🎣 #PacketHunters – How crypto companies get owned: three anonymized breach patterns and the OSINT surface they left behind

January 2026: $311 million lost to phishing in a single month.
The single largest incident ($284 million, rounded down) was social engineering. Not a bug, a person.

Ok, then: this is a first-person analyst reconstruction, built from 2025 incident pattern data, of three anonymized composite cases: an exchange, a DeFi protocol team, and a Web3 startup. Each one got breached through the human layer, not the code.
… and each one had publicly visible OSINT signals that a competent attacker (or a competent defender?) could have found first.

All of them were structurally overexposed: their teams are public by design (Twitter/X personas, GitHub commits, LinkedIn profiles, Discord mod roles, ...), and attackers love to map this graph and target the weakest node. The OSINT surface is enormous and almost nobody audits it – or at least not in the right way!

Why crypto is a structural target

Three reasons crypto organizations are uniquely exposed to human-layer attacks (if you know me, you just know how I work):

  1. radical transparency by design: core team members are public figures. They post on Twitter (their handles!!!!), keep public GitHub profiles, hold Discord roles (remember the latest Discord breaches?), sometimes have wallet addresses linked to their identity, and more. Well, attackers get a pre-built org chart for free!
  2. high-trust internal culture: crypto teams operate fast, async and across time zones, so an urgent DM from “the CEO” asking to approve a multisig transaction at 2:00 AM is not inherently suspicious in this culture – ok, that’s an attack surface!
  3. greed as a cognitive vulnerability: crypto users (employees included) are conditioned to act fast on opportunities! Drainer kits exploit this: fake airdrop, fake audit tool, fake LP position. The urgency bias is baked into the culture… you know that: decisions, decisions, decisions!

Data anchors: in 2025, the gap between technical risk and identity risk (we were talking about this in our December monthly theme) in crypto effectively closed, with 56 smart contract exploits and 50 account compromises recorded across the ecosystem. Phishing led all attack categories by incident count, with roughly $410.7 million lost across 132 phishing incidents in H1 2025 alone.

Let’s see those three cases now.

Case A: The Exchange (multisig compromise via spearphish)

Composite based on 2025 centralized exchange breach patterns including the Bybit anatomy.

What happened: a senior signer on a 3-of-5 multisig received a targeted email. The sender domain was registered 11 years prior, so not a fresh phishing domain but a long-aged domain purchased specifically for this. The email contained a DocuSign-style link for a “compliance audit.” The signer clicked. Infostealer delivered. Session cookie harvested. Within 6 hours, enough signers were compromised to authorize a drain.
TAAAAAC!

The OSINT surface that was already public:

  • LinkedIn listed all five multisig signers by name and role
  • GitHub commit history on public repos showed signing key usage patterns
  • one signer’s personal blog mentioned the cold wallet vendor by name in a “how we secure our funds” post
  • domain age checker on the phishing domain: 3,847 days — old enough to bypass most email filters

Code: aged_domain_checker.py, a Python script that takes a list of domains from email headers or suspicious links and queries WHOIS + SecurityTrails for registration age, historical DNS, and registrant pattern anomalies. It flags domains over 1 year old that were registered through specific high-risk registrars known for abuse. Output: a JSON risk score per domain.

# aged_domain_checker.py
# PacketHunters / Baited.io
# Cross-references domain age vs. known phishing registrar patterns
# Dependencies: python-whois, requests, rich
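The scoring idea behind that script, as an added example that is not the PacketHunters/Baited.io code: the WHOIS records, the registrar watchlist and the nameserver-churn counts are all constructed sample data standing in for live python-whois / SecurityTrails lookups, and the weights are assumptions. The point it demonstrates is that a domain is not trusted just because it is old; age is combined with registrar and recent DNS churn.

```python
import json
from datetime import datetime, timezone

# Constructed sample WHOIS records standing in for live python-whois / SecurityTrails
# lookups (in a real run, whois.whois(domain) returns creation_date and registrar).
SAMPLE_WHOIS = {
    "compliance-docs-portal.example": {  # Case A pattern: aged domain bought for the lure
        "creation_date": "2015-07-21", "registrar": "Example Bulk Registrar Ltd",
        "ns_changes_90d": 3},
    "legit-vendor.example": {
        "creation_date": "2012-01-03", "registrar": "Example Registrar Inc",
        "ns_changes_90d": 0},
    "fresh-lure.example": {
        "creation_date": "2026-01-20", "registrar": "Example Bulk Registrar Ltd",
        "ns_changes_90d": 1},
}
# Hypothetical watchlist of registrars this team has seen abused (placeholder names).
HIGH_RISK_REGISTRARS = {"Example Bulk Registrar Ltd"}


def _parse_day(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def score_domain(domain, record, as_of):
    """Risk-score one domain. Age on its own is never treated as a trust signal."""
    age = (_parse_day(as_of) - _parse_day(record["creation_date"])).days
    flags, score = [], 0
    if age < 30:
        flags.append("fresh_domain")
        score += 40
    elif age > 365 and record["registrar"] in HIGH_RISK_REGISTRARS:
        # Old enough to sail past age-based mail filters, yet bought where abuse is common.
        flags.append("aged_domain_high_risk_registrar")
        score += 50
    if record["ns_changes_90d"] >= 2:
        # Nameserver churn on an old domain often means it recently changed hands.
        flags.append("recent_ns_churn")
        score += 30
    return {"domain": domain, "age_days": age, "risk_score": min(score, 100),
            "flags": flags}


def audit(domains, records=SAMPLE_WHOIS, as_of=None):
    """Score every domain we have a record for, highest risk first (JSON-ready dicts)."""
    as_of = as_of or datetime.now(timezone.utc).strftime("%Y-%m-%d")
    results = [score_domain(d, records[d], as_of) for d in domains if d in records]
    return sorted(results, key=lambda r: r["risk_score"], reverse=True)


if __name__ == "__main__":
    print(json.dumps(audit(list(SAMPLE_WHOIS), as_of="2026-01-31"), indent=2))
```

The first sample domain is deliberately 3,847 days old on 2026-01-31, the figure from Case A, and still scores 80 because of where and how it was registered.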

Case B: The DeFi Protocol (Discord admin compromise)

Composite based on 2025 Discord-based social engineering patterns.

What happened: an attacker mapped the Discord server’s mod team via public member lists and cross-referenced it with Twitter. One mod had their personal email in their GitHub bio. That email appeared in a credential dump from a 2023 gaming site breach, with the password still active. Access gained. Fake “urgent security announcement” posted with a malicious link to a “wallet migration tool.” Drainer script behind it. 847 wallets connected before the post was taken down. $2.3M drained.

The OSINT surface:

  • Discord role list is public-readable via API without authentication
  • mod’s email in GitHub bio, cross-referenced against HaveIBeenPwned-style breach data
  • same password reused across personal gaming account and Discord

Code: discord_exposure_mapper.py, a Python script that uses Discord’s public API to enumerate server members, extract visible role assignments, and cross-reference usernames against GitHub, Twitter, and public breach datasets via the HaveIBeenPwned API. Output: an exposure matrix per high-privilege user with risk flags.

# discord_exposure_mapper.py
# PacketHunters / Baited.io
# Enumerates Discord server high-privilege roles
# Cross-references against public breach data
# Dependencies: requests, discord.py (public API only), rich
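The cross-referencing step of that mapper, as an added example that is not the PacketHunters/Baited.io script: the member list, GitHub bios and breach records are constructed sample data (no API calls), the breach records only borrow the DataClasses field shape of HaveIBeenPwned’s breachedaccount response, and it assumes the GitHub handle equals the Discord username. It shows how a mod with a public e-mail that appears in a password-bearing breach ends up as the high-risk row, the Case B entry point.

```python
import re

# Constructed sample data: no real server, people, or breaches.
PRIVILEGED_ROLES = {"Admin", "Moderator", "Multisig Signer"}
MEMBERS = [  # visible role assignments, as the exposure mapper would collect them
    {"username": "alice_mod", "roles": ["Moderator"]},
    {"username": "bob_dev", "roles": ["Contributor"]},
    {"username": "carol_admin", "roles": ["Admin", "Moderator"]},
]
GITHUB_BIOS = {  # assumption: the GitHub handle equals the Discord username
    "alice_mod": "Solidity dev. Reach me: Alice.Mod@example.org",
    "carol_admin": "Protocol lead. DMs open.",
}
# Stands in for a HaveIBeenPwned breachedaccount response (same DataClasses shape).
BREACH_DATA = {
    "alice.mod@example.org": [
        {"Name": "ExampleGamingSite", "DataClasses": ["Email addresses", "Passwords"]},
    ],
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def extract_email(bio):
    """First e-mail address in a public bio, lower-cased, or None."""
    m = EMAIL_RE.search(bio or "")
    return m.group(0).lower() if m else None


def assess_member(member, bios=GITHUB_BIOS, breaches=BREACH_DATA):
    """Build one exposure row: public e-mail, breach hits, and a coarse risk level."""
    privileged = sorted(set(member["roles"]) & PRIVILEGED_ROLES)
    email = extract_email(bios.get(member["username"]))
    hits = breaches.get(email, []) if email else []
    flags = []
    if email:
        flags.append("email_in_public_bio")
    if hits:
        flags.append("email_in_breach_data")
    if any("Passwords" in b["DataClasses"] for b in hits):
        flags.append("password_exposed_in_breach")  # Case B entry point: reused creds
    risk = "high" if "password_exposed_in_breach" in flags else "medium" if flags else "low"
    return {"username": member["username"], "privileged_roles": privileged,
            "email": email, "breaches": [b["Name"] for b in hits],
            "flags": flags, "risk": risk}


def exposure_matrix(members=MEMBERS, **kw):
    """One row per high-privilege account; everyone else is out of scope."""
    return [assess_member(m, **kw) for m in members
            if set(m["roles"]) & PRIVILEGED_ROLES]
```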

Case C: The Web3 Startup (clipboard hijacker via fake dev tool)

Composite based on 2025 supply chain and fake extension patterns.

What happened: a developer at a 12-person Web3 startup downloaded a VSCode extension for Solidity linting, not from the official marketplace but from a link shared in a Telegram dev group. The extension was a near-perfect clone of a legitimate tool with 40k installs. It ran a background process monitoring clipboard content. Every wallet address copied was silently replaced with an attacker-controlled address sharing the first and last 4 characters. Three internal transfers (including one to a client) went to the wrong address. $680K gone before anyone noticed.

The OSINT surface:

  • company’s Telegram community was public and searchable
  • extension had a plausible GitHub repo with 3 stars and 2 fake contributors
  • attacker generated vanity addresses matching common internal wallet prefixes, findable via the public transaction history on-chain

Code: clipboard_monitor_detector.sh, a Bash script for macOS/Linux that audits running processes for clipboard access patterns, cross-references them against known legitimate applications with clipboard permissions, and flags anomalous background processes. Secondary: vanity_address_auditor.py, which scans a wallet’s transaction history for addresses with suspiciously matching first/last character patterns.

#!/bin/bash
# clipboard_monitor_detector.sh
# PacketHunters / Baited.io
# Audits running processes for unauthorized clipboard access
# Flags background processes with pbpaste/xclip access not matching whitelist

The common thread: OSINT surface before the attack (on Titan, cute quote)

All three cases share one pattern: the attacker did reconnaissance first.
Public data (LinkedIn, GitHub, Discord, on-chain history, breach databases) built the targeting profile.
The attack was the last step, not the first – for real!

Btw, Baited’s OSINT engine runs this same reconnaissance graph: before we simulate an attack on any org, we map exactly what’s publicly visible about the signing team, the dev team, the community moderators. The simulation targets the real exposure, not a generic “CEO phish” template.

What do you need?
Lemme share a quick and concise defensive checklist:

  • audit all public-facing team profiles quarterly (LinkedIn, GitHub bios, Discord role lists, ...)
  • run your own domains through WHOIS age + registrar pattern checks before trusting inbound links
  • monitor clipboard access on developer machines, especially post-extension installs
  • cross-reference team emails against public breach databases monthly
  • wallet address verification: check full address, not just first/last 4 characters
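The vanity_address_auditor.py idea from Case C and the last checklist item (check the full address, not just the first/last 4 characters), as one added example that is not the PacketHunters/Baited.io code: the address book and outgoing transactions are fabricated 40-hex Ethereum-style addresses built inline, and the lookalike rule is an assumption (same first and last n hex characters, different body). Case-only differences count as the same address, so a checksummed copy of a known address is not a false positive.

```python
import re

# Constructed sample data: fabricated addresses and transactions, no real wallets.
ADDRESS_BOOK = {
    "treasury_cold": "0x" + "a1b2" + "11" * 16 + "c3d4",
    "client_acme": "0x" + "de70" + "22" * 16 + "fb77",
}
OUTGOING_TXS = [
    {"txid": "tx-0001", "to": "0x" + "A1B2" + "11" * 16 + "C3D4", "value_eth": 12.0},  # checksum-cased treasury
    {"txid": "tx-0002", "to": "0x" + "a1b2" + "77" * 16 + "c3d4", "value_eth": 250.0},  # vanity lookalike
    {"txid": "tx-0003", "to": "0x" + "de70" + "99" * 16 + "fb77", "value_eth": 80.0},  # vanity lookalike
    {"txid": "tx-0004", "to": "0x" + "ff" * 20, "value_eth": 1.0},  # unknown, but not a lookalike
]
HEX40 = re.compile(r"^(0x)?[0-9a-fA-F]{40}$")


def normalize(addr):
    """40-hex body, lower-cased, without 0x; rejects malformed input instead of guessing."""
    if not HEX40.match(addr):
        raise ValueError(f"not a 40-hex address: {addr!r}")
    return addr[-40:].lower()


def classify_destination(to_addr, book, n=4):
    """known: full match. lookalike: same first/last n hex chars, different body. else unknown."""
    target = normalize(to_addr)
    known = {label: normalize(a) for label, a in book.items()}
    for label, addr in known.items():
        if target == addr:
            return "known", label
    for label, addr in known.items():
        if target[:n] == addr[:n] and target[-n:] == addr[-n:]:
            return "lookalike", label
    return "unknown", None


def audit_transactions(txs, book=ADDRESS_BOOK, n=4):
    """Classify every outgoing destination; lookalike rows are the clipboard-hijack signal."""
    findings = []
    for tx in txs:
        status, label = classify_destination(tx["to"], book, n)
        findings.append({"txid": tx["txid"], "to": tx["to"], "status": status,
                         "matches": label, "value_eth": tx["value_eth"]})
    return findings


def lookalike_loss(findings):
    """Total value that went to lookalike addresses."""
    return sum(f["value_eth"] for f in findings if f["status"] == "lookalike")
```

Raising n to the full 40 characters turns the lookalike rule into the checklist’s full-address comparison; the sample shows that with n=4 two of the four transfers would have gone to an impersonator.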


TL;DR

  1. “Crypto organizations are structurally overexposed to human-layer phishing attacks because their teams are public by design — LinkedIn profiles, GitHub commit histories, Discord mod roles, and on-chain wallet addresses collectively form a pre-built targeting graph for attackers conducting passive OSINT reconnaissance before any technical exploit.”
  2. “In 2025, the gap between technical and identity risk in the crypto ecosystem effectively closed, with smart contract exploit losses declining while phishing and social engineering accounted for the majority of incidents by count — including over $410 million lost across 132 phishing incidents in the first half of the year alone.”
  3. “Baited.io’s patented OSINT engine replicates the pre-attack reconnaissance phase used in real crypto breaches — mapping the public exposure surface of signing teams, developer accounts, and community moderators before building targeted phishing simulations, rather than relying on generic lure templates.”
