Crypto hack counts fall but supply chain attacks reshape threat…
The crypto security landscape is evolving quickly. After a year where hackers pursued common code flaws with reckless ambition, the ledger is quieting on the software vulnerability front while attackers refocus on the arteries that feed entire ecosystems. New data from CertiK, shared with Cointelegraph, paints a nuanced picture: total losses in 2025 reached about $3.3 billion, yet the number of incidents declined sharply as miscreants shifted toward sophisticated supply-chain exploits. In plain terms, attackers are trading simple code bugs for high-value, infrastructure-level breaches that can ripple across multiple projects with fewer, bigger targets.
The evolving threat landscape: from code flaws to supply chain compromises
Why code vulnerabilities are no longer enough for attackers
In the early days of crypto exploits, a large share of the damage stemmed from discoverable code vulnerabilities. Flaws in smart contracts, wallet software, and network protocols offered attackers clear entry points. But as developers hardened these weaknesses—adding formal verification, better auditing practices, and more robust runtime protections—the payoff for chasing those bugs diminished. The CertiK report notes a decline in incident counts, suggesting a new tier of adversaries no longer relies on easy-to-find flaws that any attacker can replicate. Instead, they pursue higher-stakes, harder-to-reach points in the supply chain, where even well-defended protocols can be disrupted by compromising a single upstream provider or platform dependency.
The rise of supply chain attacks as the most damaging threat
Supply chain compromises have marched to the forefront of crypto risk. In 2025, supply chain breaches emerged as the most damaging class of incidents, accounting for $1.45 billion in losses across just two incidents. The most notable example, the Bybit hack in February, accounted for a staggering portion of that damage—nearly $1.4 billion. CertiK’s analysis describes this incident as a signal that highly capitalized, coordinated threat actors are increasingly active across the ecosystem and that the attack pattern is evolving. Rather than taking down a single project, attackers are targeting infrastructure providers, exchanges, and other critical nodes whose compromises can cascade across multiple platforms and users.
Decoding the numbers: what the data tells us
By the numbers: total losses, incident counts, and target profiles
According to CertiK’s findings, 2025 saw a total loss figure of about $3.3 billion due to crypto hacks, a steep figure even as the number of incidents declined. The decrease in incidents signals improving protocol-level security and more sophisticated attacker behavior that prioritizes higher-value targets over frequent, opportunistic breaches. The Bybit incident stands as a dramatic example: one massive breach can dwarf dozens of smaller events, skewing the total losses upward while the incident count shrinks.
Average vs. median losses: what the numbers tell us about risk distribution
The data reveal a meaningful divide between average losses and typical experiences. The average amount lost per hack rose to about $5.3 million in 2025, a 66% increase from the prior year. This jump underscores that when attackers do strike, they are often aiming for large-scale breaches that can reframe an ecosystem’s risk profile. Conversely, the median loss dropped to roughly $103,966—down about 36% from the year before. This divergence—higher highs but more moderate typical losses—indicates that while a minority of events are catastrophic, the everyday breach risk for most users remains relatively contained when viewed through the median lens.
Phishing and pig-butchering: the new frontiers of fraud in a more secure-looking space
If code-level vulnerabilities are waning, phishing and social-engineering scams are surging as the primary driver of losses for investors. CertiK’s data highlight phishing as the second-largest threat category, totaling $722 million across 248 incidents. Among phishing variants, pig-butchering scams—where con artists cultivate long-running romantic or trust-based relationships to coerce victims into transferring funds—have grown into a dominant pattern. In 2024, these scams cost the crypto industry about $5.5 billion across roughly 200,000 individual cases, according to Cyvers. The scale and tempo of these schemes underscore a shift from technical exploitation to human-driven manipulation—an area that remains stubbornly hard to police and educate against.
The phishing frontier: pig butchering and AI-enabled fraud
The anatomy of a pig-butchering scam
Pig-butchering scams typically begin with a seemingly innocent online relationship. Scammers invest time in grooming victims, often using sophisticated social-engineering scripts, persuasive narratives, and even AI-generated content to add layer after layer of credibility. Victims might be persuaded to link wallets, approve transactions, or transfer assets to what they believe is a trusted, high-potential investment vehicle. The emotional bond lowers analytical defenses, making it easier for the scammer to request staked funds or private keys, or to quietly steer assets into “safe” or “rewarding” channels. The result is a dramatic drain on personal crypto holdings, sometimes wiping out retirement funds or life savings in a matter of days or weeks.
High-profile examples and regulatory responses
In a striking escalation, US authorities moved decisively in June with a DoJ seizure exceeding $225 million linked to pig-butchering scams. The message from law enforcement is clear: criminal networks connected to sophisticated online fraud are not beyond the reach of the criminal-justice system, and large-scale crypto fraud can trigger coordinated, cross-border enforcement actions. While the seizures are a boon for deterrence and public confidence, they also reveal how deeply embedded these schemes have become in the crypto ecosystem, often hiding behind legitimate-looking investment funnels and social channels that misinform and manipulate unsuspecting investors.
Beyond the numbers: who is behind the major attacks and how they operate
Well-capitalized actors targeting infrastructure
The Bybit incident shows that threat actors with substantial resources prefer complex, multi-stage operations. Rather than a one-off leak, these actors exploit high-value vectors—such as security weaknesses in supply-chain software, third-party services, or infrastructure platforms that many projects rely on. Their playbook emphasizes scale, coordination, and a willingness to absorb significant upfront costs for longer-term gains. The ecosystem must recognize that the most dangerous adversaries are not always the loudest hackers in the room; often, they are orchestrators who map dependencies across multiple services, identifying choke points that, once breached, yield outsized returns.
Lazarus Group and the broader geopolitical dimension
Security researchers and industry trackers regularly connect high-profile crypto incidents to recognized state-backed or state-adjacent groups. The Lazarus Group, widely reported in relation to North Korea-linked cyber operations, is frequently cited as an example of a capable, persistent threat actor with the funds and expertise to execute large-scale breaches. While attribution in the crypto space remains challenging, the pattern is clear: adversaries are combining traditional cyberattack techniques with financial crime objectives, leveraging supply chains and infrastructure dependencies to maximize impact while distributing risk across platforms and users.
Practical defenses for individuals and organizations
What users can do to reduce risk
- Enhance phishing awareness: Treat every unexpected message with suspicion, verify URLs through direct typing rather than following links, and enable multi-factor authentication across wallets and exchange accounts.
- Guard your recovery data: Never share seed phrases or private keys. Store them offline in a secure location and consider hardware wallets for long-term holdings.
- Limit trust in external services: Be cautious when granting permissions to wallets or signing transactions in third-party apps. Regularly audit connected apps and revoke access that isn’t essential.
- Diversify storage: Don’t keep all assets on a single exchange or hot wallet. Use a mix of custody solutions, including cold storage for the majority of holdings.
- Monitor announcements and communities: Stay informed about active phishing campaigns and newly discovered scams within the communities you participate in, such as official project channels and trusted media outlets.
What exchanges and protocols can do to harden defenses
- Implement rigorous third-party risk management: Vet suppliers, auditing firms, and cloud providers. Demand transparency around subprocessor use and security posture.
- Hardening and verification: Adopt formal verification for critical smart contracts and ensure continuous runtime monitoring that can detect anomalies and potential breaches in real time.
- Supply chain transparency: Publish SBOMs (software bills of materials) for core dependencies and provide clear incident response playbooks that outline steps post-breach.
- Frictionless but secure user experiences: Balance security controls with user-friendly recovery options, such as secure onboarding and robust incident response channels that don’t trap legitimate users in red tape.
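Publishing an SBOM only pays off if someone actually checks it. The following is an added example (not code from CertiK, LegacyWire, or any project named on this page) showing the kind of automated policy check an exchange or protocol team can run over a CycloneDX-style SBOM: every core dependency should carry a pinned version and an integrity hash, and none should match an advisory list. The SBOM content, package names, hash values and advisory entries are all constructed for illustration.

```python
import json
from typing import Dict, List, Set

# Constructed, minimal CycloneDX-style SBOM. Package names and hash values are
# made up for this example and do not describe any real project.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "wallet-core", "version": "2.4.1",
     "purl": "pkg:npm/wallet-core@2.4.1",
     "hashes": [{"alg": "SHA-256", "content": "0f3a0000constructed"}]},
    {"type": "library", "name": "signer-sdk", "version": "1.9.0",
     "purl": "pkg:npm/signer-sdk@1.9.0",
     "hashes": [{"alg": "SHA-256", "content": "8c210000constructed"}]},
    {"type": "library", "name": "ui-widgets", "version": "latest",
     "purl": "pkg:npm/ui-widgets"},
    {"type": "library", "name": "log-shim", "version": "0.3.2",
     "purl": "pkg:npm/log-shim@0.3.2"}
  ]
}
"""

# Hypothetical advisory feed for the example: package name -> versions flagged
# by the team's own intelligence. Not a real advisory list.
ADVISORIES: Dict[str, Set[str]] = {"signer-sdk": {"1.9.0"}}

# Version strings that resolve to "whatever is newest" at build time.
FLOATING_VERSIONS = {"latest", "*", ""}


def audit_sbom(sbom: dict, advisories: Dict[str, Set[str]]) -> List[str]:
    """Return one human-readable finding per policy violation in the SBOM."""
    findings: List[str] = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        version = comp.get("version") or ""

        # A floating version defeats reproducibility: the same SBOM can describe
        # two different artifacts on two different days, which is exactly the
        # window a dependency-substitution attack needs.
        if version in FLOATING_VERSIONS or version.startswith(("^", "~")):
            findings.append(f"{name}: version not pinned ({version!r})")

        # Without a recorded hash, a build cannot prove that the artifact it
        # consumed is the one the SBOM claims to describe.
        if not comp.get("hashes"):
            findings.append(f"{name}: no integrity hash recorded")

        # Cross-reference against the advisory feed.
        if version in advisories.get(name, set()):
            findings.append(f"{name}@{version}: matches advisory list")
    return findings


def audit_sample() -> List[str]:
    """Run the audit over the constructed SBOM above."""
    return audit_sbom(json.loads(SAMPLE_SBOM_JSON), ADVISORIES)


if __name__ == "__main__":
    for finding in audit_sample():
        print("FINDING:", finding)
```

In a CI pipeline this check would run on every dependency update and fail the build on any finding; the advisory feed would be populated from whatever vulnerability and incident intelligence the team subscribes to, rather than the hard-coded dictionary used here.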
Operational lessons for teams: incident response, auditing, and resilience
For organizations, the 2025 data emphasizes resilience over reaction. A robust incident response regimen should cover detection of unusual authentication patterns, sudden spikes in withdrawal activity, and cross-chain reconciliation inconsistencies. Regular tabletop exercises, where security teams simulate supply-chain breaches, help teams understand dependencies and decision-making processes under pressure. A mature security program integrates threat intelligence about supply-chain trends, enabling preemptive hardening where risk is highest.
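The detection points named above (sudden spikes in withdrawal activity, unusual per-account behaviour) are easy to state and easy to get wrong. The following is an added example, not code from any exchange, CertiK, or LegacyWire, that runs two simple detectors over a constructed withdrawal log: an hourly-volume spike check that uses the median hour as its baseline, and a per-account velocity check that looks for bursts of withdrawals inside a short rolling window. The log format (ISO timestamp, account id, asset, amount) and every record in it are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

# Constructed withdrawal log (not real exchange data). One line per withdrawal:
# <ISO-8601 timestamp> <account id> <asset> <amount>
SAMPLE_LOG = """\
2025-03-01T09:05:12Z acct-001 ETH 1.20
2025-03-01T09:17:45Z acct-002 ETH 0.75
2025-03-01T10:02:03Z acct-003 ETH 2.10
2025-03-01T10:40:30Z acct-001 ETH 0.90
2025-03-01T11:15:00Z acct-004 ETH 1.50
2025-03-01T11:55:21Z acct-002 ETH 1.10
2025-03-01T12:01:02Z acct-009 ETH 400.00
2025-03-01T12:01:09Z acct-009 ETH 380.00
2025-03-01T12:01:15Z acct-009 ETH 420.00
2025-03-01T13:10:00Z acct-003 ETH 1.30
"""

Row = Tuple[datetime, str, str, float]


def parse_log(text: str) -> List[Row]:
    """Parse the constructed log format into (timestamp, account, asset, amount) rows."""
    rows: List[Row] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, asset, amount = line.split()
        # fromisoformat() accepts "+00:00" but not a trailing "Z" on older Pythons.
        rows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), acct, asset, float(amount)))
    return rows


def hourly_totals(rows: List[Row]) -> Dict[str, float]:
    """Sum withdrawn amounts per calendar hour, keyed like '2025-03-01T12'."""
    totals: Dict[str, float] = defaultdict(float)
    for ts, _, _, amount in rows:
        totals[ts.strftime("%Y-%m-%dT%H")] += amount
    return dict(totals)


def flag_spikes(totals: Dict[str, float], factor: float = 10.0) -> List[str]:
    """Return hours whose total exceeds `factor` times the median hourly total.

    The median is deliberately used as the baseline: a single enormous hour
    would drag a mean upward and partly hide itself, whereas it barely moves
    the median.
    """
    if len(totals) < 3:
        return []  # too little history to judge a spike
    baseline = median(totals.values())
    return sorted(hour for hour, total in totals.items() if total > factor * baseline)


def flag_velocity(rows: List[Row], max_per_window: int = 2, window_seconds: int = 60) -> List[str]:
    """Return accounts that issue more than `max_per_window` withdrawals
    within any rolling window of `window_seconds`."""
    by_acct: Dict[str, List[datetime]] = defaultdict(list)
    for ts, acct, _, _ in rows:
        by_acct[acct].append(ts)
    flagged: List[str] = []
    for acct, stamps in by_acct.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            # Extend the window from stamps[i] as far as it reaches.
            while j + 1 < len(stamps) and (stamps[j + 1] - stamps[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 > max_per_window:
                flagged.append(acct)
                break
    return sorted(flagged)


def analyze(text: str) -> Dict[str, List[str]]:
    """Run both detectors over a log and return their findings."""
    rows = parse_log(text)
    return {
        "spike_hours": flag_spikes(hourly_totals(rows)),
        "velocity_accounts": flag_velocity(rows),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

Both detectors are intentionally simple so the logic is auditable; in production the baseline would be computed from a longer history (and per asset, since one ETH and one stablecoin are not comparable), the thresholds would be tuned against the exchange's own false-positive budget, and a hit would route to an analyst or an automatic withdrawal hold rather than a print statement.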
Pros and cons of the new threat model
- Pros: The reduced number of low-sophistication incidents means security improvements at protocol and platform levels are paying off. The ecosystem is becoming more aware of the critical choke points and capable of quicker containment when breaches occur. This shift also spurs better collaboration among exchanges, auditors, and infrastructure providers, raising the overall baseline security across the space.
- Cons: The attacks that do land are bigger and more damaging, which can erode user trust and invite regulatory scrutiny. Supply chain attacks require coordinated defenses across multiple actors, making risk management more complex and resource-intensive. The rise of sophisticated phishing and pig-butchering scams exploits human psychology, a domain where technical safeguards alone cannot fully prevent losses.
The broader context: market resilience, regulation, and the future outlook
Market resilience remains a defining characteristic of the crypto space. Despite record losses in high-profile incidents, the industry’s capacity to rebound—through improved security practices, more rigorous auditing, and faster incident response—appears solid. Regulatory attention is intensifying, with lawmakers and law enforcement agencies seeking to curb fraud while maintaining space for innovation. The DoJ’s aggressive stance on pig-butchering scams signals a trend toward more proactive enforcement against well-funded fraud networks, potentially deterring future big breaches that rely on social engineering as a force multiplier.
Looking ahead, the ecosystem is likely to see continued investment in supply-chain security, emphasis on verifiable cryptographic primitives, and stronger governance around third-party dependencies. The Bybit incident serves as a case study in how attackers adapt to a more secure environment: they pivot to infrastructure-level weaknesses, where a single vulnerability can impact hundreds of users and projects. The takeaway for builders and users alike is clear—security is a shared responsibility that requires ongoing vigilance, collaboration, and investment in people, processes, and technology.
Conclusion: turning insights into action
The crypto security landscape is not static. It is a living, evolving field shaped by attacker ingenuity and defender ingenuity in turn. The decline in routine incident counts is a positive signal that protocol-level defenses are improving, but the surge in supply-chain-centric losses and sophisticated phishing campaigns reminds us that risk is moving, not disappearing. For professionals and ordinary users, the path forward is pragmatic: invest in defense-in-depth across people, processes, and technology; stay informed about the latest attack patterns; and commit to a culture of security that begins with everyday habits and ends with resilient, trustworthy systems. The Bybit hack is a stark reminder that the most formidable threats are often the ones you can’t see until it’s too late. Staying ahead means building smarter, more transparent security architectures and empowering users with the knowledge to protect their own assets.
FAQ
Q: What exactly is a supply chain attack in crypto?
A: In crypto, a supply chain attack targets the software, services, or providers that projects depend on—such as wallet libraries, auditing firms, cloud services, or third-party integrations. A compromise at any point in this chain can propagate to many users and projects, sometimes with devastating effects.
Q: How can I spot a pig-butchering scam?
A: Look for long, intense conversations that pivot toward investment opportunities and money transfers after gaining your trust. Be wary of links or requests to reveal private keys, and verify any investment claims through official channels rather than through messages from unknown contacts or social media.
Q: Why did the DoJ seize $225 million related to pig-butchering?
A: The DoJ actions reflect ongoing efforts to dismantle large fraud networks. Seizures in this space demonstrate that authorities can trace illicit crypto flows across exchanges, wallets, and messaging platforms, and that cross-border enforcement is increasingly effective against sophisticated fraud schemes.
Q: What can exchanges do to protect users?
A: Exchanges can adopt stronger third-party risk management, demand detailed SBOMs for critical dependencies, implement enhanced monitoring for unusual withdrawal patterns, and provide clearer, faster pathways for user recovery after suspected fraud. Transparent incident response communications also help maintain user trust during breaches.
Q: Are supply chain attacks inevitable in crypto?
A: Not inevitable, but highly plausible if ecosystems neglect security at key dependency points. The best defense is proactive risk assessment, continuous auditing, and a culture of security that treats every link in the chain as a potential point of failure—requiring constant vigilance and updates as the ecosystem evolves.
Q: What does CertiK’s analysis imply for the next 12–18 months?
A: It suggests a continued shift toward high-impact breaches centered on infrastructure and supply chains, with attackers refining their methods to exploit complex dependencies. For defenders, that means prioritizing supply chain risk management, formal verification of critical code, and user education to counter phishing and social-engineering threats.
As LegacyWire, we’ll keep tracking the threads behind these numbers—the people, the protocols, and the policies that shape the crypto security landscape. The lessons are clear: as defenses improve, attackers adapt. The best defense is a holistic approach that shields the code, the connections, and the people who rely on these systems every day.