Mid-Year 2025 Crypto Crime Report

1. Introduction

The first half of 2025 has proven challenging for the blockchain and cryptocurrency ecosystem, characterized by fewer but significantly more devastating security incidents. Although the number of crypto crime incidents slightly decreased compared to previous years, financial losses have surged dramatically, reaching an unprecedented total of approximately $2.4 billion (reflecting only major hacks, exploits, and large-scale breaches). APT (Advanced Persistent Threat) groups and organized cybercriminal networks have employed advanced and modular attack techniques, resulting in substantial asset losses and significantly impacting user trust and confidence.

This evolving threat landscape has been marked by increasingly complex scams, phishing, social engineering attacks, and other exploitative tactics. Notable emerging threats include deepfake-enabled fraud, targeted social engineering scams, and highly sophisticated "address poisoning" attacks, underscoring the adaptability and innovation of malicious actors within the crypto space.

In response to these rising security challenges, Blockscope has established itself as an essential ally to law enforcement, regulatory bodies, exchanges, and individual investors. With cutting-edge blockchain forensics, real-time transaction monitoring, and its advanced AI Investigator platform, Blockscope significantly enhances the ecosystem's capabilities to swiftly identify, investigate, and mitigate emerging threats.

This report utilizes Blockscope’s analytical insights to deliver a comprehensive overview of the crypto crime and blockchain security landscape, providing industry stakeholders with critical intelligence and actionable recommendations to protect digital assets and uphold ecosystem integrity.

2. State of crypto crime in 2025

The first half of 2025 has been challenging for crypto and blockchain security, with losses due to hacks, exploits, and security incidents spiking to nearly $2.4 billion. Although the second quarter witnessed a decline in the number of hacks, the financial severity of these incidents remained high. Ethereum experienced the largest share of these losses, amounting to approximately $1.7 billion, largely driven by the Bybit breach in February.

Phishing remained a prominent threat in 2025, resulting in approximately $420 million in losses from over 130 major incidents. Additional fraudulent activities, such as Social Engineering Attacks, Address Poisoning, Deepfakes, ATM Scams, and Pig Butchering schemes, continued to significantly impact both novice and seasoned crypto users, highlighting the evolving tactics employed by malicious actors.

First six months losses in 2025 due to Crypto Exploits

2.1 Crypto Exploits in the First Half of 2024 vs 2025

The first half of 2025 marked a significant and concerning escalation in cryptocurrency-related losses. While H1 2024 saw approximately 223 incidents resulting in around $1.43 billion in losses, H1 2025 recorded fewer major incidents (around 120-144, though total security incidents were higher at 344), yet the total financial impact surged to approximately $2.47 billion. This represents a staggering 65% increase year-over-year and highlights a trend towards fewer but substantially larger "whale" hacks, with the average loss per incident jumping from about $3.1 million in H1 2024 to $7.18 million in H1 2025.

The dramatic increase in 2025's losses was primarily driven by two colossal breaches: the unprecedented Bybit hack in February, which alone accounted for roughly $1.4 billion in stolen assets (making it the largest crypto theft ever and likely tied to the Lazarus Group), and the Cetus Protocol incident in May, involving a $225 million loss (though $162 million was recovered).

Metric           | H1 2025                             | H1 2024
-----------------+-------------------------------------+------------------------------------------
Total Incidents  | ~120-140                            | ~223
Total Losses     | $2.4 billion                        | $1.43 billion
Largest Exploit  | Bybit Hack (~$1.4 B)                | DMM Bitcoin (~$304 M)
Attack Vectors   | Wallet Compromise, Phishing Attacks | Private Key Compromises, Phishing Attacks

In the first half of 2025, the cryptocurrency ecosystem witnessed a notable shift in attack patterns. Decentralized Finance (DeFi) protocols continued to be a frequent target, accounting for approximately 92 reported incidents and around $470 million in losses. This highlights persistent vulnerabilities within smart contracts, governance mechanisms, and the need for more rigorous security audits in the DeFi space. However, Centralized Exchanges (CEXs), despite experiencing fewer incidents (around 11 reported cases), suffered disproportionately higher financial losses, totaling approximately $1.88 billion. This indicates that while CEXs might be harder to breach, successful attacks on these platforms yield significantly larger payouts due to their vast liquidity and centralized infrastructure, making them high-value targets for sophisticated actors, including state-sponsored groups.

The most financially impactful attack type was wallet compromises, which alone resulted in approximately $1.7 billion in stolen assets across 34 incidents. These breaches often stem from compromised private keys or inadequate wallet management practices. Phishing and other social engineering-based attacks continued to affect users heavily, reinforcing the human vulnerability in crypto security.

Furthermore, new social engineering techniques like "ClickFix" attacks (a phishing tactic where users are tricked into clicking a fake “fix” button, which silently grants hackers access to their wallet or tokens) saw a rapid surge, becoming a significant threat alongside other persistent fraudulent activities such as rug pulls, ATM scams, and pig butchering schemes. This evolving threat landscape emphasizes the critical need for both robust technical security and enhanced user education.

3.1 Major Exploits and Security Incidents

As previously mentioned, while DeFi protocols experienced the highest number of incidents, centralized exchanges (CEXs) were responsible for the largest share of total losses. The Bybit cold wallet breach in February 2025 alone accounts for approximately 60% of all losses so far this year, representing a single-point failure that dramatically influenced the overall numbers. The second largest exploit was the Cetus Protocol breach, which occurred in May 2025 and resulted in an estimated loss of $223 million. Blockscope conducted thorough investigations into both the Bybit Hack and the Cetus Protocol Exploit.

Blockscope Tracer visualizing the May 2025 Cetus Protocol exploit, showing the exploiter receiving bridged funds from SUI to ETH.

Without these two significant incidents, total losses for 2025 would stand at around $690 million, indicating that the broader trend may not be as severe as the headline figures suggest. Together, the top 10 largest attacks of H1 2025 collectively caused approximately $2.02 billion in losses, highlighting the outsized impact of high-profile breaches on the ecosystem’s overall security posture.

Top 10 Crypto Exploits in H1 2025 (Ranked by Funds Lost)

3.2 Rare and Unique Exploits

Beyond the high-value incidents, H1 2025 also saw several unique and noteworthy exploits that highlight emerging vulnerabilities and sophisticated attack methodologies.

1. The SIR Protocol Exploit was a rare incident stemming from the improper handling of transient storage, specifically leveraging nuances within EIP–1153. This technical vulnerability allowed attackers to manipulate temporary data storage, leading to unauthorized operations and highlighting the complexities of new EIP implementations.

The attacker exploited the improper handling of Transient Storage (EIP-1153) of the SIR Vault
Blockscope Cluster Analysis shows various tokens and contracts being created and controlled by the Exploiter

2. The Nobitex Hack in June 2025 stands out due to its geopolitical nature, as an Israeli hacker group Gonjeshke Darande attacked Iran's largest crypto exchange, Nobitex, resulting in an estimated $82 million loss. This incident involved not only financial theft but also a breach of the exchange's infrastructure, highlighting a new dimension of state-affiliated cyber warfare in the cryptocurrency space.

Hackers exploited Nobitex across multiple chains using vanity addresses. Blockscope Tracer visualizes the token transfers on multiple networks in a single unified graph.

3. A sophisticated EIP-7702 Phishing Attack on May 24, 2025, led to a user loss of $146,551, orchestrated by the Inferno Drainer group. This rare phishing method exploited the EIP-7702 contract delegation mechanism by tricking users into authorizing a legitimate MetaMask EIP-7702 Delegator. This allowed for bulk token approval phishing operations, bypassing many traditional anti-phishing tools focused on transfer blocking, and revealing new risks associated with delegation, such as private key leakage and multi-chain contract code inconsistencies.

4. Crypto Crime Tactics

Beyond large-scale hacks and exploits, scams aimed at deceiving individual users remain a persistent and rapidly evolving threat in 2025. Throughout this year so far, a range of sophisticated fraud tactics has continued to drain millions in user funds by exploiting gaps in knowledge, trust, and digital security habits. From address poisoning to romance scams and deepfake-driven tricks, these scams show how quickly crypto criminals adapt. The following sections highlight the most notable fraud methods shaping the crypto crime landscape in the first half of 2025.

4.1 Address Poisoning

Address poisoning is a scam tactic where attackers send zero-value transactions from wallet addresses that closely resemble a victim’s trusted recipient address, often differing by just a few characters. These spoofed addresses appear in the wallet’s transaction history, tricking users into mistakenly copying and sending funds to the attacker’s address. This method has remained a persistent and costly scam in 2025, exploiting user habits and transaction history features across blockchains like Ethereum. Recent on-chain research and security reports estimate that address poisoning has led to over $83 million in reported losses so far this year, affecting both individual users and institutional wallets.

In May 2025, a significant address poisoning case came to light in which a trader (0x86c0…) accidentally transferred approximately $2.6 million to a scammer address due to multiple spoofed zero-value transactions. The fraudster generated numerous vanity addresses similar to the intended recipient’s, flooding the victim’s transaction history to confuse the sender. Using Blockscope’s Tracer tool, our team mapped the victim’s transaction flow, revealing a clear pattern of spoofing and redirection that made the scam possible.

Blockscope Tracer visualizes the incident, clearly showing how the scammer received the $2.6M instead of the genuine recipient.
Blockscope Wallet Profiler detects multiple vanity addresses used to spoof and confuse victims.

Red Flags

Unexpected zero-value transactions to lookalike addresses appearing in wallet histories.

Solutions

To prevent this type of fraud, Blockscope recommends verifying recipient addresses carefully before signing transactions. Our Wallet Profiler can flag suspicious recipient wallets and provide risk scores, while our Transaction Simulator helps institutions test and confirm transaction paths before funds are released. As always, crypto users should double-check copy-pasted addresses and avoid relying solely on transaction history when sending high-value transfers.
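The following is an added example of the kind of lookalike check described above; it is not Blockscope's Wallet Profiler or Transaction Simulator code. It walks a wallet's transfer history, treats addresses that have actually received non-zero value as trusted, flags every zero-value transfer whose counterparty matches the displayed prefix and suffix of a trusted address, and refuses a pending send to such a lookalike. The `Transfer` record, the prefix/suffix widths, and every address and transaction hash are constructed for the example.

```python
# Added example (not Blockscope's code): a heuristic address-poisoning
# detector over a wallet's transfer history. All addresses and tx hashes
# below are constructed placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx_hash: str        # constructed placeholder, not a real transaction
    counterparty: str   # the other side of the transfer
    value_wei: int      # 0 for the zero-value "poison" transfers
    outgoing: bool      # True if our wallet was the sender


def looks_alike(a: str, b: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True if a and b share leading and trailing hex characters but are not
    the same address. Wallet UIs typically render 0x + first 4 + ... + last 4,
    which is exactly the part a vanity-address generator is tuned to match."""
    a, b = a.lower(), b.lower()
    if a == b or len(a) != len(b):
        return False
    return a[: 2 + prefix] == b[: 2 + prefix] and a[-suffix:] == b[-suffix:]


def trusted_counterparties(history) -> set:
    """Addresses this wallet has actually paid non-zero value to."""
    return {t.counterparty.lower() for t in history
            if t.outgoing and t.value_wei > 0}


def find_poisoning_candidates(history):
    """Return (suspect, mimicked_trusted_address, tx_hash) for every
    zero-value transfer whose counterparty is a lookalike of a trusted one.
    Both directions matter: the poison may arrive as dust sent to the victim
    or appear as a zero-value token transfer recorded as sent by the victim."""
    trusted = sorted(trusted_counterparties(history))
    flagged = []
    for t in history:
        if t.value_wei != 0:
            continue
        for good in trusted:
            if looks_alike(t.counterparty, good):
                flagged.append((t.counterparty.lower(), good, t.tx_hash))
    return flagged


def safe_to_send(history, recipient: str) -> bool:
    """Pre-send check: the exact trusted address passes; a flagged lookalike
    is refused; anything else is neither known-good nor known-bad and passes
    this particular check (other checks should still apply)."""
    r = recipient.lower()
    if r in trusted_counterparties(history):
        return True
    return all(suspect != r for suspect, _, _ in find_poisoning_candidates(history))


# Constructed sample: one genuine payment, then poison transfers from an
# address that matches the first four and last four hex characters.
GOOD = "0x1a2b" + "c" * 32 + "9f9f"
FAKE = "0x1a2b" + "d" * 32 + "9f9f"
OTHER = "0x" + "5" * 40

SAMPLE_HISTORY = [
    Transfer("0xtx1", GOOD, 10**18, True),   # real 1 ETH payment to GOOD
    Transfer("0xtx2", FAKE, 0, False),       # zero-value dust from the lookalike
    Transfer("0xtx3", OTHER, 0, False),      # zero-value but not a lookalike
    Transfer("0xtx4", FAKE, 0, True),        # zero-value token transfer recorded as sent by us
]

if __name__ == "__main__":
    for suspect, good, tx in find_poisoning_candidates(SAMPLE_HISTORY):
        print(f"{tx}: {suspect} mimics trusted {good}")
    print("send to FAKE allowed?", safe_to_send(SAMPLE_HISTORY, FAKE))
```

The prefix and suffix widths should match what the wallet actually displays; a UI that shows six characters at each end needs the check widened accordingly, and the comparison must always be against the full address, never the abbreviated form.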

Wallet Profiler provides you with the risk score of a wallet, frequently interacted counterparties' information, along with all transaction history and holdings.

4.2 Pig Butchering

Pig butchering, or "Sha Zhu Pan," is a hybrid romance and investment scam and one of the most common crypto crime strategies being used today. It is often run by organized syndicates, who pose as romantic partners to lure victims into fake crypto "investments." According to the UNODC 2025 report, the scam has spread far beyond Asia and fuels an estimated $64 billion in global losses each year.

Source: FBI

New FTC data shows reported fraud losses in the US jumped to $12.5 billion in 2024, with investment scams - mainly crypto pig butchering - being the top category for consumer financial losses. Early 2025 figures show the trend remains strong, with victims being groomed for weeks through dating apps and "wrong number" messages, only to lose everything when fake investment sites block withdrawals and demand fake "taxes."

The rise of AI and deepfake technology has made scams like pig butchering, impersonator scams, and fraudulent investment schemes much easier for criminals to execute. AI deepfake generators, deepfake video calls, AI-generated KYC documents, and similar tools have contributed substantially to these scams.

Scammers now use deepfakes to impersonate public figures or officials, such as fake FBI agents or Elon Musk videos, defrauding victims of millions every year.

Increasingly, these scams are used in combination—for example, pig butchering often leads victims to invest in fake crypto projects or Ponzi schemes. Deepfake video calls and realistic AI-generated personas can convince victims they are speaking with a real person, strengthening trust and making romance scams even more convincing and difficult to detect.

Initiatives like Operation Level Up by the FBI and Operation Shamrock by ex-law enforcement professionals help educate the public on how to spot scams and where to report them. As per the FBI, Operation Level Up, which started in January 2024, has so far notified nearly 6,000 victims of investment fraud and, as per an estimate in April 2025, has saved nearly $359 million in losses.

Red Flags

Indicators for pig butchering include sudden unsolicited messages from strangers who quickly become friendly and romantic, then pitch crypto or investment opportunities. Watch for new users sending large payments to unknown wallets, or small returns that mimic genuine profits. Also, be wary of any destination wallet connected to known laundering hubs like Huione Pay, Haowang Guarantee, or other scam-linked services.

A random email or a DM on Telegram or WhatsApp can often be the entry point for a pig butchering scam. Being part of an “investment group” that repeatedly asks for taxes or fees to release your funds is another major red flag.

Solutions

The best solution is awareness, helping people recognize these scams and spot red flags early. Companies like Blockscope play a vital role by detecting suspicious transaction patterns and tracing address histories linked to known fraud clusters. If someone interacts with an entity directly or indirectly connected to an illicit network, Blockscope’s analytics tools can alert users and institutions in real time.

In addition, public scam URL repositories like Better Business Bureau, ScamSmart, Chainabuse, and ScamShield provide up-to-date lists of fake sites, making it easier for users and investigators to block scams before funds are lost.

4.3 Social Engineering

In the first half of 2025, social engineering attacks remained one of the biggest threats to crypto security, proving once again that no sophisticated technology can fully protect against the “human factor.” From high-profile incidents like the Bybit cold wallet breach to the recent Coinbase data leaks, many of this year’s largest losses have roots in well-planned social engineering campaigns.

A striking example is the wave of attacks targeting Coinbase users. Attackers bribed overseas customer support contractors to leak KYC information, including names, addresses, and emails—data that later enabled precise, highly realistic scams. Victims received calls from spoofed official numbers, fake support emails, and SMS messages pushing them to transfer assets into “secure wallets” allegedly for protection. The twist: scammers often provided pre-set wallet seed phrases, tricking users into building new wallets secretly controlled by criminals. By mid-2025, the FBI and DOJ confirmed that Coinbase users had lost over $100 million through this single chain of attacks, many traced back to organized groups connected to Indian fraud networks and COM sphere actors.

An example of a fake Coinbase support email, along with Coinbase’s official response addressing the incident

Similarly, the massive Bybit hack also points to social engineering as a root cause. Early reports suggest that attackers exploited a developer’s machine, gaining internal access privileges and insider connections to bypass security barriers and extract private key fragments, resulting in the theft of over $1.4 billion in cryptocurrency in one of the largest single-exchange breaches ever recorded.

Safe Wallet confirmed that the Bybit hack began with a compromised signing machine exploited via social engineering. Source: @Safe

A typical attack of this kind targets the social surface - the human factor. Even with the best cybersecurity systems and due diligence programs, people remain one of the most vulnerable points, making these attacks possible.

Red Flags

Unexpected calls, emails, or DMs claiming your account is at risk and pushing you to act quickly—especially if they tell you to transfer funds or share seed phrases—are clear warning signs. Any message that asks for pre-set wallets or private keys is always a scam. Be extra cautious with emails, too: during the Coinbase data leaks, scammers used emails verified by Google to appear legitimate, showing that individual caution and scrutiny are still your strongest defense.

Solutions

For individual users, the best defense is awareness: official support staff at an exchange or custodian will never ask for keys or direct wallet transfers.

On the institutional side, unchecked staff access to customer data remains a major vulnerability. Firms must tighten internal permission controls, monitor employee access, and train teams to recognize bribery attempts and suspicious outreach. Leveraging AI-driven phishing detection and stronger audits can help reduce the human factor risks that make these attacks possible.

4.4 Phishing Scams

Phishing remains one of the most persistent and costly threats in crypto security. These scams aim to trick victims into giving up sensitive information - login credentials, private keys, or seed phrases - or, in more advanced forms, deploy malware to compromise devices and wallets. Attackers often impersonate trusted sites, support teams, or project channels with near-perfect copies. Sometimes the only clue is a small change in the URL, like swapping a single character or using an unusual top-level domain (.info, .xyz). As per Forbes, since the launch of ChatGPT, attacks that leverage AI have risen by 1,265%.

A scam email posing as Ripple

In 2025, phishing has evolved far beyond fake login pages. Attackers now hijack real social media accounts and websites, push fake airdrops through verified channels, or manipulate dApp interfaces to prompt victims to sign malicious transactions. One example is ice phishing, where a user unknowingly grants smart contract permissions that allow attackers to drain funds later. We have seen multiple cases this year where scammers used fake staking sites and malicious contract approvals to drain assets through hidden ice phishing traps.

Cointelegraph acknowledged that their website was compromised and exploited by attackers to promote fake ICOs and airdrops. Source: Coincentral

The financial losses from phishing attacks can be severe and wide-ranging. In late April 2025, ZachXBT reported that an elderly victim lost 3,520 BTC, worth around $330 million, to a social engineering scam run by a call center group based in the United Kingdom.

Source: @zachxbt

Another notable case, mentioned earlier in Section 3.2, shows how phishing now exploits new technical standards too: on May 24, a victim lost $146,551 when the phishing group Inferno Drainer abused MetaMask’s EIP-7702 Delegator feature to carry out bulk token approval phishing without switching the victim’s address. Overall, while EIP-7702 expands what wallets can do, it also introduces new risks. Users must carefully understand who they’re authorizing and exactly what permissions they’re granting before signing any delegation.
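As an added example of the "know who you are authorizing" check that this paragraph and the EIP-7702 incident in Section 3.2 call for (not code from the report, MetaMask, or Inferno Drainer analysis), the block below inspects an account's on-chain code for an EIP-7702 delegation designator, compares the delegate against a vendor-published allowlist, and fingerprints the delegate's code across chains to catch the multi-chain code inconsistencies the report mentions. The designator format (`0xef0100` followed by the 20-byte delegate address) is the one specified by EIP-7702; the allowlist address, the code bytes, and the sha256 fingerprint are constructed placeholders.

```python
# Added example, not from the report or MetaMask: inspect what an EOA's
# on-chain code says about EIP-7702 delegation before signing anything.
# Per EIP-7702, a delegated EOA's code is exactly 0xef0100 || <20-byte
# delegate address>. All inputs below are constructed.
import hashlib

DELEGATION_PREFIX = bytes.fromhex("ef0100")
DESIGNATOR_LEN = 3 + 20


def parse_delegation(code: bytes):
    """Return the delegate address (lowercase 0x-hex) if `code` is an EIP-7702
    delegation designator, otherwise None (empty code or a normal contract)."""
    if len(code) != DESIGNATOR_LEN or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[3:].hex()


def assess_delegation(code: bytes, allowlist) -> str:
    """'none'    -> account is not delegated
       'allowed' -> delegate is on the wallet vendor's published list
       'unknown' -> delegated to something the user did not vet"""
    delegate = parse_delegation(code)
    if delegate is None:
        return "none"
    return "allowed" if delegate in {a.lower() for a in allowlist} else "unknown"


def delegate_code_consistent(code_by_chain: dict) -> bool:
    """The same delegate address may hold different code on different chains.
    Compare the code deployed at that address on each chain; sha256 is used
    here purely as a fingerprint for the comparison (constructed inputs)."""
    digests = {hashlib.sha256(c).hexdigest() for c in code_by_chain.values()}
    return len(digests) == 1


# Constructed placeholders: a vendor-published delegator address, a designator
# pointing at it, and a designator pointing at an unvetted address.
VENDOR_DELEGATOR = "0x" + "ab" * 20          # placeholder, not a real address
DELEGATED_CODE = DELEGATION_PREFIX + bytes.fromhex("ab" * 20)
STRANGER_CODE = DELEGATION_PREFIX + bytes.fromhex("cd" * 20)

if __name__ == "__main__":
    print(assess_delegation(DELEGATED_CODE, [VENDOR_DELEGATOR]))   # allowed
    print(assess_delegation(STRANGER_CODE, [VENDOR_DELEGATOR]))    # unknown
    print(delegate_code_consistent({"chain_a": b"\x60\x80", "chain_b": b"\x60\x81"}))  # False
```

An "allowed" result is necessary but not sufficient: in the incident above the delegator itself was legitimate, and the harm came from the batched approvals executed through it, so the calls bundled into the delegated transaction still need to be reviewed before signing.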

4.4.1 LinkedIn Recruitment Phishing

Since early 2025, scammers have increasingly exploited LinkedIn’s professional trust to target engineers with fake job offers from bogus blockchain projects. They present convincing project overviews, share detailed design drafts, and offer technical lead roles to gain trust.

After initial calls and interviews, victims are asked to download a “technical test” from a shared repository, but hidden in the code is an encrypted payload that installs a backdoor. Once active, this malware quietly steals sensitive data like SSH keys, wallet mnemonics, and browser extensions, putting crypto assets at high risk. For example, one victim found harmless‑looking files like error.js that hid extra lines of encrypted code. This hidden script copied sensitive data using Python — or a fallback bash script — silently draining keys and credentials once run. These attacks are difficult to detect at first, making careful code reviews and testing in secure, isolated environments critical when dealing with unfamiliar recruiters or projects.
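The file pattern described above (innocuous-looking source with an encoded blob that is decoded and evaluated, plus a fallback to a shell or Python interpreter) can be pre-screened before anything is run. The block below is an added example of such a triage scanner, not code from the report or from any incident analysis; the indicator list, the scoring rule, and the sample `error.js` content are constructed, and the sample's encoded string decodes to the harmless text "foobarbaz" repeated.

```python
# Added example, not from the report: a static pre-screen for "technical test"
# repositories, looking for the indicators described above (long encoded
# literals, dynamic evaluation, loading a process-spawning module, invoking a
# shell or Python). Run it before any code is executed, and execute only in
# an isolated environment anyway. The sample file below is constructed.
import re

# Each indicator: (name, compiled pattern). Order fixes output order per line.
INDICATORS = [
    ("long_base64_literal", re.compile(r"""["']([A-Za-z0-9+/=]{80,})["']""")),
    ("eval", re.compile(r"\beval\s*\(")),
    ("new_function", re.compile(r"\bnew\s+Function\s*\(")),
    ("child_process", re.compile(r"""require\(\s*["']child_process["']\s*\)""")),
    ("spawns_interpreter", re.compile(r"""(exec|spawn)\w*\(\s*["'](python3?|bash|sh)\b""")),
]


def scan_source(source: str):
    """Return [(indicator_name, line_number), ...] in file order. Line-by-line
    matching keeps reports readable but misses a literal split across lines;
    treat this as a triage aid, not a verdict."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                findings.append((name, lineno))
    return findings


def verdict(findings) -> str:
    """Two or more distinct indicator types: refuse to run outside a sandbox.
    One: worth a manual look. None: no indicators from this scanner."""
    kinds = {name for name, _ in findings}
    if len(kinds) >= 2:
        return "do_not_run_outside_sandbox"
    return "manual_review" if kinds else "no_indicators"


# Constructed sample mimicking the error.js pattern: plausible helper code
# followed by an encoded blob that is decoded and evaluated at runtime.
SAMPLE_ERROR_JS = "\n".join([
    "// error.js - constructed sample; the blob decodes to 'foobarbaz' repeated",
    "function formatError(e) { return '[app] ' + e.message; }",
    "module.exports = { formatError };",
    'const p = "' + "Zm9vYmFyYmF6" * 8 + '";',
    "const cp = require('child_process');",
    "eval(Buffer.from(p, 'base64').toString());",
])

if __name__ == "__main__":
    found = scan_source(SAMPLE_ERROR_JS)
    print(found)            # [('long_base64_literal', 4), ('child_process', 5), ('eval', 6)]
    print(verdict(found))   # do_not_run_outside_sandbox
```

Running this over every file in the shared repository takes seconds and catches the obvious cases; it does not replace executing the "test" only on a disposable machine with no wallet, SSH key, or browser profile on it.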

Random DMs like this often lead to a call, and in many cases, the scam ends with you running malicious code on your machine as a so-called pre-requisite test.

These incidents highlight how both classic social tricks and new smart contract features can be misused if victims don’t carefully verify what they’re signing or approving.

Red Flags

Signals for phishing or scam attempts in the crypto space include suspicious or lookalike URLs, especially those using unusual domains like .info or .xyz, designed to mimic legitimate crypto platforms. Users should also be wary of unsolicited requests for login credentials, private keys, seed phrases, or wallet backups.

Generic greetings such as “Dear User” instead of personalized names, along with fake support emails or direct messages that create urgency or threaten account suspension, are common tactics. These scams may also push victims toward private communication apps like Telegram. Another red flag is transaction prompts that don’t clearly show the permissions being granted, often a sign of potential ice phishing.

Additionally, some attackers exploit professional platforms, sending fake job offers on LinkedIn that ask candidates to download or run unverified code as part of a so-called technical test.

Solutions

Always verify URLs using trusted tools and consider bookmarking official crypto websites for future logins. Be especially cautious of messages that pressure you to act quickly, share sensitive information, or click suspicious links. Before signing any transaction, take a moment to double-check the details and consider using transaction simulators for extra safety. If you're asked to run unfamiliar code—for example, in a job-related context—do so only in a secure, isolated environment, never on a device connected to your primary wallet.

Tools like Blockscope’s Wallet Profiler and Tracer can help detect risky addresses, fake sites, and malicious approval flows linked to phishing campaigns. Finally, companies should implement strong spam filters, regularly train staff to recognize phishing attempts, and ensure customers can easily verify any unusual requests through official support channels.

4.5 ATM Scams

Crypto ATMs remain a popular tool for scammers due to their speed, ease of use, and gaps in regulation in many regions. While some countries have tightened KYC and reporting rules, the anonymity these machines offer still makes them an easy on-ramp for fraud and money laundering. Criminals often pose as government officials, utility company representatives, or tech support agents, pressuring mostly elderly or vulnerable victims to urgently pay fines, bills, or “protect” their money using a crypto ATM.

A crypto ATM accompanied by a warning advising users to stay alert and avoid scams.

Moreover, non-KYC crypto ATMs often serve as an easy obfuscation layer for criminals, enabling them to quickly convert cash into crypto with minimal traceability. This loophole makes ATMs a common tool for various scams, from romance fraud and pig butchering to sextortion and fake investment schemes. Scammers favor ATMs because victims can deposit funds rapidly, often under pressure, and the lack of strong identity checks means these transactions are harder for banks and law enforcement to flag in real time. Organizations like the FBI, IC3, and FTC continuously warn the public about these tactics and urge people to think twice before sending money through a crypto ATM.

Recent figures highlight the scale of the problem. The U.S. FTC reported losses of around $65 million linked to crypto ATM scams in just the first half of 2024, mostly tied to government and business impersonation frauds. Australian Federal Police (AFP) recorded over AUD 3.1 million (~USD 2.1 million) in ATM scam losses in the past year, with elderly victims making up a large share. Some recent cases include victims paying tens of thousands through ATMs after being threatened with arrest warrants, fake fraud investigations, or fake bail demands for family members. In a notable UK incident, law enforcement even cut open a Bitcoin ATM to recover nearly USD 32,000 that a victim had deposited to scammers.

Police sawed open a Bitcoin ATM to recover $32,000 in scam funds; Source: Cointelegraph

Red Flags

Red flags for ATM fraud include new or elderly users making large, one-off ATM deposits, payments just under reporting thresholds, and stories that create urgency and fear. Scammers often demand payment specifically through crypto ATMs to avoid bank traceability and exploit the lack of real-time oversight.

Solutions

The best defense is a mix of stronger due diligence, public awareness, and real-time monitoring. ATM operators and VASPs should share scam patterns and use tools like Blockscope’s Security monitoring to flag addresses that repeatedly receive funds from different ATMs. Many jurisdictions, including parts of the U.S. and Australia, are also setting limits on how much new users can deposit or withdraw via ATMs — an important step in protecting vulnerable groups. Most importantly, people should remember that no legitimate government agency, utility company, or bank will ever ask for payment through a crypto ATM.
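Two of the patterns named in this section (addresses that repeatedly receive funds from different ATMs, and deposits sitting just under a reporting threshold) are simple enough to express as rules over deposit records. The block below is an added example of such rules, not Blockscope's Security Monitoring code; the threshold value, the deposit record shape, and all sample records are constructed placeholders, and the threshold should be replaced with the figure that applies in the operator's jurisdiction.

```python
# Added example, not Blockscope's Security Monitoring: two rule checks an ATM
# operator or VASP could run over deposit records. The threshold, the record
# format and the sample records are constructed placeholders.
from collections import defaultdict

REPORTING_THRESHOLD_USD = 10_000   # placeholder; use the local regulatory value
NEAR_THRESHOLD_BAND = 0.10         # "just under" = within 10% below the threshold


def destinations_fed_by_many_atms(deposits, min_distinct_atms=3):
    """Rule 1: destination addresses that received cash-to-crypto deposits
    from at least `min_distinct_atms` different machines.
    Returns {address: sorted atm ids}."""
    atms_by_dest = defaultdict(set)
    for d in deposits:
        atms_by_dest[d["to_address"].lower()].add(d["atm_id"])
    return {addr: sorted(atms) for addr, atms in atms_by_dest.items()
            if len(atms) >= min_distinct_atms}


def near_threshold_deposits(deposits):
    """Rule 2: deposits sitting just under the reporting threshold.
    Returns the matching deposit ids in input order."""
    low = REPORTING_THRESHOLD_USD * (1 - NEAR_THRESHOLD_BAND)
    return [d["id"] for d in deposits
            if low <= d["usd"] < REPORTING_THRESHOLD_USD]


def evaluate(deposits, min_distinct_atms=3):
    """Run both rules and return their outputs together."""
    return {
        "multi_atm_destinations": destinations_fed_by_many_atms(deposits, min_distinct_atms),
        "near_threshold": near_threshold_deposits(deposits),
    }


# Constructed deposit records (placeholders, not real addresses or machines).
SAMPLE_DEPOSITS = [
    {"id": "d1", "atm_id": "atm-01", "to_address": "0xCollector", "usd": 9_500},
    {"id": "d2", "atm_id": "atm-02", "to_address": "0xcollector", "usd": 9_800},
    {"id": "d3", "atm_id": "atm-03", "to_address": "0xcollector", "usd": 2_000},
    {"id": "d4", "atm_id": "atm-01", "to_address": "0xshopper", "usd": 150},
    {"id": "d5", "atm_id": "atm-02", "to_address": "0xshopper", "usd": 12_000},
]

if __name__ == "__main__":
    result = evaluate(SAMPLE_DEPOSITS)
    print(result["multi_atm_destinations"])   # {'0xcollector': ['atm-01', 'atm-02', 'atm-03']}
    print(result["near_threshold"])           # ['d1', 'd2']
```

Rule 2 on its own produces false positives (a single deposit of $9,500 is not evidence of anything), which is why operators combine it with the per-destination view in Rule 1 and with the customer-facing signals listed under the red flags above before holding a transaction.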

Blockscope Security Monitoring helps to create custom risk rules for compliance and risk control.

5. Threat Actors Landscape

The crypto threat actor landscape in 2024 and H1 2025 is dominated by two forces: state-sponsored hacking groups and large, profit-driven crime syndicates. Both have scaled rapidly, using AI-powered phishing, deepfakes, and precise social engineering to steal ever-larger sums.

Organized crime rings drive the surge in pig-butchering, romance fraud, and mass phishing. The FBI’s IC3 logged US$4.57 billion in crypto investment-scam losses for 2023 (the single largest fraud category), and early 2025 indicators show the curve still rising. The latest UNODC brief puts annual revenue from Southeast-Asian scam compounds at roughly US$64 billion, much of it laundered through opaque on- and off-chain channels.

State actors, above all North Korea, remain the most damaging single players, striking DeFi protocols, bridges, and exchanges, and then washing funds through mixers and cross-chain swaps. One shadow payment hub that repeatedly surfaces in laundering flows is Huione Pay, now a key conduit for proceeds of pig-butchering, romance scams, and other crypto frauds.

5.1 Lazarus Group

North Korea remains one of the most active and notorious state-backed crypto threat actors, targeting exchanges, DeFi protocols, and blockchain infrastructure with highly organized hacks and laundering networks. In the first half of 2025 alone, North Korean-linked clusters have been connected to some of the largest security breaches so far, including the Bybit cold wallet breach and the Phemex hot wallet exploit. As per our data, North Korean actors have directly caused losses of more than $1.8 billion in various hacks and exploits so far this year in the crypto ecosystem.

Blockscope’s on-chain tracing and link analysis tools were able to identify wallet flows and laundering paths that connect funds siphoned from Bybit and Phemex back to addresses linked with prior North Korean operations, including exploits of BingX and Poloniex last year.

Blockscope Tracer connected the Bybit, Phemex, and BingX exploits by revealing overlapping addresses.
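Two operations underlie both the real-time alerting described in Section 4.2 (a wallet directly or indirectly connected to a known laundering hub) and the cross-incident linkage described here (addresses shared between the Bybit, Phemex, and BingX clusters): a bounded forward search from a wallet toward a flagged set, and an intersection of per-incident address clusters. The block below is an added example of both, not Blockscope's Tracer; the transfer graph, the flagged hub, the incident clusters, and every address in it are constructed placeholders.

```python
# Added example, not Blockscope's Tracer: a small forward-tracing routine over
# a transfer graph that (a) finds the shortest path from a wallet to a flagged
# cluster within N hops and (b) lists addresses shared between incident
# clusters. All addresses and amounts are constructed placeholders.
from collections import deque


def build_graph(transfers):
    """transfers: iterable of (sender, receiver, amount). Returns adjacency
    as {sender: set(receivers)}; amounts are ignored for path finding."""
    graph = {}
    for sender, receiver, _amount in transfers:
        graph.setdefault(sender.lower(), set()).add(receiver.lower())
    return graph


def exposure_path(graph, start, flagged, max_hops=3):
    """Breadth-first search forward from `start`; returns the shortest path
    (list of addresses) that reaches an address in `flagged` within max_hops,
    or None. A path of length > 1 is the "indirectly connected" case."""
    start = start.lower()
    flagged = {a.lower() for a in flagged}
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node in flagged and node != start:
            return path
        if len(path) - 1 >= max_hops:      # hop budget exhausted; do not expand
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


def overlapping_addresses(clusters):
    """clusters: {incident_name: set(addresses)}. Returns {address: sorted
    incident names} for every address seen in two or more incidents."""
    seen_in = {}
    for incident, addrs in clusters.items():
        for a in addrs:
            seen_in.setdefault(a.lower(), set()).add(incident)
    return {a: sorted(names) for a, names in seen_in.items() if len(names) > 1}


# Constructed sample data (placeholders, not real addresses).
HUB = "0xhub_flagged_placeholder"
SAMPLE_TRANSFERS = [
    ("0xvictim", "0xmule1", 5_000),
    ("0xmule1", "0xmule2", 4_900),
    ("0xmule2", HUB, 4_800),
    ("0xvictim", "0xmerchant", 40),    # ordinary spend with no path to the hub
]
SAMPLE_CLUSTERS = {
    "incident_a": {"0xa1", "0xa2", "0xshared"},
    "incident_b": {"0xb1", "0xshared"},
    "incident_c": {"0xc1"},
}

if __name__ == "__main__":
    g = build_graph(SAMPLE_TRANSFERS)
    print(exposure_path(g, "0xvictim", {HUB}))               # three-hop path to HUB
    print(exposure_path(g, "0xvictim", {HUB}, max_hops=2))   # None
    print(overlapping_addresses(SAMPLE_CLUSTERS))            # {'0xshared': [...]}
```

The hop budget is the important tuning knob: on a real chain almost every address is connected to every other within a handful of hops, so an alert should carry the path and the amounts along it, not just the fact that a path exists.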

Following these discoveries, the FBI confirmed that the Bybit theft, now estimated at over $1.4 billion, was carried out by North Korean hacking cells, likely involving the well-known Lazarus Group. These threat actors continue to rely on advanced phishing, insider recruitment, and malware to breach high-value targets, often using sophisticated laundering layers involving cross-chain bridges and mixing protocols.

Source: FBI IC3

Beyond direct hacks, North Korean clusters are also tied to cyberattacks, ransomware campaigns, and extortion schemes targeting crypto-rich businesses and critical infrastructure. In April this year, Kaspersky revealed that the Lazarus Group has been running ‘Operation SyncHole,’ targeting at least six major South Korean firms in IT, finance, semiconductors, and telecom. The attackers combined website traps using watering hole tactics with exploits of one-day vulnerabilities in software to penetrate networks and escalate privileges. Then, they deployed malware, including ThreatNeedle, Agamemnon, SIGNBT, and related loaders, allowing Lazarus to maintain stealthy long-term access and expand inside internal systems.

Source: Kaspersky

On May 8, Taiwanese exchange BitoPro was hacked, losing around USD 11.5 million from hot wallets across multiple chains. The attack, triggered by sophisticated social engineering, mirrored tactics linked to Lazarus, including hijacked AWS session tokens and trojans planted on cloud operations staff. BitoPro’s investigation ruled out insider involvement and confirmed that quick emergency action prevented greater losses.

Law enforcement agencies worldwide — including the FBI, OFAC, and partners across Asia — continue to issue public alerts, freeze stolen assets where possible, and sanction mixers and facilitators tied to these groups. In the Bybit hack, for example, eXch and Thorchain were used to launder much of the stolen funds. In many Lazarus-linked incidents, there is a consistent pattern of heavy reliance on bridges and protocols like Tornado Cash to obscure transaction trails and bypass sanctions.

Thorchain was one of the bridges used during the Bybit Hack
The table shows a spike in fee revenue of Thorchain, generated during Bybit Hack.

North Korea’s ongoing cyberattacks remain a global threat, not just to crypto but to industries and critical infrastructure worldwide.

5.2 Huione Group

Huione Pay has emerged as a major underground payment channel driving Southeast Asia’s vast pig butchering and romance scam networks. Officially promoted as a payment and “guarantee” service under Huione Group, it operates heavily in Cambodia, where it is deeply connected with scam compounds that use forced labor to run large-scale online fraud operations. Victims are lured into fake relationships or crypto investments, then the stolen funds are routed through Huione Pay and affiliated accounts to move money across borders and obscure its origins.

Huione’s escrow arm, Huione Guarantee, was pitched as a fraud-prevention layer, but, according to investigators and law enforcement agencies, often served to reassure victims while shielding operators.

Crackdowns in 2024–25—including coordinated raids on scam compounds and wallet freezes—have increased pressure, yet the network’s scale persists: pig-butchering rings are still estimated to siphon tens of billions of dollars globally each year, underscoring how deeply entrenched Huione-style channels are in the fraud economy.

6. Artificial Intelligence: Threat and Opportunity

The rapid adoption of Artificial Intelligence in crypto-crime has dramatically reshaped the threat landscape in the first half of 2025. AI-enabled tools such as deepfake videos, voice cloning, and malicious code generation have lowered barriers for criminals, leading to increasingly sophisticated and convincing scams.

Supply-chain poisoning through malicious AI plugins emerged as a prominent threat this year. In a notable incident, a crypto startup lost hundreds of thousands of dollars after a developer unknowingly introduced malware through a pirated AI assistant tool (Cursor), purchased from an unverified vendor on Taobao. This malicious plugin implanted a backdoor, enabling attackers to inject unauthorized wallet addresses into smart contracts. Further investigation revealed a widespread issue: similar compromised packages, including sw-cur and aiide-cur, had affected over 4,200 developers, primarily on macOS systems.

Attackers used short-video platforms to divert traffic, luring victims into installing malicious AI coding plugins.

Another growing threat is the rise of “unrestricted” or “jailbroken” Large Language Models (LLMs): AI models deliberately modified to bypass safety restrictions and ethical boundaries. These models, available on underground forums, significantly reduce the technical expertise required to execute cyberattacks. Notable examples include:

WormGPT: An unrestricted variant of GPT-J, marketed explicitly for generating malware and phishing emails, with access available at low monthly fees.

FraudGPT: A premium LLM designed specifically for scams, used extensively in generating fake crypto project materials, phishing pages, and tailored social engineering scripts.

GhostGPT: Marketed as an ethics-free AI assistant, enabling attackers to craft sophisticated deepfake scams, fraudulent smart contracts, and malware variants designed to evade detection.

To counteract these emerging AI-driven threats, several recommendations are crucial for the crypto industry:

  • Strictly vet and install AI-related plugins and dependencies only from trusted sources.

  • Enhance phishing detection capabilities with AI-powered content and URL analysis tools.

  • Adopt advanced jailbreak-detection mechanisms, content watermarking, and traceability measures for AI-generated content.

  • Implement transaction simulation and explicit permission reviews before smart contract deployments and interactions.

  • Encourage industry-wide collaboration to quickly share indicators of compromise linked to AI-generated attacks.
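Two of the recommendations above, vetting plugins before installation and reviewing contract code before deployment, map directly onto the pirated-Cursor incident described earlier, where a compromised plugin injected unauthorized wallet addresses into smart contracts. The following is an added example, not Blockscope's or any project's own code, of a minimal pre-deployment review: plugin artifacts are checked against a pinned SHA-256 allowlist, and contract source is scanned for hard-coded addresses that are not on the project's allowlist. Every plugin name, hash, address and the sample contract are constructed placeholders.

```python
"""Pre-deployment review checks (added example, not Blockscope's code).

1. vet_plugin: refuse any AI coding plugin/dependency that is not on the
   pinned allowlist or whose artifact hash does not match the pinned hash.
2. find_unexpected_addresses: report every hard-coded 0x address in contract
   source that is not on the project's allowlist, the kind of injection a
   compromised editor plugin can perform silently.
All names, hashes, addresses and source below are constructed placeholders.
"""
from __future__ import annotations

import hashlib
import re

# Pinned allowlist: plugin name -> SHA-256 of the approved artifact.
# Here the hash is derived from constructed bytes; a real lockfile pins
# hashes of vendor-published releases obtained from the official channel.
APPROVED_ARTIFACTS = {
    "example-cur-plugin": hashlib.sha256(b"approved plugin bytes v1.0").hexdigest(),
}

# Addresses the project legitimately references (constructed placeholders).
ALLOWED_ADDRESSES = {
    "0x1111111111111111111111111111111111111111",  # treasury multisig
    "0x2222222222222222222222222222222222222222",  # fee collector
}
_ALLOWED_LOWER = {a.lower() for a in ALLOWED_ADDRESSES}
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")

# Constructed contract source with one address the developer never wrote.
SAMPLE_CONTRACT = """\
pragma solidity ^0.8.0;
contract Vault {
    address public treasury = 0x1111111111111111111111111111111111111111;
    address public feeCollector = 0x2222222222222222222222222222222222222222;
    // The next line models an address injected by a compromised plugin:
    address private drain = 0x3333333333333333333333333333333333333333;
}
"""


def vet_plugin(name: str, artifact: bytes) -> tuple[bool, str]:
    """Return (ok, reason). Unknown names and hash mismatches are refused."""
    expected = APPROVED_ARTIFACTS.get(name)
    if expected is None:
        return False, f"{name}: not on the approved plugin list"
    actual = hashlib.sha256(artifact).hexdigest()
    if actual != expected:
        return False, f"{name}: artifact hash {actual[:12]}... does not match pinned hash"
    return True, f"{name}: hash verified"


def find_unexpected_addresses(source: str) -> list[tuple[int, str]]:
    """Return (line_number, address) for each hard-coded address not allowlisted."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for addr in ADDRESS_RE.findall(line):
            if addr.lower() not in _ALLOWED_LOWER:
                findings.append((lineno, addr))
    return findings


def review_ready_to_deploy(source: str, plugins: dict[str, bytes]) -> bool:
    """Deployment gate: all plugins verified and no unexpected addresses."""
    plugins_ok = all(vet_plugin(n, b)[0] for n, b in plugins.items())
    return plugins_ok and not find_unexpected_addresses(source)


if __name__ == "__main__":
    for lineno, addr in find_unexpected_addresses(SAMPLE_CONTRACT):
        print(f"line {lineno}: unexpected address {addr}")
    print(vet_plugin("example-cur-plugin", b"tampered bytes")[1])
```

Comparing addresses case-insensitively matters because Solidity sources may mix checksummed and lowercase forms of the same address; a case-sensitive allowlist would let a re-cased copy of a legitimate address slip through as "unexpected", and, worse, encourage reviewers to silence the check.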

Despite these threats, AI also offers powerful defensive opportunities. Blockchain analytics companies increasingly use AI to detect suspicious transactions, identify complex laundering patterns, and proactively defend against fraud. AI-powered tools rapidly identify phishing emails, deepfake impersonations, and anomalous blockchain activities, significantly enhancing real-time monitoring and security measures.

For instance, Blockscope employs its advanced AI Investigator tool to assist investigators and law enforcement agencies in rapidly tracing, clustering, and analyzing suspicious blockchain transactions. The effectiveness of this AI-driven approach was demonstrated in the recent ResupplyFi exploit, where complex attack transactions involving flash loans, multiple swaps, and cross-contract calls were rapidly analyzed and visualized by the AI Investigator. Similar advanced AI systems are leveraged by various blockchain analytics companies for real-time cross-chain token tracing and automated fraud detection.

Trace Call Analysis of the attack transaction of Resupply Exploit using Blockscope AI Investigator.

Ultimately, AI’s dual nature—as both threat and protective force—is inherent to its potential. While criminals leverage AI advancements to escalate fraud sophistication, firms like Blockscope are harnessing these same innovations to protect the crypto ecosystem, reduce investigative lead times, and enhance security across the industry. The ongoing challenge will remain adapting quickly and effectively, ensuring that AI technology stays firmly on the side of security and transparency.

7. Conclusion

The first half of 2025 has highlighted both the resilience and adaptability of global crypto crime, as well as the increasing effectiveness of regulatory responses and investigative actions. Significant enforcement milestones, such as the shutdown of eXch following allegations of facilitating funds for the Lazarus Group, the crackdown on Huione Pay's extensive money-laundering operations linked to large-scale romance scams, and the disruption of Russian crypto exchange Garantex, underscore the growing resolve of international authorities. These actions disrupted key networks that criminal groups rely upon to cash out illicitly obtained assets.

The German law enforcement splash page on eXch. Source: Presseporta

Yet, major challenges persist. Platforms such as Tornado Cash and similar mixers continue to provide critical infrastructure for cybercriminals and state-sponsored actors, notably those tied to North Korea, facilitating seamless cross-border fund obfuscation. Recent regulatory shifts further complicate these issues: On January 21, the U.S. District Court for the Western District of Texas revoked OFAC’s sanctions against Tornado Cash, and on March 21, OFAC officially removed Tornado Cash and associated Ethereum addresses from its Specially Designated Nationals (SDN) list, reversing economic sanctions imposed since August 2022. Subsequently, on April 30, the Court issued a final ruling deeming Treasury Department sanctions on Tornado Cash unlawful, permanently preventing similar future actions. Additionally, the U.S. Department of Justice signaled a notable policy change on April 8, dissolving its National Cryptocurrency Enforcement Team (NCET) and ending its "prosecution in lieu of regulation" stance, as reported by Fortune magazine.

These developments highlight the complex regulatory landscape and underline the ongoing need for cohesive international standards to effectively mitigate crypto-related threats. Encouragingly, swift on-chain tracing, emergency protocol freezes, and cross-border seizure orders have already recovered or frozen almost US$468 million in stolen crypto so far in 2025, spanning the Bybit, Cetus, and pig-butchering cases, plus smaller forfeitures in the United States.

Sustained information-sharing between exchanges, analytics providers, and financial-intelligence units will determine whether the next six months tilt toward resilience or relapse.

Author: Tushar Tiwari, Forensics Analyst @ Blockscope

For more information, please reach out to us:

X: x.com/BlockscopeCo

LinkedIn: www.linkedin.com/blockscopeco

Disclaimer: Best effort work

This report represents Blockscope’s best-effort analysis based on blockchain data, on-chain forensics, and open-source information available at the time of writing. While we strive for accuracy, readers should note that blockchain data can contain discrepancies and may evolve. Our findings reflect our understanding as of mid-2025 and may change as new information emerges.