The Shifting Risks in Crypto Security: From Hacks to Sophisticated Scams
The cryptocurrency ecosystem has long grappled with security threats, but the landscape is evolving rapidly. In 2025, the world witnessed a surge in high-profile hacks, with North Korean actors stealing $2.02 billion in a single year, a 51% increase from 2024. However, by 2026, the narrative has shifted. Scams, once considered less sophisticated than technical breaches, now outpace hacks in both frequency and financial impact. For institutional investors, this transition demands a reevaluation of risk management strategies, insurance models, and due diligence frameworks.
The 2025 Hacking Surge: A False Sense of Security
In 2025, the crypto sector faced a wave of catastrophic breaches. The Bybit hack in February 2025 alone accounted for $1.5 billion in losses, representing 44% of the year's total $3.4 billion in stolen funds. These incidents were characterized by their scale and the involvement of state-sponsored actors, who exploited vulnerabilities in centralized exchanges and private key systems. North Korean hackers, in particular, demonstrated advanced tactics, including embedding IT workers within crypto firms and using AI-driven social engineering to impersonate executives.
While these hacks dominated headlines, they also created a false sense of security. Institutional investors focused heavily on fortifying infrastructure (improving encryption, deploying multi-signature wallets, and enhancing exchange security) while underestimating the human element. Yet, as 2026 data reveals, the real threat has shifted from technical vulnerabilities to psychological manipulation.
The 2026 Scam Explosion: A New Era of Deception
By 2026, scams had eclipsed hacks as the primary vector of financial loss. Global scam-related thefts are projected to exceed $5 billion, with the U.S. alone reporting $5.2 billion in losses. Unlike hacks, which often target centralized systems, scams exploit individual and institutional trust through social engineering, fake platforms, and AI-generated deepfakes.
Consider the case of AstraX, a fraudulent trading platform that defrauded a California resident of $5,000 by fabricating a margin call. Or b2c2-amm.com, a scam site that lured victims into joint-investing schemes before vanishing with their funds. These examples illustrate a broader trend: scammers are no longer reliant on technical exploits. Instead, they weaponize human psychology, leveraging AI to create hyper-realistic phishing campaigns, fake customer support interactions, and even AI-generated voices to mimic trusted contacts.
The financial impact is staggering. In 2026, scams accounted for 60% of all crypto-related losses, surpassing the $5 billion mark. Meanwhile, hack losses, though still significant, declined by 60% in December 2025 to $76 million, driven by improved infrastructure security. This does not signal a reduction in overall risk but rather a strategic pivot by cybercriminals toward softer targets: individuals and institutions ill-prepared for social engineering attacks.
Implications for Institutional Investors
For institutional investors, the rise of scams necessitates a paradigm shift in risk management. Traditional approaches focused on securing infrastructure, such as cold storage, multi-factor authentication, and smart contract audits, are insufficient against scams that bypass technical defenses entirely.
1. Revisiting Due Diligence
Institutional investors must adopt a "zero-trust" mindset when evaluating partnerships or investments. For example, the 2025 rug-pull scam, which saw losses of nearly $6 billion, exploited weak governance in decentralized finance (DeFi) protocols. Investors now need to scrutinize not only codebases but also the teams behind projects, their communication channels, and the authenticity of their claims.
2. Enhancing AML/KYC Frameworks
Regulatory bodies are tightening Anti-Money Laundering (AML) and Know Your Customer (KYC) requirements, but compliance alone is not enough. Institutions must integrate AI-driven tools to detect anomalies in transaction patterns, such as sudden large withdrawals or transfers to known scam addresses. The U.S. GENIUS Act of 2026, which established a regulatory framework for stablecoins, is a step in the right direction but must be paired with proactive due diligence.
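The two signals named above (sudden large withdrawals and transfers to known scam addresses) can be screened with a small rule set. This is an added example, not from the original article: it uses a median/MAD outlier score rather than an AI model, and the account names, addresses, amounts and thresholds are constructed assumptions.

```python
from statistics import median

# Constructed sample data: placeholder addresses, not real indicators.
SCAM_ADDRESSES = {"addr-scam-placeholder"}
TRANSACTIONS = [  # (account, destination, withdrawal amount in USD)
    ("treasury-1", "addr-exchange", 1000), ("treasury-1", "addr-exchange", 1200),
    ("desk-2", "addr-custodian", 50000),   ("treasury-1", "addr-exchange", 900),
    ("treasury-1", "addr-exchange", 1100), ("treasury-1", "addr-exchange", 1050),
    ("treasury-1", "addr-scam-placeholder", 1150),  # normal size, bad destination
    ("desk-2", "addr-custodian", 52000),
    ("treasury-1", "addr-new", 250000),             # sudden large withdrawal
    ("desk-2", "addr-new", 400000),                 # large, but too little history
    ("treasury-1", "addr-exchange", 1000),
]

def robust_z(amount, past):
    """Modified z-score from median and MAD, so one old outlier cannot skew it."""
    med = median(past)
    mad = median([abs(x - med) for x in past])
    if mad == 0:  # history is constant: any larger amount is an outlier
        return float("inf") if amount > med else 0.0
    return 0.6745 * (amount - med) / mad

def screen(transactions, denylist, z_threshold=3.5, min_history=5):
    """Return (index, account, reasons) for every transaction that needs review."""
    baseline, alerts = {}, []
    for idx, (account, dest, amount) in enumerate(transactions):
        seen = baseline.setdefault(account, [])
        reasons = []
        if dest in denylist:
            reasons.append("denylisted_destination")
        # Accounts with a short history are not scored: a cold-start gap that
        # has to be covered by a manual approval step.
        if len(seen) >= min_history and robust_z(amount, seen) > z_threshold:
            reasons.append("unusually_large_withdrawal")
        if reasons:
            alerts.append((idx, account, reasons))
        else:
            seen.append(amount)  # flagged transfers never enter the baseline
    return alerts

if __name__ == "__main__":
    for alert in screen(TRANSACTIONS, SCAM_ADDRESSES):
        print(alert)
```

The `desk-2` transfer of 400000 passes unflagged because the account has fewer than `min_history` prior withdrawals, which is why a rule like this complements rather than replaces human approval for new accounts.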
3. Insurance and Risk Transfer
The insurance sector is lagging behind the pace of scam innovation. While traditional cyber insurance covers data breaches and ransomware, it often excludes losses from social engineering or phishing. Institutions must push insurers to expand coverage to include scam-related losses, particularly those involving AI-generated fraud. For instance, the $16 million phishing scam targeting Coinbase users in late 2025 highlights the need for policies that address human error.
4. Education and Awareness
Finally, institutions must prioritize education. Employees and stakeholders must be trained to recognize AI-generated deepfakes, phishing attempts, and fake customer support channels. The rise of "wrench attacks" (physical threats to coerce private key disclosure) further underscores the need for holistic security training.
The Road Ahead: Adapting to a Human-Centric Threat
The 2026 data is clear: scams are now the dominant threat in crypto security. While technical hacks remain a concern, their frequency has declined as infrastructure improves. Scams, by contrast, exploit the weakest link in any system: human psychology.
For institutional investors, this means rethinking risk management from the ground up. The tools and strategies that worked in 2025 (fortifying exchanges, improving encryption) are no longer sufficient. The future belongs to organizations that treat scams as a systemic risk, investing in education, AI-driven detection, and robust compliance frameworks.
As the crypto ecosystem matures, so too must its defenses. The question is no longer whether scams will outpace hacks; they already have. The real challenge lies in adapting to a threat landscape where the enemy is not just code, but trust itself.
