Complexity and Strategy: The Emerging Threat Landscape in Crypto Security

What new security challenges did cryptocurrency projects face during the first half of 2025, and how should both professionals and everyday users respond to these challenges? Read about it in the interview with Grigory Osipov, Director of Investigations at Shard, featured in the July issue of FLMonthly.

Grigory: Hacker activity has significantly increased compared to last year. The number of incidents is rising, and more individuals are becoming victims of attacks and scams.

If we look at the figures from the first half of the year, the damage to the crypto industry, including the impact from Bybit, has reached approximately $2.1 billion, equating to the total for all of 2024. So far, we have documented around 200 relatively significant hacks.

Excluding Bybit (~$1.4 billion), the figures for the previous and current years would be roughly equal. However, this incident has set a precedent and significantly increased the stakes.

The number of victims has also comparably risen. It’s important to note another aspect: many hacks today remain latent.

Numerous platforms and projects that have experienced attacks are reluctant to disclose these incidents. The community often learns about them through blockchain detectives, which poses reputational and economic risks. This means that clients, realizing a service is insecure, are unlikely to return.

Grigory: Attacks have become more sophisticated and methodical, with the tools used by attackers also evolving, particularly with the help of artificial intelligence.

Currently, the most common type of attack involves social engineering combined with phishing. This entails manipulating employees of crypto services or company workers to infiltrate vulnerable systems, blending social tactics with traditional hacking methods.

Smart contract vulnerabilities come next, affecting decentralized services.

Thirdly, the use of liquidity in projects for market manipulation is significant. Lastly, there are vulnerabilities in multisig wallets, which are partially related to the Bybit hack.

In summary, 2025 is characterized by an intensified focus on social engineering. Rather than merely attacking a service, there is now thorough information gathering about the service, training of personnel, exploration of the information landscape, and even the creation of deepfakes.

Grigory: A trend has emerged where groups are increasingly dominating over individual “enthusiasts.” This is primarily due to the scale of operations.

The hacks of Bybit, Phemex, and the Iranian Nobitex exchange are all substantial and planned. Such operations require high-level skills and coordination across various areas, as well as access to technical tools and funding. This implies a necessary budget.

While individual hackers still exist, we see a clear trend towards organized group hacking.

Regarding the “evolution” of attacks, as I mentioned, social engineering has become more prevalent. Hackers now study victim profiles first, utilizing hacked accounts for phishing emails, giveaways, and fake tokens.

They also compromise accounts of public figures to launch scam tokens or airdrops. There was a recent phishing attack against CoinMarketCap where the frontend was compromised. This indicates that even large services are vulnerable to hacks.

Insider threats are also on the rise, involving individuals planted within companies to gain access to internal systems or cryptographic keys. DeFi is also experiencing this issue.

There are attacks directed at employees, where a deceptive file, such as a “test task” containing malicious code, is sent, creating a security breach.

When it comes to AI, the hype is likely much higher than its actual utility. Many analytical reports tout artificial intelligence as a tool that hackers regularly use to conduct attacks. Fortunately, the reality is somewhat different.

It’s clear that neural networks are utilized for crafting phishing emails or creating fake websites. However, this merely serves as a preparatory tool. The number of hacks fully executed with the help of AI remains at zero.

Grigory: It seems to me that this narrative is also blown out of proportion. In a way, the argument goes that your equipment could be exploited for mining, and you don’t even realize it while your computer is slowed down.

This was indeed relevant in 2017-2018 when mining was possible on a CPU or home graphics card. Now, this method is not very effective, and making a profit from it is practically impossible.

Today, it’s far more interesting for hackers to gather information from a victim’s computer regarding crypto addresses and access keys, rather than engaging in so-called cryptojacking.

Grigory: The rise of state-sponsored hacker groups is also a developing trend. The Lazarus Group has been around for quite some time and is a prominent example of this type.

As cryptocurrency continues to integrate into the global economy, we can expect to see an increase in such groups. It’s more advantageous for government entities to control and utilize these groups for their own purposes than to dismantle them.

This essentially represents a facet of information warfare. The hack of Nobitex by an Israeli team underscores this reality. Here, we clearly see manipulative hacking aimed not at enrichment but at inflicting damage on Iranian infrastructure.

What happens if each state assembles its own “army of hackers”? Likely, this would further the ongoing cyber information war. New battlegrounds will emerge, prompting countries to adopt innovative strategies and develop cyber weaponry.

Naturally, the more economically powerful a state is, the more it will invest in the training and establishment of cyber groups.

It’s hard to predict who will comprise these groups and on what basis. However, this world awaits us if the realm of digital payments continues to evolve. As the internet and digital technologies become more prevalent in our lives, the fight will shift there, and such groups will represent the interests of specific parties.

Clearly, elements of chaos will emerge. We will see groups arise that are governmental, intergovernmental, ideological, and possibly even religious.

Grigory: These are risks of various orders. From a user’s perspective, decentralized finance appears particularly vulnerable. There is no regulation, and DeFi protocols have consistently ranked high in terms of hacks compared to other platforms.

Most attacks arise from vulnerabilities in smart contracts or through oracle manipulations. Furthermore, errors can also be made by representatives of decentralized platforms themselves.

With centralized exchanges, the situation is different. Besides the risk of a cyber attack, regulatory factors must be considered. The latter is often linked to users’ desire to remain independent and confidential, while processes like KYC interfere with this.

There have been numerous instances where clients on centralized exchanges had their assets frozen, which could only be “unlocked” with legal assistance.

In conclusion, risks exist everywhere, so caution is necessary when interacting with both CeFi and DeFi.

Grigory: Yes, unfortunately, a significant number of hacks and frauds are committed by individuals posing as official representatives of services. Hackers and wrongdoers actively exploit this mechanism to convince users to provide their keys or click on dubious links.

The proliferation of such incidents is alarming. We recently had a case where an individual seeking employment in Germany was asked to produce a certificate from Bybit via email to verify income, after which their account access and funds were stolen.

To draw an analogy: crypto services are akin to banks or similar institutions that will rarely contact you out of the blue. Essentially, exchanges will not reach out to you asking you to click on links.

The general principle of safety is that if you receive an email from the platform asking you to take any action, you should verify this information through official support channels.

Grigory: I don’t want to sound clichéd, repeating the need for strong passwords and two-factor authentication, nor about creating and securely storing keys and seed phrases.

One of the best ways to secure crypto assets is to use a separate phone or device exclusively for handling them. Nowadays, a smartphone is the central storage location for coins for most of us.

If you are not selecting a cold wallet for storing cryptocurrency, then opt for a separate mobile phone designated for this purpose. Avoid using crypto applications on personal devices, as they may have other, less secure programs.

Additionally, it’s crucial to regularly update your software and maintain good cyber hygiene, including the installation of firewalls and antivirus programs. There are now protective programs that defend against dust attacks that substitute addresses with similar ones.

Often, users falter in terms of digital hygiene. Do not take photos of or store passwords or seed phrases in notes.

Nonetheless, all these precautions may become meaningless when an individual falls under the psychological manipulation of scammers. If they get hooked, the majority of their security measures may be breached due to pressure.
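The address-substitution ("dust" or address-poisoning) pattern mentioned above, shown as an added example that is not part of the interview or of Shard's tooling: a small Python guard that flags a destination mimicking the visible head and tail of a trusted address, and picks out the zero-value transfers that planted the look-alike in the transaction history. The address book, the addresses and the history are all constructed.

```python
"""Address-poisoning guard: a wallet UI truncates addresses to 0x1a2b...9a0b, so an
attacker sends a zero-value "dust" transfer from a twin that matches those characters,
hoping the victim later copies it from history. Added example; all data is constructed."""

from dataclasses import dataclass

# Constructed address book: labels the user actually trusts.
ADDRESS_BOOK = {
    "exchange-deposit": "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b",
    "friend": "0xabcdef0123456789abcdef0123456789abcdef01",
}

@dataclass(frozen=True)
class Transfer:
    sender: str
    amount: float  # token units; 0 marks a dust transfer

# Constructed inbound history: one genuine deposit, one poisoning twin, one unrelated.
POISONER = "0x1a2b" + "9" * 32 + "9a0b"
HISTORY = (
    Transfer(ADDRESS_BOOK["exchange-deposit"], 1.5),
    Transfer(POISONER, 0.0),
    Transfer("0x" + "7" * 40, 0.2),
)

def normalize(addr: str) -> str:
    """Hex addresses may carry EIP-55 mixed case; compare them case-insensitively."""
    return addr.strip().lower()

def looks_alike(candidate: str, trusted: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when candidate differs from trusted but shares the head (after 0x) and tail
    that truncated displays show, which is exactly what a poisoned twin imitates."""
    c, t = normalize(candidate), normalize(trusted)
    if c == t or len(c) != len(t):
        return False
    return c[:2 + prefix] == t[:2 + prefix] and c[-suffix:] == t[-suffix:]

def classify_destination(dest: str, book: dict = ADDRESS_BOOK) -> str:
    """'trusted' for an exact match, 'lookalike' for a poisoned twin, else 'unknown'."""
    if any(normalize(dest) == normalize(a) for a in book.values()):
        return "trusted"
    if any(looks_alike(dest, a) for a in book.values()):
        return "lookalike"
    return "unknown"

def poisoned_senders(history, book: dict = ADDRESS_BOOK):
    """Senders of zero-value transfers that mimic a trusted address: the dust pattern."""
    return [t.sender for t in history
            if t.amount == 0 and any(looks_alike(t.sender, a) for a in book.values())]
```

A wallet integration would refuse or require explicit confirmation for a "lookalike" verdict and hide the senders returned by `poisoned_senders` from the copyable history.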

Grigory: Their protective measures are indeed robust. Among all asset storage methods, this one is probably the safest.

However, in pursuit of affordability, individuals may make mistakes. Counterfeit or modified devices that steal your funds often appear on marketplaces. Aim to purchase cold wallets only from official suppliers.

Grigory: We’ve already established that there are two camps. Centralized crypto exchanges are subject to regulatory oversight and implement compliance policies for client identification verification.

A large exchange no longer provides the same level of access as it did three or four years ago. And wrongdoers are well aware of all the nuances. It’s evident that from a paranoid standpoint, we’re all being chipped and identified, with all our data going into registries, and controlling bodies knowing how much income we have and how we use it.

However, to put it simply, criminals realize that withdrawing funds to a centralized exchange necessitates identification. Even if drop accounts are used there, information on IP addresses remains and can lead to identifying the person.

Thus, engaging with services that comply with such procedures significantly reduces money laundering risks, while AML systems can identify addresses linked to criminal activity.

The idea is quite noble. The question remains as to how it is implemented considering the issues in international relations and the lack of regulation.

On the flip side, criminals who understand that they cannot use centralized exchanges for cashing out will rarely resort to them. Instead, mixers and DEXs are predominantly used.

Grigory: It’s probably difficult to offer a single piece of advice. For users, it’s important to DYOR — do your own research. No platforms or services are invested in this like you are.

Everyone is looking to earn and entice users. While services certainly consider security and reputation, individuals ultimately choose where to invest their funds.

For projects and platforms, my recommendation is to implement systematic data protection. Cybersecurity is advancing to a new level. It’s no longer sufficient to set up some protection and conduct an audit.

Active and systematic protection is vital, as threats are continually evolving. Consequently, countermeasures must remain on an appropriate level.