
Social Engineering Threats in Crypto: Lessons From the MGM BlackCat Ransomware Attack

The September 2023 ransomware attack on MGM Resorts by the BlackCat (ALPHV) group and its affiliate Scattered Spider delivered a masterclass in social engineering that every cryptocurrency user and organization should study. While MGM is not a crypto company, the attack techniques deployed — voice phishing, credential harvesting, and identity impersonation — are the same methods increasingly used to compromise crypto exchange accounts, wallet services, and DeFi platforms. With Bitcoin hovering around $27,021 and Ethereum at $1,652, the crypto ecosystem holds hundreds of billions of dollars in value, making it an irresistible target for the same threat actors.

The Threat Landscape

The MGM attack began with a simple phone call. Scattered Spider, a subgroup affiliated with the ALPHV/BlackCat ransomware-as-a-service operation, used voice phishing — also known as vishing — to trick an MGM IT help desk employee into providing credentials. From that initial foothold, the attackers escalated privileges, moved laterally through the network, and deployed ransomware that disrupted MGM operations for days. The estimated cost exceeded $100 million in damages and lost revenue.

This attack pattern maps directly onto the crypto threat landscape. Exchange support desks are routinely targeted by social engineers attempting to bypass two-factor authentication, reset passwords, or authorize fraudulent withdrawals. Hardware wallet companies have faced phishing campaigns impersonating their support teams to trick users into revealing seed phrases. DeFi protocol governance forums have been infiltrated by attackers building trust over weeks before proposing malicious contract upgrades.

The convergence of traditional cybercrime techniques with crypto-specific attack vectors creates a particularly dangerous environment. Attackers no longer need to find zero-day vulnerabilities in smart contracts when they can simply call an employee and ask for their password. The human element remains the weakest link in every security chain, regardless of how sophisticated the underlying technology.

Core Principles

Defending against social engineering attacks requires adherence to several fundamental security principles. First, never trust unsolicited communications. Whether it is a phone call from someone claiming to be exchange support, an email about a wallet security update, or a direct message on Telegram offering technical assistance, always verify the identity of the person contacting you through an independent channel. Call the official support number from the company website rather than accepting calls from unknown numbers.

Second, implement defense in depth. No single security measure is sufficient. Combine hardware security keys for two-factor authentication, unique passwords managed through a reputable password manager, withdrawal whitelist restrictions, and anti-phishing codes on all exchange accounts. The goal is to ensure that compromising any single element does not grant an attacker full access to your funds.

Third, understand the principle of least privilege. Do not keep more funds on any exchange or in any hot wallet than necessary for immediate operations. The vast majority of your crypto holdings should reside in cold storage, preferably across multiple hardware wallets stored in separate secure locations. This limits the damage from any single social engineering success.

Tooling and Setup

Building a robust defense against social engineering requires specific tools and configurations. Start with a hardware security key, such as a YubiKey, configured as your primary two-factor authentication method for all exchange accounts. Unlike SMS-based 2FA, which is vulnerable to SIM swapping attacks, hardware keys require physical possession and cannot be intercepted remotely.

Set up a dedicated password manager like Bitwarden or 1Password with unique, randomly generated passwords for every crypto-related service. Enable anti-phishing codes on exchanges that support them — these are custom text strings included in all legitimate emails from the platform, making it easy to identify fraudulent communications.
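The anti-phishing code check described above can be automated for a saved message. This is an added example, not code from the article or from any exchange, and it goes one step further by also checking the sender domain and link hosts. The domain `exchange.example`, the code `blue-heron-42`, the function names and the three sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed values: the exchange's real domain and the code you set in its settings.
EXPECTED_DOMAIN = "exchange.example"
ANTI_PHISHING_CODE = "blue-heron-42"

def in_domain(host):
    """True for the expected domain or one of its subdomains, not look-alikes."""
    host = (host or "").lower().rstrip(".")
    return host == EXPECTED_DOMAIN or host.endswith("." + EXPECTED_DOMAIN)

def body_text(msg):
    """Join every text/* part so the code is found in plain-text or HTML bodies."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode("utf-8", "replace"))
    return "\n".join(chunks)

def check_email(raw_message):
    """Return the reasons to distrust a message; an empty list means it passed."""
    msg = message_from_string(raw_message)
    body = body_text(msg)
    reasons = []
    # parseaddr ignores the display name, which an attacker controls freely.
    _, addr = parseaddr(msg.get("From", ""))
    if not in_domain(addr.rpartition("@")[2]):
        reasons.append("sender domain mismatch")
    # The From header can be forged, so the shared code is the stronger signal.
    if ANTI_PHISHING_CODE not in body:
        reasons.append("anti-phishing code missing")
    # A leaked or guessed code does not make an off-domain link legitimate.
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        if not in_domain(urlsplit(url).hostname):
            reasons.append("off-domain link: " + url)
    return reasons

# Constructed sample messages (not real traffic).
LEGIT = ("From: Exchange Support <no-reply@exchange.example>\nSubject: Login\n\n"
         "Anti-phishing code: blue-heron-42\nReview: https://www.exchange.example/security\n")
SPOOFED = ("From: \"exchange.example Support\" <help@exchange-example.test>\nSubject: Urgent\n\n"
           "Verify now: https://exchange.example.login.test/verify\n")
LEAKED = ("From: no-reply@exchange.example\nSubject: Withdrawal hold\n\n"
          "Anti-phishing code: blue-heron-42\nCancel: https://exchange-example.test/cancel\n")
```

The `LEAKED` sample shows why the code alone is not proof of authenticity: a forged sender and a copied code still fail on the link host.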

For advanced users, consider implementing a multi-signature wallet setup for large holdings, requiring multiple devices or individuals to authorize transactions. This adds a critical layer of protection against social engineering, as an attacker would need to compromise multiple independent parties simultaneously.

Ongoing Vigilance

Social engineering attacks evolve constantly. The techniques used in the MGM attack were relatively simple but devastatingly effective. Stay informed about emerging threat patterns by following security research from organizations like SlowMist, CertiK, and ReversingLabs. Regularly review and update your security configurations, and conduct periodic audits of your own practices. Consider running simulated phishing tests on yourself or your organization to identify vulnerabilities before real attackers do.

Pay particular attention to periods of market volatility or major news events, as attackers frequently exploit these moments of heightened attention and urgency. The period following the CoinEx hack in September 2023 saw a surge in phishing campaigns impersonating security alerts from various exchanges. Recognizing these patterns is essential for maintaining effective defenses.

Final Takeaway

The MGM BlackCat attack demonstrated that even organizations with substantial security budgets can be compromised through social engineering. For individual crypto users and smaller organizations with limited security resources, the lesson is clear: your security is only as strong as your willingness to follow rigorous operational security practices consistently. Invest in proper tools, establish clear security procedures, and remain perpetually skeptical of unsolicited communications. In the cryptocurrency ecosystem, where transactions are irreversible and there is no customer service department to reverse fraudulent transfers, prevention is your only reliable defense.

Disclaimer: This article is for educational purposes only and does not constitute professional security advice. Always consult with cybersecurity professionals for comprehensive security assessments.


9 thoughts on “Social Engineering Threats in Crypto: Lessons From the MGM BlackCat Ransomware Attack”

    1. paranoid is the right default. most people treat their phone like it's harmless and that's exactly what social engineers exploit

  1. Hassan Al-Farsi

    Scattered Spider is scary good at social engineering. they've hit multiple targets using the same vishing playbook and it keeps working

    1. because help desk workers aren't trained to deal with determined attackers. one friendly voice and the credentials are gone

    2. Hassan Al-Farsi scattered spider keeps working because help desks are judged on resolution speed not security verification. until that incentive flips nothing changes

    3. vishing_victim

      it's not even sophisticated. they just sound confident and use internal jargon. help desk workers are trained to be helpful, not suspicious

  2. the parallel to crypto exchanges is direct. one compromised help desk ticket at a custodian and the hot wallet is gone. happened at least twice in 2023

  3. vishing works because attackers exploit the human instinct to be helpful. no amount of MFA stops someone from handing over their credentials voluntarily
