In the first half of 2025, the blockchain industry suffered more than $2.37 billion in losses due to security incidents, with the DeFi sector hit hardest. Scams targeting individual users have also proliferated, with AI enabling increasingly sophisticated schemes.
According to SlowMist's mid-year "Blockchain Security and AML Report," the blockchain industry experienced around $2.37 billion in losses across 121 security incidents in the first half of 2025. This represents an increase of almost 66% in financial losses compared to the same period in 2024, despite a drop in the number of incidents.

DeFi continues to be the most targeted sector, accounting for 76.03% of all incidents and around $470 million in losses. However, CEX platforms suffered $1.883 billion in losses from only 11 incidents, which marks them as high-value targets for attackers.
Account compromises were the main cause of security incidents, followed by smart contract vulnerabilities.
Beyond direct attacks on projects, the SlowMist report highlighted several fraud tactics targeting individual users that characterized the first half of 2025:
Phishing using EIP-7702
Attackers are exploiting the new EIP-7702 contract delegation mechanism, which was introduced with Ethereum's Pectra upgrade. On May 24, a user lost $146,551 after falling victim to a phishing attack that abused MetaMask's EIP-7702 delegation feature. The scam, run by the Inferno Drainer group, tricked the user into authorizing a legitimate-looking contract, which then exploited loose token approvals to drain the funds.
Deepfakes
The rapid advancement of generative AI has ushered in a new wave of "confidence-based scams." At the beginning of 2025, a fake Zoom meeting using deepfakes led to the theft of all the crypto assets of Mehdi Farooq, a partner at Hypersphere Ventures, after the attackers impersonated known contacts and tricked him into downloading malware. Other high-profile cases include AI-generated videos of Elon Musk and Singapore officials promoting fake investment schemes.
Telegram fake Safeguard scams
These scams trick users into executing malicious code from their clipboard. Victims were lured by fake X accounts imitating crypto influencers, then redirected to Telegram groups where "tap to verify" prompts triggered PowerShell commands. These attacks led to full device compromise, allowing remote access tools to steal wallet files and private keys and even take control of Telegram accounts on Windows and macOS systems.
Malicious browser extensions
Disguised as "Web3 security tools" or abusing automatic update mechanisms, these fake extensions hijack download links to install malware and steal mnemonic phrases, private keys or login credentials. A high-profile case involved the "Osiris" extension, where the attackers hijacked a legitimate developer's Chrome store account via OAuth-based phishing, pushing a stealthy malicious update to more than 2.6 million users.
LinkedIn recruitment phishing
In 2025, LinkedIn-based phishing surged as attackers posed as blockchain startups to lure engineers into downloading malware disguised as technical tests. The scammers shared professional-looking project briefs and design documents, eventually sending victims to repositories containing heavily encrypted malicious payloads. Once executed, these payloads steal host information, credentials, SSH private keys and system keychain data.
Social engineering attacks
Social engineering scams surged at the beginning of 2025, with the most prominent case involving Coinbase. In this incident, the attackers bribed overseas customer support staff to disclose user data, then posed as Coinbase representatives, using spoofed phone numbers and phishing messages to lure victims into transferring funds to scammer-controlled wallets. According to SlowMist, such coordinated attacks have resulted in more than $100 million in total user losses.
Backdoor supply chain attacks via low-cost AI tools
Developers seeking "unlimited access to advanced AI models" through unofficial channels may install malicious NPM packages that deeply alter local applications. SlowMist reported a case where a startup lost hundreds of thousands due to malicious code generated by such a tool, which installed backdoors via NPM packages. More than 4,200 developers, mainly on macOS, were affected, giving attackers control and enabling credential theft.
Unrestricted large language models
The SlowMist report highlights several LLMs that have been "jailbroken" to bypass the ethical restrictions of their original versions. WormGPT specializes in generating malware-related content and phishing emails, while FraudGPT can produce fake crypto project materials and phishing pages. DarkBERT, trained on dark web data, enables highly targeted social engineering campaigns. GhostGPT can create deepfake scams impersonating exchanges, among other malicious uses.