Introduction

As the cryptocurrency industry matures and digital asset adoption grows, cybercriminals are refining their tactics to exploit new vulnerabilities, particularly those involving people, not just systems. This year, threat actors are increasingly targeting high-value individuals in the crypto space through highly personalized, voice-driven social engineering campaigns. These attacks go far beyond traditional phishing; they are meticulously planned, human-oriented operations that aim to bypass even the most robust technical safeguards.

In June, researchers at GK8 identified an emerging cybercrime threat. On a highly restricted underground forum, a well-established threat actor was recruiting experienced voice-based social engineering operatives to conduct targeted attacks against senior executives at leading U.S.-based cryptocurrency firms. In one of his posts, the actor claimed to possess a verified and curated dataset containing personally identifiable information (PII), including phone numbers, email addresses, and residential details, of senior executives holding critical roles in the crypto sector.

This report examines the actor’s tactics, the broader infrastructure behind these operations, and the steps financial institutions must take to defend against this new strain of socially engineered cybercrime.

An Alarming Trend

A new and deeply concerning pattern is emerging across restricted cybercriminal forums: In addition to broad, low-effort phishing tactics, threat actors are focusing on highly personalized social engineering campaigns that actively exploit human trust – using phone calls, deepfake content, and live impersonation. A recent forum post illustrates this shift clearly, with one actor actively recruiting skilled voice phishers for impersonation scams against high-value U.S.-based crypto executives.

In 2025 alone, several major breaches targeting crypto executives have underscored just how effective these new tactics can be.
Unlike typical phishing scams, these attacks demonstrate a profound grasp of the crypto ecosystem and executive vulnerabilities, employing tailored phishing and intricate social engineering tactics around specific individuals:

- Bybit: A social engineering attack on a third-party developer allowed hackers to access a machine containing valuable data and steal $1.5 billion in digital assets, the biggest crypto hack ever (and possibly the biggest heist of any kind.)
- MoonPay: According to a Department of Justice complaint, online fraudsters impersonating the Trump inaugural committee tricked an unnamed victim into donating $250,000 in digital assets. Clues in the court filing led the news site NOTUS to infer two probable victims: MoonPay CEO Ivan Soto-Wright and CFO Mouna Ammari Siala.
- BigONE: The crypto exchange lost $27 million to a third-party attack, reportedly caused by advanced social engineering that compromised a senior developer’s work and computer files.

Recruiting Skilled Voice Impersonators

On the underground forum, the threat actor claimed to possess an exclusive dataset about U.S.-based crypto executives and wanted to assemble a social engineering scheme targeting them, with the goal of carrying out complex attacks designed to:

- Gain access to internal systems
- Obtain access to wallets, customer data, and private keys
- Steal funds or carry out insider-style attacks

To execute this attack, they sought an experienced team of “callers” – scammers who could conduct phishing attacks by phone.

In May, the threat actor posted their first ads seeking a team of experienced callers. The next month, the actor posted another want ad on the same cybercriminal forum, again requesting experienced professional scammers capable of conducting social engineering scams via phone calls. The poster explicitly requested native English speakers with American accents, not for random spam, but to target verified individuals working at top-tier crypto companies.
The attacker claimed to possess full personal profiles on each target, including:

- Full names
- Personal phone numbers
- Home addresses
- Private emails
- Verified employment

All such data can help attackers manipulate their victims and carry out more complex attacks.

To establish credibility, the actor included a sample list of five potential targets, all high-level executives at U.S. crypto companies, with a minimum net worth of roughly $500,000. These targets are not randomly chosen. They are senior legal officers, engineers, financial controllers, and CTOs – individuals who likely have access to their company’s internal systems and digital asset custody infrastructure.

Crime Pays… Up to $20k a Month

To understand the deeper infrastructure that the threat actor is looking to create, let’s examine the operatives referred to as callers.

In the modern era, cyberfraud has evolved far beyond lone malicious actors into a sophisticated and interconnected ecosystem, resembling a full-fledged illicit industry. In this ecosystem, almost every component, from tools and services to human operatives, can be easily acquired or rented. This ecosystem enables threat actors to carry out highly coordinated, multi-stage attacks, often combining malware, phishing, impersonation, and financial fraud.

A complete operation can be assembled using widely available resources accessible through clandestine channels, including closed threat actor forums, dark web marketplaces, and invitation-only Telegram groups. Offerings in these channels range from basic elements such as stolen credit card numbers, forged identification documents, and malware to advanced, personalized services.
One of the advanced services available is the hiring of individuals to conduct fraudulent phone calls – a tactic commonly referred to as “Voice Phishing” or “Vishing.” Sometimes the callers read from a generic script; in other cases, they tailor their calls around a victim’s unique profile, whether targeting a specific individual or a defined group. Always, the goal is to manipulate victims into revealing sensitive information or initiating unauthorized actions.

When engaging with victims, callers impersonate legitimate entities, ranging from banks and crypto services to government agencies. Financial compensation for these roles varies widely, from $15 per 20-minute call to over $20,000 per month for experienced or specialized callers embedded in larger fraud networks.

The Voice Phisher’s Bag of Tricks

Beyond the human element, a robust technical infrastructure is essential to support these scam operations. This includes, but is not limited to:

- DIDs (direct inward dialing numbers): These are virtual phone numbers that allow incoming calls to be routed to specific extensions or individuals in a system, often used to make the outgoing calls seem legitimate.
- VoIP (Voice over Internet Protocol): This technology enables voice communication over the internet, offering greater flexibility and often anonymity compared to traditional phone lines.
- SMS text messages: Used for initial contact, verification codes, or follow-up communication, adding another layer of perceived authenticity to the scams.

Furthermore, threat actors are meticulous in their search for the “ideal” partners for these calling operations. They often specify detailed requirements and skills for their callers, including:

- Accent: To enhance credibility by mimicking local dialects or specific professional tones.
- Gender: Sometimes chosen to match the impersonated figures or to conduct specific types of scams, such as romance scams.
- Languages: To target victims from specific geographies.
- Availability: To ensure consistent operations and maximize victim engagement during peak hours or across time zones.
- Scam Scenario and Target Profile: Some of the threat actors mention the victim’s level in their organization and type of scam that they want to conduct, helping tailor the caller’s role accordingly.

The sophistication of these operations, from the recruitment of specific individuals to the deployment of advanced technical infrastructure, underscores the evolving landscape of cybercrime and the persistent threat posed by social engineering tactics.

Targeting Crypto Whales and Keyholders

Cybercriminals are dedicating substantial time, money, and resources to develop sophisticated attack infrastructures and recruit accomplices. These investments are driven by the potential for significant payoffs from successful attacks on crypto leaders, which can grant access to sensitive data, internal systems, digital assets or private communication channels in a crypto company.

While mass phishing campaigns and spam-based scams are still prevalent and effective, a growing trend involves highly targeted attacks aimed at wealthy individuals, influential figures, and professionals with privileged access in the crypto ecosystem. Datasets containing information on such potential targets are extremely valuable to threat actors.

These actors are increasingly investing in sophisticated operational frameworks and collaborating with social engineering specialists to execute deeply personalized attacks. These campaigns incorporate voice and video impersonation, deepfake content, and meticulously crafted pretexts, all customized to the victim’s role, behavior, and communication patterns.

Observations from cybercriminal forums reveal threat actors actively seeking or selling datasets of “high-balance” and “high-net-worth” targets. The posts show rising demand for tailored intelligence, enabling attackers to concentrate on fewer, but significantly more valuable, victims.
Traditional vs. Targeted Social Engineering

Mitigating and Preventing Targeted High-Stakes Social Engineering Attacks

The emergence of specialized threat actor teams targeting high-level crypto executives marks a dangerous evolution in the threat landscape, one that demands a proactive, layered defense approach.

Consequently, organizations, particularly in crypto, must bolster their defenses not only against widespread phishing campaigns but also against customized social engineering attacks that exploit human vulnerabilities at the highest levels of trust and access.

At GK8, we believe that recognizing and responding to these trends is critical for the industry’s continued security and resilience. Below are the essential steps your organization should take to prepare for and mitigate targeted social engineering attacks:

- Assume your personal information (phone numbers, emails, home addresses) has already been exposed. Implement protective measures accordingly. Executives and crypto professionals must be aware that they are probable targets.
- Strengthen company confirmation algorithms and policies. High-value transactions should not be confirmed by a single individual. Amend company policies to require additional personnel or procedures to review and confirm substantial asset transactions.
- Strengthen human firewalls. Social engineering thrives on human error. Ongoing education, training, and simulation specifically for high-risk employees are essential. Create specific protocols and training on voice and video social engineering tactics.
- Stay informed on the latest tricks employed by threat actors. Provide your personnel with relevant information regarding new cyberattacks and social engineering tactics.
- Reduce attack surfaces with secure architecture. Your company’s custody infrastructure should be built with the understanding that employees are susceptible to social engineering.
Third-party custody providers are also vulnerable to third-party attacks that can damage clients. Consider dividing your digital assets between the two forms of custody solution GK8 offers: a hot multi-party computation (MPC) wallet and an Impenetrable Vault. Keep a small percentage of your assets, only the absolute minimum, in a hot wallet online, and the rest in an Impenetrable Vault that remains offline, significantly reducing the risk that compromised accounts could take client funds. With highly personalized scams on the rise, companies need to accept that even the most trusted insiders can be duped. Separate roles and private keys, so no single person has full signing power.
- Mitigate risk by distributing control. With GK8’s Unlimited MPC, no single individual, even if compromised, can unilaterally move assets or gain unauthorized access. It is significantly more challenging to execute sophisticated attacks when they require compromising multiple individuals rather than a single point of failure.

Conclusion

Threat actors are dedicating significant time and resources to invest in more complex, well-planned attacks to maximize their gains. They have the ecosystem and resources to build specialized teams, pay salaries, and execute highly targeted and sophisticated operations. With the rise of crypto adoption and the degree of anonymity provided by blockchain protocols, these tactics will continue to.

Institutions must detect and disrupt these threats early in the planning stages and take them seriously. The growing focus on targeted social engineering attacks represents not only a technical challenge but a human one. Protecting crypto infrastructure now requires more, including greater vigilance from those who secure it.

At GK8, we remain committed to helping our partners and the wider ecosystem stay ahead of these evolving threats.

Disclosures: This document has been prepared by GK8, a Galaxy company, solely for informational purposes.
It does not constitute an offer to buy or sell, or a solicitation of an offer to buy or sell, any advisory services, securities, futures, options, digital assets, or other financial instruments, nor does it constitute investment, legal, or tax advice. Any statements or views expressed herein reflect current observations regarding cybersecurity trends and custody architecture and do not guarantee protection against unauthorized access, fraud, or asset loss. References to specific custody models (including MPC and Vault architecture) are illustrative and should not be interpreted as guarantees of performance or security. Certain information contained in this report, including observations on threat actor tactics and forum activity, has been derived from third-party sources. GK8 and Galaxy Digital Holdings LP do not independently verify such data and make no representations as to its accuracy or completeness. Galaxy Digital and its affiliates may have financial interests in, or provide services to, entities and protocols discussed in this report. The views expressed are those of the authors and do not necessarily reflect those of Galaxy Digital, GK8, or their affiliates. © Copyright Galaxy Digital Holdings LP 2025. All rights reserved.
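
The mitigation steps in this report ask that high-value transactions never be confirmed by a single individual and that roles be separated so no one person has full signing power. The following is an added example, not part of GK8's report or products, of how such a confirmation policy can be checked in code; the tier amounts, role labels and employee names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed tiers (constructed, not from the report):
# (minimum USD amount, approvals required, distinct roles required).
TIERS = [(0, 1, 1), (50_000, 2, 2), (1_000_000, 3, 3)]


@dataclass(frozen=True)
class Approval:
    approver: str  # stable employee identifier
    role: str      # hypothetical role label, e.g. "finance", "security"


def required_quorum(amount_usd):
    """Return (approvals, distinct_roles) for the highest tier reached."""
    needed = TIERS[0][1:]
    for floor, approvals, roles in TIERS:
        if amount_usd >= floor:
            needed = (approvals, roles)
    return needed


def evaluate(amount_usd, initiator, approvals):
    """Decide whether a transfer may proceed; returns (allowed, reasons)."""
    need_approvals, need_roles = required_quorum(amount_usd)
    reasons, valid = [], {}
    for a in approvals:
        if a.approver == initiator:
            # The person who was asked (or talked into) making the request
            # never counts toward the quorum.
            reasons.append(f"{a.approver}: initiator cannot approve")
        elif a.approver in valid:
            reasons.append(f"{a.approver}: duplicate approval ignored")
        else:
            valid[a.approver] = a.role
    roles = set(valid.values())
    if len(valid) < need_approvals:
        reasons.append(f"need {need_approvals} approvers, have {len(valid)}")
    if len(roles) < need_roles:
        reasons.append(f"need {need_roles} roles, have {len(roles)}")
    return len(valid) >= need_approvals and len(roles) >= need_roles, reasons


if __name__ == "__main__":
    # Constructed scenario: one executive persuaded by a caller tries to
    # push a large transfer through alone.
    print(evaluate(2_000_000, "alice", [Approval("alice", "finance")]))
```

Because the initiator is excluded and approvals must come from different roles, a caller who convinces one executive still has to deceive several people in separate functions before a large transfer is released.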