While billion-dollar crypto heists like the Bybit hack dominate headlines, there are threats that are far more subtle and more disruptive than any data breach.
I have recently interviewed Alex Ferrer, Director of Forensics at Crypto Legal, who once again reminded me of how often we cybersecurity reporters fail to keep our readers’ eyeballs where they should be. Take the recent Bybit Hack as an example:
“Everyone’s shocked by big numbers in a single hack… But phishing is death by a thousand cuts-quiet, constant, and devastating.”
So let’s unpack his warning about the true scale of phishing in crypto, what loopholes in internet infrastructure are making the problem worse, and why regulators urgently need to rethink their approach to this. With scammers outpacing security teams using AI and automation, this isn’t just a crypto issue - it’s a growing threat to consumer trust, financial systems, and digital safety as a whole.
Numbers speak
Phishing scams are quietly stealing just as much (if not more) than the most publicized hacks every few months. Just CoinMarketCap data shows phishing accounted for an estimated $1.05 billion in crypto losses in 2024-roughly 40% of all stolen crypto that year.
But the real damage goes far beyond money:
- Phishing fuels ransomware and terrorism – In one case, £2.3 million from a fake NFT platform was traced to a sanctioned entity.
- Victims aren’t always crypto users – A retired couple wired £45,000 to scammers impersonating police to “unfreeze” crypto their son never even owned.
- Some web hosting companies and domain registrars are enabling it – Ferrer’s team reported 132 fraudulent sites to a major registrar this year. Only 17 were removed. Some providers even charge for takedowns-creating a perverse incentive to delay.
“Crypto exchanges are heavily regulated. Hosting providers? Almost zero oversight. Until that changes, phishing will keep thriving-and evolving with AI.”
Crypto Legal tracks over 100 new phishing domains weekly and runs the free public Crypto Legal Scam Hub, with 50,000+ entries to help victims verify threats.
Even so, he admitted, "For every domain we report, three more emerge.”
The good news is that many phishing attacks can be avoided with stronger habits, smarter tech, and clearer accountability from the companies that power the web.
What you can do
I asked Ferrer what people should start doing today to prevent crypto phishing scams. Here are his tips:
- Never trust links from search ads - Always use in-app support
- Bookmark sites you trust - Typosquatting like Binancce[.]com is rampant
- Use hardware multi-factor authentication (MFA) - SMS-based two-factor authentication (2FA) is vulnerable to SIM Swapping (when an attacker socially engineers a mobile provider or bribes an insider into transferring your phone number to a SIM card they control), and does not prevent phishing
- Search "Crypto Legal Scam Hub" to check for known scam sites
- Report anything suspicious - To registrars, the NCSC, and Action Fraud
What the big guys should do
Ferrer’s tips will help people stay safer only to a certain extent, since the problem isn’t just the scammers. It’s the system that lets them flourish: hosting providers that ignore abuse, regulators that overlook infrastructure, and consumers left fighting sophisticated scams with outdated tools.
Otherwise, we’re fighting with toothpicks against AI-powered hydras.
Scammers are counting on that.