
- User education that focuses on signatures, not just "don't share your seed phrase." A malicious signature is the new seed leak.
- Faster incident response paths, because time is the enemy once funds move.
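The allowlist, time-delay and out-of-band items in the two lists above compose into a single withdrawal policy. The following is an added example written for this article, not an exchange's actual policy engine or anything AMLBot ships: it holds withdrawals to a newly added allowlist address until a cooling-off delay expires, locks withdrawals for a period after an account recovery event, and requires out-of-band confirmation above a value threshold. The delays and threshold are assumed values chosen to make the scenario readable.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed policy parameters (illustrative, not any exchange's real settings).
ALLOWLIST_ACTIVATION_DELAY_S = 24 * 3600   # new allowlist entries cool off for 24h
POST_RECOVERY_LOCK_S = 72 * 3600           # no withdrawals for 72h after account recovery
HIGH_RISK_AMOUNT = 10_000                  # at or above this, require out-of-band confirmation


@dataclass
class Account:
    allowlist: Dict[str, int]               # address -> timestamp when it becomes usable
    last_recovery_ts: Optional[int] = None  # last password/2FA reset or support-assisted recovery


@dataclass
class WithdrawalRequest:
    address: str
    amount: int
    now: int
    oob_confirmed: bool = False             # hardware-key or call-back confirmation completed


def add_to_allowlist(acct: Account, address: str, now: int) -> int:
    """Register an address but activate it only after the cooling-off delay,
    so someone holding a stolen session cannot add-and-drain in one sitting."""
    acct.allowlist[address] = now + ALLOWLIST_ACTIVATION_DELAY_S
    return acct.allowlist[address]


def evaluate_withdrawal(acct: Account, req: WithdrawalRequest) -> Tuple[str, str]:
    """Return ("allow" | "hold" | "deny", reason). A hold parks the request
    for review or until the relevant timer expires."""
    activates_at = acct.allowlist.get(req.address)
    if activates_at is None:
        return "deny", "destination not on withdrawal allowlist"
    if req.now < activates_at:
        return "hold", f"allowlist entry activates in {activates_at - req.now}s"
    if acct.last_recovery_ts is not None and req.now - acct.last_recovery_ts < POST_RECOVERY_LOCK_S:
        return "hold", "account recovered recently; withdrawals locked"
    if req.amount >= HIGH_RISK_AMOUNT and not req.oob_confirmed:
        return "hold", "out-of-band confirmation required for high-value withdrawal"
    return "allow", "policy checks passed"


if __name__ == "__main__":
    # Constructed scenario: a long-standing cold wallet on the allowlist, then
    # a brand-new address added at t=100000 and an immediate withdrawal attempt.
    acct = Account(allowlist={"cold_wallet": 0})
    add_to_allowlist(acct, "new_addr", 100_000)
    for req in (
        WithdrawalRequest("new_addr", 500, 100_000 + 3600),
        WithdrawalRequest("new_addr", 500, 100_000 + 24 * 3600),
        WithdrawalRequest("cold_wallet", 50_000, 100_000),
        WithdrawalRequest("cold_wallet", 50_000, 100_000, oob_confirmed=True),
    ):
        print(req.address, req.amount, "->", evaluate_withdrawal(acct, req))
```

The ordering of the checks is deliberate: the allowlist decision comes first because it is the cheapest and the most common failure, the recovery lock second because account recovery is the step impersonation scams most often abuse, and the out-of-band requirement last because it is the one that costs the legitimate user time.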
What would invalidate the takeaway (risk box)
AMLBot's 65% figure is a strong indicator, but it is not the whole market. Here is what would make the takeaway less applicable:
- Sample bias: AMLBot's casework may over-represent retail scams and under-represent protocol-level exploits that are handled privately or by other firms.
- Classification blur: "social engineering" often overlaps with malware, phishing infrastructure, and compromised browser extensions. Categories can get fuzzy fast.
- Regime change: a new wave of contract vulnerabilities, bridge failures, or novel MEV-style attacks could shift the balance back toward technical exploits.
For now, the clean read is simple: if you are still modelling crypto fraud as "hackers break code," you are already behind. The dominant attack surface in 2025 looked human, and the chain only shows you the exit.
