Despite ongoing cybersecurity measures in the crypto industry, protocols remain locked in a relentless battle with hackers, who continue to exploit the weakest links—often human behavior.
“The industry is fighting an uneven war against bad actors, who only need a single vulnerability to compromise a protocol,” said Ronghui Gu, Columbia University computer science professor and co-founder of blockchain security firm CertiK.
“So it’s an endless war.”
“But I fear that next year’s hacks could still reach the billion-dollar mark,” Gu said, noting that while both cybersecurity teams and cybercriminals are growing more sophisticated, attackers only need to exploit a single flaw among the millions of lines of code CertiK audits daily.
Crypto hacks and exploits caused $2.47 billion in losses during the first half of 2025, even though attacks declined in the second quarter. According to a CertiK report released Tuesday, over $800 million was lost across 144 incidents in Q2—a 52% drop in value compared to the previous quarter—accompanied by 59 fewer hacking incidents.

In the first half of 2025, hacks, scams, and exploits have resulted in over $2.47 billion in losses, nearly a 3% increase from the $2.4 billion stolen throughout all of 2024.
The majority of these losses stemmed from a single event: the $1.4 billion Bybit hack on February 21, the largest cyberexploit in crypto history.
Advances in blockchain cybersecurity will push hackers to exploit human behavior
According to CertiK’s Gu, the crypto industry’s constantly evolving cybersecurity is driving hackers to seek new weaknesses, often targeting loopholes in human behavior:
“Let’s say that your protocol or layer 1 blockchain becomes more secure. Then they may target human beings behind it. The people who have the private key and so on.”
In 2024, roughly half of the crypto industry’s security breaches were linked to “operational risks,” including private key compromises, Gu noted.
Hackers are increasingly exploiting weaknesses in human behavior, a trend underscored by this year’s resurgence of cryptocurrency phishing scams. These social engineering attacks trick victims into clicking fraudulent links to steal sensitive information, such as private keys to crypto wallets.
For example, on August 6, an investor lost $3 million after inadvertently signing a malicious blockchain transaction that drained the equivalent value in USDt from his wallet.

Like many investors, the victim probably verified the wallet address by checking only the first and last few characters before transferring $3 million to the attacker. The discrepancy in the middle characters—often obscured on platforms for visual clarity—went unnoticed.
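The truncated-address failure described above, shown as an added example (not code from the article or from CertiK): a pre-send check that compares the full recipient address against a trusted address book and flags lookalikes whose shortened display form matches a known entry. The addresses, the label, and the 6/4 truncation lengths are constructed assumptions.

```python
from __future__ import annotations

def normalize(addr: str) -> str:
    # Hex addresses compare case-insensitively (checksum casing aside).
    return addr.strip().lower()

def truncated(addr: str, head: int = 6, tail: int = 4) -> str:
    """Shortened form a wallet UI might display (lengths are an assumption)."""
    a = normalize(addr)
    return f"{a[:head]}...{a[-tail:]}"

def first_difference(a: str, b: str) -> int:
    """Index of the first differing character, or -1 if the addresses are equal."""
    a, b = normalize(a), normalize(b)
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))

def check_recipient(candidate: str, trusted: dict[str, str]) -> tuple[str, str | None]:
    """Classify a recipient as 'match', 'lookalike' or 'unknown'.

    'lookalike' means the shortened form equals a trusted entry's shortened
    form while the full address differs: the case a head/tail glance misses.
    """
    lookalike_of = None
    for label, known in trusted.items():
        if normalize(candidate) == normalize(known):
            return ("match", label)
        if truncated(candidate) == truncated(known):
            lookalike_of = label
    return ("lookalike", lookalike_of) if lookalike_of else ("unknown", None)

# Constructed sample data, not real wallet addresses.
TRUSTED = "0x" + "a1b2" + "c3" * 16 + "d4e5"
LOOKALIKE = "0x" + "a1b2" + "9f" * 16 + "d4e5"   # same head and tail, different middle
UNRELATED = "0x" + "77" * 20
BOOK = {"exchange-deposit": TRUSTED}

if __name__ == "__main__":
    for addr in (TRUSTED, LOOKALIKE, UNRELATED):
        verdict, label = check_recipient(addr, BOOK)
        print(truncated(addr), verdict, label)
    print("first differing index:", first_difference(TRUSTED, LOOKALIKE))
```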
In another case, a victim lost more than $900,000 in digital assets to a sophisticated phishing attack on August 3, 458 days after unknowingly approving a malicious transaction that eventually drained their wallet, according to reports.

