According to ChainCatcher, despite 2025 becoming the year with the highest recorded losses from hacking in the cryptocurrency industry, most of the losses stemmed from Web2-style operational errors such as password leaks and social engineering, rather than on-chain code vulnerabilities. Mitchell Amador, CEO of Immunefi, noted that on-chain security is significantly improving, and the primary attack surface has shifted to the "human" weak link. He believes that as code becomes increasingly difficult to exploit, 2026 will be the best year for on-chain security, but this also means attackers will turn to more sophisticated social engineering and AI-assisted scams. Chainalysis' annual report also confirms this trend, with data showing that approximately $17 billion in cryptocurrency was lost to fraud and scams in 2025. Impersonation scams increased by 1,400% year-over-year, and AI-driven scams generated 450% more profit than traditional methods. Amador also warned that over 90% of projects still have critical exploitable vulnerabilities, and the adoption rate of industry protection tools remains extremely low: less than 1% of industry participants use firewalls, and fewer than 10% use AI detection tools. He stated that AI will change the pace of both offensive and defensive operations in 2026, and the rise of on-chain AI agents will introduce a completely new attack surface. How to properly protect these autonomous decision-making systems will become the main security challenge in the next cycle.
2025 Becomes Worst Year for Hacking Losses in Crypto, but Human Error, Not Smart Contracts, Is Main Culprit
Chaincatcher

2025 became the worst year for hacking losses in cryptocurrency, with most breaches linked to password leaks and social engineering rather than smart contract vulnerabilities. On-chain data indicates that security is improving, but human error remains the primary risk. Mitchell Amador of Immunefi warned that over 90% of projects still have exploitable issues. Chainalysis reported $17 billion in losses from fraud and impersonation scams, a 1,400% increase year-over-year. AI-driven fraud now generates 450% more revenue than traditional methods.