The FBI’s Internet Crime Complaint Center recorded $11.36 billion in cryptocurrency fraud losses in 2025, a 22% increase from the year before. Hackers stole another $3.4 billion through direct exploits, with North Korean state actors responsible for $2.02 billion of that total. Combined, these figures represent the worst year on record for cryptocurrency security.
The data below covers cryptocurrency security statistics across hacking, fraud, scams, ransomware, DeFi exploits, and regulatory enforcement, drawn from the FBI, Chainalysis, TRM Labs, and other primary sources.
Key Takeaways
- The FBI recorded $11.36 billion in crypto fraud losses in 2025, up 22% year over year, with investment scams accounting for $7.23 billion of that total.
- Off-chain attacks (compromised credentials, social engineering, supply chain manipulation) caused 76% of all hack losses ($2.2 billion), marking a clear shift from code-based exploits to human targeting.
- North Korean hackers stole $2.02 billion in 2025, a 51% increase, and accounted for 76% of all service compromises worldwide.
- Ransomware payments dropped 8% to $820 million in 2025, even as claimed attacks rose 50%, suggesting improved victim resilience.
- Q1 2026 hack losses fell 88% year over year to $168.6 million, though a single large exploit could reverse that trend.
- Law enforcement recovered roughly $2.4 billion in 2024, while illicit crypto addresses received $158 billion in 2025, a ratio that highlights the scale gap between enforcement capacity and criminal activity.
Editor’s Choice
- Total cryptocurrency hack losses reached $3.4 billion in 2025, the worst year on record for direct theft.
- Illicit crypto addresses received $158 billion in 2025, a 145% increase from 2024, though this represented only 1.2% of total on-chain volume.
- Crypto scam losses hit an estimated $17 billion in 2025, with AI-enabled schemes showing roughly 500% higher profitability than traditional scams.
- The Bybit hack in February 2025 resulted in $1.5 billion stolen, the largest single crypto theft in history.
- The crypto security market reached $6.79 billion in 2026, projected to grow to $26.92 billion by 2032.
- Carnegie Mellon researchers identified 270 million address poisoning attempts targeting 17 million potential victims.
- The FBI logged 181,565 cryptocurrency-related fraud complaints in 2025, averaging $62,604 per complaint.
Recent Developments
- Chainalysis released its 2026 Crypto Crime Report in February 2026, finding that illicit cryptocurrency addresses received at least $154 billion in 2025, a 162% year-over-year increase.
- Crypto theft reached $3.4 billion in 2025 per Chainalysis, with the February 2025 Bybit exchange hack alone accounting for $1.5 billion of the annual total.
- In February 2026, Chainalysis reported that DPRK-linked actors stole $2.02 billion in cryptocurrency during 2025, responsible for 76% of all service compromises.
- Impersonation scams showed 1,400% year-over-year growth in 2025 per Chainalysis, with total scam and fraud losses reaching $17 billion.
- TRM Labs published its 2026 Crypto Crime Report in March 2026, documenting illicit flow typologies and reinforcing that nation-state actors drove the largest single-source compromise category.
Cryptocurrency Hack Losses by Year
- Hackers stole $3.4 billion in cryptocurrency during 2025, up from $2.2 billion in 2024, a 55% year-over-year increase.
- The top 3 hacks in 2025 accounted for 69% of all service losses, showing how a small number of large exploits drive annual totals.
- North Korean state-sponsored groups were behind $2.02 billion of the 2025 total, their highest annual figure ever.
- Hack totals remain highly volatile because one or two mega-exploits can set records for any given year.
- The 2025 figure surpassed the previous record of $3.8 billion set in 2022 during the Terra/Luna and FTX era.
- TRM Labs tracked nearly 150 incidents in 2025, with an average loss of $19.5 million per incident and a median of $1.3 million.
- The top 10 incidents in 2025 represented 81% of annual losses, an extreme concentration of damage.
- CoinLaw’s data-first approach reveals a pattern that narrative coverage often misses: annual hack totals tell less about systemic security than the ratio of large-to-small incidents, which has grown steadily since 2021.
| Year | Total Hack Losses | Notable Incident | Incident Count |
| 2019 | $0.29 billion | Cryptopia ($16M) | 11 |
| 2020 | $0.52 billion | KuCoin ($280M) | 15 |
| 2021 | $3.2 billion | Poly Network ($611M) | 250+ |
| 2022 | $3.8 billion | Ronin Bridge ($625M) | 220+ |
| 2023 | $1.7 billion | Mixin Network ($200M) | 180+ |
| 2024 | $2.2 billion | DMM Bitcoin ($305M) | 160+ |
| 2025 | $3.4 billion | Bybit ($1.5B) | ~150 |
Source: Chainalysis, TRM Labs
Crypto Fraud Losses in the United States
- The FBI’s IC3 recorded $11.36 billion in cryptocurrency-related fraud losses in 2025, up 22% from $9.3 billion in 2024.
- Investment fraud generated $7.23 billion in losses, the largest single category, with complaints rising 48% year over year.
- Recovery scams (impostors offering to retrieve stolen funds) added $1.4 billion in losses, often re-targeting previous victims.
- Americans aged 60 and older lost $4.43 billion across 44,555 complaints, the highest of any age group.
- The average loss per complaint reached $62,604, reflecting the high-value nature of crypto fraud schemes.
- Crypto-related ATM fraud generated $389 million in losses across 13,460 complaints, a 58% increase in dollar losses.
- FBI’s Operation Level Up notified 8,000 potential victims and prevented over $500 million in losses, including $225.9 million in 2025.
- Crypto fraud accounted for more than half of the FBI’s total $20.877 billion in reported cybercrime losses for 2025.
| Year | FBI Reported Crypto Losses | Complaints | Top Category |
| 2021 | $1.6 billion | 34,202 | Investment fraud |
| 2022 | $2.57 billion | 52,089 | Investment fraud |
| 2023 | $5.6 billion | 69,468 | Investment fraud |
| 2024 | $9.3 billion | 122,803 | Investment fraud |
| 2025 | $11.36 billion | 181,565 | Investment fraud |
Source: FBI Internet Crime Complaint Center
Types of Cryptocurrency Attacks
- Infrastructure attacks (compromised keys, supply chain manipulation) caused $2.2 billion in losses, representing 76% of all hack-related damage in 2025.
- Smart contract exploits accounted for the remaining 24%, a reversal from 2021 when code-based bugs drove the majority of losses.
- The Bybit hack exploited a supply chain vulnerability in Safe{Wallet}’s signing infrastructure rather than any flaw in Bybit’s own smart contracts.
- Off-chain incidents made up 56.5% of all DeFi attacks historically, per Halborn’s analysis of the top 100 hacks.
- Input verification failures caused 34.6% of direct smart contract exploitation cases.
- Compromised account credentials led to 47% of total historical DeFi losses.
- The “people, not code” shift is the defining trend of 2025: crypto’s largest vulnerability is no longer software but human operators. Our coverage of crypto exchange market data shows a similar pattern, with the largest exchanges investing heavily in operational security over smart contract audits.
- AI-powered social engineering amplified the human attack vector, with deepfake impersonation tactics showing 1,400% year-over-year growth.
By the numbers: According to TRM Labs, infrastructure attacks targeting compromised keys, social engineering, and supply chain manipulation caused $2.2 billion in crypto losses during 2025, representing 76% of all hack-related damage. This marks a reversal from 2021, when code-based smart contract bugs drove the majority of exploits. Attackers now target human operators over protocol code.
DeFi Exploit Statistics
- Total DeFi hack losses from the top 100 incidents between 2014 and 2024 reached $10.77 billion, per Halborn’s analysis.
- Only 20% of hacked DeFi protocols had undergone security audits, yet audited protocols accounted for just 10.8% of total value lost.
- Flash loan attacks made up 83.3% of eligible exploits in 2024, up from lower levels in prior years.
- Just 19% of exploited protocols used multi-signature wallets, and only 2.4% relied on cold storage solutions.
- DeFi security showed signs of improvement in late 2025: total value locked recovered from 2023 lows, but hack losses did not follow, suggesting better protocol-level defenses.
- The Cetus Protocol exploit in May 2025 drained $223 million through a mathematical error in liquidity calculations.
- Market manipulation attacks dominated 2021 at 32.1% of incidents, while governance attacks comprised 5.6% of exploits in 2024.
- DeFi market statistics show TVL has rebounded above $100 billion, yet the improved security posture suggests the industry is maturing beyond its “move fast and break things” phase.
Crypto Exchange Security Breaches
- Approximately 39% of cryptocurrency exchanges experienced a data breach in 2024, primarily from inadequate security protocols.
- The global average cost of a data breach in the crypto sector reached $5.3 million, a 15% increase from 2023.
- The Bybit hack in February 2025 (a $1.5 billion loss) stands as the largest exchange security failure in history, accomplished through compromised signing infrastructure rather than a direct network breach.
- Only 40% of crypto exchange users enable two-factor authentication on their accounts, leaving the majority vulnerable to credential theft.
- Wallets secured with multi-factor authentication show a 62% lower incidence of compromise compared to unprotected accounts.
- Phishing attacks targeting exchange users led to over $1.1 billion in wallet-related thefts in 2025.
- The top 3 exchange hacks in 2025 accounted for 69% of all service losses, demonstrating how concentrated the risk remains among a small number of incidents.
- Exchange cold wallet reserves and proof-of-reserves reporting increased throughout 2025, with major platforms publishing attestation reports quarterly.
Phishing and Address Poisoning Statistics
- Carnegie Mellon CyLab researchers identified 270 million address poisoning attempts targeting 17 million victims between July 2022 and June 2024, with confirmed losses of $83.8 million.
- Blockaid flagged over 65.4 million address poisoning transactions since January 2025, averaging more than 160,000 per day.
- Poisoning attempts surged from 628,000 in November 2025 to 3.4 million in January 2026, a 5.5x increase.
- A single address poisoning attack in December 2025 resulted in $50 million in USDT losses when a victim copied a spoofed address just 26 minutes after a test transaction.
- In January 2026, a crypto holder lost 4,556 ETH (approximately $12.4 million) after an attacker dusted their wallet for over two months.
- Sophisticated attackers now monitor the mempool for “test” transactions, the exact security practice users are taught to follow, and plant poisoned addresses in response.
- Overall, crypto phishing attack volume dropped 83% in 2025 by some measures, though the per-incident damage grew substantially.
- Social platform phishing (fake moderator accounts, impersonation of support staff) became the primary entry vector for exchange-related credential theft.
| Period | Poisoning Attempts | Confirmed Losses | Notable Incident |
| Jul 2022 – Jun 2024 | 270 million | $83.8 million | Multiple wallet drains |
| Jan 2025 – Dec 2025 | 65.4 million+ (flagged) | $50 million (single) | $50M USDT theft (Dec 2025) |
| Nov 2025 | 628,000 | N/A | Baseline before spike |
| Jan 2026 | 3.4 million | $12.4 million (single) | 4,556 ETH stolen |
Source: Carnegie Mellon CyLab, Blockaid
Cryptocurrency Scam Statistics
- Chainalysis estimated crypto scam losses at $17 billion in 2025, while TRM Labs recorded $23 billion in verified fraud and an additional $12 billion in community complaints.
- Pig butchering scams extracted $2.1 billion in the first half of 2025 alone, with the average scam payment rising 253% to $2,764.
- Impersonation scam tactics grew 1,400% year over year, often leveraging AI-generated deepfakes of exchange CEOs and crypto influencers.
- AI-enabled scam operations proved roughly 500% more profitable than traditional schemes, per Chainalysis estimates.
- Stablecoins dominated illicit transactions, accounting for 84% of verified fraud proceeds in 2025, up from roughly 70% in 2024.
- Investment scams remained the single largest fraud category, generating $7.23 billion in FBI-reported losses in the United States alone.
- Over 62% of meme coins launched in 2025 were flagged as potential rug pulls within 30 days of creation.
- Americans aged 60 and older were the most affected demographic, losing $4.43 billion to crypto scams and fraud in 2025.
| Scam Type | 2025 Losses (Est.) | YoY Change | Key Metric |
| Investment fraud | $7.23 billion (US) | +25% | 48% more complaints |
| Pig butchering | $2.1 billion (H1) | Rising | $2,764 avg payment |
| Impersonation | N/A (subset) | +1,400% | AI deepfakes |
| Recovery scams | $1.4 billion (US) | Rising | Re-targets prior victims |
| AI-enabled schemes | N/A (subset) | +500% profitability | Deepfake-driven |
Source: Chainalysis, FBI IC3, TRM Labs
Ransomware and Cryptocurrency Payments
- Total on-chain ransomware payments fell 8% to $820 million in 2025, the second consecutive year of payment stagnation.
- Claimed ransomware attacks rose 50% year over year, the most active year on record, yet fewer victims paid the ransom.
- The median ransom payment grew 368% to approximately $60,000, indicating attackers are demanding more per victim.
- The divergence between rising attacks and falling payments suggests improved backup strategies, incident response plans, and organizational resilience.
- Ransomware groups increasingly demanded payment in privacy coins and stablecoins rather than Bitcoin, complicating tracking efforts.
- Law enforcement takedowns of major ransomware groups in late 2024 disrupted several prominent gangs, contributing to the payment decline.
- The pattern we’ve documented across 18 regulatory events holds here too: major ransomware incidents (Colonial Pipeline in 2021, Change Healthcare in 2024) trigger policy responses within months.
- Despite the payment decline, the economic damage from ransomware (including downtime, recovery costs, and reputation losses) remained substantial.
| Year | Ransomware Payments | Claimed Attacks (YoY) | Median Payment |
| 2021 | $765 million | Baseline | $12,000 (est.) |
| 2022 | $457 million | +35% | $18,000 (est.) |
| 2023 | $1.1 billion | +45% | $15,000 |
| 2024 | $890 million | +30% | $12,800 |
| 2025 | $820 million | +50% | $60,000 |
Source: Chainalysis
Rug Pull and Exit Scam Data
- Rug pull incidents fell 66% in early 2025, with only 7 major incidents compared to 21 in the same period of 2024.
- Total rug pull losses surged despite fewer incidents, driven by larger individual events and the OM token collapse.
- The average amount stolen per rug pull rose to roughly $510,000 in 2025, reflecting a shift toward bigger, more sophisticated schemes.
- Hard rug pulls (where developers remove liquidity and disappear) made up 55% of cases, while soft rug pulls (gradual abandonment) accounted for 45%.
- Soft rug pulls grew 35% between 2024 and 2025, outpacing hard rug pulls in growth rate.
- Over 62% of meme coins launched in 2025 were flagged as potential rug pulls within their first 30 days.
- Improved smart contract vetting tools and community due diligence have contributed to the decline in incident count, though the remaining schemes are harder to detect.
- Industry experts project rug pulls will account for less than 40% of all crypto scams by 2027 as auditing and on-chain monitoring tools mature.
| Year | Major Rug Pulls | Total Losses | Largest Incident |
| 2021 | 100+ | $2.8 billion | Squid Game Token |
| 2022 | 85+ | $2.1 billion | FTX (debated) |
| 2023 | 45+ | $1.3 billion | Various DeFi |
| 2024 | 21 (H1) | $0.8 billion | Various |
| 2025 | 7 (H1) | $0.5 billion+ | MetaYield Farm ($290M) |
Source: DappRadar, Chainalysis
Crypto Theft Recovery Rates
- Recovery rates vary drastically by theft size: small wallet compromises see 60 to 80% recovery, while large exchange hacks achieve recovery rates below 1%.
- FBI’s Operation Level Up has prevented over $500 million in losses to date, with $225.9 million saved in 2025 alone by notifying 8,000 potential victims.
- Law enforcement seizures totaled $2.4 billion in 2024, a 17% increase from the prior year.
- The UK Metropolitan Police secured convictions leading to the world’s largest confirmed crypto seizure: over 61,000 Bitcoin (valued at roughly $5 billion).
- Interpol’s Operation HAECHI VI resulted in 1,800 arrests and $439 million in recoveries across multiple countries.
- China shut down 3,200 crypto fraud networks in 2025, reclaiming approximately $2.1 billion.
- The recovery paradox is stark: illicit crypto addresses received $158 billion in 2025 while global enforcement recovered roughly $2.4 billion in the prior year, a ratio of roughly $1 recovered for every $65 lost.
- Reporting within 24 to 72 hours of a theft dramatically increases recovery chances, as delays allow funds to move through mixers and cross-chain bridges.
| Recovery Channel | Amount Recovered/Prevented | Period | Success Metric |
| FBI Operation Level Up | $500 million prevented | 2023-2025 | 8,000 victims notified |
| Global law enforcement seizures | $2.4 billion | 2024 | 17% YoY increase |
| UK Met Police (Wen Jian case) | 61,000 BTC (~$5 billion) | 2025 | Largest confirmed seizure |
| Interpol HAECHI VI | $439 million | 2025 | 1,800 arrests |
| China fraud network shutdowns | $2.1 billion | 2025 | 3,200 networks closed |
Source: FBI, Interpol, Chainalysis
Key finding: According to Chainalysis, illicit crypto addresses received $158 billion in 2025 while global law enforcement recovered roughly $2.4 billion in 2024, a ratio of about $1 recovered for every $65 lost. This gap highlights the scale mismatch between criminal inflows and enforcement capacity, though early victim reporting within 72 hours improves recovery odds substantially.
North Korea and State-Sponsored Crypto Theft
- North Korean hackers stole $2.02 billion in cryptocurrency in 2025, a 51% increase from 2024, pushing their all-time total to $6.75 billion.
- DPRK-linked attacks accounted for 76% of all service compromises worldwide, making North Korea the dominant state-level crypto threat actor.
- The February 2025 Bybit hack ($1.5 billion) was executed by the Lazarus Group using a supply chain attack on Safe{Wallet}’s signing infrastructure after socially engineering a developer.
- The FBI designated this campaign “TraderTraitor,” describing North Korea’s approach of embedding IT workers inside crypto companies and impersonating executives to gain access.
- North Korean groups show clear preferences for Chinese-language money laundering services, with a typical 45-day laundering cycle following major thefts.
- The US government identified Cambodia-based Huione as a critical laundering node, processing at least $4 billion in DPRK-linked crypto between 2021 and 2025.
- North Korea achieved larger thefts with fewer incidents in 2025, a pattern of “big game hunting” that targets centralized services with the highest asset concentrations.
- Crypto adoption rates by country data show that the countries most targeted by DPRK hackers tend to have the largest centralized exchange user bases.
| Year | DPRK Crypto Theft | % of Global Hacks | Notable Target |
| 2021 | $0.43 billion | 14% | Various DeFi |
| 2022 | $1.65 billion | 43% | Ronin Bridge ($625M) |
| 2023 | $1.0 billion | 59% | Various exchanges |
| 2024 | $1.34 billion | 61% | DMM Bitcoin ($305M) |
| 2025 | $2.02 billion | 76% | Bybit ($1.5B) |
Source: Chainalysis, FBI, TRM Labs
Crypto Crime by Geographic Region
- California led all US states with $2.099 billion in crypto-related fraud losses in 2025, followed by Texas at $1.016 billion and Florida at $914.5 million.
- New York reported $593.4 million in crypto fraud losses, placing it fourth nationally.
- Total US crypto fraud losses ($11.36 billion) represented approximately 33% of the estimated global total.
- TRM Labs tracked $158 billion in illicit crypto flows globally in 2025, with sanctioned entities accounting for the largest share.
- Chinese escrow and money laundering services processed $103 billion in crypto in 2025, up from $123 million in 2020.
- Iran’s total crypto activity reached approximately $10 billion in 2025, with $580 million (5.9%) tied to illicit activity.
- The geographic concentration of crypto crime mirrors the concentration of crypto adoption: the US, East Asia, and Europe account for both the highest legitimate volumes and the highest fraud losses.
- State-level enforcement varies widely across the US, with California, New York, and Texas leading in both complaints filed and investigative capacity.
Regulatory Enforcement Actions
- The SEC reported total monetary penalties of $17.9 billion in fiscal year 2025, though crypto-specific enforcement declined sharply under new leadership.
- Beginning in February 2025, the SEC dismissed 7 major crypto enforcement cases, including actions against Coinbase, Consensys, Binance, and Kraken (Payward).
- The DOJ issued its “Ending Regulation by Prosecution” memo in April 2025, announcing it would focus on prosecuting individuals who victimize digital asset investors rather than imposing regulatory frameworks through enforcement.
- Globally, 21 crypto-related sanctions designations were issued across the US, UK, and EU in 2025, with 16 including specific cryptocurrency addresses.
- Tornado Cash became the first sanctioned crypto entity to be delisted in March 2025, following legal challenges and policy review.
- FinCEN and DOJ took parallel enforcement actions against Paxful, a peer-to-peer trading platform, assessing a $3.5 million penalty for AML program failures.
- The EU’s Markets in Crypto-Assets (MiCA) regulation entered full enforcement in December 2024, creating the first comprehensive crypto regulatory framework in a major jurisdiction.
- The regulatory pivot from enforcement-first to legislation-first represents what we’ve documented across 18 regulatory events: the crisis-to-license pattern, where enforcement surges after major failures and then transitions to licensing frameworks.
| Agency/Body | Action | Year | Impact |
| SEC | Dismissed 7 crypto cases | 2025 | Ended “regulation by enforcement” |
| DOJ | “Ending Regulation by Prosecution” memo | 2025 | Focus shifted to victim protection |
| EU | MiCA full enforcement | 2024-2025 | First comprehensive crypto framework |
| FinCEN/DOJ | Paxful enforcement | 2025 | $3.5M penalty for AML failures |
| US/UK/EU | 21 sanctions designations | 2025 | 16 included crypto addresses |
| OFAC | Tornado Cash delisted | 2025 | First crypto sanctions reversal |
Source: SEC, DOJ, European Council
Cryptocurrency Security Market Size
- The crypto security market reached an estimated $6.79 billion in 2026, up from $5.42 billion in 2025.
- Industry projections place the market at $26.92 billion by 2032, with a compound annual growth rate of 25.7%.
- The blockchain security market specifically was valued at $5.38 billion in 2025, with projections reaching $128.19 billion by 2032 at a 57.3% CAGR.
- Institutional custody requirements from traditional financial firms (BlackRock, Fidelity, ICE) entering the crypto market have driven enterprise-grade security spending.
- MiCA’s enforcement in the EU created mandatory security compliance requirements for all crypto asset service providers operating in Europe.
- Venture capital investment in crypto security startups remained strong through 2025, with firms focusing on transaction monitoring, wallet security, and on-chain forensics.
- The growth in security spending reflects a market reality: as the total value secured in crypto grows, the incentive for both attackers and defenders increases proportionally.
- Bug bounty programs across major protocols exceeded $100 million in total payouts cumulatively, creating financial incentives for white-hat researchers.
| Year | Crypto Security Market | Blockchain Security Market | Key Driver |
| 2024 | $4.3 billion (est.) | $3.4 billion | ETF institutional demand |
| 2025 | $5.42 billion | $5.38 billion | MiCA enforcement, exchange hacks |
| 2026 | $6.79 billion | $7.1 billion (est.) | Institutional custody standards |
| 2030 | $18 billion (est.) | $60 billion (est.) | Global regulatory frameworks |
| 2032 | $26.92 billion | $128.19 billion | Full market maturity |
Source: company filings, public data
Frequently Asked Questions (FAQs)
How much cryptocurrency was stolen in 2025?
Hackers stole <strong>$3.4 billion</strong> in cryptocurrency through direct exploits in 2025, per Chainalysis. The FBI separately recorded <strong>$11.36 billion</strong> in crypto fraud losses reported by US victims. Combined global losses from scams, hacks, and fraud are estimated at <strong>$17 billion</strong>.
What is the most common type of crypto attack?
Infrastructure attacks (compromised private keys, social engineering, and supply chain manipulation) caused <strong>76%</strong> of hack losses in 2025. Smart contract code exploits, once the dominant attack vector, now represent a smaller share as attackers target human operators rather than protocol code.
How much cryptocurrency has North Korea stolen?
North Korean state-sponsored hackers have stolen a cumulative <strong>$6.75 billion</strong> in cryptocurrency. In 2025 alone, DPRK-linked groups stole <strong>$2.02 billion</strong>, including the <strong>$1.5 billion</strong> Bybit hack attributed to the Lazarus Group by the FBI.
What percentage of stolen crypto is recovered?
Recovery rates depend heavily on theft size. Small wallet compromises see <strong>60 to 80%</strong> recovery, while large exchange hacks typically recover less than <strong>1%</strong> of stolen funds. Globally, law enforcement seized approximately <strong>$2.4 billion</strong> in crypto assets in 2024.
Are crypto hacks increasing or decreasing?
Annual hack totals fluctuate based on whether a mega-exploit occurs. Q1 2026 losses fell <strong>88%</strong> year over year to <strong>$168.6 million</strong>, but a single large hack could reverse that trend. The long-term pattern shows improving DeFi security alongside growing state-sponsored threats.
Conclusion
The FBI’s $11.36 billion in reported crypto fraud losses for last year underscores the scale of the security challenge facing the cryptocurrency industry. Hackers stole $3.4 billion through exploits, scammers extracted an estimated $17 billion, and North Korean state actors continued to escalate their operations to $2.02 billion in a single year.
The data reveals two defining patterns. First, crypto security’s primary vulnerability has shifted from code to people: off-chain attacks, social engineering, and compromised credentials caused 76% of hack losses, a trend that no amount of smart contract auditing alone can address. Second, the recovery paradox persists, with law enforcement recovering roughly $1 for every $65 lost to crypto crime, though early reporting and improved blockchain forensics are narrowing that gap.
Crypto investors, exchange operators, security professionals, and regulators can use these statistics to benchmark risks, allocate security budgets, and shape policy. Q1 this year data (an 88% decline in hack losses) offers cautious optimism that improved auditing, proof-of-reserves reporting, and institutional-grade custody standards are producing measurable results. Whether that trend holds through the rest of this year will depend on whether the industry can address its most persistent weakness: the humans who operate the systems.
