$282 million crypto theft: how a Portuguese hacker bypassed hardware wallet security
A Portuguese hacker managed to steal US$ 282 million in cryptocurrencies through a sophisticated social engineering attack, according to revelations by blockchain security researcher ZachXBT. The incident, which occurred on January 10, highlights a concerning trend for 2025: social engineering-based attacks have become the primary vector of intrusion in the crypto universe, surpassing traditional hacking methods.
The victim lost a total of 2.05 million litecoins (LTC) and 1,459 bitcoins (BTC), with the funds quickly converted into monero (XMR) through multiple instant exchanges. The speed of the operation was remarkable: the funds were moved within a few hours, demonstrating technical expertise or possible assistance from other interested parties.
The Incident: Million-Dollar Funds Stolen via Social Engineering
The attack took place precisely on January 10 at 23:00 UTC, against a victim using a hardware wallet to protect their assets. The Portuguese hacker managed to bypass security layers through psychological manipulation techniques. This type of attack typically involves impersonating trusted employees, building a trusting relationship with the victim, and then persuading them to disclose sensitive information such as private keys or access credentials.
The amount stolen is significant: 2.05 million LTC represents a critical mass capable of influencing markets. Combined with 1,459 BTC, the total reached proportions that drew the attention of the crypto security community. The rapid conversion into monero was not accidental—this privacy asset saw a 70% price increase in the four days following the theft, partly triggered by abnormal buying volumes.
Blockchain Tracking: The Journey of Funds via Thorchain
Not all of the amount was converted into monero. A substantial part of the bitcoin was transferred across multiple blockchains using the Thorchain protocol, passing through Ethereum, Ripple (XRP), and back to Litecoin. This “jump” between blockchains is a common tactic among malicious actors seeking to complicate forensic tracking.
ZachXBT, who led the investigation into the incident, was able to map much of this fund journey and stated categorically that there is no evidence indicating involvement of North Korean threat actors. This statement is relevant because state-sponsored hacking groups remain a significant threat in the crypto ecosystem, especially in large-scale thefts.
Social Engineering in 2025: The New Paradigm of Crypto Attacks
The incident reflects a strategic shift in the crypto threat landscape. Unlike sophisticated technical attacks that exploit zero-day vulnerabilities, social engineering targets the weakest link: human behavior. A well-trained attacker can impersonate an exchange employee, a wallet developer, or even legitimate technical support.
It remains uncertain whether the victim was an individual investor or a corporate entity with significant exposure to cryptocurrencies. Regardless, the pattern is clear: 2025 marks the year when social engineering surpassed malware and code exploitation attacks as the main threat.
Ledger Data Leak: The Amplifying Context
Just five days before the theft, on January 5, the hardware wallet provider Ledger suffered a massive data leak. Personal user data—including names, contact information, and purchase details—were exposed through unauthorized access to the company’s servers. This leak created a list of potential targets for hackers, including individuals known to hold large amounts of cryptocurrencies.
The timing was no coincidence. Criminals often correlate leaked databases with public blockchain transaction histories to identify targets with high crypto holdings. The Portuguese hacker may have used this intelligence to select and conduct social engineering against the specific victim who held LTC and BTC in a hardware wallet.
Implications for Security and Future Outlook
The US$ 282 million incident illustrates that hardware wallets, while technically secure against remote attacks, remain vulnerable to human manipulation: the device cannot stop its owner from being persuaded to disclose private keys or access credentials. No technical tool replaces constant vigilance, healthy skepticism, and operational security training.
By 2025, social engineering attacks in the crypto sector are expected to intensify. As technical defenses evolve, attackers shift to human targets. Users and companies should prioritize security education, robust multi-factor authentication, and compartmentalization of sensitive information as mitigation strategies.