While everyone obsessed over market volatility, thieves had already figured out the cheapest attack vector: your brain.

The Summary

The Signal

Casa's timing isn't random. Social engineering overtook technical exploits as the dominant theft vector in crypto, and the gap is widening. While the industry spent years hardening wallet infrastructure and smart contract audits, attackers shifted to the soft target: convincing humans to give away their keys voluntarily.

The $11 billion in fraud losses represents a 22% increase despite better custody tech being widely available. That's the tell. The problem isn't insufficient cryptography. It's psychology at scale.

"Social engineering became the attack vector responsible for the bulk of crypto theft in 2025."

Casa's four new features address the human attack surface directly:

  • Enhanced verification protocols that force users to slow down before executing high-risk actions
  • Additional identity checks for account changes and key operations
  • Improved anomaly detection for unusual access patterns or transaction behavior
  • Mandatory cooling-off periods for certain security-sensitive operations

The multisig custody provider already requires multiple keys for transactions. But when attackers convince users to use those keys willingly through impersonation, urgency manipulation, or fake support scenarios, the cryptographic security becomes irrelevant. You can't math your way out of a convincing phone call from someone pretending to be Casa support.

These features add friction. That's the point. In an industry that prizes speed and autonomy, Casa is betting that the right kind of delay saves more money than it costs in user experience. When someone's pressuring you to "act now" to "secure your account," a mandatory 24-hour hold becomes the firewall your amygdala can't provide.
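A minimal sketch of how a mandatory hold can be enforced in software, added here as an illustration and not taken from Casa's product or code. The operation names, the CoolingOffGate class and the rule that changes to the hold are themselves held are assumptions made for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

HOLD_SECONDS = 24 * 60 * 60  # the 24-hour hold the article mentions
# Hypothetical operation names. Changing the hold or the contact details is
# itself held, so a caller cannot talk the owner into switching the delay off.
HIGH_RISK = {"withdraw", "rotate_key", "change_contact", "change_hold"}

@dataclass
class Pending:
    op: str
    detail: str
    ready_at: float
    cancelled: bool = False

@dataclass
class CoolingOffGate:
    hold: float = HOLD_SECONDS
    clock: Callable[[], float] = time.time  # injectable so tests can move time
    queue: dict = field(default_factory=dict)
    next_id: int = 1

    def request(self, op, detail=""):
        """Low-risk ops run at once; high-risk ops are queued with a deadline."""
        if op not in HIGH_RISK:
            return ("executed", None)
        rid, self.next_id = self.next_id, self.next_id + 1
        self.queue[rid] = Pending(op, detail, self.clock() + self.hold)
        return ("held", rid)

    def cancel(self, rid):
        """Cancelling is never delayed: the owner can always back out."""
        self.queue[rid].cancelled = True

    def execute(self, rid):
        """Run a queued op only if it was not cancelled and the hold elapsed."""
        p = self.queue[rid]
        if p.cancelled:
            return "cancelled"
        if self.clock() < p.ready_at:
            return "too_early"
        del self.queue[rid]
        if p.op == "change_hold":  # a new hold applies to later requests only
            self.hold = float(p.detail)
        return "executed"
```

The asymmetry is the design point: starting a sensitive action is slow, backing out of it is instant, and the delay setting sits behind the same delay.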

The Implication

This is what Web3 maturation looks like. Not faster transactions or shinier interfaces, but unglamorous human-centered security that acknowledges people remain the weakest link in any trustless system. As custody solutions move toward mainstream adoption, the social engineering threat surface only expands.

If you're holding meaningful crypto, the question isn't whether your keys are secure. It's whether you've hardened the procedures around using those keys. Casa's move suggests the answer for most people is no. And the attackers keeping pace with FBI statistics already know it.

Sources

RWA Times | Bitcoin Magazine