On April 28, 2025, blockchain investigator ZachXBT flagged a suspicious transfer of 3,520 Bitcoin, valued at approximately $330.7 million, marking the fifth-largest cryptocurrency theft in history. Unlike most headline-grabbing crypto heists that exploit smart contract vulnerabilities or compromised private keys, this attack relied entirely on psychological manipulation — a sophisticated social engineering campaign that preyed on an elderly American investor who had held over 3,000 BTC since 2017.
The Exploit Mechanics
The attackers employed a multi-layered social engineering strategy that unfolded over an extended period. Posing as trusted entities — potentially law enforcement or technical support representatives — the scammers slowly built credibility with the victim through repeated phone interactions. They leveraged classic manipulation tactics: asserting false authority, manufacturing urgency around fabricated account issues, and exploiting the natural instinct to comply with perceived institutional figures.
The victim, who had no previous record of substantial on-chain transactions, was ultimately persuaded to share sensitive wallet credentials during one of these interactions. Once access was granted, the attackers swiftly transferred 3,520 BTC in a single movement, converting the stolen funds through a carefully pre-planned laundering pipeline.
Affected Systems
The laundering operation was remarkably sophisticated and premeditated. The attackers used pre-registered accounts across more than six instant exchanges and over-the-counter desks, suggesting the infrastructure was in place well before the theft. The stolen Bitcoin was processed through a peel chain method — splitting large amounts into smaller, harder-to-trace portions routed through hundreds of wallets.
A significant portion of the BTC was quickly converted into Monero (XMR), a privacy-focused cryptocurrency designed to resist on-chain tracing. This conversion caused XMR to surge roughly 50% to approximately $339 within hours. Some Bitcoin was also bridged to Ethereum and deposited into various DeFi protocols, adding layers of obfuscation to the forensic trail. Blockchain analytics firm Hacken traced $284 million of the stolen BTC, though by that point it had been diluted to approximately $60 million after extensive peeling through obscure platforms.
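The peel chain method described above leaves a recognizable shape on-chain: a run of spends that each send a small amount to a new destination and pass the large remainder to a fresh address. The following Python sketch is an added example, not code from the investigators or the original article; it flags that shape in a constructed, simplified ledger. The function names, thresholds and sample transactions are all assumptions made for illustration.

```python
from collections import namedtuple

# Simplified model (assumption): one spending address per transaction and
# each address spends once. Real Bitcoin transactions can have many inputs.
Tx = namedtuple("Tx", "txid src outputs")  # outputs: [(address, amount_btc)]

# Constructed sample ledger, not data from the incident.
SAMPLE_TXS = [
    Tx("t1", "victim", [("A1", 3520)]),
    Tx("t2", "A1", [("X1", 20), ("A2", 3500)]),
    Tx("t3", "A2", [("X2", 35), ("A3", 3465)]),
    Tx("t4", "A3", [("X3", 15), ("A4", 3450)]),
    Tx("t5", "A4", [("X4", 1700), ("X5", 1750)]),  # even split, not a peel
]

def trace_peel_chain(txs, start_addr, max_peel_ratio=0.10, min_hops=3):
    """Follow two-output spends whose smaller output is at most
    max_peel_ratio of the total; return the hops, or [] if the run is
    shorter than min_hops (too short to call a peel chain)."""
    by_src = {tx.src: tx for tx in txs}
    hops, addr, seen = [], start_addr, set()
    while addr in by_src and addr not in seen:  # 'seen' guards against loops
        seen.add(addr)
        tx = by_src[addr]
        if len(tx.outputs) != 2:
            break
        (peel_to, peeled), (change_to, change) = sorted(
            tx.outputs, key=lambda out: out[1])
        total = peeled + change
        if total == 0 or peeled / total > max_peel_ratio:
            break
        hops.append({"txid": tx.txid, "peel_to": peel_to,
                     "peeled": peeled, "change_to": change_to})
        addr = change_to  # the large remainder carries the chain forward
    return hops if len(hops) >= min_hops else []

def peel_destinations(hops):
    """Addresses that received peeled funds: candidates to report to
    exchanges and OTC desks for a freeze request."""
    return [h["peel_to"] for h in hops]

if __name__ == "__main__":
    for hop in trace_peel_chain(SAMPLE_TXS, "A1"):
        print(hop)
```

The peeled outputs, rather than the large change outputs, are usually where funds reach a service that can act on a freeze request, which is why the example collects them separately.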
The Mitigation Strategy
Response efforts were swift but limited in their effectiveness given the attackers’ preparation. ZachXBT and Binance collaborated to freeze approximately $7 million of the stolen funds, a fraction of the total loss. Multiple exchanges were notified in real time, and investigators worked to identify the perpetrators. Analysts ruled out involvement from North Korea’s Lazarus Group, instead pointing to skilled independent hackers. Two suspects emerged from the investigation: an individual using the alias “X,” allegedly operating from the United Kingdom and believed to be of Somali origin, and an accomplice known as “W0rk.” Both reportedly scrubbed their digital footprints shortly after the theft.
Lessons Learned
This incident delivers a sobering reminder that the most robust technical security measures can be rendered useless by human vulnerability. The victim’s long-term holding pattern — accumulating BTC since 2017 without active trading — may have made them particularly susceptible to sophisticated manipulation. The crypto industry must recognize that social engineering attacks represent a threat vector equal in severity to smart contract exploits and exchange breaches.
At the time of the attack, Bitcoin traded at approximately $94,978 while Ethereum held at $1,798, according to CoinMarketCap data. The broader market context — with April 2025 recording $5.9 billion in total crypto losses across 10 incidents according to DeFi’s REKT database — underscores that security threats continue to evolve faster than defensive measures.
User Action Required
Crypto holders should immediately review their operational security practices. Never share wallet credentials, seed phrases, or private keys with anyone, regardless of their claimed authority. Use multi-signature wallets for significant holdings, consider using hardware wallets with passphrase protection, and verify any unusual requests through independent channels. If someone contacts you claiming to represent an exchange, wallet provider, or law enforcement, hang up and contact the organization directly through verified channels. The $330.7 million lost in this attack was not a failure of blockchain technology; it was a failure of human defenses.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult qualified professionals.
Education is still the biggest barrier to mainstream adoption
the multi week grooming process is what makes this so hard to prevent. no single red flag, just a slowly building relationship. your bank would flag a large transfer but crypto has no such circuit breaker
Bear markets are for building — and builders are delivering
The fundamental value proposition of crypto keeps getting stronger
330M stolen through phone calls. no smart contract exploit, no key compromise, just talking to someone for weeks until they handed over credentials. social engineering is the meta
The gap between crypto and TradFi is narrowing fast
Interesting perspective — I hadn’t considered that angle before
an elderly holder since 2017 with 3000+ BTC and zero on-chain history. exactly the profile these attackers profile for. patient, isolated, trusting of authority figures
ZachXBT flagged it but the BTC was already moving by then. 3520 BTC through a series of rapid transfers. once the credentials were shared the attacker moved faster than any monitoring could catch