Cryptocurrency hacking losses hit a record high, with the true culprit being "human error" rather than code vulnerabilities

2025 was a costly year for the cryptocurrency industry. According to authoritative industry data, losses from security incidents reached a record high and took a painful toll on the entire sector. However, a closer look at the root causes of these hacking events reveals an unexpected truth: the main drivers of losses are not hidden code vulnerabilities in smart contracts, but human error and a lack of security awareness.

$17 Billion Losses from Hacks in 2025, Scams Become the Biggest Threat

According to Chainalysis’s annual security report, the cryptocurrency sector suffered approximately $17 billion in losses from scams and fraud in 2025. Behind this figure lies a concerning trend: traditional scam methods are evolving. Data shows that impersonation scams increased by 1,400% over the past year, and AI-driven scams are 450% more profitable than conventional tactics. These numbers indicate a fundamental shift in hacking methods—from complex technical exploits to more deceptive and targeted schemes.

Seemingly “low-level” attack methods like password leaks, account thefts, and social engineering scams have become the leading causes of major losses. These are classic Web2 security issues, not blockchain-specific on-chain code vulnerabilities. This suggests that many projects and users overlook basic protective measures when facing hacking threats.

From Code Vulnerabilities to Human Weaknesses: How Attack Surfaces Are Changing

Mitchell Amador, CEO of Immunefi, points out that the security defenses of on-chain systems are improving significantly. After years of iteration and optimization, the security level of smart contracts has steadily increased, making “hard” code vulnerabilities harder to exploit. However, this does not mean the threat of attacks is diminishing; instead, attackers have identified new entry points—vulnerabilities in human defenses.

This shift reflects a core reality in blockchain security: as code becomes more difficult to breach, attackers naturally target the most vulnerable factor—people. No matter how perfect the code, a weak password, a careless click, or a carefully crafted fake message can lead to the loss of entire projects or user assets.

Low Adoption of Protective Tools, Industry Faces a Dilemma in Defense

Worse still, the current state of industry defenses is concerning. Amador’s data shows that over 90% of projects still have exploitable critical vulnerabilities, indicating a lack of emphasis on security. Adoption of protective tools is even bleaker: fewer than 1% of industry participants deploy firewalls, and fewer than 10% use AI detection tools.

These figures imply that most projects remain reactive rather than proactive in defending against hacking. The extremely low adoption rate of security tools makes the industry particularly vulnerable to social engineering and scams. With constantly evolving hacking techniques, existing defenses are far from sufficient.

The New Battlefield in 2026: AI-Driven Scams and Autonomous Agents as Dual Threats

Looking ahead, Amador believes that 2026 will be the best year for on-chain smart contract security, further reducing the likelihood of code breaches. However, behind this “good news” lie even more serious challenges.

Future attacks will become more sophisticated and covert. Hackers will turn to more precise social engineering scams, leveraging AI technology for large-scale, high-accuracy fraud. Meanwhile, with the rise of on-chain AI agents and autonomous decision-making systems, these new applications will themselves become new attack surfaces. Protecting these systems, which can independently make transactions, from hacking or manipulation will be a core security challenge in 2026 and beyond.

In this process, defending against attacks will require not only more advanced technical solutions but also a fundamental shift in industry awareness and tool deployment. Otherwise, even the most secure on-chain code cannot withstand threats from the “weakest link”—human factors.
