Cryptocurrencies.

MoonPay, Bybit, BigONE: How AI-based scams are emptying crypto vaults

According to a report by GK8, crypto criminals are focusing on executives who have access to private keys or vast amounts of digital assets. The new method is called vishing (voice phishing) – they use AI to mimic voices and faces to trick victims into approving fund transfers.

A new fraud method in the crypto industry: while in the past, cybercriminals were content with generic phishing emails or fake links, today they employ far more sophisticated techniques such as personal phone calls, voice impersonation, and AI-based cloning of familiar voices and faces. This emerges from a new report by GK8, a Galaxy company and institutional digital asset custody platform. According to the report, this latest phenomenon is called vishing (voice phishing) and marks an escalation in threats against senior executives in the industry.
The report describes how criminals directly approach CEOs, VPs, legal counsels, and CTOs of crypto companies, calling them while impersonating colleagues inside the company, bankers, or regulators. In many cases, AI-generated deepfake voices are used to sound exactly like a familiar person. In others, manipulated AI-generated video is employed. The goal is to trick the victim into authorizing transfers, disclosing passwords, or revealing private keys.
Behind the scenes, an entire criminal industry is at work. On darkweb forums, criminals recruit “callers” – individuals with convincing voices and natural American accents, capable of impersonating professionally and persuasively. The structure is almost business-like, with division of roles, recruitment of staff, and salaries that can reach up to $20,000 a month. Attackers also rely on detailed databases that have been compromised, containing full names, personal phone numbers, and addresses of executives, to make conversations more credible and to craft compelling impersonation scenarios.
The report highlights several major breaches from the past year. At the Bybit exchange, $1.5 billion worth of assets were stolen – the most significant event in crypto history. At MoonPay, fraudsters managed to trick executives into transferring $250,000 after posing as a U.S. political committee. And at the BigONE exchange, $27 million was stolen after a senior developer was deceived in a sophisticated attack.
The report notes that cybercriminals are shifting from broad phishing campaigns to a targeted strategy, investing significant time and resources to attack only a small number of very high-value individuals – executives with access to private keys or large sums of digital assets. For criminals, one successful attack is far more profitable than millions of failed attempts on regular users. One of the report’s key insights is that this type of crime is no longer run by lone amateurs but by organized, industry-like structures.
Closed forums now offer a range of complementary services, including virtual phone numbers, VOIP systems for anonymous calls, and spoofing services that conceal the caller’s identity. SMS messages are also used to build credibility, all run as part of a sophisticated operation that mirrors the structure of a legitimate company.
GK8 emphasizes that confronting these new threats requires a change in mindset: organizations cannot rely solely on technological barriers but must also strengthen their “human firewall.” According to Lior Lamesh, co-founder and CEO of GK8 by Galaxy: “Our research shows that crypto cybercrime has expanded into new areas of operation – from mass phishing attacks to sophisticated social engineering, based on targeted impersonation calls to executives with access to their organization’s digital assets.”
“In this reality, custody and management of digital assets must meet new standards: the majority of assets should be stored in an Impenetrable Vault, while only a small fraction remains in a hot MPC (Multi-Party Computation) wallet for daily operations. In addition to advanced technological protections, we recommend combining executive and employee training and simulations, since this combination is essential to protect customer assets against the sophisticated threats of the new generation.”