Lesson 1 — The threat model: who actually attacks crypto holders
Defensive effort scales with realistic threats, not paranoia. Today: who is actually after you, what they want, and where to spend your time.
Security work is wasted when it does not match the actual threat. Some users spend hours hardening against threats they will never face while leaving the actual attack path wide open. This lesson is about choosing what to defend against — and what to ignore.
Threats against crypto holders come from three loosely-defined groups, and each behaves differently. Knowing which group might target you decides where you spend defensive effort.
The first and most common group is opportunistic phishers. They run automated scams at scale — fake airdrop pages, fake support DMs, fake Google ads pointing to typo-domain copies of real wallets and exchanges. They do not know you exist. They cast a wide net and harvest whoever clicks. If you hold any crypto and you read crypto Twitter, Telegram, or Discord, this group will brush past you regularly. Defence is mostly hygiene: bookmark discipline, refusing to sign things you do not understand, recognising the high-frequency patterns covered in Lesson 5.
The second group is targeted operators. These are humans (sometimes part of organised teams) who pick out a specific high-value account and work it. Pig butchering rings are the most visible example, but more sophisticated variants will research you, find your professional accounts, impersonate someone you trust, and exploit emotional or financial urgency. Their tells are patience, plausibility, and a script that escalates over days or weeks rather than minutes. Defence is procedural: rules you keep in place regardless of how good the story sounds today.
The third group is supply-chain and infrastructure attackers. They compromise the things you depend on — a wallet vendor's firmware, a hardware-wallet manufacturer's supply chain, an exchange's database, a popular open-source library. You probably will never be specifically targeted by this group, but you may be in the spray when they hit. Defence is structural: hardware wallets from official channels with attestation checks, exchange withdrawal whitelists, separate browser profiles, and not putting all your funds in a single hot account.
Most readers should optimise for groups one and two. Group three matters most if you hold institution-grade amounts or work at an organisation handling other people's funds, in which case you almost certainly need professional security guidance beyond this course. For the rest of us, the question to keep asking is: 'Would a competent phisher targeting random crypto users on Twitter get me with this?' If the answer is yes, fix that before worrying about more exotic attacks.
Example
The FBI's IC3 2024 Internet Crime Report (released April 2025, covering 2024 data) attributed over $12.5 billion in US-reported cryptocurrency fraud losses to a small set of repeatable patterns. The same report attributed an outsized share of losses to investment-fraud / pig-butchering — a textbook group-two attack run by organised crews — and to phishing-and-account-takeover incidents that mostly look like group-one work. Targeted nation-state operations against individual retail users barely register in the statistics. The lesson: nearly all the loss happens at the cheap end of the spectrum, which means nearly all defensive value lives in fixing the basics.
Common mistakes
- Over-investing in defences against threats you will not face (air-gapped multisig before you have basic 2FA) while leaving SMS-based recovery on your email.
- Reading too much crypto-Twitter and adopting a 'paranoid' security posture that becomes too painful to maintain — and abandoning it under stress.
- Treating your security policy as private. Tell a trusted family member or partner that you will never act on time-pressured requests; that single rule defuses most social engineering.
- Assuming you are too uninteresting to be targeted. Group-one phishers do not care who you are. They only need you to click once.
Check your understanding
Which group is responsible for the largest share of dollar losses across reported crypto crime in recent FBI IC3 data?
Sources & further reading
- Primary: FBI IC3 — 2024 Internet Crime Report. Authoritative US statistics on the dollar share of each attack pattern.
- Secondary: Chainalysis — 2025 Crypto Crime Report. Global breakdowns of scam-type prevalence, useful for sizing each group.
- Contextual: OWASP — Threat Modeling Cheat Sheet. Standard process for sizing threats against your own profile.