Hardware-wallet impostor scam triggers one of the biggest crypto heists

A crypto holder lost more than $282 million in Bitcoin and Litecoin on Jan. 10, 2026, after an attacker impersonated hardware-wallet support and obtained the user's seed phrase, enabling a rapid, multi-chain drain of funds.
The theft occurred around 11:00 p.m. UTC and targeted a wallet linked to 2.05 million LTC (about $153 million) and 1,459 BTC (roughly $139 million). According to on-chain reporting, the attacker immediately seized control of the wallet after the victim disclosed the recovery phrase to someone posing as Trezor support.
Blockchain investigator ZachXBT said the thief split and routed the assets across several networks in minutes. Portions of the haul were bridged via THORChain to move value between Bitcoin, Ethereum, Ripple and Litecoin, while large tranches were swapped into Monero through instant-exchange services, a pattern commonly used to hinder traceability. The Monero flows coincided with a sharp price spike in XMR. “It’s not North Korea,” ZachXBT wrote, dismissing speculation of state-sponsored involvement.
Some funds were intercepted. Security firm ZeroShadow said it flagged and helped freeze about $700,000 within approximately 20 minutes after being alerted by monitoring teams. The firm described the victim as an individual deceived by an actor masquerading as “Trezor ‘Value Wallet’ support,” emphasizing that the breach stemmed from social engineering rather than any compromise of wallet software or private-key infrastructure.
The case underscores how seed-phrase exposure can render all standard safeguards moot: once the phrase is revealed, an attacker can recreate the wallet, sign transfers and pivot across chains and liquidity venues without touching a centralized exchange. In this incident, peel-chain techniques, cross-chain bridges and privacy-focused swaps combined to fragment the trail within hours, complicating asset recovery and forensic work.
It is the second mega-scale social-engineering loss highlighted in recent months. It follows a separate 2025 case in which an elderly U.S. holder lost more than $330 million in BTC after scammers talked their way into access and then laundered the coins through exchanges and Monero. Together, the events point to a rising share of non-technical compromises in large crypto heists, where attackers bypass code defenses by exploiting user trust and support-channel workflows.
Investigators and wallet-security specialists recommend treating any unsolicited “support” outreach as hostile by default, never entering a seed phrase into a web form or chat, and verifying addresses end-to-end on trusted hardware displays. They also urge users to store recovery phrases offline, segment holdings across multiple vaults and consider plausible deniability schemes that keep minimal balances visible to an attacker during a coercive interaction. While those steps cannot retroactively recover lost funds, they reduce the blast radius of a single social-engineering success.