Hackers in the cryptocurrency space are shifting their focus from traditional smart contract flaws to manipulating individuals through social engineering tactics, as per Web3 security firm CertiK. The company reports that over $2.1 billion has already been lost to crypto-related attacks in 2025.
Most of the damage stems from wallet breaches, which far outpace all other attack vectors in terms of losses.
Wallet Compromises Inflict Most Damage
The report revealed that despite accounting for only 23 reported incidents, wallet compromises led to a whopping $1.6 billion in losses, making it the most damaging category by far. In comparison, phishing incidents were the most frequent, with 114 cases resulting in approximately $401.5 million in losses.
Next up was code vulnerabilities, which were nearly as common, with 100 incidents leading to $281.6 million in losses, highlighting the continued threat posed by insecure smart contracts and flawed implementations.
Interestingly, access control issues were reported 19 times but caused relatively lower financial damage at $14.1 million, while exit scams, despite being notoriously difficult to track and recover from, totaled just 9 incidents and $1.6 million in losses.
Price manipulation attacks were similarly limited in scope, with 15 cases and $8.1 million in damages. The stark contrast between the frequency and financial impact across incident types indicated a critical insight: while phishing and code vulnerabilities are more common, wallet compromises result in disproportionately higher losses. This suggests that attackers are increasingly targeting high-value wallets.
Crypto Attacks Claimed $140M in May
In May alone, the total amount lost to a combination of exploits, hacks, and scams came down to approximately $140.1 million after $162 million in assets linked to these incidents was successfully frozen. Sui-based decentralized exchange, Cetus, topped with $225 million in losses.
Of the total losses, Code vulnerabilities and phishing emerged as two major threat vectors during the month, accounting for roughly $230 million and $47.6 million in stolen funds, respectively. Meanwhile, around $8.5 million resulted specifically from wallet-draining attacks.
