Funds stolen via phishing attacks fell 83% to $83.85 million in 2025, according to a report by SlowMist.
In 2024 the figure stood at $494 million. The number of affected users also decreased — 106,106 people fell victim, down 68% year on year.
Analysts identified a direct correlation between market activity and the success of attacks. The peak came in the third quarter, when Ethereum rallied. In August and September scammers stole about 29% of the annual total (over $31 million).
In the fourth quarter, as markets cooled, drainer activity fell to a low — losses in December were just $2.04 million.
Key attack methods:
- Permit signatures. They remain the primary tool for thefts, accounting for 38% of major incidents (losses above $1 million).
- EIP-7702. After the Pectra upgrade, a new threat vector emerged. Attackers began using account abstraction to bundle malicious operations.
The largest single theft of the year occurred in September — a user lost $6.5 million due to a forged Permit signature.
Experts cautioned that lower figures do not mean the threat has disappeared. The drainer ecosystem is evolving, splitting into mass phishing aimed at retail users and sophisticated targeted attacks on major projects.
“If markets recover, hacking activity will rise with them,” the researchers said.
Total losses rose 46%
Despite the downturn in phishing drainers, overall damage to the crypto industry rose sharply in 2025. SlowMist logged 200 security incidents with aggregate losses of $2.935 billion.
By comparison, 2024 saw twice as many attacks (410) but a smaller haul of $2.013 billion. The year’s pattern: fewer breaches, but larger average hauls and more severe fallout.
The most targeted ecosystem remained Ethereum ($183 million in losses), followed by Solana and Arbitrum with about $17 million each.
Centralised exchanges lost more than DeFi
In 2025 the focus of attacks shifted from decentralised protocols to large centralised platforms (CeFi).
The DeFi sector remained the leader by number of incidents (126 breaches, 63% of the total). However, total losses in the segment fell 37% to $649 million.
CeFi saw just 22 incidents, but the damage was colossal — $1.8 billion.
The year’s main “event” was the Bybit exchange hack, in which attackers withdrew $1.46 billion in assets. Experts linked the attack to North Korean hackers.
The top three incidents also included attacks on Cetus Protocol ($230 million) and Balancer V2 ($121 million).
Social engineering: fake employers and counterfeit wallets
Hackers increasingly forgo technical intrusions in favour of manipulating people. The report highlighted the main ploys:
- fake interviews: criminals search for developers on LinkedIn, posing as recruiters for well-known projects. Under the guise of a “test task” they ask candidates to download and run code containing hidden trojans to steal keys;
- bogus security experts: scammers build personas of white-hat hackers on social networks, offer to “audit” wallets and, under that pretext, obtain access to assets;
- hardware wallets: users buy devices from unofficial sellers. Such devices arrive already activated or with a pre-set seed phrase known to the attackers.
Supply-chain and browser-extension threats
Attackers target software supply chains to compromise many users at once:
- open-source poisoning: hackers upload malicious code to popular GitHub repositories, often masquerading as useful tools such as trading bots for Solana;
- dangerous extensions: in 2025, some popular browser plug-ins (for example, VPN services or tools for Web3) covertly collected user data, including AI chats and exchange cookies.
AI in hackers’ toolkit
Artificial intelligence has become a powerful instrument for fraudsters. Deepfake technology is used to create videos featuring well-known figures promoting scam projects.
There have been cases of corporate fraud: an employee of a Hong Kong firm transferred large sums after a video conference in which all his “colleagues” and “boss” were generated by a neural network in real time.
Hackers also use AI models (such as Gemini or Claude) to write and constantly modify malicious code to evade antivirus systems.
Earlier, Chainalysis estimated that since the start of the year hackers have stolen more than $3.4 billion in cryptocurrency.