Crypto's $17 Billion Problem: Why 2025's Biggest Losses Were About People, Not Code
The industry spent billions on smart contract audits while attackers walked through the front door. It's time to rethink what we're securing.
The Audit Paradox
In 2025, the cryptocurrency industry lost approximately $17 billion to hacks, scams, and fraud—making it the worst year on record for crypto security. Yet here's the uncomfortable truth that few want to acknowledge: the smart contracts were fine.
The year's most devastating breaches didn't exploit reentrancy vulnerabilities or oracle manipulation bugs. They didn't leverage flash loan attacks or find edge cases in Solidity code. Instead, attackers did something far simpler: they targeted people.
Compromised private keys. Bribed customer support agents. Social engineering campaigns so sophisticated they fooled experienced executives. Supply chain attacks on trusted wallet interfaces. The $17 billion wasn't lost because the code was broken—it was lost because the humans managing that code could be manipulated, deceived, or simply paid off.
"Despite 2025 being the worst year for hacks on record, those hacks stem from Web2 operational failures, not onchain code," Mitchell Amador, CEO of blockchain security platform Immunefi, told CoinDesk in January 2026. "On-chain security is improving dramatically. With the code becoming less exploitable, the main attack surface in 2026 will be people."
This isn't a minor distinction. It's a fundamental misallocation of the industry's security resources. While projects proudly display badges from multiple auditing firms—spending $10,000 to $100,000 per audit—they often operate with call centers where employees can be bribed for a fraction of that cost. While smart contracts undergo formal verification, signing processes remain vulnerable to JavaScript injections in wallet interfaces.
We're auditing the wrong things. And until the industry confronts this reality, the losses will continue.
The February Wake-Up Call: $1.5 Billion in 12 Hours
On February 21, 2025, cryptocurrency exchange Bybit became the victim of the largest single theft in crypto history. Approximately 401,000 ETH—valued at $1.5 billion—vanished from the platform's cold storage in a matter of hours. The attack, later attributed to North Korean state-sponsored hackers, didn't exploit a single line of smart contract code.
Instead, the attackers compromised Safe{Wallet}, a widely-trusted multisignature wallet interface. Here's what happened:
On February 17, hackers injected malicious JavaScript code into Safe{Wallet}'s AWS repository. For four days, users interacted with the compromised interface without knowing anything was wrong. But the code was specifically designed to target Bybit—it contained an activation condition that only executed when transactions matched Bybit's contract addresses.
When Bybit's signers—multiple executives who all needed to approve major transactions—logged in to authorize what appeared to be routine transfers, the malicious code manipulated the signing interface. The signers saw legitimate transaction details on their screens. They saw familiar destination addresses. They approved what looked like normal business operations.
But beneath the surface, the code had silently replaced the actual transaction destination with attacker-controlled addresses. The multisig worked perfectly. The smart contracts executed flawlessly. Every piece of on-chain security functioned as designed. And $1.5 billion walked out the door.
"The recent hack highlights that multisig cold wallets are not secure if signers can be deceived," Check Point Research noted in their analysis. "This emphasizes the growing sophistication of supply chain and user interface manipulation attacks."
Bybit's smart contracts had been audited. Their cold storage architecture followed industry best practices. They used multisignature requirements. None of it mattered because the attack surface wasn't the code—it was the interface humans used to interact with that code.
The Coinbase Incident: When Trust Becomes a Vulnerability
In May 2025, Coinbase—the most regulated, most scrutinized cryptocurrency exchange in America—disclosed a data breach that would ultimately cost $400 million. The attack vector? Bribed customer support agents in an offshore call center.
Cybercriminals recruited a group of rogue support agents at a third-party business process outsourcing (BPO) firm that handled Coinbase customer service. These weren't sophisticated hackers with zero-day exploits. They were employees who were offered money to steal customer data.
The compromised data included account balances, government ID images, phone numbers, addresses, and masked bank account details—information for approximately 69,461 users. But the data theft was just the beginning. Armed with this information, criminals launched impersonation campaigns, posing as Coinbase employees to convince customers to transfer their cryptocurrency.
"Cyber criminals bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data to facilitate social engineering attacks," Coinbase acknowledged in a blog post.
Let that sink in. A company with arguably the most robust compliance infrastructure in crypto, subject to SEC oversight and state-by-state licensing requirements, was compromised not through code exploitation but through human manipulation. The attackers didn't need to find a bug in Coinbase's systems—they just needed to find people willing to be paid off.
This incident illuminated a critical blind spot in crypto security: the further you move from the core protocol, the weaker the defenses become. Coinbase's smart contracts were secure. Their custody solutions were battle-tested. But their customer support was handled by a third party, and that third party employed humans with access to sensitive data.
The Numbers Tell the Story
Chainalysis data from 2025 paints a stark picture of how the attack landscape has shifted:
By the numbers:
- Total crypto theft: Over $3.4 billion from hacks alone; $17 billion including scams and fraud
- The Bybit hack accounted for 44% of all annual theft from services
- The top three hacks represented 69% of all service losses
- Wallet compromises caused approximately $1.71 billion in losses during H1 2025—69% of the total
- Phishing attacks accounted for $410 million across 132 incidents
- Q2 2025 breakdown by value: phishing ~49.3%, code vulnerabilities ~29.4%
That last statistic deserves emphasis. In Q2 2025, social engineering attacks like phishing were responsible for nearly half of all losses by value, while actual code vulnerabilities—the thing that smart contract audits are designed to catch—accounted for less than 30%.
The ratio between the largest hack and the median hack crossed 1,000x for the first time in 2025. Funds stolen in the largest attacks are now a thousand times larger than those in typical incidents. This isn't a story about widespread code vulnerabilities being exploited across hundreds of protocols. It's a story about concentrated, devastating breaches that targeted people, processes, and infrastructure.
The Private Key Problem
Beyond social engineering, 2025 exposed a fundamental weakness in how the industry manages private keys. Multiple major exchanges suffered catastrophic losses from compromised hot wallet keys:
Phemex (January 2025): $85 million stolen after attackers gained access to private keys controlling multiple hot wallets. The breach didn't exploit any smart contract vulnerability—it was pure key compromise.
Nobitex (June 2025): $82 million lost in a hot wallet attack attributed to private key exposure.
BtcTurk: Another major loss from compromised hot wallet keys.
In each case, the pattern was the same: attackers obtained private keys through means unrelated to smart contract security—malware on employee devices, social engineering, compromised key generation processes, or insider threats. Once they had the keys, no amount of code auditing could save the funds.
CertiK reported 15 incidents of private key compromise in Q1 2025 alone. These weren't obscure protocols—they were established exchanges with professional security teams. The industry has focused so intently on securing the code that it's neglected the fundamental truth: private keys are the actual attack surface, and humans control how those keys are generated, stored, and used.
North Korea: The $2 Billion Shadow
Any discussion of 2025's crypto security failures must acknowledge the elephant in the room: the Democratic People's Republic of Korea.
North Korean state-sponsored hackers stole at least $2.02 billion in cryptocurrency in 2025—a 51% increase year-over-year. This brings their cumulative all-time theft to approximately $6.75 billion. DPRK attacks accounted for a record 76% of all service compromises.
What makes North Korean operations particularly instructive is their evolution. According to Chainalysis analysis, DPRK hackers have moved beyond traditional exploit techniques to employ deeply sophisticated social engineering:
IT Worker Infiltration: North Korean operatives embed themselves as employees inside crypto services, gaining privileged access to enable large-scale compromises.
Reverse Recruitment: Instead of applying for jobs, DPRK actors now impersonate recruiters for prominent Web3 firms, orchestrating fake hiring processes that culminate in "technical screens" designed to harvest credentials and access.
Executive Targeting: Bogus outreach from purported strategic investors or acquirers uses pitch meetings and pseudo-due-diligence to probe for sensitive systems information.
These aren't code exploits. They're human exploits, targeting the fundamental trust relationships that make organizations function. North Korea has recognized what the broader industry has been slow to accept: when code becomes harder to exploit, people become the primary attack surface.
The FTX Lesson Unlearned
The comparison between Bybit and FTX reveals important distinctions in how crypto failures manifest.
FTX collapsed in November 2022 due to internal fraud—executives misappropriating customer funds. It was a failure of governance, ethics, and regulatory oversight. The lesson many drew was that centralized exchanges needed better transparency, proof-of-reserves, and regulatory scrutiny.
Bybit, by contrast, was an external attack. The exchange responded professionally—covering customer losses, maintaining solvency, and cooperating with security researchers. CEO Ben Zhou's transparent communication became a model for crisis response.
But both incidents share a common thread: they were people problems, not code problems.
FTX's smart contracts worked fine. Its matching engine performed as designed. The technology did exactly what it was programmed to do. The failure was that humans with access to customer funds chose to steal them.
Bybit's smart contracts worked fine too. The multisig protocol functioned correctly. The failure was that humans with signing authority could be deceived through a compromised interface.
The industry's response to FTX was to demand better audits of exchange reserves. Proof-of-reserves protocols proliferated. But reserve audits don't protect against bribed employees. They don't prevent supply chain attacks on wallet interfaces. They don't stop social engineering campaigns.
We learned half the lesson. We improved transparency for one type of people problem while remaining vulnerable to dozens of others.
The Case for Reallocation
So what should the industry actually be securing?
1. Employee Security Over Contract Audits
The average smart contract audit costs $10,000 to $100,000. For a fraction of that cost, an attacker can bribe an offshore support agent. The math doesn't favor spending on code security—it favors spending on human security.
Exchanges should invest in:
- Rigorous background checks for all employees with system access
- Compartmentalized access controls where no single employee can access sensitive data
- Regular security awareness training specifically focused on crypto-relevant social engineering
- Monitoring systems for unusual employee behavior
- Above-market compensation to reduce financial vulnerability to bribery
2. Interface Security Over Protocol Security
The Bybit attack demonstrated that a compromised wallet interface can bypass all other security measures. Projects should:
- Implement verification mechanisms that display transaction details through multiple independent channels
- Use hardware devices that show transaction data on secure screens
- Conduct regular security audits of wallet interfaces, signing processes, and developer infrastructure
- Implement code signing and integrity verification for all client-side code
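The first item above, an independent channel for transaction details, can be made concrete. The following added example (not code from the article, Bybit or Safe{Wallet}) decodes raw ERC-20 `transfer(address,uint256)` calldata on a separate machine and refuses to approve when the decoded recipient or amount disagrees with what the web interface showed, or when the recipient is outside a pre-approved allowlist; the addresses are constructed placeholders.

```python
# Added example (not from the article): an independent "second channel" check a
# signer can run on a separate machine before approving. It decodes the raw
# ERC-20 transfer calldata itself and refuses when that disagrees with what the
# web interface displayed or pays an address outside a pre-approved allowlist.
from dataclasses import dataclass

TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")

# Constructed placeholder addresses, not real accounts.
APPROVED_TREASURY = "0x" + "11" * 20
CONSTRUCTED_ATTACKER = "0x" + "de" * 20

@dataclass
class DecodedTransfer:
    recipient: str
    amount: int

def encode_transfer(recipient: str, amount: int) -> str:
    """ABI-encode transfer(address,uint256); used here only to build sample calldata."""
    return "0x" + TRANSFER_SELECTOR + recipient[2:].lower().rjust(64, "0") + format(amount, "064x")

def decode_erc20_transfer(calldata_hex: str) -> DecodedTransfer:
    """Decode ABI-encoded transfer(address,uint256) calldata without trusting any UI."""
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64:
        raise ValueError("unexpected calldata length for transfer(address,uint256)")
    if data[:8] != TRANSFER_SELECTOR:
        raise ValueError(f"selector {data[:8]} is not transfer(address,uint256)")
    recipient_word, amount_word = data[8:72], data[72:136]
    # A 20-byte address is right-aligned in its 32-byte word; the 12 leading bytes must be zero.
    if recipient_word[:24] != "0" * 24:
        raise ValueError("malformed address word (non-zero left padding)")
    return DecodedTransfer("0x" + recipient_word[24:], int(amount_word, 16))

def verify_against_display(calldata_hex, shown_recipient, shown_amount, allowlist):
    """Return (ok, reasons): ok only when decoded calldata, displayed values and allowlist all agree."""
    try:
        decoded = decode_erc20_transfer(calldata_hex)
    except ValueError as exc:
        return False, [f"decode failed: {exc}"]
    reasons = []
    if decoded.recipient != shown_recipient.lower():
        reasons.append(f"recipient mismatch: interface showed {shown_recipient}, calldata pays {decoded.recipient}")
    if decoded.amount != shown_amount:
        reasons.append(f"amount mismatch: interface showed {shown_amount}, calldata sends {decoded.amount}")
    if decoded.recipient not in {a.lower() for a in allowlist}:
        reasons.append(f"recipient {decoded.recipient} is not on the approved allowlist")
    return (not reasons), reasons

if __name__ == "__main__":
    # The interface claims a routine treasury transfer, but the calldata pays another address.
    swapped = encode_transfer(CONSTRUCTED_ATTACKER, 10**18)
    ok, reasons = verify_against_display(swapped, APPROVED_TREASURY, 10**18, [APPROVED_TREASURY])
    print("APPROVE" if ok else "REFUSE:\n  " + "\n  ".join(reasons))
```

The check only has value if the calldata comes from a channel the browser cannot alter, such as the hex shown on a hardware wallet's own screen.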
3. Supply Chain Security
Modern crypto infrastructure depends on countless third parties—wallet providers, signing interfaces, key management services, cloud providers, BPO firms. Each represents a potential attack surface.
- Map all third-party dependencies
- Conduct security assessments of critical vendors
- Implement monitoring for unexpected changes to third-party code or infrastructure
- Design systems that can detect compromised dependencies
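Monitoring for unexpected changes to third-party client code comes down to pinning what was reviewed and diffing digests against what is actually served. The added example below (not the article's, Safe{Wallet}'s or any vendor's code) builds a Subresource-Integrity-style SHA-384 manifest at release time and reports modified, missing and unpinned bundles in a deployment; the bundle contents are constructed stand-ins.

```python
# Added example (not from the article): pin the client-side bundles a signing
# interface serves and detect drift the way Subresource Integrity does, using
# SHA-384 digests in the "sha384-<base64>" form. Bundle contents are constructed.
import base64
import hashlib

def sri_digest(content: bytes) -> str:
    """SHA-384 in the 'sha384-<base64>' form used by <script integrity=...>."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()

def build_manifest(bundles: dict[str, bytes]) -> dict[str, str]:
    """Pin every reviewed bundle at release time; store the result out-of-band, signed."""
    return {name: sri_digest(body) for name, body in bundles.items()}

def check_deployment(manifest: dict[str, str], deployed: dict[str, bytes]) -> dict[str, str]:
    """Compare what is currently served against the pinned manifest.
    Returns {file: finding}; an empty dict means no drift."""
    findings = {}
    for name, expected in manifest.items():
        if name not in deployed:
            findings[name] = "missing from deployment"
        elif sri_digest(deployed[name]) != expected:
            findings[name] = "digest changed (unreviewed code is being served)"
    # Files that appear without a corresponding release are just as suspicious.
    for name in deployed.keys() - manifest.keys():
        findings[name] = "served but not pinned (no release record)"
    return findings

# Constructed release bundles standing in for a wallet interface's JavaScript.
RELEASE = {
    "app.js": b"export function buildTx(to, value) { return { to, value }; }\n",
    "vendor.js": b"/* third-party dependencies */\n",
}
PINNED = build_manifest(RELEASE)

# Constructed deployment: app.js has gained a line and a new file has appeared.
TAMPERED = dict(RELEASE)
TAMPERED["app.js"] = RELEASE["app.js"] + b"// change that never went through release review\n"
TAMPERED["telemetry.js"] = b"// appeared without a release\n"

if __name__ == "__main__":
    for name, why in sorted(check_deployment(PINNED, TAMPERED).items()):
        print(f"{name}: {why}")
```

Run the check from infrastructure the hosting account cannot modify, otherwise whoever alters the bundles can alter the manifest too.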
4. Key Management Revolution
Private key security needs fundamental rethinking:
- Hardware security modules (HSMs) for all institutional key storage
- Multi-party computation (MPC) to eliminate single points of key exposure
- Geographically distributed signing requirements
- Time-delayed transactions for large transfers
- Regular rotation of key material
Recommendations for Exchanges
Assume Compromise
Operate under the assumption that any employee, interface, or third party could be compromised. Design systems where compromise of any single element cannot result in catastrophic loss.
Implement Defense in Depth for Humans
The same principle that guides network security—multiple layers of independent defenses—should apply to human security. No single person should be able to authorize critical actions. No single interface should be trusted for transaction verification.
Invest in Detection, Not Just Prevention
The Coinbase breach continued for months before discovery. Implement behavioral monitoring that can detect unusual access patterns, data exfiltration attempts, or employees communicating with suspicious external parties.
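The access pattern behind bribed-agent data theft is usually visible in ordinary support-portal logs: one agent touching far more distinct customer records, and far more sensitive fields, than peers in the same window. The added example below (not code from the article or from Coinbase) runs that comparison over constructed log lines in the format `timestamp agent action customer_id`.

```python
# Added example (not from the article): behavioural monitoring over support-portal
# access logs. It summarises distinct customers and sensitive-field views per agent,
# then flags agents who exceed both an absolute floor and a multiple of the peer
# median. Log format and all log lines below are constructed for illustration.
from collections import defaultdict
from datetime import datetime
from statistics import median

SENSITIVE_ACTIONS = {"view_id_document", "view_balance", "export_profile"}

def parse_line(line: str):
    """Constructed format: ISO-timestamp agent action customer_id."""
    ts, agent, action, customer = line.split()
    return datetime.fromisoformat(ts), agent, action, customer

def summarize(lines):
    """Per agent: (number of distinct customers touched, number of sensitive-field views)."""
    customers = defaultdict(set)
    sensitive = defaultdict(int)
    for line in lines:
        _, agent, action, customer = parse_line(line)
        customers[agent].add(customer)
        if action in SENSITIVE_ACTIONS:
            sensitive[agent] += 1
    return {agent: (len(customers[agent]), sensitive[agent]) for agent in customers}

def flag_outliers(summary, ratio=3.0, min_records=20):
    """Flag agents whose distinct-customer count is at least `min_records` and more
    than `ratio` times the peer median. A single agent has no peer group and is skipped."""
    if len(summary) < 2:
        return {}
    peer_median = median(n for n, _ in summary.values())
    alerts = {}
    for agent, (n_customers, n_sensitive) in summary.items():
        if n_customers >= min_records and n_customers > ratio * peer_median:
            alerts[agent] = (f"{n_customers} distinct customers vs peer median {peer_median:g}; "
                             f"{n_sensitive} sensitive-field views")
    return alerts

def constructed_log():
    """Three agents working normal ticket loads and one sweeping ID documents at night."""
    lines = []
    for agent, n in (("agent01", 6), ("agent02", 8), ("agent03", 5)):
        for i in range(n):
            lines.append(f"2025-05-10T09:{i:02d}:00 {agent} view_ticket cust{agent[-1]}{i:03d}")
    for i in range(40):
        lines.append(f"2025-05-10T22:{i:02d}:00 agent04 view_id_document cust9{i:03d}")
    return lines

if __name__ == "__main__":
    for agent, why in flag_outliers(summarize(constructed_log())).items():
        print(f"ALERT {agent}: {why}")
```

In production the same summary would be computed per shift and compared against each agent's own history as well as the peer median, so a gradual ramp-up is caught too.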
Rethink Third-Party Relationships
If customer support is outsourced, treat the outsourcing firm as an extension of your security perimeter. Conduct regular assessments. Limit data access. Implement monitoring.
Create Secure Signing Environments
Transaction signing should occur on dedicated, air-gapped devices that cannot be compromised through browser-based attacks. Consider custom hardware solutions for institutional signing.
Recommendations for Individuals
Trust No Interface
Never assume the wallet interface you're viewing is legitimate. Verify transaction details through multiple channels. Use hardware wallets that display transaction information on their own screens.
Understand That Humans Are the Target
The most sophisticated attack you'll face probably won't be technical—it'll be social. Be suspicious of unexpected contact from exchanges, projects, or "support" personnel. Verify through official channels before taking action.
Compartmentalize
Don't keep all assets in a single wallet or with a single custodian. Distribute risk so that compromise of any single point doesn't result in total loss.
Use Hardware Security
Hardware wallets remain the gold standard for individual security—not because they're unhackable, but because they introduce physical barriers that remote attackers cannot easily overcome.
Stay Informed
The attack landscape evolves constantly. Follow security researchers, read post-mortems of major incidents, and adjust your practices accordingly.
The Path Forward
The cryptocurrency industry stands at an inflection point. On-chain security is genuinely improving—formal verification tools are more sophisticated, audit coverage is more comprehensive, and developer education has advanced significantly. The purely technical attack surface is shrinking.
But this progress has created a dangerous complacency. Projects celebrate their fifth smart contract audit while operating with minimal employee security. Exchanges tout their proof-of-reserves while outsourcing customer support to firms they've never audited. Individuals obsess over seed phrase storage while clicking links in DMs.
The $17 billion lost in 2025 wasn't lost because Solidity is insecure. It was lost because humans are predictable, manipulable, and often the cheapest attack surface available.
"With the code becoming less exploitable, the main attack surface in 2026 will be people," Amador predicted. "The human factor is now the weak link that on-chain security experts and Web3 players must prioritize."
The industry needs to redirect its security investments toward where the actual vulnerabilities lie. This means:
- Recognizing that employee security is security spending, not HR overhead
- Treating interfaces and signing processes as critical infrastructure requiring constant security attention
- Acknowledging that third-party relationships create attack surface
- Investing in detection and response capabilities, not just prevention
- Building systems that assume human fallibility rather than human perfection
The code is getting stronger. It's time the industry around it caught up.
The cryptocurrency industry has spent billions proving its smart contracts are secure. Perhaps it's time to spend a fraction of that securing everything else.