The rapid evolution of artificial intelligence has brought remarkable advancements, but it has also introduced new risks—especially within the cryptocurrency ecosystem. Among the most concerning developments is how Large Language Models enable cybercriminals to craft highly personalized spear-phishing messages based entirely on a user’s social media footprint.
This is no longer classic “spray-and-pray” phishing.
This is AI-powered spear phishing—targeted, psychologically engineered, and frighteningly believable.
Large language models can process large volumes of social media data, track users' behavior, imitate writing styles, and produce tailored messages aimed at the victim's specific interests, habits, fears, or preferences. Crypto users routinely share updates, opinions, portfolio moves, and experiences online, unintentionally creating a digital footprint that attackers can use.
This article discusses how LLMs make phishing truly personalized, how attackers collect and use social media data, why crypto users are prime targets, and what individuals can do to stay protected.
What Is Different About LLM-Driven Spear Phishing?
Traditional phishing relied on generic messages such as:
“Your account has been compromised. Click here.”
LLM-driven spear phishing is entirely different. The message:
Is grammatically polished and natural
References your personal interests
Reflects your recent posts or activities
Creates emotional connection
Appears relevant, timely, and urgent
This shift makes AI-powered spear phishing extremely dangerous—especially for crypto users, where a single mistake can lead to irreversible financial loss.
How Cybercriminals Mine Social Media Data Using LLMs for Spear Phishing
Cybercriminals do not need to hack your account to analyze your behaviour. Most information is publicly accessible, and AI tools make it easy to extract.
What Data They Scrape
Attackers feed various data points into an LLM to build a psychological and behavioural profile:
Public social media posts
Captions
Threads
Tweets
Comments
Story highlights
Reels and video descriptions
Personal information
First and Last Names
Nicknames
Age (approximate)
Location
Job role
Company name
Hobbies
Travel news/updates
Daily routines
Crypto-related signals
Exchanges you follow (Coinbase, Binance)
Wallets you mention (MetaMask, Phantom, Ledger)
Communities you are part of, such as r/CryptoCurrency or Telegram groups
Coins or tokens you publicly discuss
Scammers you warn others about
Behavioural and psychological patterns
Writing tone: formal, casual, humorous, emotional
Posting frequency
Times you are most active online
Accounts you interact with, or friends
Emotional posts: anger, celebration, frustration
All of this then becomes training material.
The LLM then turns these signals into a highly accurate profile of who you are, what you care about, and how you communicate.
How LLMs Turn That Data Into Personalized Spear Phishing Messages
Once attackers have substantial data, LLMs take over.
Here is the full expanded process:
Step-by-Step Explanation
1. Data Extraction
Attackers use scraping tools to automatically capture public activities from Instagram, X, Facebook, Telegram, and LinkedIn.
These tools collect hundreds or thousands of data points in a few minutes.
2. Data Organization
The LLM processes this information to identify:
Themes: travel, fashion, crypto, gaming
Tone: Friendly, direct, or emotional
Personal interests: NFTs, trading, DeFi, staking
Security habits: cautious, careless, or vocal?
Specific trusted contacts: colleagues, friends, platforms
This allows the model to understand what type of message the user is most likely to trust.
3. Persona Creation
The LLM builds a social profile of the target.
This includes:
Personality traits
Shared vocabulary
Style of communication
Social patterns
Potential insecurities
Financial interests
This persona allows AI to compose messages that strike an emotional chord.
4. Message Generation
Then, based on this persona, the LLM creates customized phishing content.
The message can sound like:
Customer support
A known influencer
A crypto project you follow
A friend or colleague
A brand you mentioned
A system you have used recently
Because the message arrives in a tone you expect, you are more inclined to trust it.
5. Emotional Engineering
AI improves messages by using psychological manipulation:
Urgency: “Action required in 30 minutes”
Relevance: “Regarding your recent trade on Bitget…”
Familiarity: “As we discussed in comments yesterday…”
Authority: “Ledger Support ID #A37F91”
6. Omnichannel Delivery
The phishing message may arrive through:
Direct message
Email
Telegram
WhatsApp
A sham support chat
A cloned website
An attacker will use whichever platform the user is most active on.
7. Dynamic Conversation
If the victim responds, the LLM continues the conversation.
It adjusts its tone based on the victim's:
Confusion
Hesitation
Questions
Complaints
This creates an interaction that feels like real, reliable customer service.
Why Personalized Phishing Works So Well
Personalization bypasses suspicion. When a message includes information you recognize, your brain lowers its guard.
Here is a list of psychological triggers:
Emotional Triggers
Fear of losing funds
Urgency to act quickly
Excitement about a reward or airdrop
Anxiety about account suspension
Curiosity about opportunities
Confidence in seeing familiar names or brands
Cognitive Biases
Authority bias: trusting platform messages
Confirmation bias: believing information that matches your expectations
Familiarity bias: trusting a tone that “feels right”
Scarcity bias: responding quickly to time-limited notifications
Crypto-Specific Weak Points
Irreversible transactions
Volatile market conditions that encourage panic
Reliance on virtual communities
Regular exposure to new platforms
Together, these factors make crypto users more susceptible to well-crafted phishing.
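A defensive triage example for the cues named in the Emotional Engineering step and the trigger lists above, added here and not part of the original article: it flags inbound messages that stack several of these levers or link to a host outside an allowlist. The regex patterns, the `triage` and `link_hosts` functions, the score thresholds, and the `.example` domains are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Cue names follow the article's trigger lists; the patterns are illustrative assumptions.
CUES = {
    "urgency": r"\b(action required|within \d+ (minutes?|hours?)|immediately)\b",
    "authority": r"\bsupport\b.*\b(id|ticket|case)\s*#?\w+",
    "familiarity": r"\bas we (discussed|talked about|mentioned)\b",
    "relevance": r"\b(regarding your|your recent (trade|withdrawal|deposit|post))\b",
    "fear": r"\b(suspended|suspension|locked|compromised)\b",
    "reward": r"\b(airdrop|claim your|bonus|reward)\b",
}

def link_hosts(text):
    """Hostnames of every http(s) link; urlsplit drops any user@ prefix."""
    hosts = []
    for url in re.findall(r"https?://\S+", text, re.I):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL: skipped in this example
            continue
        if host:
            hosts.append(host.lower())
    return hosts

def triage(text, trusted_domains):
    """Return (cues, untrusted_hosts, verdict) for one inbound message."""
    cues = sorted(n for n, p in CUES.items() if re.search(p, text, re.I))
    untrusted = [h for h in link_hosts(text)
                 if not any(h == d or h.endswith("." + d) for d in trusted_domains)]
    score = len(cues) + (2 if untrusted else 0)  # an off-allowlist link weighs double
    verdict = "high" if score >= 4 else "review" if score >= 2 else "low"
    return cues, untrusted, verdict

# Constructed sample data (not real messages or real domains).
TRUSTED = {"exchange.example", "wallet.example"}
SAMPLES = [
    "Regarding your recent trade: action required within 30 minutes or your "
    "account will be suspended. Support ID #A37F91. Verify at "
    "https://wallet-example.help.example.net/verify",
    "As we discussed in comments yesterday, the airdrop list is out.",
    "Your monthly statement is ready at https://www.exchange.example/account",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg, TRUSTED))
```

Because LLM-written lures are grammatically polished, this check keys on the manipulation levers and the link destination rather than on spelling errors. A "review" or "high" verdict is a prompt to verify through the platform's official channel before acting.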