
“Attacks have become more complex, attacks have become more deliberate”
What new security challenges did crypto projects face in the first half of 2025, and how should not only professionals but ordinary users respond? Read our interview with Grigory Osipov, director of investigations at Shard, first published in the July issue of FLMonthly.
ForkLog: As a cybersecurity specialist, did your workload increase in 2025?
Grigory: Hacker activity has increased significantly compared with last year. The number of requests is rising, and more people are becoming victims of attacks and fraud.
Preliminary figures, including the Bybit incident, put losses inflicted on the crypto industry in the first six months of 2025 on a par with the full year 2024, roughly $2.1bn. Around 200 more or less major breaches have been recorded so far.
Excluding Bybit (~$1.4bn), last year’s and this year’s figures would be roughly comparable. But, naturally, that episode set the tone and raised the stakes considerably.
The number of affected users has similarly grown. Another factor is that many of today’s breaches are latent.
Many platforms and projects that are attacked are slow to disclose incidents. The community learns about them from blockchain sleuths. That entails reputational and economic risks. Once clients realise a service is unreliable, they are unlikely to return.
ForkLog: How would you characterise the current crypto-security threat landscape? Which attack types are most common and dangerous?
Grigory: Attacks have become more complex, more deliberate, and the attackers’ tools have also grown more sophisticated, including with the help of artificial intelligence.
The most common vector today is social engineering plus phishing — manipulating staff at crypto services or company employees to penetrate vulnerable systems. In effect, it blends social and traditional hacking methods.
Second are smart-contract vulnerabilities — essentially all attacks that target decentralised services.
Third is probably exploiting project liquidity to manipulate markets. And the last of the main types are vulnerabilities in multisig wallets. That is partly related to the Bybit breach.
Overall, 2025 is defined by a strengthened social-engineering vector. It is not just a direct attack on a service: attackers first gather information about the target, probe employees, study the information space and even create deepfakes.
ForkLog: How are attackers “evolving,” and how much more coordinated have hackers become?
Grigory: Compared with earlier periods, groups now dominate over lone “enthusiast individuals.” Scale is one reason.
The breaches at Bybit, Phemex and the Iranian crypto exchange Nobitex are all large and planned. Such operations demand high skills and coordination across different fronts, plus access to technical tools and financing — in other words, a budget.
The era of solo operators is not over, but the trend is towards organised group hacks.
As for “evolution,” I already mentioned social engineering. Hackers now study victims’ profiles and use compromised accounts for phishing mailings, giveaways, fake tokens and so on.
They also compromise accounts of public figures to launch scam tokens or airdrops. Recently they carried out a phishing attack against CoinMarketCap — they replaced the frontend. That shows even large services can be breached.
“Insider threats” are also on the rise — planting people inside companies to access internal systems or encryption keys. This is present in DeFi as well.
There are also attacks on employees that involve sending a fake file — for example, a “test assignment” with malicious code that opens a breach in the security system.
As for AI, the hype is probably far ahead of real-world use. Many analytical reports lionise artificial intelligence as a tool hackers constantly wield to execute attacks. Fortunately, reality is a bit different.
Yes, neural networks are used to draft phishing emails or spin up fake sites. But that is just a preparatory tool. So far, the number of breaches carried out entirely with AI is zero.
ForkLog: Where did cryptojacking go?
Grigory: That, too, seems more like hype: your hardware is used for mining, your resources generate someone else’s cryptocurrency, you do not even know, and your computer slows to a crawl.
It was relevant in 2017–2018, when you could mine on a CPU or a home GPU. Today it is hardly viable and almost impossible to monetise.
It is now far more interesting for a hacker to harvest information from a victim’s computer about crypto addresses and access keys than to bother with so‑called cryptojacking.
ForkLog: State-backed hacker groups like Lazarus are increasingly implicated in major attacks. How dangerous is this long term? What happens when every state has its own “hacker army”?
Grigory: The emergence of state hacker groups is a new trend of sorts. Lazarus Group has existed for quite a while and is a prominent example.
The more cryptocurrency integrates into the global economic system, the more of these groups will emerge. For governments it is more advantageous to control and use them in their own interests than to shut them down.
In essence this is part of information warfare, and the Nobitex breach by a pro‑Israel team highlights the point. In that case it was clearly a manipulative hack aimed not at enrichment but at damaging Iranian infrastructure.
If every state assembles a “hacker army,” we will likely see a continuation of information cyberwar. A new field of activity will open, so countries will resort to new ploys and create cyberweapons.
Accordingly, the stronger a state is economically, the more it will invest in training and building cyber groups.
Who will join them and on what basis is hard to say. But that is the world awaiting us if digital payments continue to develop. As the internet and digital technologies pervade our lives, the struggle will shift there, and such groups will simply become units representing one side’s interests.
Elements of chaos will inevitably appear: there will be state, inter‑state, ideological and possibly even religious groups.
ForkLog: Where are the main risks concentrated now — in CeFi or DeFi?
Grigory: They are different kinds of risks. From a user’s perspective, decentralised finance seems more vulnerable. There is no regulation, and DeFi protocols have long topped the breach rankings compared with other platforms.
Most attacks stem from smart‑contract vulnerabilities or oracle manipulation. In addition, decentralised platforms’ own teams can make mistakes.
With centralised exchanges, there is a different story. Beyond cyberattack risk, regulation must be considered. The latter is more about users’ desire to remain independent and private, which procedures like KYC hinder.
There have been many cases where clients’ assets on centralised exchanges were frozen and could be “unlocked” only with legal assistance.
In short, risks exist everywhere, so approach both CeFi and DeFi with caution.
ForkLog: What should you do when a “letter from Ledger” arrives? Offline scams seem new to many crypto users.
Grigory: Unfortunately, a large number of hacks and frauds are now carried out in the name of official service representatives. Hackers actively use this mechanism to convince users to hand over their keys or follow a link.
Such cases are only increasing. We recently saw one: a person wanted a job in Germany, was asked to provide an income statement from Bybit via an email request, and then had their account access and funds stolen.
Think of crypto services like banks and similar institutions: they will contact you on their own initiative only in very rare cases. An exchange will almost never write to you and invite you to click links.
A general safety rule: if you receive an email in which a platform asks you to perform certain actions, verify it through official support channels.
ForkLog: What basic but critical security measures should every crypto holder follow?
Grigory: I do not want to be trite by talking about strong passwords, two‑factor authentication, and creating and storing keys and seed phrases.
One of the best ways to secure cryptoassets is to use a separate phone or device for working with them. Today the smartphone is the main place where most of us keep our coins.
If you do not opt for a cold wallet to store cryptocurrency, choose a separate mobile phone for that purpose. Do not use crypto apps on your personal device, as it may host other, less secure software.
Also remember to update software regularly and maintain cyber hygiene, including installing a firewall and antivirus. There are now protection programs that work against dust attacks in which an address is substituted with a look‑alike.
Most user mistakes are precisely in digital hygiene. Do not photograph or store passwords or seed phrases in notes.
But all of this pales when a person falls under scammers’ psychological pressure. Once on the hook, they will themselves override most security measures under duress.
ForkLog: How reliable are hardware wallets?
Grigory: Their protection level is indeed high. Of all storage methods, this is probably the safest.
However, in the pursuit of low prices, people can make mistakes. Marketplaces often feature counterfeit or modified devices that steal your funds. Try to buy cold wallets only through official suppliers.
ForkLog: Do regulatory measures help ensure cybersecurity (AML/KYC/licensing)?
Grigory: As we said, there are two camps. A centralised crypto exchange depends on the regulator and applies its compliance policies to verify client identity.
A major exchange no longer grants full access as it did three or four years ago. Attackers understand the nuances, too. From a paranoid perspective, we are all being chipped and identified, all our data will be entered into registries, and authorities will use various services to learn how much we earn and how we use it.
Putting it simply, attackers understand that withdrawing funds to a centralised exchange means being identified. Even if drop accounts are used, IP addresses and other traces remain that can be used to identify a person.
Therefore, using services that follow such procedures reduces money‑laundering risks globally, and AML systems can label addresses linked to crime.
The idea is sound. The question is how it is implemented, given problems in international relations and the lack of harmonised regulation.
On the other hand, attackers who realise they cannot use centralised exchanges to cash out will go there only rarely. Mostly they use mixers and DEX.
ForkLog: Share the single most important security tip for 2025.
Grigory: A single tip is hard to give. For users, it is DYOR — conduct your own investigation. No platform is interested in this except you.
Everyone wants to earn and attract users. Services do care about safety and reputation, of course, but people still choose where to put their funds.
For projects and platforms, my recommendation is systemic data protection. Cybersecurity is reaching a new level. It is no longer a matter of installing some protection, running an audit and calling it a day.
Active, systemic defence is crucial, because threats constantly evolve. Countermeasures must keep pace.