Pi Network urgently shuts down payment feature: Over 4.4 million Pi Coins looted in a "legitimate" phishing scam

A carefully designed phishing scam is sweeping through the Pi Network community; according to community on-chain tracking, more than 4,400,000 Pi have been stolen. The scam exploits no technical vulnerability. It abuses the wallet's built-in “payment request” feature, together with the public visibility of every address's balance on the blockchain, to run targeted social engineering attacks against users.
Under the pressure of continuing community losses, the Pi Core Team has now urgently suspended the “Send Payment Request” feature. The incident lays bare, at a striking scale, a dilemma the whole industry faces: when “code is law” and transactions are irreversible, a protocol feature working exactly as designed can become an efficient tool for scammers, and the novice users entering the on-chain world bear the resulting risk.
A “Legal” Looting: How the Payment Request Function Is Twisted into a Scam Tool
For most of Pi Network's “pioneer” users, 2025 was supposed to be the year they watched the project make real progress. Instead, a silent digital asset heist has caused panic in the community. According to widespread alerts posted by community users on X, a new type of scam is draining Pi from users' wallets at scale. Alarmingly, it uses no sophisticated hacking technique to breach the protocol; it “legally” exploits a standard feature of the Pi Network wallet, the payment request.
The method is simple and efficient. Scammers first use public tools such as the Pi blockchain explorer to scan for wallets holding large Pi balances; on a transparent ledger, looking up a balance needs no privileged access. Once a target is chosen, they send a payment request to that address through the wallet's built-in feature. A payment request is just a message: any address can send one to any other, it carries no proof of who the requester really is, and on its own it moves nothing. The damage is done when the unsuspecting user sees the request in the wallet interface and taps “Approve”: the wallet then signs a payment with the user's own key and submits it, and the funds land in the scammer's address instantly and irreversibly.
Community opinion leader “Pi OpenMainnet 2025” stressed that this is not a system vulnerability: “Frankly, this is not a bug at all. The wallet is designed to work this way. The only way you lose Pi Coins is if you personally approve that transaction.” That framing moves the core issue from technical flaws to security awareness and social engineering. Scammers impersonate acquaintances, community admins or even the official team so that a request looks legitimate, and tempt users into approving without verification. The attack is a blade forged from the protocol's own rules, aimed precisely at users who do not yet appreciate the risks of on-chain transactions. “Not a bug” is accurate at the protocol level, but a one-tap “Approve” on a request from an arbitrary, unverified stranger is a wallet design choice, and design choices can be revisited, as the team's later response shows.
The Massive Industry Chain Behind the Numbers: Over 4.4 Million Pi in Six Months as a “Business Model”
Sporadic scam cases could be dismissed as isolated incidents; the data exposed in this event instead reveals a scaled, ongoing criminal operation. According to on-chain data shared by community trackers such as “Pi Network Update,” a single wallet address has become the core fund collection pool for the scam.
That address, GCD3SZ3TFJAESWFZFROZZHNRM5KWFO25TVNR6EMLWNYL47V5A72HBWXP, has been receiving large volumes of illicit funds for months. The trackers' data shows a remarkably steady monthly inflow: approximately 877,900 Pi in July 2025, 743,000 in August, 757,000 in September, 563,000 in October and 622,700 in November. More worryingly, in December, the month the scam was widely exposed, the inflow rose to over 838,000 Pi. Over those six months the figures add up to roughly 4,400,000 Pi landing in this single address. Note what that number measures: inflow to one collection address as read off the public ledger by community trackers. Funds routed through other addresses are not counted, and the ledger records transfers, not intent, so attributing every inflow to the scam is the trackers' reading of the data.
The numbers tell a clear story: this is not a lone opportunist but an organized, highly efficient criminal operation. The scammers appear to have built a standardized pipeline, from target screening through phishing-request sending to fund collection. The steady, large monthly inflows suggest a vast and constantly replenished pool of victims. The December surge may reflect an upgraded playbook or a wider target set. Industrialized scams of this kind pose a serious trust and security challenge to an ecosystem still early in its development and full of blockchain newcomers.
Key Data of the Large-Scale Scam Chain
Core involved wallet address:
GCD3SZ3TFJAESWFZFROZZHNRM5KWFO25TVNR6EMLWNYL47V5A72HBWXP
Monthly illicit fund inflow data (2025):
July: approximately 877,900 Pi
August: approximately 743,000 Pi
September: approximately 757,000 Pi
October: approximately 563,000 Pi
November: approximately 622,700 Pi
December: approximately 838,000 Pi (continuing to rise)
Total loss: over 4,400,000 Pi
Nature of the scam: social engineering attack abusing legitimate features, with obvious characteristics of industrialized operation.
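As an added example, not the trackers' own tooling and not part of the original article: the kind of fan-in analysis a community tracker would run over public ledger data to spot a collection address like the one above. It works over a constructed payment ledger (the record shape, the addresses GFUNNEL and GSHOP and the thresholds are assumptions) and isolates the footprint the article describes: steady monthly inflow from many distinct senders who each pay once, which a merchant paid by repeat customers does not produce.

```python
# Added example: fan-in profile of a suspected scam collection address.
# Not community-tracker code; the ledger, addresses and thresholds below are
# constructed assumptions for this illustration.
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    month: str     # "YYYY-MM" of the ledger close time
    src: str       # sending address
    dst: str       # receiving address
    amount: float  # Pi transferred


def monthly_inflow(payments, address):
    """Sum of Pi received by `address` per month, ordered by month."""
    totals = defaultdict(float)
    for p in payments:
        if p.dst == address:
            totals[p.month] += p.amount
    return dict(sorted(totals.items()))


def sender_stats(payments, address):
    """Number of distinct senders to `address` and the share that paid exactly once."""
    counts = Counter(p.src for p in payments if p.dst == address)
    if not counts:
        return 0, 0.0
    one_shot = sum(1 for n in counts.values() if n == 1)
    return len(counts), one_shot / len(counts)


def looks_like_collector(payments, address, min_months=3, min_senders=20, min_one_shot=0.8):
    """Heuristic with assumed thresholds: sustained inflow over several months from
    many senders who each pay once. Phishing victims pay once and never again;
    a shop's customers come back, so its one-shot share stays low."""
    months = monthly_inflow(payments, address)
    senders, one_shot_share = sender_stats(payments, address)
    return len(months) >= min_months and senders >= min_senders and one_shot_share >= min_one_shot


def build_sample_ledger():
    """Constructed data: a funnel paid once each by 30 fresh victims per month over
    six months, and a shop paid every month by the same 6 customers."""
    ledger = []
    months = [f"2025-{m:02d}" for m in range(7, 13)]
    for i, month in enumerate(months):
        for v in range(30):
            ledger.append(Payment(month, f"GVICTIM{i:02d}{v:02d}", "GFUNNEL", 250.0))
        for c in range(6):
            ledger.append(Payment(month, f"GCUSTOMER{c}", "GSHOP", 40.0))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for addr in ("GFUNNEL", "GSHOP"):
        senders, share = sender_stats(ledger, addr)
        print(addr, monthly_inflow(ledger, addr), f"senders={senders}",
              f"one_shot={share:.2f}", "COLLECTOR" if looks_like_collector(ledger, addr) else "ok")
```

The heuristic is only a triage signal: it points an analyst at an address worth reading transaction by transaction, it does not prove intent, and the thresholds would need tuning against the real ledger.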
Emergency Stop and Fundamental Contradictions: Pi Team’s Response and the Eternal Challenge of Web3
Faced with growing panic and continuing losses, the official Pi Network team took the most direct measure available to it, and also the bluntest: an emergency pause. According to community channels such as “Pi Network Alerts,” the team has temporarily disabled the wallet's “Send Payment Request” feature. The intervention is surgical in intent: cut off the scammers' delivery channel at the source and buy time to evaluate and roll out more comprehensive protections.
The stopgap also highlights a fundamental tension in decentralized ecosystems: how to protect inexperienced users while preserving transparency, permissionless access and user autonomy, the core principles of Web3. The payment request feature is itself neutral; it simplifies initiating a transaction between two users and is part of a good user experience. But a fully transparent ledger (anyone can look up any address's balance) lets attackers pick their targets, and a one-tap approval lets them cash in; in malicious hands the combination has been disastrous.
The Pi team describes the suspension as a temporary measure to limit losses, not a permanent fix. Future measures may include an allowlist for requesters, a mandatory second confirmation with a risk warning label on every payment request, or reputation-based request filtering. Each costs some convenience or introduces centralized review, forcing a hard trade-off between security and user experience, and between decentralization and protection. Community guidance in the meantime is unambiguous: until the feature is restored, approve no payment request from any source, whether it appears to come from a friend, a family member or an official account.
Industry-Wide Issue Revealed by the Pi Incident: Social Engineering Is the Achilles’ Heel of Web3 Security
The crisis Pi Network faces is not an isolated case. It exposes, in extreme form, the most vulnerable link in the blockchain industry: however solid the protocol layer, the end user can still be the weakest link in the security chain. Across the history of crypto assets, from the early “fake exchange customer service” scams to today's proliferation of “fake airdrops” and token-approval phishing, the largest losses have come not from smart contract vulnerabilities but from social engineering attacks on human nature.
The incident is a wake-up call for all blockchain projects, especially those with large user bases and a high proportion of newcomers. It raises several critical questions:
Where is the bottom line of user education? Is it enough for project teams to tell users that “private keys matter,” or should “how to recognize and respond to social engineering attacks” be a mandatory course?
Can product design be more foolproof? For critical operations such as approving a transaction or granting an asset authorization, could more prominent risk prompts, operation delays or deliberate friction (even at the expense of user experience) create a safety buffer?
How can community governance contribute? Could a decentralized “risk address tagging” or “fraud alert” network be established, so that community effort becomes part of the security defense?
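One way a wallet could implement the protections discussed above (a requester allowlist, a mandatory second confirmation with a risk label, and community-tagged risk addresses) is a policy check that runs before a request is ever rendered as a one-tap “Approve” button. The following is an added example in Python, not Pi Network's code; the decision thresholds, the impersonation keyword list, the placeholder addresses and the sample requests are assumptions. The hard default it encodes is the one the attack pattern in this article calls for: a large request from an address this wallet has never paid is refused outright rather than shown with a warning.

```python
# Added example: wallet-side policy for inbound payment requests.
# Not Pi Network's code; thresholds, keyword list and sample data are assumptions.
# A payment request is an unauthenticated message from any address. It moves
# nothing by itself; the loss happens only when the holder approves it and the
# wallet signs a payment to the requester. This policy decides how (or whether)
# the request is shown at all.
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"  # render normally
    WARN = "warn"    # render with a risk label and a second confirmation step
    BLOCK = "block"  # never render an Approve button for this request


@dataclass(frozen=True)
class PaymentRequest:
    requester: str  # on-chain address that sent the request; it is also the payee
    amount: float   # Pi the requester is asking for
    memo: str = ""  # attacker-controlled free text; never treat it as an identity


@dataclass
class RequestPolicy:
    balance: float
    contacts: frozenset = frozenset()   # addresses this wallet has knowingly paid before
    flagged: frozenset = frozenset()    # community-reported collection addresses
    large_fraction: float = 0.10        # >= 10% of the balance counts as a large payment
    impersonation_terms: tuple = ("official", "core team", "admin", "kyc", "migration")

    def evaluate(self, req: PaymentRequest):
        """Return (Decision, reasons) for one request."""
        # Hard stops first: a known collection address, or an amount the wallet cannot pay.
        if req.requester in self.flagged:
            return Decision.BLOCK, ["requester is a community-flagged scam address"]
        if req.amount <= 0 or req.amount > self.balance:
            return Decision.BLOCK, ["amount is zero, negative or exceeds the balance"]

        unknown = req.requester not in self.contacts
        large = req.amount >= self.large_fraction * self.balance
        memo_hits = [t for t in self.impersonation_terms if t in req.memo.lower()]

        reasons = []
        if unknown:
            reasons.append("requester has never been paid from this wallet")
        if large:
            reasons.append(f"amount is {req.amount / self.balance:.0%} of the balance")
        if memo_hits:
            reasons.append(f"memo uses impersonation wording: {memo_hits}")

        # Default deny for the article's exact pattern: a stranger asking for a large sum.
        if unknown and large:
            return Decision.BLOCK, reasons
        if reasons:
            return Decision.WARN, reasons
        return Decision.ALLOW, reasons


def triage(policy: RequestPolicy, requests):
    """Map each requester to its decision, as a wallet inbox would."""
    return {r.requester: policy.evaluate(r)[0] for r in requests}


# Constructed sample: a 50,000 Pi wallet with one saved contact and one flagged address.
POLICY = RequestPolicy(
    balance=50_000.0,
    contacts=frozenset({"GCONTACTFRIEND"}),
    flagged=frozenset({"GFLAGGEDCOLLECTOR"}),
)
SAMPLE_REQUESTS = [
    PaymentRequest("GCONTACTFRIEND", 120.0, "dinner"),
    PaymentRequest("GCONTACTFRIEND", 20_000.0, "loan"),
    PaymentRequest("GSTRANGERONE", 50.0, "tip"),
    PaymentRequest("GSTRANGERTWO", 45_000.0, "Pi Core Team official migration fee"),
    PaymentRequest("GFLAGGEDCOLLECTOR", 10.0, "small test"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        decision, why = POLICY.evaluate(req)
        print(f"{decision.value:5}  {req.requester:18}  {req.amount:>10,.0f} Pi  {why}")
```

The memo is attacker-controlled text and must never be rendered as the sender's identity; the keyword check only adds a warning and is trivially rephrased around, which is why the unknown-requester and size rules carry the real weight. The flagged set is where a community-maintained risk address list would plug in.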
After the incident was exposed, Pi's market price seemed unaffected, rising slightly, by nearly 1%, in year-end trading to hover around $0.20381. That perhaps signals that the market reads this as a localized operational security incident rather than a fundamental devaluation of the project. For millions of Pi community users, however, it is a profound and costly security lesson. It is a brutal reminder that in a world of “Not your keys, not your crypto,” real control also means full responsibility: the last line of defense for your assets is your own cautious judgment. For projects like Pi Network, on the road to mainnet and their grand visions, building a system that resists external attack while guiding a vast, inexperienced user base safely through it will be a challenge even greater than the technical build-out itself.
YMW2500 · 13h ago
Everyone must strengthen their awareness of self-security protection.