X Thread: Humans Are the New Attack Surface

platform: X
format: thread (7 tweets)
hook: February 2026 hack losses dropped 87%. That sounds like good news. It's not. Here's what actually happened.
proof: PeckShield data ($26.5M vs $385M), bonk.fun domain compromise, sillytuna $24M physical attack, 75% increase in physical attacks (CertiK), XBOW CVSS 9.8 discovery
hashtags: #DeFiSecurity #CyberSecurity #Web3 #ThreatIntel #OpSec #SecurityTrends
review-notes: All data from public sources. Do not share sillytuna wallet addresses (investigation ongoing). Defensive tone.

---

Thread

1/7 (Hook)

February 2026 hack losses dropped 87%.

$385M in January. $26.5M in February.

That sounds like good news.

It's not. Attackers didn't stop. They shifted. 🧵

2/7 (The Shift)

Smart contract exploit losses are falling because smart contract security is improving.

But look at what's rising:

  • Social engineering: up 250% since 2024
  • Physical attacks on crypto holders: up 75% (CertiK)
  • Infrastructure attacks: domain hijacking, team account compromise

Attackers go where the defenses aren't.

3/7 (This Week's Proof)

bonk.fun (March 12): Attackers compromised a team member's account, hijacked the domain, and deployed a wallet drainer on the website. No smart contract vulnerability involved.

sillytuna (March 5): ~$24M AUSD. Reports conflict between physical coercion and an on-chain poisoning attack. Both attacker wallets are under active monitoring.

4/7 (The Pattern)

Recent high-value attacks increasingly combine multiple vectors:

  • Poisoning + Physical (sillytuna)
  • Social engineering + Smart contract (Step Finance)
  • Infrastructure + Wallet drainer (bonk.fun)

Single-layer defenses are not enough. Multi-stage attack chains are the new normal.

5/7 (AI Enters the Chat)

Meanwhile, XBOW (an autonomous AI vulnerability discovery platform) just found a CVSS 9.8 RCE in Microsoft products without access to source code.

FIRST projects that 59,000 vulnerabilities will be discovered in 2026.

AI is accelerating discovery on both sides of the fence.

6/7 (What This Means)

The smart contract security industry solved the easy problems.

What remains:

  • Economic design flaws (oracle manipulation, reward logic)
  • Human layer attacks (phishing, social engineering, physical)
  • Infrastructure security (DNS, domain, team accounts)
  • Multi-stage chains combining all of the above

7/7 (What To Do)

If you hold significant crypto:

1. Multi-sig wallets (2/3 or 3/5)
2. Time-locks on large withdrawals
3. Never publicly display wallet addresses or wealth
4. Dedicated devices for high-value transactions
5. Treat unsolicited 2FA codes as attack indicators

The attack surface is you now, not your contract.

---

CTA: Audit your operational security, not just your smart contracts. The threat shifted.