In the first half of 2025, the blockchain industry suffered more than $2.37 billion in losses from security incidents, with the DeFi sector hit hardest. Scams targeting individual users are also growing, and AI is enabling more sophisticated schemes.
According to SlowMist's mid-year Blockchain Security and AML Report, the blockchain industry lost approximately $2.37 billion across 121 security incidents in the first half of 2025. This represents an almost 66% increase in financial losses compared to the same period in 2024, despite a decline in the number of incidents.

Source: Blockchain Security and AML Report | slowmist.com
DeFi remains the most targeted sector, accounting for 76.03% of all incidents and a loss of around $470 million. However, CEX platforms lost $1.883 billion in just 11 incidents, which shows how valuable a target they are for attackers.
Account compromise was the main cause of security incidents, followed by smart contract vulnerabilities.
Beyond direct attacks on projects, SlowMist's report highlighted several fraud tactics targeting individual users that characterized the first half of 2025.
Phishing using EIP-7702
Attackers are taking advantage of the new EIP-7702 contract delegation mechanism introduced in the Ethereum Pectra upgrade. On May 24, users lost $146,551 after falling victim to a phishing attack that misused MetaMask's EIP-7702 delegation feature. The scam, carried out by the Inferno Drainer group, tricked users into approving legitimate-looking contracts and misused bulk token approvals to drain funds.
Deepfake
Rapid advances in generative AI are driving a new wave of "trust-based fraud." In early 2025, a fake Zoom meeting using deepfakes led to the theft of all crypto assets of Hypersphere Ventures partner Mehdi Farooq, after the attackers spoofed known contacts and fooled him into downloading malware. Other well-known cases include AI-generated videos of Elon Musk and of Singaporean officials promoting fake investment schemes.
Telegram Fake Safeguard Scam
These scams trick users into running malicious code from the clipboard. Victims are lured through a fake X account impersonating a crypto influencer, then redirected to a Telegram group where a "tap to validate" link triggers a Trojan's PowerShell command. These attacks lead to complete device compromise, giving remote access tools control over wallet files, private keys, Telegram accounts, and even Windows and macOS systems.
Malicious browser extensions
Posing as "Web3 security tools" or abusing automatic update mechanisms, these fake extensions hijack download links to install malicious software and steal mnemonic phrases, private keys, or login credentials. One well-known case involves the "Osiris" extension, where attackers hijacked legitimate developers' Chrome Web Store accounts through a phishing-based OAuth exploit, pushing stealthy malicious updates to over 2.6 million users.
LinkedIn Recruitment Phishing
In 2025, LinkedIn-based phishing surged as attackers posed as blockchain startups and lured engineers into downloading malware disguised as technical tests. The scammers shared professional-looking project briefs and design documents, and ultimately sent the victims to a repository containing a heavily encrypted malicious payload. When executed, these backdoors steal host information, credentials, SSH private keys, and system keychain data.
Social Engineering Attacks
Social engineering scams surged in early 2025, with the most notable cases involving Coinbase. In this incident, attackers obtained user data through overseas customer support staff, then used spoofed phone numbers and phishing messages to impersonate Coinbase personnel, persuading victims to transfer funds to attacker-controlled wallets. According to SlowMist, such orchestrated attacks led to total user losses of over $100 million.
Backdoor supply chain attacks through low-cost AI tools
Developers seeking "unlimited access to advanced AI models" via unofficial channels risk installing malicious NPM packages that tamper deeply with local applications. SlowMist has flagged cases where startups lost hundreds of thousands due to malicious code generated by such tools that installed backdoors via NPM packages. More than 4,200 developers, primarily on macOS, were affected, with attackers gaining remote control and stealing credentials.
Unrestricted large language models
The SlowMist report highlights some LLMs that are "jailbroken" to bypass the ethical limitations of the original version. WormGPT specializes in generating malware-related content and phishing emails, while scam-focused models can create fake crypto project materials and clone phishing pages. DarkBERT, trained on dark web data, enables highly targeted social engineering campaigns. GhostGPT can create deepfake scams impersonating exchange executives.