Most crypto exploits in the coming year won't be caused by a zero-day flaw in your favorite protocol, crypto security experts say. They will be caused by you.
The year 2025 has shown that most hacks don't start with malicious code; they start with a conversation, Nick Percoco, chief security officer at crypto exchange Kraken, told Cointelegraph.
“Attackers don’t break in, they’re invited.”
Data from Chainalysis shows that the crypto industry experienced over $3.4 billion in theft from January to early December 2025, with the Bybit compromise in February accounting for nearly half of that total.
Over $3.4 billion was stolen by criminals this year. Source: Chainalysis
In that attack, the attackers gained access through social engineering and injected a malicious JavaScript payload that allowed them to alter transaction details and siphon funds.
What is social engineering?
Social engineering is a cyberattack method that manipulates people into revealing sensitive information or taking actions that compromise security.
Percoco said the battle over cryptocurrency security will be fought in the mind, not in cyberspace.
“Security is no longer about building higher walls, but about training the mind to recognize manipulation. The goal should be simple: Don't hand out the keys simply because someone looks like they belong there, or because it causes panic.”
Tip 1: Use automation wherever possible
Supply chain compromises have also emerged as a key challenge this year, according to Percoco, as a seemingly minor breach can later prove devastating because “it’s a digital Jenga tower and the integrity of every block counts.”
For the coming year, Percoco recommends reducing human trust points through measures such as automating defenses where possible and authenticating every digital interaction, in order to “move from reactive defense to proactive prevention.”
“The future of crypto security will be characterized by smarter identity verification and AI-driven threat detection. We are entering an era where systems can detect abnormal behavior before the user, or even a trained security analyst, notices that something is wrong.”
“Especially in cryptocurrencies, the weakest link remains human trust, reinforced by greed and FOMO. This is the loophole that attackers exploit every time. But no technology replaces good habits,” he added.
Tip 2: Silo off infrastructure
Lisa, SlowMist's head of security, said malicious actors have increasingly targeted developer ecosystems this year, which, combined with cloud credential leaks, has created opportunities to inject malicious code, steal secrets and corrupt software updates.
“Developers can mitigate these risks by keeping track of dependency versions, verifying package integrity, isolating build environments, and verifying updates before deployment,” she said.
In 2026, Lisa predicts that the biggest threats will likely come from increasingly sophisticated credential theft and social engineering operations.
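The "verify package integrity" step above is the one that is cheapest to automate and most often skipped. The following is an added example, not SlowMist's or the article's own code: it implements the check pip performs with `--require-hashes`, in plain Python so the logic is visible. Every artifact must match a sha256 digest pinned in a lockfile, an unpinned requirement is refused outright, and an artifact that is not in the lockfile at all is never accepted. All package names, versions, file contents and digests are constructed for the demo and have no relation to real packages.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream the file so large wheels do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_lockfile(text: str) -> dict:
    """Parse 'name==version --hash=sha256:<hex> ...' lines into {req: {hex, ...}}.

    A requirement without any sha256 pin is rejected outright: an unpinned
    dependency is exactly the gap a poisoned registry upload slips through.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        req = parts[0]
        prefix = "--hash=sha256:"
        hashes = {p[len(prefix):].lower() for p in parts[1:] if p.startswith(prefix)}
        if not hashes:
            raise ValueError(f"{req}: no sha256 pin, refusing unpinned dependency")
        pins[req] = hashes
    return pins


def verify_artifact(req: str, artifact: Path, pins: dict) -> bool:
    """True only if the artifact's digest is one of the lockfile's pins for req."""
    allowed = pins.get(req)
    if allowed is None:
        return False  # not in the lockfile at all: never install it
    return sha256_of_file(artifact) in allowed


def demo() -> dict:
    """Build two fake wheels and a lockfile, then run the check on each.

    Returns a dict of outcomes so the behaviour can be asserted on.
    """
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed artifacts: hypothetical package names, not real projects.
        good = d / "hypothetical_sdk-1.4.2-py3-none-any.whl"
        good.write_bytes(b"constructed wheel contents, version 1.4.2\n")
        tampered = d / "hypothetical_rpc-0.9.0-py3-none-any.whl"
        tampered.write_bytes(b"constructed wheel contents, with an injected payload\n")

        # The lockfile pins the sdk wheel to its real digest and the rpc
        # package to the digest of the *expected* (untampered) contents.
        expected_rpc = hashlib.sha256(b"constructed wheel contents, version 0.9.0\n").hexdigest()
        lock = (
            "# constructed lockfile\n"
            f"hypothetical-sdk==1.4.2 --hash=sha256:{sha256_of_file(good)}\n"
            f"hypothetical-rpc==0.9.0 --hash=sha256:{expected_rpc}\n"
        )
        pins = parse_lockfile(lock)
        results = {
            "good_accepted": verify_artifact("hypothetical-sdk==1.4.2", good, pins),
            "tampered_rejected": not verify_artifact("hypothetical-rpc==0.9.0", tampered, pins),
            "unknown_rejected": not verify_artifact("hypothetical-extra==2.0.0", good, pins),
        }
        try:
            parse_lockfile("hypothetical-unpinned==3.0.0\n")
            results["unpinned_rejected"] = False
        except ValueError:
            results["unpinned_rejected"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

In a real build the same check is `pip install --require-hashes -r requirements.txt` (or the equivalent lockfile mode of npm, cargo or go modules); the point of spelling it out is that the lockfile, not the registry, is the source of truth, so the lockfile itself must be reviewed and committed like code.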
Source: SlowMist
“Threat actors are already using AI-generated deepfakes, tailored phishing and even fake developer recruitment tests to obtain wallet keys, cloud credentials and signature tokens. These attacks are becoming increasingly automated and convincing, and we expect this trend to continue,” she said.
To stay secure, Lisa advises firms to implement strong access control, key rotation, hardware-backed authentication, infrastructure segmentation, and anomaly detection and monitoring.
Individuals should rely on hardware wallets, avoid interacting with unverified files, confirm identities across independent channels, and treat unsolicited links or downloads with caution.
Tip 3: Proof of personhood in the fight against AI deepfakes
Steven Walbroehl, co-founder and chief technology officer of blockchain cybersecurity firm Halborn, predicts that AI-powered social engineering will play a major role in crypto hackers' playbooks.
In March, at least three crypto founders reported foiling an attempt by suspected North Korean hackers to steal sensitive data through fake Zoom calls that used deepfakes.
Walbroehl warns that hackers are using AI to create highly personalized, context-aware attacks that bypass traditional security awareness training.
To address this, he proposes implementing cryptographic identity proofing for all critical communications, hardware-based authentication with biometric binding, anomaly detection systems that learn normal transaction patterns, and verification protocols based on pre-shared secrets or phrases.
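A pre-shared phrase read aloud on a call is only a weak version of the idea, since a phrase that has been said once can be recorded and replayed. The stronger form Walbroehl's "cryptographic identity proofing" points at, and which also serves Lisa's advice to confirm identities across independent channels, is a challenge-response: the verifier sends a fresh random challenge, the other party returns an HMAC over that challenge, the current time and the exact request being authorized, computed with a secret agreed in person beforehand. A deepfake can imitate a voice or a face but cannot produce that tag. This is an added example, not Halborn's, SlowMist's or the article's own code; the secrets, the request string and the clock values are constructed for the demo.

```python
import hashlib
import hmac
import secrets

MAX_SKEW_SECONDS = 60  # how stale a response may be before it is refused


def new_challenge() -> bytes:
    """Fresh 128-bit nonce from the OS CSPRNG; never reuse one."""
    return secrets.token_bytes(16)


def _message(challenge: bytes, issued_at: int, request: str) -> bytes:
    # Length-prefix the request so field boundaries are unambiguous.
    req = request.encode("utf-8")
    return challenge + issued_at.to_bytes(8, "big") + len(req).to_bytes(4, "big") + req


def respond(psk: bytes, challenge: bytes, request: str, now: int) -> tuple:
    """The party proving identity returns (timestamp, hex tag)."""
    tag = hmac.new(psk, _message(challenge, now, request), hashlib.sha256).hexdigest()
    return now, tag


def verify(psk: bytes, challenge: bytes, request: str, issued_at: int, tag: str, now: int) -> bool:
    """Accept only a fresh tag computed over this challenge and this exact request."""
    if abs(now - issued_at) > MAX_SKEW_SECONDS:
        return False
    expected = hmac.new(psk, _message(challenge, issued_at, request), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def demo() -> dict:
    """Run the genuine exchange plus four attacks against it; all values constructed."""
    psk = secrets.token_bytes(32)           # agreed in person beforehand
    impostor_psk = secrets.token_bytes(32)  # a deepfake caller has no better than a guess
    request = "approve treasury transfer: 500 USDC to 0x1111111111111111111111111111111111111111"
    now = 1_700_000_000                     # constructed clock value
    ch = new_challenge()

    ts, tag = respond(psk, ch, request, now)
    _, bad_tag = respond(impostor_psk, ch, request, now)
    # Replay: the genuine tag presented against a *new* challenge.
    replay_ch = new_challenge()
    # Substitution: the genuine tag presented for a different request.
    swapped = request.replace("0x1111111111111111111111111111111111111111",
                              "0x2222222222222222222222222222222222222222")
    return {
        "genuine_accepted": verify(psk, ch, request, ts, tag, now + 5),
        "impostor_rejected": not verify(psk, ch, request, ts, bad_tag, now + 5),
        "replay_rejected": not verify(psk, replay_ch, request, ts, tag, now + 5),
        "swapped_request_rejected": not verify(psk, ch, swapped, ts, tag, now + 5),
        "stale_rejected": not verify(psk, ch, request, ts, tag, now + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

Binding the request text into the MAC is what makes the response useless for anything other than the transfer it was issued for, and the freshness window means a recording of today's call cannot be cashed in tomorrow. In practice the tag is exchanged over a channel independent of the one the request arrived on (a separate messaging app, or read from an authenticator-style device), so a compromised Zoom or email account alone is not enough.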
Tip 4: Keep your crypto to yourself
According to a GitHub list maintained by Bitcoin OG and cypherpunk Jameson Lopp, wrench attacks, physical attacks on crypto holders, were also a major theme in 2025, with at least 65 cases recorded. The previous worst year on record was the 2021 bull market peak, with a total of 36 attacks recorded.
An X user under the pseudonym Beau, a former CIA officer, said in an
Source: Beau
He also suggests becoming a “hard target” by using data-scrubbing tools to hide private personal information such as home addresses, and by investing in defenses such as surveillance cameras and alarm systems.
Tip 5: Don't skimp on proven security tips
David Schwed, a security expert who served as chief information security officer at Robinhood, said his best tip is to stick with reputable firms that demonstrate vigilant security practices, including rigorous and regular third-party security audits of their entire stack, from smart contracts to infrastructure.
Regardless of technology, however, Schwed says users should avoid reusing the same password across multiple accounts, opt for a hardware token as their multifactor authentication method, and protect the seed phrase through secure encryption or offline storage in a secure physical location.
He also recommends using a dedicated hardware wallet for large holdings and minimizing holdings on exchanges.
“Security depends on the interaction layer. Users must remain extremely vigilant when connecting a hardware wallet to a new web application and must thoroughly validate the transaction data displayed on the hardware device's screen before signing. This prevents the ‘blind signing’ of malicious contracts,” Schwed added.
Lisa said her top tips are to only use official software, avoid interacting with unverified URLs, and separate funds into hot, warm and cold configurations.
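What "validate the transaction data on the device's screen" means concretely is comparing the decoded calldata against what the web page claims you are doing. The following is an added example, not Schwed's or the article's own code: it decodes the two most common ERC-20 calls, `transfer(address,uint256)` and `approve(address,uint256)`, from raw calldata and lists every way the payload disagrees with the user's stated intent. The two 4-byte selectors are the standard ones for those signatures; the addresses, amounts and the "honest" and "malicious" payloads are constructed for the demo. The malicious case is the classic swap a compromised front end makes: the page says "send 1 token", the wallet is asked to sign an unlimited approval to an attacker address.

```python
# Standard ERC-20 selectors: first 4 bytes of keccak256 of the canonical signature.
SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
}
UINT256_MAX = 2**256 - 1


def decode_erc20_call(calldata_hex: str) -> dict:
    """Decode selector + (address, uint256) ABI arguments from raw calldata."""
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    if len(data) != 4 + 32 + 32:
        raise ValueError(f"unexpected calldata length {len(data)}")
    name = SELECTORS.get(data[:4].hex())
    if name is None:
        raise ValueError(f"unknown selector 0x{data[:4].hex()}")
    addr_word, amount_word = data[4:36], data[36:68]
    # An address occupies the low 20 bytes of its 32-byte word; the high 12 must be zero.
    if any(addr_word[:12]):
        raise ValueError("malformed address argument")
    return {
        "function": name,
        "address": "0x" + addr_word[12:].hex(),
        "amount": int.from_bytes(amount_word, "big"),
    }


def compare_with_intent(calldata_hex: str, intended_function: str,
                        intended_address: str, intended_amount: int) -> list:
    """Return every discrepancy between what will be signed and what the user intends.

    An empty list means the device screen and the web page agree.
    """
    d = decode_erc20_call(calldata_hex)
    problems = []
    if d["function"] != intended_function:
        problems.append(f"function is {d['function']}, expected {intended_function}")
    if d["address"].lower() != intended_address.lower():
        problems.append(f"counterparty is {d['address']}, expected {intended_address}")
    if d["amount"] != intended_amount:
        problems.append(f"amount is {d['amount']}, expected {intended_amount}")
    if d["function"].startswith("approve") and d["amount"] == UINT256_MAX:
        problems.append("unlimited approval: the spender could drain the whole token balance")
    return problems


def encode_erc20_call(selector_hex: str, address: str, amount: int) -> str:
    """ABI-encode selector + (address, uint256); used here only to build the demo inputs."""
    return "0x" + selector_hex + "00" * 12 + address[2:].lower() + amount.to_bytes(32, "big").hex()


# Constructed scenario: the user intends to send 1 token (18 decimals) to ALICE.
ALICE = "0x1111111111111111111111111111111111111111"      # constructed
DRAINER = "0x2222222222222222222222222222222222222222"    # constructed attacker address
INTENT = ("transfer(address,uint256)", ALICE, 10**18)

# Honest dApp: calldata matches the intent shown in the browser.
HONEST_CALLDATA = encode_erc20_call("a9059cbb", ALICE, 10**18)
# Malicious dApp: the page says "transfer 1 token", the payload is an
# unlimited approve() to the attacker's address.
MALICIOUS_CALLDATA = encode_erc20_call("095ea7b3", DRAINER, UINT256_MAX)

if __name__ == "__main__":
    print("honest:", compare_with_intent(HONEST_CALLDATA, *INTENT))
    print("malicious:", compare_with_intent(MALICIOUS_CALLDATA, *INTENT))
```

A hardware wallet with "clear signing" support performs this decoding on the device, which is why the values shown on its screen, not the values rendered by the web page, are the ones to read before pressing confirm. If the device can only show an opaque hash, that is blind signing, and the user has no way to detect the substitution above.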
To combat increasingly sophisticated scams such as social engineering and phishing, Kraken's Percoco recommends “radical skepticism” at all times: verify authenticity and assume that every message is an awareness test.
“And one universal truth remains: No legitimate company, no legitimate service and no legitimate opportunity will ever ask for your seed phrase or login credentials. If they do, you're talking to a scammer,” Percoco added.
Walbroehl, meanwhile, recommends generating keys with cryptographically secure random number generators, strictly separating development and production environments, regular security audits, and incident response planning with regular drills.
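The first of Walbroehl's recommendations is worth seeing from the attacker's side, because the failure is silent: a key drawn from a general-purpose PRNG looks just as random as one from a CSPRNG. The following added example, not Halborn's or the article's own code, puts the anti-pattern next to the correct form. The weak function seeds Python's Mersenne Twister from a small integer (standing in for a timestamp fragment or a counter) and the `recover_seed` function shows how cheaply an attacker reproduces that key; the secure function draws from the OS CSPRNG and range-checks the result against the secp256k1 group order, which is the real constant. The victim seed and the search range are constructed for the demo.

```python
import random
import secrets

# secp256k1 group order: a valid private key is an integer in [1, n-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def weak_private_key(seed: int) -> int:
    """INSECURE, shown only as the anti-pattern: Mersenne Twister seeded from a
    small value. Anyone who can guess the seed regenerates the exact key."""
    return random.Random(seed).getrandbits(256)


def secure_private_key() -> int:
    """Draw 256 bits from the OS CSPRNG and reject anything outside [1, n-1].

    Rejection sampling keeps the distribution uniform over the valid range
    instead of biasing it with a modular reduction.
    """
    while True:
        k = int.from_bytes(secrets.token_bytes(32), "big")
        if 1 <= k < SECP256K1_N:
            return k


def recover_seed(target_key: int, seed_space: range):
    """Attacker's view: brute-force the seed space until the key is reproduced."""
    for seed in seed_space:
        if weak_private_key(seed) == target_key:
            return seed
    return None


def demo() -> dict:
    victim_seed = 4242  # constructed: stands in for a timestamp fragment or counter
    leaked_key = weak_private_key(victim_seed)
    strong = secure_private_key()
    return {
        "weak_seed_recovered": recover_seed(leaked_key, range(0, 10_000)) == victim_seed,
        "strong_in_range": 1 <= strong < SECP256K1_N,
        "strong_not_repeating": strong != secure_private_key(),
    }


if __name__ == "__main__":
    print(demo())
```

The brute force here covers ten thousand seeds in well under a second; a 32-bit seed space is a few minutes on commodity hardware, which is why the seed of a non-cryptographic PRNG is never an acceptable source of key material, however unpredictable it looks to the developer.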
