How to protect your crypto from social engineering in 2026
Crypto security experts say most crypto exploits in the coming year won't happen because of a zero-day bug in your favorite protocol. It's going to be created by you.
Because 2025 showed that most hacks don't start with malicious code; They start with conversation, Nick Percoco, chief security officer of crypto exchange Kraken, told Cointelegraph.
“Aggressors aren't coming in, they're being invited in.”
From January to early December 2025, data from Chinalysis shows that the crypto industry saw more than $3.4 billion in thefts, with February's Bybit deal accounting for nearly half of the total.
During the attack, bad actors were able to gain access through social engineering, delivering malicious JavaScript payloads that allowed them to modify transaction details and destroy funds.
What is social engineering?
Social engineering is a cyberattack technique that tricks people into revealing confidential information or performing actions that compromise security.
Percoco says that the battlefield of crypto security will be in the mind, not in cyberspace.
“Security isn't about building high walls, it's about training your brain to detect fraud. The goal should be simple: Don't give away the keys to a castle just because someone looks like it's inside or it causes a panic.”
Tip 1: Use automation whenever possible
Supply chain compromise has proven to be a key challenge this year, Percoco says, as a seemingly small breach can turn out to be catastrophic later, “It's a digital Jenga tower, and the integrity of each block is at stake.”
In the coming year, Percoco recommends automating defenses while reducing human trust points and ensuring every digital interaction is “shifted from reactive defense to proactive defense.”
“The future of crypto security will be shaped by smarter identity verification and AI-driven threat detection. We're entering an era where systems can detect unusual behavior before the user or trained security analysts can sense something is amiss.”
“Especially in crypto, the weakest link remains human trust, greed and FOMO. It's a loophole that attackers use all the time. But no technology can replace good practices,” he said.
Tip 2: Silo out infrastructure
Lisa, who leads security operations at SlowMist, said this year that bad actors have targeted developer ecosystems, which combined with cloud-proof vulnerabilities, have created opportunities to inject malicious code, steal secrets and poison software updates.
“Developers can mitigate these risks by posting dependency versions, ensuring package integrity, isolating build environments, and reviewing updates before deployment,” she said.
As we move into 2026, Lisa predicts that the most significant threats will arise from increasingly sophisticated data-theft and social-engineering operations.
“Threat actors are using AI-generated deep fakes, custom phishing and fake developer experiments to obtain wallet keys, cloud credentials and signature tokens.
Lisa's advice to organizations to maintain security is strong access control, key rotation, hardware-based authentication, infrastructure segmentation, and anomaly detection and monitoring.
Individuals should rely on hardware wallets, avoid interacting with unverified files, check identities on independent channels, and be wary of unwanted links or downloads.
Tip 3: AI personality verification to combat deep fakes
Steven Wallbroehl, founder and chief technology officer of blockchain cybersecurity company Halborn, predicts that AI-enhanced social engineering will play a big role in crypto hackers' playbook.
In March, at least three crypto founders reported foiling an attempt by North Korean hackers to steal sensitive data through deeply fake hoaxes.
Walbroehl warns that hackers are using AI to create highly personalized context-aware attacks that go beyond traditional security awareness training.
To combat this, he suggests implementing hardware-based authentication with biometric linkage, atypical authentication systems based on standard transaction patterns, and authentication protocols using pre-shared secrets or phrases for all critical communications.
Tip 4: Keep your crypto to yourself.
Hacking attacks, or physical attacks on crypto holders, were also a major theme in 2025, according to Bitcoin OG and cypherpunk Jameson Lopps' GitHub list, with at least 65 recorded instances. In the year The last bull market peak in 2021 was the worst year on record, with a total of 36 strikes recorded.
Hacking attacks are still relatively rare, X user Bow, a former CIA officer, said in an X post on December 2, but he still advises crypto users to be careful not to talk about wealth or disclose crypto holdings or extravagant lifestyles online.
It also suggests being a “harder target” by using data-cleaning tools to hide personal information such as home addresses and investing in home defenses such as security cameras and alarms.
Tip 5: Ignore the tried and true safety tips
Security expert David Schwedt, who served as chief information security officer at Robinhood, said his top tip is to stick with reputable businesses that demonstrate proactive security practices, including rigorous and regular third-party security audits of everything from smart contracts to infrastructure.
But regardless of the technology, he said, users should avoid using the same password for multiple accounts, use hardware tokens as a multi-factor authentication method, and protect genealogy by securely encrypting it or storing it in a secure offline location.
It also recommends using a dedicated hardware wallet for critical holdings and minimizing exchange holdings.
RELATED: Spear Phishing Is North Korean Hackers' Main Tactic: How to Stay Safe
“Security hinges on the interactive layer. Users should be vigilant when connecting a hardware wallet to a new web application and properly verify the transaction data displayed on the hardware device's screen before signing. This prevents ‘blind signing' of harmful contracts,” Schwed added.
Lisa's top tips are to only use official software, avoid interactions with unverified URLs, and separate funds into hot, warm, and cold configurations.
To prevent the spread of scams such as social engineering and phishing, Kraken Percoco always recommends “extreme skepticism”, ensuring its authenticity and assuming that every message is a cognitive test.
“And there's one universal truth: No legitimate company, service or opportunity will ask for your lineage or login credentials. The moment they do, you're talking to a scammer,” Percoco added.
Meanwhile, Wallbroehl recommends generating keys using cryptographically secure random number generators, strict separation between development and production environments, regular security audits and disaster response planning as standard practices.
Magazine: When Privacy and AML Laws Collide: Crypto Projects' ‘Impossible Choice'
