Leaked private keys leading to cryptocurrency thefts in Q3 2025


The latest analysis from MistTrack, SlowMist's platform for tracking stolen assets, shows that private key leaks remain the most common cause of cryptocurrency thefts.

According to the report, there were 317 reports of stolen assets from July to September; in 10 of those cases, over $3.73 million was successfully frozen or recovered.

Private key — the core weakness of users

The report emphasizes that most cryptocurrency thefts do not come from sophisticated technical attacks, but from leaked login information or compromised devices.

A common scam nowadays is selling fake cold wallets — devices that come pre-installed with a seed phrase or have hardware tampered with to record recovery information, allowing scammers to seize assets right after the victim funds the wallet.

SlowMist recommends users:

  • Only buy hardware wallets from official distributors.
  • Create the seed phrase directly on the device.
  • Transfer a small amount for testing before making a large transaction.
  • Check the device thoroughly, and do not use pre-filled recovery cards.

In addition, SlowMist warns of an increase in phishing scams and social engineering. A new type of attack, called EIP-7702 delegate phishing, allows hackers to link victims' wallets to contracts that automatically withdraw funds during transactions. Users think they are operating normally, but in reality they have granted control of their assets to the malicious actor.
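Under EIP-7702, a wallet that has signed a delegation carries a 23-byte designator as its account code: the bytes `0xef0100` followed by the address of the contract it delegates to. The following added example (not from the SlowMist report or this article) classifies the hex string returned by an `eth_getCode` JSON-RPC call so that an unexpected delegation stands out; the function names, addresses and allowlist are constructed for illustration.

```python
"""Added example: flag unexpected EIP-7702 delegations from eth_getCode output."""

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation indicator
DESIGNATOR_LEN = 23                          # 3-byte prefix + 20-byte address


def _code_bytes(code_hex: str) -> bytes:
    """Decode the 0x-prefixed hex string that eth_getCode returns."""
    h = code_hex.strip().lower()
    return bytes.fromhex(h[2:] if h.startswith("0x") else h)


def delegation_target(code_hex: str):
    """Return the delegate contract address, or None if the code is not a designator."""
    code = _code_bytes(code_hex)
    if len(code) == DESIGNATOR_LEN and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[len(DELEGATION_PREFIX):].hex()
    return None


def classify(code_hex: str, trusted: set) -> str:
    """Classify an account by its code: plain EOA, contract, or delegated EOA."""
    if not _code_bytes(code_hex):
        return "plain-eoa"            # no code: never delegated, or delegation cleared
    target = delegation_target(code_hex)
    if target is None:
        return "contract"             # ordinary contract bytecode
    if target in {t.lower() for t in trusted}:
        return "delegated-trusted"
    return "delegated-unknown"        # review before funding or signing anything


def unexpected_delegations(codes: dict, trusted: set) -> dict:
    """Map each wallet with an unrecognized delegate to that delegate's address."""
    return {w: delegation_target(c) for w, c in codes.items()
            if classify(c, trusted) == "delegated-unknown"}


# Constructed sample data: addresses and code values are made up for illustration.
TRUSTED = {"0x" + "aa" * 20}          # hypothetical allowlist of known delegates
SAMPLE_CODES = {
    "0x" + "11" * 20: "0x",                        # plain EOA
    "0x" + "22" * 20: "0xef0100" + "aa" * 20,      # delegated to allowlisted contract
    "0x" + "33" * 20: "0xEF0100" + "bb" * 20,      # delegated to unknown contract
    "0x" + "44" * 20: "0x6080604052",              # regular contract bytecode
}

if __name__ == "__main__":
    for wallet, delegate in unexpected_delegations(SAMPLE_CODES, TRUSTED).items():
        print(f"{wallet} delegates to unrecognized contract {delegate}")
```

Under the EIP-7702 specification, a delegation is cleared by a new authorization that points to the zero address, after which the account reports empty code again.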

SlowMist's analysis shows that "old but effective" scams still account for a high percentage. Some scammers impersonate employers on LinkedIn, building trust with candidates over weeks, and then lure them into installing a "camera driver" or other malicious software.

In one case, hackers even combined malware with a Chrome extension during a Zoom call, causing the victim to lose more than 13 million USD.

Familiar scams are still ongoing.

Some fraudulent ads on Google mimic the interface of MistTrack and DeFi platforms like Aave, causing losses of over $1.2 million through authorization requests. Additionally, the perpetrators have also taken control of abandoned Discord links to deceive the community.

Another trick is to disguise malware as a CAPTCHA check, tricking users into copying code that steals wallet data, browser cookies, and private keys.

SlowMist believes that most Web3 attacks do not stem from complex techniques, but from users being hasty and lacking verification.

Therefore, slowing down a bit, carefully checking the source of information, and avoiding shortcuts remain the most effective way to protect yourself in the ever-changing environment of Web3.

Kong Ming
