The month of January 2026 marked a worrying escalation in the intensity and precision of cyber attacks in the cryptocurrency sector. Although the overall number of victims has slightly decreased, the effectiveness of the blows scored by cyber criminals has literally exploded, highlighting a transition towards much more targeted and devastating attack strategies.
The Explosion of "Signature Phishing"
According to the latest report by security firm blockchain Scam Sniffer, losses from so-called 'signature phishing' have soared, exceeding $6.3 million in January alone. Although the number of affected users dropped 11 per cent from the previous month, the total value of the stolen funds increased 207 per cent from December levels.
Someone lost $12.25M in January by copying the wrong address from their transaction history. In December, another victim lost $50M the same way.
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) February 8, 2026
Two victims. $62M gone.
Signature phishing also surged — $6.27M stolen across 4,741 victims (+207% vs Dec).
Top cases:
· $3.02M —… pic.twitter.com/7D5ynInRrb
This seemingly contradictory figure reflects a tactical paradigm shift. Criminals have abandoned mass campaigns aimed at small savers and have turned to 'whale hunting'. They are now targeting 'High-Net-Worth Individuals', individuals with extremely large portfolios who, with a single mistake, can secure multi-million dollar loot.
Two Victims Account for 65% of Losses
The effectiveness of this new strategy is demonstrated by the numbers: just two victims accounted for nearly 65% of all losses recorded for signature phishing in January. The most serious incident saw a single investor lose $3.02 million.
The theft occurred by subscribing to a malicious function called 'permit' or 'increaseAllowance'. These mechanisms, if unknowingly approved by the user, grant a third party indefinite access to move tokens from the wallet. The danger lies in the fact that, once the 'signature' has been obtained, the attacker can empty the fund without the owner having to approve each subsequent transaction.
The Scourge of Address Poisoning
In addition to signature phishing, another threat is plaguing the industry: address poisoning. In one emblematic case in January, an investor lost $12.25 million after sending funds to a fraudulent address.
This technique exploits users' wallet management habits. Hackers generate 'vanity' or 'lookalike' addresses, which mimic the first and last characters of a legitimate address in the victim's transaction history. The deception relies on distraction: the criminals hope that the user will copy and paste the address directly from the history without verifying the entire alphanumeric string.
The Warning from Safe Labs
The severity of these coordinated attacks has prompted Safe Labs (formerly known as Gnosis Safe), a leader in multi-signature wallets, to issue a global security alert. The company has identified a massive social engineering campaign using some 5,000 malicious addresses to target its user base.
We have identified a coordinated attempt by malicious actors to create thousands of similar ('lookalike') Safe addresses designed to trick users into sending funds to the wrong destination. This is social engineering combined with address poisoning, said the company in a post on X.
- Safe{Labs} (@SafeLabs_) February 6, 2026
The experts' recommendation is unambiguous: never trust the visual familiarity of the first few characters of an address. Before performing any high-value transfer, it is essential to verify every single character of the destination string. In a world where digital signatures are binding and irreversible, caution remains the only real barrier against elite cybercrime.
