A new report by cybersecurity firm CertiK reveals that over $2.1 billion in crypto assets were stolen in the first five months of 2025—not through code exploits or smart contract bugs, but through human-focused attacks such as phishing, impersonation, and social engineering.
“We’re not losing billions to vulnerabilities in code. We’re losing it to vulnerabilities in people.”
— CertiK Security Report, June 2025
The Numbers: A Shift in Attack Strategy
According to CertiK, nearly 78% of crypto losses in 2025 came from social engineering schemes. This marks a dramatic shift in attacker priorities, with many choosing to bypass technical defenses entirely and instead target:
- Wallet seed phrases via fake websites and support agents
- Private keys through impersonated services and phishing emails
- DeFi platform admins via deepfake video calls or cloned Discord accounts
- Mobile users through fake apps on Android
Why Social Engineering Works
Attackers have moved beyond spammy scams to highly targeted, personalized approaches:
- Fake tech support chats that mimic official services
- LinkedIn messages from accounts posing as VCs or investors
- Deepfake video calls impersonating team members
- Sophisticated fake wallets, even in the Google Play Store
The key advantage? These attacks are cheap, scalable, and bypass technical audits entirely.
Prevention Starts With Awareness
For Individuals:
- Never share your seed phrase, even with someone claiming to be from a wallet provider
- Bookmark official websites – avoid clicking links in emails or DMs
- Use hardware wallets where possible
- Enable 2FA and withdrawal whitelists
For Organizations:
- Train team members in phishing detection and fake communication traps
- Use multi-sig wallets to prevent single-point compromise
- Monitor impersonation attempts across social platforms
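The two list items above that deal with fake websites (bookmarking official sites rather than following links, and monitoring impersonation attempts) both come down to one check: does the hostname a user is about to visit actually belong to a trusted domain, or merely resemble one? The following Python script is an added example written for this page, not code from CertiK or from the report. The allowlist (`examplewallet.com`, `exampledex.io`), the sample URLs, and the small confusable-character table are all constructed for illustration; a production checker would use a public-suffix list and the full Unicode confusables data rather than the shortcuts here.

```python
"""Lookalike-domain checker: flag hostnames that imitate a bookmarked, trusted domain.

Added example, not part of the CertiK report. TRUSTED_DOMAINS, the sample URLs and
the confusable tables are constructed; the tables are a hand-picked subset only.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the "bookmarked official websites" a user or team trusts.
TRUSTED_DOMAINS = {"examplewallet.com", "exampledex.io"}

# Hand-picked characters attackers substitute for Latin letters
# (Cyrillic homoglyphs, digits, punctuation) plus multi-character look-alikes.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}


def skeleton(host: str) -> str:
    """Map a hostname to a canonical 'skeleton' so visually similar names collide."""
    host = host.lower().rstrip(".")
    # Punycode (xn--) labels are decoded so homoglyphs become visible to the table.
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or an undecodable label: compare as-is
    out = "".join(CONFUSABLES.get(ch, ch) for ch in host)
    for seq, rep in MULTI_CONFUSABLES.items():
        out = out.replace(seq, rep)
    return out


def registrable(host: str) -> str:
    """Last two labels of the host (simplification: real code uses a public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the hostname in url."""
    if "//" not in url:
        url = "https://" + url  # urlsplit needs a scheme to find the host
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    # Genuine: exactly a trusted domain, or a real subdomain of one.
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    skel = skeleton(host)
    reg = registrable(skel)
    for t in trusted:
        brand = t.split(".")[0]
        if reg == skeleton(t):          # homoglyph / punycode imitation
            return "lookalike"
        if levenshtein(reg, t) <= 2:    # typosquat within two edits
            return "lookalike"
        if brand in skel and reg != t:  # brand buried in an unrelated domain
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links of the kind found in phishing emails or DMs.
    samples = [
        "https://examplewallet.com/login",
        "https://app.exampledex.io/swap",
        "https://examplewalet.com/restore",
        "https://ex\u0430mplewallet.com/",
        "https://examplewallet.com.secure-verify.net/reset",
        "https://news.example.org/article",
    ]
    for s in samples:
        print(f"{classify_url(s):9s} {s}")
```

A verdict of `lookalike` is the signal to block the link in a mail filter or to raise an alert in the impersonation-monitoring feed; `unknown` is simply a domain outside the allowlist and needs a human decision. Because the trusted check runs on the raw host before any normalisation, a genuine subdomain such as `app.exampledex.io` is never mistaken for a fake.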
“People are trusting logos and avatars over verification and process. That's the real exploit vector now.”
The Bigger Picture
While blockchain protocols continue to improve their security, humans remain the weakest link in crypto. Experts say the industry must invest more in security UX, education, and verification standards—or losses will continue to rise.
The report sends a clear signal: audited code is not enough. We need educated users.
Source
Full report: CertiK Blog, June 2025
