
Crypto Endless War: Human-Centric Attacks Drive 2.47B Losses in H1 2025

Redoracle Team | Original | 8/27/25 | About 7 min | News

Tags: hacking, phishing, social-engineering, bybit, wallet, private-key, MFA, investors, incidents, losses, exchanges, scams, human-error, threat-actors, analytics, audits, crypto-ecosystem


Introduction

This report synthesizes recent industry analysis that frames 2025 as a pivotal year in crypto security. Key voices, including CertiK co-founder Ronghui Gu and market analytics from AInvest, indicate a shift in attacker focus from code-level exploits to human-centric manipulation. Hacking, phishing, social engineering and operational mistakes contributed to roughly 2.47 billion dollars in losses in the first half of 2025. The largest single event was the Bybit breach on February 21, 2025, which accounted for approximately 1.4 billion dollars of the total. This article unpacks the timeline, the tactics used, the actors involved, and the defensive implications for exchanges, wallets, auditors and investors.

Executive snapshot: the “endless war” and the scale of 2025 losses

Key points at a glance

  • Endless war concept: Ronghui Gu frames the security landscape as an ongoing asymmetric struggle where defenders must secure many code paths while attackers need only one vulnerability to succeed.
  • Scale of losses: Total reported losses in H1 2025 reached about 2.47 billion dollars across hacks, scams and exploits.
  • Largest incident: The Bybit breach on February 21, 2025 is reported as the largest crypto hack to date at roughly 1.4 billion dollars and heavily shaped the period total.
  • Quarterly movement: CertiK data show a 52 percent decline in total dollar losses from Q1 2025 to Q2 2025 with Q2 totaling around 800 million dollars but still registering 144 incidents.
  • Concentration of risk: Fewer incidents in Q2 did not translate to negligible losses, underscoring concentration of value in high severity events.

What happened: incidents, scale and notable examples

Shift in attack focus

  • Phishing and social engineering emerged as dominant vectors in 2025 as attackers targeted wallets, private keys and approval flows.
  • Operational risks such as private key compromise accounted for approximately half of 2024 incidents and continued to drive losses into 2025.

Notable examples

  • An investor lost about 3 million dollars in USDT after signing a malicious transaction following a deceptive prompt.
  • A wallet-draining event produced nearly 900 thousand dollars in losses from a malicious approval that was signed 458 days earlier, an exploitation of long-tail risk.
  • A Reddit user reported a 16 thousand dollar loss from a compromised account despite multiple security layers, highlighting how social engineering can circumvent robust controls.
  • The Bybit breach on February 21, 2025 totaled roughly 1.4 billion dollars and remains the largest single exploit recorded in crypto.

Who is involved: key actors and stakeholders

Actors cited in the reporting

  • Ronghui Gu: Professor of computer science at Columbia University and CertiK co-founder, who coined the phrase "endless war" to describe persistent attacker adaptation.
  • CertiK: Blockchain security firm offering audits and monitoring, which produced the quarterly perspective on incidents and losses.
  • Bybit: Centralized exchange that experienced the large February incident and serves as an example of how high-value venues remain attractive targets.
  • Investors and wallet holders: Typical victims of phishing links, malicious approvals and key mismanagement.
  • Security analysts and data firms: Organizations such as Nansen and other analytics providers that trace flows and help attribute activity.

When and where: timing, scope and cross-border risk

Timeframe and chronology

  • Focus period: first half of 2025, with the Bybit event on February 21, 2025 as a pivotal moment.
  • Q2 2025 statistics show about 800 million dollars lost across 144 incidents, representing a 52 percent decrease in dollar value from Q1 2025 but continued high incident counts.

Geographic scope

  • Incidents affected exchanges, wallets and individual users worldwide.
  • Phishing and social engineering operate across borders, making attribution and containment more complex.

Why this shift matters: the role of human behavior in security

Core dynamics

  • As protocol code and audits improve, attackers pivot to the human operators who authorize transactions and manage private keys.
  • Human-centric vulnerabilities include mistaken approvals, superficial address validation and susceptibility to personalized social engineering.
  • The economic calculus favors attackers who can induce a single erroneous approval to realize outsized gains.

How attacks are evolving and what it implies for defense

Evolving attacker tactics

  • Primary vectors include phishing, social engineering, malicious approvals, wallet draining and misuse of private keys.
  • Attackers are increasingly using AI-assisted personalization to craft more convincing lures and prompts.
  • Long-tail exploitation occurs when a prior approval or compromise is leveraged months or more later for theft.

Defensive implications

  • Stronger multi-factor authentication (MFA) and enhanced behavioral analytics are necessary but not sufficient.
  • User education must be continuous and practical, focusing on common cognitive shortcuts such as verifying only the first and last characters of an address.
  • Layered approval processes and delayed or staged transaction confirmation can reduce single-point failures for high-value transfers.
  • Incident detection and response should better integrate forensic analytics to spot anomalous approvals and abnormal flow patterns early.
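
Two of the points above lend themselves to an automated pre-signing check: comparing full addresses instead of only their first and last characters, and reviewing old or unlimited approvals. The sketch below is an added example, not code from the report or from CertiK; the addresses, spender names, approval records and the 4-character and 90-day thresholds are constructed assumptions.

```python
from datetime import date, timedelta

UNLIMITED = 2**256 - 1  # maximum uint256, widely used as an "infinite" allowance

def _norm(addr):
    """Lower-case an address and drop the 0x prefix."""
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a

def lookalike(candidate, trusted, n=4):
    """Return the trusted address that candidate imitates, else None.

    An imitation matches the first and last n hex characters of a trusted
    address but is not the same address.
    """
    c = _norm(candidate)
    for t in trusted:
        k = _norm(t)
        if c != k and c[:n] == k[:n] and c[-n:] == k[-n:]:
            return t
    return None

def risky_approvals(approvals, today, max_age_days=90):
    """List (spender, reasons) for approvals that are unlimited or old."""
    flagged = []
    for a in approvals:
        age = (today - a["granted"]).days
        reasons = []
        if a["allowance"] >= UNLIMITED:
            reasons.append("unlimited")
        if age > max_age_days:
            reasons.append(f"age {age}d")
        if reasons:
            flagged.append((a["spender"], reasons))
    return flagged

# Constructed sample data (not real addresses or approvals).
TRUSTED = "0x" + "a1b2" + "0" * 32 + "c3d4"
SPOOFED = "0x" + "a1b2" + "f" * 32 + "c3d4"  # same ends, different middle
TODAY = date(2025, 8, 3)
APPROVALS = [
    {"spender": "spender-A", "allowance": UNLIMITED,
     "granted": TODAY - timedelta(days=458)},
    {"spender": "spender-B", "allowance": 500,
     "granted": TODAY - timedelta(days=10)},
]

if __name__ == "__main__":
    print(lookalike(SPOOFED, [TRUSTED]))
    print(risky_approvals(APPROVALS, TODAY))
```

A wallet or custody workflow could run checks like these before presenting a transaction for signature and block or escalate on any hit.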

Implications and conclusions: what this means for the crypto security landscape

High level implications

  • Human-factor security will remain the primary battlefield even as cryptography and code audits improve.
  • The industry must complement technical controls with a people-centered security posture, including education, MFA and behavioral monitoring.
  • Exchanges, developers, custodians and individual investors must plan for resilience because attackers adapt rapidly.

Operational recommendations

  • Implement rigorous approval policies for high-value actions, requiring multiple independent confirmations.
  • Invest in continuous user awareness programs and simulated phishing drills.
  • Use behavioral analytics to flag unusual signing patterns and automate containment when suspicious activity is detected.

Key quotes and supporting data

  • "As long as there is a weak point or some vulnerabilities out there, sooner or later they will be discovered by these attackers. So it is an endless war" (Ronghui Gu, CertiK co-founder and Columbia University professor)

  • H1 2025 losses: about 2.47 billion dollars. Bybit breach: about 1.4 billion dollars, the largest crypto hack to date. Q2 2025: about 800 million dollars across 144 incidents, roughly 52 percent down from Q1 2025.

  • Approximately half of 2024 security incidents were due to operational risks such as private key mismanagement. Phishing and social engineering drive much of the 2025 risk.

Detailed analysis: CertiK survey and AInvest synthesis

Survey of reporting

  • Both CertiK and AInvest portray an environment in which technical auditing and improved protocol design have not eliminated systemic risk, because attackers are shifting toward human-centric targets.
  • The endless war metaphor captures the iterative nature of improvement and exploitation where attackers require a single failure point to cause major damage.

Drivers behind the pivot

  • Increased security at protocol and contract layers pushes attackers to lower-friction, high-yield approaches targeting human behavior.
  • Widespread adoption of wallets and on-chain approvals creates many daily decision points where cognitive errors can be induced.
  • AI tools enable attackers to scale personalized social engineering campaigns at low cost.

What the loss figures imply

  • The first-half total of 2.47 billion dollars nearly matches 2024 full-year totals, suggesting escalation in value targeted or concentrated successful attacks.
  • A large single event can skew totals, showing that high-value guardianship is a systemic vulnerability for the ecosystem.

Future attack strategies

  • Expect more AI-assisted spear phishing targeted at institutional custodians and high-net-worth investors.
  • Attackers will continue to exploit approval flows and third-party signing patterns that rely on superficial visual checks.

Key data points: chronology and timeline

  • February 21, 2025: Bybit breach, roughly 1.4 billion dollars, the largest recorded crypto hack
  • First half of 2025: total losses about 2.47 billion dollars across hacks, scams and exploits
  • Q2 2025: roughly 800 million dollars lost across 144 incidents, representing a 52 percent reduction in dollar value from Q1 2025 while incident counts remain high
  • August 6, 2025: an investor lost about 3 million dollars in USDT after signing a malicious transaction
  • August 3, 2025: wallet approval exploitation produced nearly 900 thousand dollars in losses, traced back 458 days to the original fraudulent approval

Structural elements: stakeholders and references

Stakeholders

  • Ronghui Gu: CertiK co-founder and Columbia University professor
  • CertiK: blockchain security audits, monitoring and analytics
  • Bybit: exchange, an example of a centralized venue impacted by a major event
  • Individual investors and wallet holders: often targeted by phishing and malicious approvals
  • Security researchers, forensic analysts and analytics providers: tracing and reporting incident flows

Primary references

  • CertiK analysis and public statements summarizing H1 2025 incident data and commentary
  • AInvest reporting on the 2.47 billion dollars figure and the trend toward human centric attacks
  • Cointelegraph coverage of CertiK comments and Bybit incident analysis

Themes, patterns and implications

Themes

  • Human-centered risk is paramount even as audits and code improvements advance
  • Attackers pursue the weakest operational link, whether that link is a single approval or a compromised key
  • AI-enhanced social engineering amplifies the effectiveness of phishing and tailored scams

Patterns

  • Losses concentrate in a few very large incidents while many smaller events persist
  • Operational risk remains a durable root cause across years and requires people-centered mitigation
  • Visual and cognitive shortcuts such as superficial address verification remain a common exploitation path

Implications for stakeholders

  • Exchanges, custodians and auditors must embed user awareness and behavioral monitoring into security operations
  • Individuals must adopt strong MFA, careful approval practices and skepticism toward unexpected prompts
  • Industry standards may evolve to formalize procedures for high-value approvals and multi-party confirmations

SQ3R applied: section-by-section paraphrase

  • Survey: The focus is a shift from code exploits to human targeting, combined with large-scale losses in H1 2025.
  • Question: Why are attackers pivoting to human error, and what do current loss figures mean for defenders and users?
  • Read: Reporting shows CertiK and AInvest data focusing on Bybit, the rise of phishing and examples of wallet approval abuse.
  • Recite: The ecosystem faces a persistent asymmetric battle where human error is the most exploitable surface.
  • Review: H1 2025 totals and incident examples support an urgent need to integrate human-centered defenses into technical security programs.

Fact checking and references

Use these sources to verify figures, event dates and quoted remarks.

Engaging summary

This analysis presents a clear narrative for 2025: crypto security is an ongoing asymmetric conflict where defenders improve code and audits while attackers concentrate on human-centric vulnerabilities. With first-half losses at about 2.47 billion dollars and a single Bybit event accounting for roughly 1.4 billion dollars, the period demonstrates the disproportionate impact of high-value breaches. Phishing, social engineering, malicious approvals and private key mismanagement are now primary vectors. The path forward requires integrating technical hardening with sustained user education, robust MFA and behavioral analytics to detect anomalous approvals before funds move.

Question for readers: What practical changes would your organization prioritize to harden human touch points such as wallet approvals and custodial workflows in light of the patterns shown in H1 2025?

Fact checking note: Verify incident dates quoted above and the aggregated loss figure of 2.47 billion dollars against primary reporting from CertiK, Cointelegraph and AInvest to confirm context and attribution.
