Based on a report from SlowMist, private key leaks have been identified as the chief contributor to cryptocurrency theft, resulting in 317 reports of stolen funds in Q3 2025. The total losses have led to $3.73 million in assets being successfully frozen or recovered in some cases.

Private Keys: A Core Weakness

The analysis indicates that many thefts stem from compromised credentials rather than sophisticated hacking. Unauthorized sellers continue to offer counterfeit hardware wallets which often contain fraudulent seed phrases, enabling attackers to access victims’ funds readily after they deposit their assets.

SlowMist recommends that users only buy hardware wallets from trustworthy vendors, generate seed phrases on the device itself, and conduct small test transfers before handling more significant amounts of money. Basic precautions such as checking the packaging’s integrity and avoiding pre-set recovery phrases are crucial in preventing financial losses.

New Phishing Techniques

Criminals are also evolving, employing phishing tactics and social engineering. The report covers a new phishing method known as EIP-7702 delegate phishing, where attackers manipulate accounts linked to contracts that drain assets once a transaction is started. Victims are misled into thinking they are performing usual operations while hidden permissions grant hackers access to their assets.

Reports indicate that social engineering remains a significant threat, particularly with scammers impersonating recruiters on LinkedIn. These fraudsters build rapport with candidates over weeks, convincing them to download malware or install malicious software. In one instance, such tactics led to losses exceeding $13 million.

Perseverance of Classic Scams

Traditional scams also remain effective. Fraudulent Google ads mimicking legitimate services like MistTrack have resulted in substantial losses through concealed authorization requests. Moreover, attackers have used abandoned Discord links from project documentation to mislead users.

Another method involves disguising malware commands as CAPTCHA verifications, tricking users into copying harmful code that steals wallet details and personal information.

SlowMist elucidates that cybercriminal activities in the Web3 environment often exploit ordinary user behavior rather than relying on intricate deception. Therefore, slowing down, validating sources, and avoiding shortcuts are essential practices in navigating a constantly shifting landscape of threats.