According to ChainCatcher, market sources indicate that while 2025 was the worst year on record for hacking in the cryptocurrency world, most of the losses stemmed from Web2-style operational errors such as password leaks and social engineering, rather than on-chain code vulnerabilities.
Immunefi CEO Mitchell Amador pointed out that on-chain security is improving significantly, with the main attack surface shifting to human vulnerabilities. He believes that 2026 will be the best year for on-chain security as code becomes increasingly difficult to exploit, but this also means that attackers will turn to more sophisticated social engineering and AI-assisted fraud.
Chainalysis' annual report also confirms this trend, with data showing approximately $17 billion in cryptocurrency losses to fraud and scams in 2025. Impersonation scams increased by 1,400% year-on-year, while AI-driven scams were 450% more profitable than traditional methods.
Amador also warned that over 90% of projects still have critical exploitable vulnerabilities, and the adoption rate of industry protection tools is extremely low: fewer than 1% of industry participants use firewalls, and fewer than 10% use AI detection tools. He stated that AI will change the pace of both offense and defense in 2026, and the rise of on-chain AI agents will bring entirely new attack surfaces. How to properly protect these autonomous decision-making systems will become the main security challenge of the next cycle.



