An $18.2 million social engineering robbery: cross-chain channels become the escape route

智者解密 · 3 hours ago

On March 31, 2026 (UTC+8), an unnamed Kraken user fell victim to a social engineering scam, was induced to move assets out of the exchange, and ultimately lost about $18.2 million along a multi-chain laundering path. Reports from Rhythm, TechFlow and Golden Finance agree on two stages of the attack: the funds first went to a SafePal wallet, and the attacker then used THORChain to swap them from Ethereum to the Bitcoin network, buying room for further obfuscation. Rhythm called it the "largest known social engineering attack on an individual user in 2026", and the case quickly reopened an industry debate: when a decentralized cross-chain protocol moves value in a permissionless, borderless way, who bears the cost of user protection and accountability, and where should the boundary lie?

How $18.2 million vanished in an instant

From the available information, the attack reads like a carefully designed escape route for the funds. On March 31 the attacker first broke through the user's defenses by social engineering and induced the victim to send a large amount of assets from Kraken to a SafePal wallet address the attacker controlled; the reports do not disclose the pretext or the exact sequence of steps. Once the funds had left the centralized exchange, the attack entered the phase that is hard to roll back: every later movement is a validly signed on-chain transaction, and there is no operator who can reverse it.

The attacker did not linger on Ethereum after the funds reached the SafePal wallet, but quickly used THORChain's cross-chain functionality to swap the Ethereum-side assets into native Bitcoin. THORChain positions itself as cross-chain liquidity infrastructure that swaps native assets between multiple chains without wrapped tokens. In everyday use this raises capital efficiency; here it gave the attacker an efficient way to reroute. One caveat a practitioner should keep in mind: the hop is not invisible. A THORChain swap is a deposit into an inbound vault carrying a memo that names the destination chain and address, followed by an outbound from a vault on the other chain, so the two sides can be linked, but only by tooling that understands the protocol rather than by naively following addresses. What the hop does change is the ledger model: the trail moves from Ethereum's account-based ledger to Bitcoin's UTXO model, and every further step has to be tracked on both chains at once, which significantly raises the difficulty.

By the media's estimates, a loss of roughly $18.2 million is extremely rare among social engineering attacks on individual users in recent years, far above the typical tens to hundreds of thousands of dollars, and several outlets describe it as the "largest individual-user social engineering loss of 2026 so far". That gives the case landmark significance. On one hand, it moves social engineering, long regarded as the "soft" line of defense, into a new order of magnitude; on the other, it makes a disturbing fact concrete with a very large loss: a single fatal lapse in personal security judgment is enough, because a combination of cross-chain routing and multiple wallets can complete the flight of capital and obscure its path within minutes.

THORChain's double-edged role in high-volume cross-chain swaps

To understand the cross-chain leg of this incident, THORChain has to be placed in its industry context. According to DefiLlama, THORChain currently handles roughly $1.2 billion in cross-chain volume per week on average, making it an important piece of infrastructure in the multi-chain capital network and serving a large demand for native-asset swaps. For ordinary users and institutions it is an efficient multi-chain liquidity channel with no centralized intermediary.

It is exactly this native cross-chain design that lowered the bar for moving the money in this case. The attacker did not need to hop between several centralized platforms; controlling the SafePal wallet was enough to reach THORChain's routing in a few clicks and move the Ethereum assets to Bitcoin. For anyone familiar with these tools this is routine, but for security teams and law-enforcement cooperation it means tracing and analysis must run across several public chains and several asset forms at the same time, further compressing the time window in which any freeze could matter.

Some in the market say plainly that "THORChain's cross-chain functionality objectively facilitates capital transfer". In a normal context that sentence praises the product; in a security incident it exposes a structural conflict: decentralized infrastructure aims for minimal permissions and the lowest possible barrier to entry, while regulatory and accountability mechanisms need the power to brake, slow traffic, or close the road. Cross-chain protocols today typically hold no user KYC data and set no human approval thresholds; they faithfully execute swap instructions as a technical matter, and are therefore drawn into the debate over whether they are building "highways for illicit funds".

From SafePal's old wounds to social engineering as a sustained offensive

Another focus of the discussion is where the SafePal wallet sits in the path. Back in 2025, SafePal suffered losses of about $3 million in an API vulnerability incident, which raised questions about its security architecture and audit process. That incident is not of the same nature as the Kraken user's loss, but it left SafePal with a "history of security controversy", and when a large loss passes through its wallet environment the market naturally connects the two.

According to what several sources have disclosed so far, however, the core of this $18.2 million loss is a social engineering attack, not a systemic vulnerability in wallet or protocol code. ZachXBT has disclosed four separate million-dollar social engineering cases in the past three months, which shows social engineering moving from sporadic incidents to a sustained offensive: attackers no longer target the technical flaws of one platform, but the behavioral and psychological weaknesses of users across combinations of platforms and wallets.

That exposes a fact that is easily overlooked: in crypto, "protocol code security" and "user operation security" are two largely independent lines of defense. The first rests on formal verification, audit reports and bug bounties; the second depends on the user's understanding of, and attention to, approvals, private-key custody and signing prompts. Nothing in this case suggests that Kraken, SafePal or THORChain has an undisclosed flaw at the code level; the more reasonable reading is that the attacker talked the user past their own security boundary and let the user's own actions, each of them a valid, user-authorized transaction, complete the transfer. That is also why no audit or bounty program would have caught it: there was no bug to find.

Where the exchange's responsibility ends: platform duty and the user-education dilemma

In the absence of a confirmed systemic technical flaw, the question of where the exchange's responsibility ends becomes subtle and sensitive. On one hand, the moment assets leave a Kraken address on-chain, a user-initiated withdrawal has formally completed; on the other, large withdrawals and unusual outflows are precisely what risk-control systems watch. At a scale of $18.2 million, outsiders naturally ask whether, against rampant social engineering, the platform met its duty of reasonable care.

Critics point to several possible gaps. First, warnings about social engineering tend to stay superficial: after KYC a user is often reminded not to share passwords and verification codes, but gets little systematic guidance on multisignature wallets, binding a hardware wallet, or the risks of signing approvals. Second, withdrawal risk controls: for very large withdrawals, beyond basic 2FA and email confirmation, should platforms add behavioral analysis, destination-address history checks, and even manual review? Third, flagging and sharing suspicious addresses: when an address shows up in several cases, do exchanges have an obligation to update blacklists in real time and display a prominent warning before the user transfers or withdraws?

Yet even with all of those measures in place, social engineering can still penetrate several layers of defense. The deeper problems are thin user education and information asymmetry. For many newcomers, passing KYC does not mean they understand the risk model of a multi-chain environment; they tend to treat the exchange as a "crypto bank app" and have never heard of cross-chain routing, signature authorization or token approvals. When such a user is approached by someone posing as official customer support, risk-control staff or a project representative, the sense of a verified, official relationship that KYC creates becomes a lever: a caller who cites the user's name and account details sounds exactly like the real thing, and the user, not the code, becomes the weak point.

The hidden front: on-chain tracing and the anti-money-laundering battle

Technically, tracing funds across public chains such as Ethereum and Bitcoin is a fairly mature discipline: on-chain analysis teams reconstruct flows on the transparent ledgers with transaction-graph analysis, address clustering and timing correlation. In practice many constraints remain, and in this case the specific addresses involved have not been disclosed, so outsiders cannot independently review the full path of the funds.

Combining a cross-chain protocol with mixing tools stretches the recovery chain considerably. Once the assets reached Bitcoin via THORChain, they could in theory continue through multi-hop transactions, UTXO splits and further mixing, cutting a large sum into many small pieces scattered across addresses and points in time. Each additional cross-chain or mixing step turns "pinning down the suspicious funds" from bookkeeping into a matter of probability: taint can be followed proportionally through every split, but it thins out with each hop and co-mingles with clean funds.

Ironically, even on a fully transparent ledger, attackers exploit the paradox of "visible but hard to catch". Transparency lets everyone watch large sums being split, bridged and re-aggregated; without an immediate right to freeze and a mechanism for globally coordinated action, that information mostly stays at the level of after-the-fact evidence. The permissionless nature of cross-chain protocols means they cannot pull an emergency brake the moment a high-risk flow is detected, as a traditional financial channel can. The anti-money-laundering front is therefore pushed from "keep the funds out of the channel" to "identify and contain them afterward as far as possible", which is exactly the time gap and institutional vacuum an attacker counts on.

Will the next multi-million-dollar social engineering heist arrive even faster?

Returning to the $18.2 million heist itself, it exposes three contradictions in today's crypto world. First, the mismatch between cross-chain efficiency and accountability: funds can move across the globe in minutes, while accountability takes weeks or months. Second, the tension between wallet usability and security friction: the closer a product gets to "done in a few taps", the more it dilutes the user's vigilance at the critical approval and signing steps. Third, the blurred boundary between platform responsibility and user self-protection: platforms do not want to look overbearing, while users outsource their security floor to risk-control systems they never see.

It is foreseeable that as public attention to such incidents grows, cross-chain protocols, wallets and centralized exchanges will all face stronger pressure, self-imposed and regulatory, on compliance and risk control. Cross-chain protocols may be asked to add interfaces for compliance-tool providers to flag and analyze high-risk traffic; wallets will need more resistance to dangerous actions at the interaction layer, through layered prompts, risk scoring and pre-signing education, raising the user's security threshold without giving up too much usability; on the exchange side, risk models for large withdrawals, cross-institution blacklist sharing and continuous social engineering education are all likely to become recurring themes in regulatory dialogue.

For ordinary users the more realistic and urgent task is a security baseline: in a high-freedom on-chain world, treat resisting social engineering as a primary survival skill, not a footnote to "watch out for vulnerabilities". Any instruction claiming to come from an "official" source, especially one that involves transferring funds, granting approvals, exporting a seed phrase or installing a remote-assistance tool, should automatically be treated as high risk; for large holdings, learn physical isolation, multisignature and tiered account management so that no single mistaken action can expose everything. The more complex the technical stack, the larger the attack surface; under that premise, a degree of suspicion and hesitation decides whether funds survive the next heist far more often than chasing the newest cross-chain feature does.
