Blockstream, an infrastructure and hardware wallet provider, issued a warning about a new email phishing campaign attempting to target Blockstream Jade hardware wallet users.
The company confirmed on Friday that it never sends firmware files through email and said that no data has been compromised in the attack.
Phishing attacks are designed to steal crypto and sensitive user information through seemingly legitimate communication. According to Blockstream, the email featured a simple message directing users to download the latest version of Blockstream Jade wallet firmware by clicking on a link, which was malicious.
Phishing scams cost crypto users over $12 million in August and affected over 15,000 victims — a 67% increase from July, according to anti-scam service Scam Sniffer.
As phishing campaigns and other crypto scams increase in complexity and diversity, crypto users must exercise a heightened sense of awareness and take online safety measures to protect their funds and sensitive information from theft.
Related: Crypto thefts hit $163M in August as hackers shift strategy
Staying safe amid a rising threat landscape
Crypto users lost over $3.1 billion due to scams and hacks in the first half of 2025, a sharp rise from 2024, according to a report from blockchain security firm Hacken.
Phishing scams are designed to catch users off guard by cloaking malicious links designed to steal data in messages disguised to look like they are from reputable crypto companies.
Typically, this involves a customer service email sent to the target warning of an imminent account closure, theft, cybersecurity breach or some other issue, and demanding a user’s private keys or passwords to fix the problem.
Users can avoid phishing scams by double-checking URL addresses to ensure that websites are legitimate.
Scammers will often create URLs that are nearly identical to legitimate crypto websites, with one or two small errors, such as including or excluding periods or substituting the letter “o” with the number zero and vice versa.
Users should also bookmark trusted pages instead of typing in the URL into the search bar manually or relying on search engines. Even paid advertisements thrust to the top of popular search engine sites like Google can be scams.
Other good practices include avoiding clicking links from unknown senders altogether, using a virtual private network (VPN) to mask IP addresses and locations, and checking emails and websites for spelling or grammatical mistakes.
Magazine: $55M DeFi Saver phish, copy2pwn hijacks your clipboard: Crypto Sec