- Crypto-related hacks and scams caused around $76 million in losses in December 2025, a sharp 60% drop from November.
- Two incidents – an address poisoning scam and a compromised multi-signature wallet – accounted for most of the monthly damage.
- Wallet-draining phishing scams and new techniques such as EIP-7702 attacks declined in volume but remain a persistent and evolving threat.
- Despite fewer incidents overall, 2025 still saw record on-chain losses, highlighting how a handful of large breaches can reshape crypto security risk.

After a turbulent year for blockchain security, December 2025 closed with a surprisingly calm picture in terms of crypto hack losses. While a few headline-grabbing incidents still made waves, the total amount stolen through major exploits fell sharply compared with the previous month.
Security firms tracking on-chain activity report that attackers shifted from frequent small exploits to fewer, high-impact operations focused on critical points of the crypto ecosystem. That shift means users saw fewer hacks in December, but the industry continues to grapple with sophisticated scams, social engineering and structural weaknesses in key infrastructure.
December’s crypto losses drop 60% as mega-breaches dominate the numbers
According to blockchain security company PeckShield, about $76 million in crypto assets were lost across 26 major security incidents in December 2025. That marks a steep decline of around 60% compared with the roughly $194.27 million drained in November, pointing to a relatively quieter month in aggregate terms.
Despite the lower total, two large-scale incidents were responsible for the majority of December’s losses. In the largest case, a single wallet address lost roughly $50 million in an address poisoning scam. In another high-profile breach, a compromised multi-signature wallet led to approximately $27.3 million in stolen funds, underscoring that even advanced key management setups can fail when basic security controls break down.
PeckShield’s figures indicate that the remaining incidents – including those linked to projects like babur.sol, Trust Wallet and the Flow ecosystem – together accounted for only a fraction of the monthly damage. Around $22 million in losses were tied to babur.sol, about $8.5 million to Trust Wallet users, and close to $3.9 million to a breach involving Flow, highlighting how browser-based and software wallets remain an attractive target due to their constant connectivity.
In other words, a relatively small number of high-value hacks continues to shape the overall risk landscape. While December looked calmer on paper, the concentration of losses in a few events shows that a single misstep can still translate into tens of millions of dollars gone in an instant.
Address poisoning and leaked keys: user-side risks take center stage
The largest December exploit hinged on address poisoning – a technique that abuses how users handle wallet addresses rather than attacking protocol-level code. In this type of scam, the attacker sends tiny transactions from a wallet that visually mimics a victim’s genuine address. When the victim later copies an address from their transaction history, they can easily pick the fake one by mistake, sending funds straight to the attacker.
These schemes rely on visual similarity and user inattention rather than complex smart contract bugs. Typically, the first and last characters of the fake address are identical to the real one, making it difficult to spot the difference at a glance. Because blockchain transfers are irreversible once confirmed, even a single mistaken paste can result in a permanent, unrecoverable loss.
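The check a wallet or monitoring script can run against this pattern, as an added example that is not part of the original article: flag any history entry whose address matches a trusted counterparty at both visible ends but differs when compared in full. The function names, the four-character display width, the dust threshold and the sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SHOWN = 4  # assumption: hex characters a truncated wallet view shows at each end


@dataclass(frozen=True)
class Transfer:
    sender: str      # counterparty that appears in the history
    value_wei: int   # amount received


def normalize(addr: str) -> str:
    """Lower-case a 20-byte hex address and strip the 0x prefix."""
    body = addr.lower().removeprefix("0x")
    if len(body) != 40 or any(c not in "0123456789abcdef" for c in body):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return body


def imitated_address(candidate, trusted, shown=SHOWN):
    """Return the trusted address `candidate` imitates, or None.

    A look-alike matches a trusted address at both visible ends but is a
    different address once every character is compared.
    """
    cand = normalize(candidate)
    for known in trusted:
        ref = normalize(known)
        if cand != ref and cand[:shown] == ref[:shown] and cand[-shown:] == ref[-shown:]:
            return known
    return None


def scan_history(history, trusted, dust_wei=10**12):
    """List history entries whose sender imitates a trusted address."""
    findings = []
    for tx in history:
        target = imitated_address(tx.sender, trusted)
        if target is not None:
            findings.append({"sender": tx.sender, "imitates": target,
                             "dust": tx.value_wei <= dust_wei})
    return findings


# Constructed sample data (not real addresses).
TRUSTED = ["0x" + "a1b2" + "0" * 32 + "9f8e"]
LOOKALIKE = "0x" + "A1B2" + "7" * 32 + "9F8E"   # same ends, different middle
HISTORY = [
    Transfer(TRUSTED[0], 5 * 10**18),   # genuine counterparty
    Transfer(LOOKALIKE, 0),             # zero-value "poison" entry
    Transfer("0x" + "c" * 40, 10**17),  # unrelated sender
]

if __name__ == "__main__":
    for finding in scan_history(HISTORY, TRUSTED):
        print(finding)
```

Comparison is done on the normalized full address, so a look-alike that differs only in letter case from its checksum form is still caught.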
The second-largest December incident revolved around a leaked private key affecting a multi-signature wallet. Multi-sig configurations are designed to require several approvals before funds can move, but they still depend on the secrecy and integrity of the keys involved. When any of those keys is exposed – through malware, phishing, poor storage practices or internal mishandling – the added security benefits of multi-sig can be effectively neutralized.
Together, these cases highlight a blunt reality: user-side security failures, from mishandled keys to inattentive address checks, now drive a considerable share of on-chain losses. Even as smart contract standards improve, attackers increasingly look for ways to trick, pressure or deceive individuals rather than break cryptographic primitives.
Wallet-draining phishing scams see steep yearly drop but remain a serious nuisance
Beyond December’s snapshot, broader 2025 data on wallet-draining scams paints a more nuanced picture. Research by phishing analytics platform Scam Sniffer shows that total losses from wallet drainer phishing schemes reached about $83.85 million in 2025, a sharp fall from nearly $494 million estimated for 2024.
That year-on-year decline of roughly 83% was accompanied by a significant drop in the number of victims, from well over 300,000 in 2024 to around 106,000 in 2025. That 68% reduction suggests not only fewer successful campaigns but also lower overall exposure for users across the crypto ecosystem, possibly helped by better awareness, improved wallet warnings and more aggressive takedowns of malicious infrastructure.
Even so, wallet drainers remained a persistent and adaptable threat through 2025. Scam Sniffer’s data shows that phishing activity often tracked market sentiment: periods of intense trading volumes and strong price rallies, especially around major assets like Ethereum, produced more opportunities for scammers to lure users with fake airdrops, bogus approvals or malicious links.
One telling example came in the third quarter of 2025, when the most powerful Ethereum price rally of the year coincided with the highest quarterly wallet-drainer losses, totalling around $31 million. High returns and fear of missing out can make users more willing to click, sign and approve quickly, precisely the behaviour that phishing operations exploit.
On a monthly basis, wallet-drainer losses fluctuated widely throughout 2025. December stood out again as the quietest month for this specific threat type, with about $2.04 million lost, while August was the peak month, clocking roughly $12.17 million in stolen funds. Taken together, August and September alone accounted for around 29% of yearly wallet-drainer losses and hit more than 30,700 users.
Evolving phishing methods: Permit approvals, EIP-7702 and large-scale scams
While raw numbers dropped, phishing techniques themselves continued to evolve during 2025. Scam Sniffer’s analysis underscores that Permit and Permit2 approvals persisted as a favourite weapon. These methods allow attackers to obtain powerful token-spending permissions with a single signature, often presented to users as harmless confirmations.
In fact, Permit and Permit2-based attacks were responsible for roughly 38% of the largest wallet-drainer losses recorded in 2025. The most damaging single phishing incident of the year involved a malicious Permit-style signature in September, which ended in around $6.5 million being drained – well below one devastating $55.48 million case seen in 2024, but still a major event by any reasonable standard.
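A pre-signature check for the Permit pattern described above, as an added example that is not from the article or from Scam Sniffer: it reads an EIP-712 typed-data request and reports what the signature would actually grant. The field names follow EIP-2612 (`Permit`) and Permit2 (`PermitSingle`, `PermitBatch`); the allow-list, the one-hour lifetime threshold, the function names and the sample request are assumptions.

```python
import json

MAX_UINT256 = 2**256 - 1   # "unlimited" value in an EIP-2612 Permit
MAX_UINT160 = 2**160 - 1   # "unlimited" amount in a Permit2 allowance
PERMIT_TYPES = {"Permit", "PermitSingle", "PermitBatch"}


def to_int(value):
    """Typed-data numbers arrive as ints, decimal strings or 0x-hex strings."""
    return int(value, 0) if isinstance(value, str) else int(value)


def review_signing_request(raw, known_spenders, now, max_lifetime=3600):
    """Return warnings for an EIP-712 typed-data request; [] if it is not a permit."""
    request = json.loads(raw)
    ptype, msg = request.get("primaryType"), request.get("message", {})
    if ptype not in PERMIT_TYPES:
        return []
    warnings = [f"{ptype}: signing grants token-spending rights"]
    spender = str(msg.get("spender", "")).lower()
    if spender not in known_spenders:
        warnings.append(f"spender {spender} is not allow-listed")
    if ptype == "Permit":            # EIP-2612: value and deadline at top level
        grants = [(to_int(msg["value"]), to_int(msg["deadline"]))]
    else:                            # Permit2: amount and expiration inside details
        details = msg["details"]
        details = details if isinstance(details, list) else [details]
        grants = [(to_int(d["amount"]), to_int(d["expiration"])) for d in details]
    for amount, expires in grants:
        if amount in (MAX_UINT256, MAX_UINT160):
            warnings.append("unlimited allowance requested")
        if expires - now > max_lifetime:
            warnings.append(f"grant stays valid for {expires - now} seconds")
    return warnings


# Constructed sample request (placeholder addresses, constructed timestamp).
NOW = 1_767_225_600
ROUTER = "0x" + "22" * 20            # hypothetical contract the user trusts
SAMPLE = json.dumps({
    "primaryType": "Permit",
    "domain": {"name": "ExampleToken", "chainId": 1},
    "message": {"owner": "0x" + "aa" * 20, "spender": "0x" + "bb" * 20,
                "value": str(MAX_UINT256), "nonce": "0",
                "deadline": str(NOW + 10 * 365 * 86400)},
})

if __name__ == "__main__":
    for line in review_signing_request(SAMPLE, {ROUTER}, NOW):
        print(line)
```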
A newer technique also surfaced after the Pectra network upgrade introduced EIP-7702. Shortly after the upgrade, attackers began experimenting with EIP-7702 to package multiple malicious operations inside a single transaction signature. In the most serious documented incidents, just two EIP-7702-based attacks in August 2025 led to about $2.54 million in aggregate losses.
Even with these innovations, large-scale phishing campaigns became less frequent compared with 2024. Only 11 phishing events in 2025 resulted in losses above $1 million, down from around 30 such high-value cases the previous year. At the same time, the average loss per victim tumbled from roughly $1,488 in 2024 to around $790 in 2025.
Those trends suggest that phishing activity is shifting away from a handful of extremely large, headline-grabbing operations toward a wider base of smaller, more targeted attacks. For individual users, that change may feel like good news, but it also means scammers are refining their playbooks to extract consistent, repeatable returns from a large pool of potential victims.
Beyond phishing: a turbulent 2025 for blockchain security
Looking beyond wallet drainers, 2025 as a whole was anything but quiet on the blockchain security front. SlowMist’s Blockchain Security and AML Annual Report for 2025 logged about 200 separate security incidents across the industry, roughly half of the 410 events recorded in 2024.
However, the financial impact moved in the opposite direction: total reported losses climbed to around $2.935 billion in 2025, up sharply from about $2.013 billion the previous year. With fewer incidents overall but much larger average damage, the arithmetic is stark – the average cost per event effectively tripled, rising from roughly $5 million to nearly $15 million.
This shift in scale reflects a broader change in attacker strategy. Rather than spreading efforts across many small or mid-sized targets, sophisticated groups homed in on deep liquidity pools and centralized chokepoints. The defining episode of 2025 was not a niche DeFi exploit but a huge $1.46 billion theft from Bybit, one of the highest-volume centralized exchanges.
That incident, widely attributed to highly organized, possibly state-backed actors, reframed the perception of risk across the industry. The Bybit hack illustrated that even top-tier, well-capitalized exchanges can be hit for ten-figure sums – and that, for some adversaries, the cost and complexity of mounting such an operation is worth the potential payout.
Sector breakdowns in SlowMist’s research show that DeFi protocols experienced 126 separate incidents resulting in about $649 million in losses, including the GMX breach. By contrast, centralized exchanges suffered only 22 tracked incidents but absorbed around $1.809 billion in damage, most of it concentrated in a few colossal breaches, with the Bybit case alone accounting for $1.46 billion.
Organized crime, state-linked groups and the industrialization of crypto attacks
The profile of the typical crypto attacker continued to evolve throughout 2025. The classic image of a lone hacker gave way to organized criminal networks and nation-state-linked groups, particularly those associated with North Korea, which have been frequently cited in previous high-profile crypto thefts.
These actors typically execute multi-stage operations that span reconnaissance, initial intrusion, lateral movement, laundering and cash-out. They blend technical exploits with social engineering, supply chain compromises and abuse of legitimate infrastructure, making it harder for defenders to spot and contain attacks before the damage is done.
Behind the scenes, a thriving underground economy supports this wave of professionalized crypto crime. Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) offerings lower the barrier to entry by renting out tools, hosting, exploit kits and laundering pipelines. Wallet-drainer kits, phishing frameworks and pre-built scam templates are often sold or leased, enabling less skilled operators to launch polished campaigns at scale.
Supply chain attacks have added another layer of complexity. Malicious code can be inserted into libraries, plugins or tools that developers and traders routinely rely on. Once these compromised components are integrated into wallets, dApps or browser extensions, thousands of downstream users can be silently exposed to credential theft, seed phrase capture or rogue transaction prompts.
Browser extensions with extensive permissions are particularly attractive targets. Once compromised, they can log keystrokes, capture screenshots or directly intercept sensitive data such as seed phrases and private keys. For attackers, these vectors offer a subtle but powerful way to bypass sophisticated on-chain defenses and go straight after user identities and credentials.
Engineering social trust: scams, deepfakes and targeted Coinbase users
As core protocol code hardened over time, attackers doubled down on the human layer – the people operating wallets, exchanges and infrastructure. In 2025, a leaked key, an intercepted signature or a malicious update could be just as devastating as a smart contract flaw.
Data from multiple security sources show that on-chain exploits and account takeovers ran almost neck and neck. Around 56 incidents centered on smart contract vulnerabilities, while roughly 50 major cases stemmed from compromised accounts, stolen credentials or manipulated user behaviour. That narrowing gap underscores how identity and access management have become critical choke points.
Artificial intelligence has quietly become one of the most potent force multipliers for scammers. Attackers now use AI-generated text, cloned voices, realistic images and even deepfake videos to impersonate support staff, project founders, recruiters or journalists. Phishing no longer arrives only as a poorly written email; it can come as a convincing live call, a video message or an interactive support chat that looks and feels legitimate.
A separate case highlighted in December involved U.S. prosecutors charging a Brooklyn resident, Ronald Spektor, over an alleged $16 million scam targeting Coinbase users through social engineering. According to authorities, Spektor allegedly posed as a Coinbase employee and contacted victims, warning that their funds were at immediate risk. Under that pressure, the victims reportedly transferred assets to wallets under his control, believing they were following legitimate security instructions.
Incidents like this illustrate how big-name brands and trusted platforms can be weaponized as part of sophisticated impersonation schemes. Instead of hacking Coinbase’s infrastructure, the alleged scam focused entirely on exploiting the trust users place in the exchange’s brand and customer support channels.
Regulatory pushback, stablecoin freezes and containment of stolen funds
The magnitude of recent crypto thefts has spurred a more assertive response from regulators and law enforcement. Authorities increasingly focus on the infrastructure that facilitates criminal cash flows, from mixing services and darknet markets to lightly regulated exchanges.
Investigations have turned toward networks and platforms suspected of helping launder stolen crypto, and some exchanges have faced sustained enforcement pressure. Rather than targeting individual hackers alone, regulators are moving to disrupt the broader financial plumbing that allows illicit funds to move and be cashed out.
Stablecoin issuers have emerged as key players in this containment strategy. Tether reportedly froze USDT associated with 576 Ethereum addresses, while Circle froze USDC linked to 214 addresses, in response to various incidents tracked during 2025. Across 18 security events, around $387 million of the roughly $1.957 billion stolen was either frozen or recovered – about 13.2% of the total.
That recovery rate may appear modest, but it shows that the ability to pause or claw back a portion of stolen funds is now a live factor in crypto crime calculations. For attackers, routing proceeds through assets and venues insulated from such interventions becomes more important; for defenders, centralized stablecoin issuers and compliant platforms have become critical allies.
The broader message for exchanges, custodians and infrastructure providers is clear: robust AML, KYC, custody controls and on-chain monitoring have shifted from competitive differentiators to basic survival requirements. As regulators widen their scope to include wallet providers, bridges and other key services, operational resilience and security governance are increasingly non-negotiable.
Users caught between falling losses and rising sophistication
Viewed together, the data tell a mixed story. December 2025 saw a sharp month-on-month decline in losses from crypto hacks and major incidents, and wallet-drainer phishing scams dropped significantly across the year. Fewer victims lost smaller amounts, and mega-phishing events became less common.
At the same time, overall yearly losses climbed to record levels, driven by a handful of massive breaches against centralized exchanges and high-value targets. Well-organized criminal syndicates and state-linked groups refined their methods, leveraging AI, supply chain compromises and multi-stage operations to go after deep liquidity pools.
For everyday users, that means the surface area of risk has shifted rather than disappeared. Practical precautions – double-checking wallet addresses character by character, treating unsolicited support contacts with suspicion, storing keys offline and limiting approvals – matter more than ever. Protocol security has improved, but attackers increasingly focus on the human element and the infrastructure around it.
As the industry moves into a new cycle, the contrast between calmer months like December and the scale of 2025’s largest hacks underscores how fragile apparent stability can be. A quiet period in terms of aggregate losses does not necessarily signal that threats are fading; instead, it may simply reflect that major attackers are regrouping, recalibrating and waiting for their next opportunity.
