2025 Cryptocurrency Security Incident Report: Loss of $2.9 billion, AI Deepfake Becomes New Weapon for Hackers
SlowMist Technology’s annual report shows that although blockchain security incidents decreased from 410 in 2024 to 200 in 2025, the total losses surged by 46% to $2.935 billion. CEX hacks accounted for $1.46 billion, leading the list. AI deepfake technology has tricked KYC processes, becoming a new threat. North Korea’s Lazarus Group stole $1.645 billion in the first nine months. Cambodia’s Huione Group was sanctioned by the US for facilitating money laundering.
CEX $1.46 Billion Hack Breaks Loss Records
The most shocking security incident of 2025 was the CEX hack, with a single loss of $1.46 billion setting a new record. The hackers are suspected to have exploited Safe Wallet multi-signature permissions to launch the attack. This precise targeting of multi-signature mechanisms exposed governance vulnerabilities even in top-tier exchanges.
Ben Zhou, CEO of CEX, recalled that the attack occurred in the early hours of the weekend. The team responded within hours by freezing suspicious addresses, activating backup funds, and collaborating with on-chain analysis firms to trace the flow of funds. However, the $1.46 billion loss far exceeded what a single company could bear, prompting a comprehensive reflection on the security of centralized custodial exchanges.
Other major loss events include Cetus Protocol losing $230 million due to smart contract vulnerabilities, which caused an 83% drop in Sui ecosystem TVL after the attack. Balancer V2 lost $121 million due to errors in Stable Pool swap path calculations. The complexity of DeFi protocols once again became a security risk. Iran’s Nobitex exchange was attacked by Israeli-affiliated hackers, destroying about $100 million in assets. This incident extended geopolitical conflicts into the crypto space.
AI Deepfake and Social Engineering: Deadly Combination
The most notable change in attack methods in 2025 was the deep penetration of AI technology. Hackers used deepfake techniques to impersonate corporate executives’ voices and images during video conferences. An employee of Hong Kong-based multinational architecture firm Arup was deceived into transferring large sums under the “CEO’s” video instructions. Even more frightening, hackers used AI-generated fake identities to bypass KYC checks at cryptocurrency exchanges, rendering the traditional first line of anti-money laundering defenses—identity verification—virtually useless.
Six New Attack Techniques in 2025
1. AI Dynamic Malicious Code Generation
· Uses AI models to generate variants of malicious code in real-time
· Evades traditional signature-based security software detection
· Each attack’s code fingerprint is unique
2. Recruitment and Interview Scams
· Pretends to be a Web3 company recruiting engineers
· Induces targets to download backdoored code repositories or test projects
· Steals private keys and sensitive information from developers’ computers
3. Clickfix Phishing Attacks
· Tricks users into executing malicious commands on systems
· Impersonates tech support or system updates
· Bypasses browser security warnings to execute commands directly
4. Solana Permission Tampering
· Changes account owner permissions to hacker-controlled addresses
· Prevents users from controlling assets even with private keys
· Exploits the unique design of Solana’s account model
5. EIP-7702 Authorization Abuse
· Exploits new Ethereum account abstraction features
· Massively steals assets from wallets authorized under EIP-7702
· WLFI investor wallets were drained as a result
6. Supply Chain Poisoning Attacks
· Inserts backdoors into popular open-source tools on GitHub
· Targets high-traffic projects like Solana trading bots
· Uses NPM package updates to automatically infect developer environments
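The EIP-7702 item above names the mechanism but not the control a custodian would put around it: a delegated EOA's code is a fixed-format designator (0xef0100 followed by the 20-byte delegate address), and any call to that EOA executes the delegate's code in the EOA's context, so which contract an address points at is the thing to watch. The script below is an added example written for this article, not code from the SlowMist report or from any project it names; it assumes the operator keeps an allowlist of audited delegate contracts and has already fetched account code (in production via the standard eth_getCode JSON-RPC call), and it embeds constructed placeholder addresses so it runs offline.

```python
"""Flag externally owned accounts whose code is an EIP-7702 delegation
designator pointing at a delegate contract that is not on the allowlist.

Assumptions (not from the SlowMist report): the operator maintains an
allowlist of audited delegate contracts, and account code has been fetched
beforehand (in production via eth_getCode); here the code is embedded as
constructed sample data so the script runs offline.
"""
from dataclasses import dataclass
from typing import Optional

# Per EIP-7702, a delegated EOA's code is exactly 0xef0100 || 20-byte address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")
DELEGATION_CODE_LEN = len(DELEGATION_PREFIX) + 20


def parse_delegation(code: bytes) -> Optional[str]:
    """Return the delegate address (lowercase 0x-hex) if `code` is a
    well-formed delegation designator, otherwise None."""
    if len(code) != DELEGATION_CODE_LEN or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[len(DELEGATION_PREFIX):].hex()


@dataclass(frozen=True)
class Finding:
    account: str
    delegate: str
    reason: str


def audit_delegations(code_by_account: dict[str, bytes],
                      trusted_delegates: set[str]) -> list[Finding]:
    """Report every account that delegates to a contract outside the allowlist.
    Accounts with no code (ordinary EOAs) or with a trusted delegate pass."""
    trusted = {a.lower() for a in trusted_delegates}
    findings = []
    for account, code in code_by_account.items():
        delegate = parse_delegation(code)
        if delegate is None:
            continue  # plain EOA or a regular contract, not a 7702 designator
        if delegate not in trusted:
            findings.append(Finding(account, delegate,
                                    "EIP-7702 delegation to unvetted contract"))
    return findings


# Constructed sample data: placeholder addresses, not real on-chain accounts.
TRUSTED_DELEGATE = "0x" + "aa" * 20
UNKNOWN_DELEGATE = "0x" + "bb" * 20
SAMPLE_CODE = {
    "0x" + "01" * 20: b"",  # plain EOA, never delegated
    "0x" + "02" * 20: DELEGATION_PREFIX + bytes.fromhex(TRUSTED_DELEGATE[2:]),
    "0x" + "03" * 20: DELEGATION_PREFIX + bytes.fromhex(UNKNOWN_DELEGATE[2:]),
    "0x" + "04" * 20: bytes.fromhex("6080604052"),  # ordinary bytecode, not a designator
}


def demo() -> list[str]:
    """Return the accounts the audit flags for the constructed sample data."""
    return [f.account for f in audit_delegations(SAMPLE_CODE, {TRUSTED_DELEGATE})]


if __name__ == "__main__":
    for f in audit_delegations(SAMPLE_CODE, {TRUSTED_DELEGATE}):
        print(f"{f.account} -> {f.delegate}: {f.reason}")
```

Only the third sample account is reported: it carries a valid designator whose delegate is unknown. The strict length check matters, because a contract whose bytecode merely begins with 0xef0100 would otherwise be misread as a delegation; re-running the audit on deposit and hot-wallet addresses after every block is the kind of control that surfaces the authorization abuse the list describes before funds move.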
Social engineering attacks have a much higher success rate than exploiting technical vulnerabilities. Many victims are not compromised due to smart contract bugs or brute-force private key attacks, but because of carefully crafted scripts and fake identities. When hackers can use AI to instantly mimic anyone’s voice or produce realistic videos, traditional “seeing is believing” methods are no longer effective.
Supply chain poisoning attacks are even more covert. Hackers do not attack targets directly but poison the tools and libraries developers rely on. When thousands of developers update NPM packages or clone GitHub repositories, malicious code can automatically enter their environments. The frightening part is that victims often do not realize they have been compromised until assets are stolen, by which time it is too late.
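The paragraph above describes how poisoned npm packages reach a developer's machine through a routine update; the practical counter is to review the lockfile before `npm ci` runs anything. The script below is an added example written for this article, not code from the SlowMist report or from any project it mentions. It assumes the project only accepts packages from the public npm registry and reads the lockfile v2/v3 format npm produces; the lockfile it scans is constructed sample data with placeholder names and hashes, embedded so the script runs offline.

```python
"""Review an npm package-lock.json (lockfile v2/v3 format) before running
`npm ci`, flagging entries that poisoned-dependency attacks commonly rely on:
tarballs fetched from outside the trusted registry, entries with no integrity
hash, and packages that run install-time scripts.

Assumptions (not from the SlowMist report): the project allows packages only
from the public npm registry; the lockfile is loaded from disk in practice,
but a constructed one is embedded here so the script runs offline.
"""
import json

TRUSTED_REGISTRY_PREFIXES = ("https://registry.npmjs.org/",)


def review_lockfile(lock: dict, trusted=TRUSTED_REGISTRY_PREFIXES) -> list[tuple[str, str]]:
    """Return (package path, reason) pairs for entries that need human review."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):
            # "" is the root project; link entries are workspace symlinks with no tarball.
            continue
        resolved = entry.get("resolved", "")
        if not resolved.startswith(trusted):
            findings.append((path, f"resolved outside trusted registry: {resolved or '<missing>'}"))
        if not entry.get("integrity"):
            findings.append((path, "no integrity hash, tarball contents are unverified"))
        if entry.get("hasInstallScript"):
            findings.append((path, "declares install-time scripts that run on npm install"))
    return findings


# Constructed sample lockfile: package names, hashes and git ref are placeholders.
SAMPLE_LOCK = json.loads("""
{
  "name": "trading-bot", "lockfileVersion": 3,
  "packages": {
    "": {"name": "trading-bot", "version": "1.0.0"},
    "node_modules/left-lib": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/left-lib/-/left-lib-2.1.0.tgz",
      "integrity": "sha512-PLACEHOLDERHASH"
    },
    "node_modules/helper-kit": {
      "version": "0.3.4",
      "resolved": "https://registry.npmjs.org/helper-kit/-/helper-kit-0.3.4.tgz",
      "integrity": "sha512-PLACEHOLDERHASH",
      "hasInstallScript": true
    },
    "node_modules/fast-sign": {
      "version": "1.0.0",
      "resolved": "git+ssh://git@example.invalid/fast-sign.git#0000000"
    }
  }
}
""")


def demo() -> list[str]:
    """Return the distinct package paths flagged in the constructed sample."""
    return sorted({path for path, _ in review_lockfile(SAMPLE_LOCK)})


if __name__ == "__main__":
    for path, reason in review_lockfile(SAMPLE_LOCK):
        print(f"{path}: {reason}")
```

In the sample, `fast-sign` is flagged twice (git source, no integrity hash) and `helper-kit` once for its install script; `left-lib` passes. A finding is a prompt for review rather than proof of compromise, but pairing this scan with `npm ci --ignore-scripts` in CI removes the automatic code execution step that the poisoning technique depends on, leaving install scripts to be enabled deliberately for the few packages that genuinely need them.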
North Korean Hackers and Cross-Border Money Laundering Networks
North Korea’s Lazarus Group remained the biggest security threat in 2025, stealing approximately $1.645 billion in just the first nine months. This amount exceeds the GDP of many small and medium-sized countries, demonstrating the terrifying capabilities of state-sponsored hackers. Lazarus Group’s money laundering process has become industrialized: illicit funds are moved across chains via bridges, passed through mixers such as Tornado Cash to obscure their origin, and laundered together with the proceeds of other incidents to make tracing harder.
Cambodia’s Huione Group was sanctioned by the US Office of Foreign Assets Control (OFAC) for allegedly facilitating large-scale scam fund flows. This marks the extension of anti-money laundering efforts into international law enforcement. Southeast Asia was previously seen as a gray area for crypto regulation, with many laundering nodes established there. However, US extraterritorial jurisdiction has cut off these organizations from the global financial system, severely impairing their operations.
SlowMist’s summary indicates that in 2025, attack systems are becoming more professional, criminal networks more covert, and regulatory enforcement more aggressive. Security and compliance are no longer just protective measures but essential thresholds for business survival. The future vitality of the Web3 industry will depend on establishing stronger internal security controls and transparent fund governance models.