Cold Wallet Not Cold? How a Veteran Journalist Lost $400,000 in a Scam

Beginner | 3/3/2025, 3:34:51 AM
In this decentralized digital world, everyone is responsible for safeguarding their own assets and acting as the first line of defense against risks. We can’t rely on others, but we can rely on rules and common sense. Always remember: Never share your mnemonic phrase.

Cold wallets are often considered one of the safest ways to store cryptocurrency. Since they’re not connected to the internet, they theoretically avoid the risk of hacker attacks. However, a recent Coindesk report revealed a shocking incident: A seasoned professional in the cryptocurrency industry had $400,000 worth of digital assets stored in a cold wallet, only to have it easily stolen by scammers. What’s even more surprising is that this wasn’t the result of hackers bypassing high-tech security; it was actually a carefully orchestrated social engineering attack.

You may not be familiar with social engineering attacks. In simple terms, a social engineering attack is one in which the victim’s system has no technical weakness at all; instead, the victim is deceived into a series of misplaced trust and bad decisions, ultimately losing their entire life savings.

Olivier Acuña, the Victim

The article doesn’t go into much detail about the scam itself, seemingly hiding some important aspects. After extensive research, I was able to uncover the full story, and I’ll share the details with you shortly.

You might be thinking, if even a veteran journalist can fall for a scam, how can the average person protect themselves? This could make you feel like the risks in the blockchain space are too high and you might decide to stay away from it. But if that’s your approach, you’ll let fear stop you from getting involved. In reality, avoiding scams is quite simple. By the end of this article, I’ll show you the easiest way to stay safe and make scammers powerless against you.

Let’s start by looking at who the veteran journalist is and how exactly he got scammed.

1. Veteran Journalist Scammed

The victim, Olivier Acuña, is a veteran journalist who previously investigated drug cartels and government corruption in Mexico. After decades in journalism, he transitioned into the cryptocurrency industry, becoming an experienced professional. He worked as the public relations director at the blockchain company IoTeX, where he managed the company’s external communications and promoted the use of blockchain technology.

Acuña’s salary and bonuses were paid in IoTeX’s token, IOTX, and stored in a Ledger hardware wallet. Known for its offline storage, this cold wallet added an extra layer of security. Acuña trusted blockchain technology, believing that its decentralized nature could fight corruption and censorship. However, his trust ultimately led him to let his guard down in the face of a scam.

1.1 The Problem

Acuña’s trouble began with a simple attempt to withdraw funds. After working at IoTeX for two years, he stored his IOTX tokens in a Ledger hardware wallet, which is considered a safe method of storing cryptocurrency due to its offline nature. However, when he tried to withdraw the funds — money he planned to use for his retirement — he encountered an issue with the wallet application.

Despite multiple attempts, Acuña couldn’t complete the withdrawal. Error messages kept appearing. As a non-technical person, he didn’t understand the cause of the problem, which led to growing frustration and anxiety. He urgently needed the money, but the wallet seemed to be an impenetrable barrier.

1.2 Seeking Help

At a loss, Acuña decided to seek external help. He posted a comment on the social media platform X (formerly Twitter), under a post about an update to the Ledger app, describing the issue and requesting official support.

Soon, a “savior” appeared — a blue-check verified account, claiming to be official Ledger customer service. They contacted Acuña privately, speaking in a professional and enthusiastic tone, saying they understood his issue and were willing to help.

They told Acuña that his problem was very common and could be fixed by updating the wallet app. They sent him a link to what they claimed was the “official repair tool.” The page looked extremely professional, perfectly replicating Ledger’s official website, from the layout to the icons. Acuña did not suspect anything and clicked the link, downloading the so-called repair tool as instructed.

Once installed, they guided him further, telling him that to verify his account, he would need to enter his mnemonic phrase. The mnemonic phrase is a crucial key for cryptocurrency wallets, consisting of 12 to 24 words used to recover or access assets in the wallet. They gently and firmly assured him that this was the last step to resolving the issue. However, the expected “issue resolved” message never appeared.

1.3 Getting Scammed

A few minutes later, when Acuña tried to access his wallet again, he found that the balance was empty. His $400,000 worth of IOTX tokens had been transferred almost instantly to an unknown address. He tried to track the funds via a blockchain explorer but saw that they had been quickly spread across multiple wallet addresses and eventually moved to Binance, the world’s largest cryptocurrency exchange.

Acuña immediately contacted Binance, hoping to freeze the funds, but the exchange stated that only police involvement could trigger action. He then reported the incident to the Spanish police, but their response time was far slower than the scammers’ ability to transfer the funds. By the time the investigation began, the tokens were long gone.

In this tragedy, Acuña managed to recover only a small portion — around $20,000 worth of stablecoins — while the remaining $400,000 worth of IOTX tokens were completely wiped out. This money, originally meant for his retirement, was now lost to scammers, a loss that could never be recovered.

2. What Went Wrong?

Acuña’s experience highlights the core mechanism of social engineering attacks: exploiting human weaknesses through psychological manipulation. Specifically, the success of this scam was not purely reliant on technical means but on several key mistakes Acuña made during the incident:

2.1 Exposing Personal Information Through Social Media Comments

Acuña publicly commented on social media platform X (formerly Twitter), describing the issue he encountered while attempting to withdraw his funds. While his intention was to seek help, this action effectively opened the door for scammers. By mentioning keywords like “hardware wallet,” “withdrawal failure,” and “token storage,” he unwittingly attracted the attention of scammers, especially in the crypto space, where scams are rampant.

Scammers used this information to identify Acuña’s predicament and disguised themselves as official customer service representatives. If Acuña had chosen to seek help through official channels or confined his communications to a private community, he might not have been targeted by the scammers.

2.2 Trusting the Blue-Check Verification and Misjudging the Situation

The scammer’s account was blue-check verified, which was one of the key reasons Acuña lowered his guard.

The blue-check verification was originally used by X (formerly Twitter) to mark trusted accounts, such as those of celebrities or organizations, helping users distinguish genuine accounts from fake ones. However, since the platform introduced a subscription service, anyone who paid a monthly fee could obtain a blue-check, which made the verification less trustworthy.

Scammers took advantage of this shift in the platform’s verification system, successfully posing as an official account. Acuña clearly didn’t recognize this change and failed to verify the account further. Had he checked the account’s tweet history or verified the customer service identity through official channels, he might have uncovered the scam.

2.3 Clicking a Link Provided by a Stranger

The link sent by the scammer was a meticulously crafted phishing website, fully replicating Ledger’s official site, from layout to icons, making it nearly indistinguishable from the real thing. Phishing websites are common tools in social engineering attacks, designed to deceive victims into thinking they are interacting with an official service.

Without further verification, Acuña clicked the link and downloaded the so-called “repair tool.” He then entered his mnemonic phrase, the critical key to his cold wallet. Once a mnemonic phrase is exposed, it gives scammers full control over the wallet, a significant security lapse in the crypto world.

If Acuña had realized that official customer service would never send links via social media direct messages, nor ask for mnemonic phrases, this tragedy could have been avoided.
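Why a pixel-perfect copy of the page proves nothing, shown as an added example that is not part of the original article: the only reliable signal in a link is its hostname, compared exactly against a domain you already know. The `ledger.com` allowlist entry, the function names and every sample URL below are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the vendor's real registrable domain. It is not given in the
# article; confirm it from the device packaging or a bookmark you made yourself.
OFFICIAL_DOMAINS = frozenset({"ledger.com"})


def classify_link(url, official=OFFICIAL_DOMAINS):
    """Return (verdict, reason); verdict is 'official' or 'reject'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # lowercased, no port/userinfo
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return ("reject", "malformed URL")
    if parts.scheme != "https":
        return ("reject", "not https")
    if not host:
        return ("reject", "no hostname")
    if has_userinfo:
        # In https://brand.com@other.example/ the real host is other.example.
        return ("reject", "userinfo before '@' hides the real host")
    if not host.isascii():
        return ("reject", "non-ASCII hostname (possible homoglyph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("reject", "punycode label")
    for domain in official:
        # Exact match or a true subdomain; the leading dot is what stops
        # "notvendor.example" from passing as "vendor.example".
        if host == domain or host.endswith("." + domain):
            return ("official", domain)
    brands = {d.split(".")[0] for d in official}
    if any(brand in host for brand in brands):
        return ("reject", "brand name outside the official domain")
    return ("reject", "hostname not on allowlist")


# Constructed sample links (the .example TLD is reserved and never resolves).
SAMPLES = [
    "https://www.ledger.com/start",
    "https://ledger.com.repair-tool.example/update",
    "https://ledger.com@repair-tool.example/",
    "https://ledg\u0435r.com/",  # Cyrillic 'e' in place of Latin 'e'
    "https://xn--ledgr-constructed.example/",
    "http://ledger.com/",
    "https://wallet-repair.example/",
]


def audit(urls):
    """Classify every link and return (url, verdict, reason) tuples."""
    return [(u,) + classify_link(u) for u in urls]


if __name__ == "__main__":
    for url, verdict, reason in audit(SAMPLES):
        print(f"{verdict:8} {reason:45} {url!r}")
    # An 'official' verdict only says where the link leads. It never makes a
    # page or a downloaded tool a valid place to type a mnemonic phrase.
```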

2.4 Summary

Notice that the entire scam process was a carefully engineered sequence, where each step played a crucial role. We cannot blame Acuña for entering his mnemonic phrase carelessly, as it was on his local device. We also can’t fault him for seeking help on social media, as any normal person would do. We certainly can’t blame him for trusting the blue-check verification, as it was still a sign of trust to most users, and this change wasn’t widely known.

So, is there nothing we can do to prevent such scams?

There is. Not only is there a way, but it’s also quite simple.

3. How to Avoid Getting Scammed?

In short: Never, under any circumstances, share your mnemonic phrase (or private key) with anyone—this includes all kinds of software and websites.

Why?

Because the mnemonic phrase (or private key) is the “lifeblood” of your digital assets. Once leaked, it’s like giving all the keys, passwords, and even the property deeds of your house to a stranger. They just need a few minutes to empty your “digital bank account.” And this process doesn’t require your signature, you don’t have to click any confirmation button, and there will be no chance for you to “take it back”—once a transaction happens on the blockchain, it’s irreversible.

Imagine you have a safe with all your life savings inside. The safe has only one key, and the mnemonic phrase is that key. Someone tells you, “Hey, let me fix your safe, don’t worry, just give me the key and I’ll take care of it!” What would you do? Would you casually hand over the key? In real life, you probably wouldn’t, because it’s an obvious risk. But in the digital world, this “key” is disguised as a set of seemingly harmless words (the mnemonic phrase), and many people let their guard down as a result.

Now, you should understand how serious the consequences are if your mnemonic phrase (private key) is leaked. It’s the absolute control over your digital assets. Once you lose it, you lose everything.

To ensure that you never leak your mnemonic phrase, here are 4 things you need to do:

  1. Remember: Official sources will never ask for your mnemonic phrase. Anyone claiming to be official customer service or technical support, no matter how “professional” or “urgent” they sound, is 100% a scam if they ask for your mnemonic phrase. Remember, real customer service never needs your mnemonic phrase to resolve any issues.

  2. Be cautious with links and avoid phishing sites. Never click on links sent by others, and definitely never enter your mnemonic phrase on unfamiliar websites. If you absolutely must enter your mnemonic phrase, make sure it’s in the official application of your hardware wallet and that it’s in an offline mode.

  3. Store assets separately to avoid a single point of failure. Don’t store all your assets in the same wallet, especially one relying solely on a single mnemonic phrase. Multi-layered storage can effectively reduce the risk of loss.

  4. Always store your mnemonic phrase offline. You can write it on paper or engrave it on a metal plate, but never store it on electronic devices. Hackers can remotely access information on electronic devices, but a piece of paper or metal plate is something they can’t touch. If your assets are Bitcoin, here’s a free tutorial on creating a cold wallet with no technical knowledge required.

In conclusion, just remember this in one sentence: Your mnemonic phrase is the “lifeblood” of your digital assets—never, ever give it to anyone.

Conclusion

The blockchain world is like an untamed wilderness, brimming with opportunities but also riddled with cleverly hidden traps. Olivier Acuña’s story teaches us that, no matter how advanced the technology, human nature remains the biggest vulnerability. However, tragedy can be turned into a lesson, and that lesson can lead us toward a wiser future.

In this decentralized digital frontier, everyone is their own asset guardian and the first line of defense against risks. We can’t rely on others, but we can rely on rules and common sense. The key takeaway is: never, ever share your mnemonic phrase.

Scammers are evolving, and we must grow too. Only by sharpening our security awareness can we confidently navigate this digital wilderness. Blockchain’s value goes far beyond making money—it’s about a revolution of trust and freedom. Safeguarding your wealth is not just a basic skill for joining this revolution, but also the starting point for a brighter future.

Remember: your cold wallet might be “cold,” but your security awareness should always be “hot.”

Disclaimer:

  1. This article was reposted from [Mirror], with copyright held by the original author [Daii]. If you have any concerns regarding the reposting, please contact the Gate Learn team, and they will address the matter following the appropriate procedures.
  2. Disclaimer: The views and opinions expressed in this article represent only the author’s personal views and do not constitute any investment advice.
  3. Other language versions of this article were translated by the Gate Learn team. The article may not be copied, shared, or plagiarized unless explicitly mentioned otherwise.
