How 2025 changed the crypto market and AML standards: the year-end report
A year ago, few could have imagined the scale of the events that would unfold in the crypto market in 2025. The year became a turning point for the industry, setting the stage for major regulatory changes ahead.
05.01.2026
Last year was exceptional for the crypto market in terms of cybercrime, money laundering and sweeping regulatory shifts. GetBlock AML Research reviewed the results and identified the most important trends that defined the crypto industry in 2025.
Overview
In 2025, the blockchain industry continued to grow rapidly, but against a backdrop of global economic pressure, regulatory uncertainty and a rising number of attacks, the overall security landscape became more complex. Hacking groups and underground criminal networks grew more organized and professional, with particularly high activity linked to North Korea. The most common attack methods included data-stealing malware, private key compromise and phishing campaigns using psychological pressure. Significant losses also stemmed from access-control errors in DeFi projects and during the launch of meme tokens.
“Crime-as-a-service” models such as ransomware-as-a-service (RaaS) and malware-as-a-service (MaaS) significantly lowered the barrier to entry for cybercrime. Even individuals with limited technical expertise could carry out attacks using ready-made tools. At the same time, underground money-laundering infrastructure expanded, with scam centers in Southeast Asia, transaction anonymization services and mixers forming multi-layered fund-flow schemes.
On the regulatory side, 2025 saw accelerated implementation of anti-money-laundering and counter-terrorism financing measures. International joint operations became more frequent, improving transaction tracing and asset freezing. Regulation shifted from fragmented actions toward systematic oversight, while the legal boundaries around privacy tools were reassessed to distinguish legitimate use from criminal activity.
Blockchain security trends
Roughly 200 major security incidents occurred in 2025, with total losses estimated at around $2.935 billion. By comparison, 2024 recorded 410 incidents with losses of about $2.013 billion. Despite fewer attacks, total losses increased by roughly 46%.
All figures are calculated using token prices at the time of each incident. Due to price volatility, unreported cases and individual user losses, actual damage is likely higher.
Security incident statistics for 2025. Visualization: SlowMist
Ethereum accounted for the highest number of attacks and the largest losses, with around $254 million lost over the year. BSC ranked second with approximately $21.93 million in losses, followed by Solana at about $17.45 million.
Incident and loss statistics by blockchain
By project type, DeFi remained the most vulnerable segment. In 2025, DeFi saw 126 incidents, or about 63% of all cases, with losses totaling roughly $649 million. This marked a decline from 2024, which saw 339 incidents and losses exceeding $1 billion. Attacks on centralized exchanges were relatively rare, with just 12 incidents, but were extremely destructive: total losses reached $1.809 billion. A single incident involving Bybit accounted for approximately $1.46 billion, making it the largest exchange-related loss of the year.
Incident and loss statistics by project type
Smart contract vulnerabilities remained the leading cause of attacks, with 61 cases recorded in 2025. Account takeovers and credential compromises ranked second with 48 incidents.
Hack statistics in 2025 by attack type
Major fraud schemes
Phishing
Phishing remained one of the most widespread and dangerous attack vectors in 2025, becoming far more sophisticated. Attackers no longer relied solely on fake websites. They combined system commands, wallet permissions, protocol mechanics and even device-level access. Instead of directly stealing seed phrases, victims were increasingly manipulated into signing transactions and transferring funds themselves. These attacks became more covert and affected a broader audience.
Social engineering
Social engineering attacks intensified in 2025 and increasingly served as the entry point for phishing, malware infections and asset theft. Attackers exploited trust, impersonated others, applied emotional pressure and took advantage of victims’ lack of information. Many attacks unfolded in stages: criminals first established contact, then gradually persuaded victims to install malware, disclose sensitive data or transfer funds.
Supply chain and open-source attacks
Software supply-chain attacks remained a serious threat in 2025. Attackers increasingly targeted open-source projects, developer tools and dependency distribution systems rather than well-known components. By injecting malicious code, they gained access to large user bases at once. These attacks typically spread through trusted components, making them difficult to detect and stop.
Malicious browser extensions
Browser extensions are widely used in Web3, including wallets, security tools and developer plugins. They often have extensive permissions, run in the background and update automatically. Once compromised, such extensions can quietly collect user data and directly lead to asset losses.
Use of AI in attacks
With the spread of generative AI, attackers increasingly incorporated it into fraud schemes. AI made it easy to generate convincing text, voices, images and videos, lowering costs and increasing effectiveness. As a result, attacks appeared more credible and became psychologically harder for victims to detect.
Ponzi schemes
Ponzi schemes remained one of the most common forms of digital-asset fraud in 2025. New projects often disguised themselves as “blockchain finance,” “big data” or “international trading platforms,” growing rapidly through multi-level referral programs.
Anti-money-laundering trends
This section covers regulatory developments, data on asset freezes and recoveries, and the activities of cybercriminal organizations.
Largest cryptocurrency thefts in 2025
Enforcement and sanctions
In 2025, law enforcement and regulatory actions in the crypto sector became markedly stricter. Governments moved from formal guidance to direct action, including asset freezes, sanctions, criminal cases and international cooperation. Oversight expanded beyond exchanges to infrastructure providers and even individual blockchain addresses.
Regulatory policy
Crypto regulation entered a more structured phase in 2025. Many countries abandoned experimental approaches in favor of clear rules. Compliance became a prerequisite for market development, with a focus on tax transparency, AML and KYC requirements, custody security and disclosure standards.
Asset freezes and recoveries
Throughout 2025, Tether and Circle froze USDT and USDC on hundreds of Ethereum addresses. Over the year, 18 cases were recorded in which stolen funds were partially or fully frozen or recovered. The total value of assets involved was about $1.957 billion, of which roughly $387 million was frozen or returned, representing 13.2% of total annual losses.
Cybercriminal groups and the underground ecosystem
North Korea–linked hackers
Hacking groups linked to North Korea were particularly active in 2025, carrying out complex attacks that resulted in multi-billion-dollar losses. Research shows that between January 2024 and September 2025, these groups stole at least $2.837 billion from exchanges, wallets and infrastructure firms worldwide. In the first nine months of 2025 alone, losses reached about $1.645 billion, a record high.
Wallet drainers
In 2025, wallet drainer attacks caused total losses of $83.85 million and affected more than 106,000 users. While overall figures declined compared with 2024, individual attacks still resulted in multi-million-dollar losses.
Losses caused by wallet drainers. Visualization: ScamSniffer
Huione Group
Amid the rise of online fraud and cross-border money laundering in Southeast Asia, platforms linked to Huione Group drew increased scrutiny from regulators.
Ransomware and malware
Ransomware and data-stealing malware remained core tools for cybercriminals in 2025. The commercialization of MaaS and RaaS models enabled attackers without technical skills to deploy ready-made solutions.
Privacy tools and mixers
Privacy-enhancing services and transaction mixers continued to play a key role in crypto money laundering. They were used by both legitimate users and criminal groups. Case analysis from 2025 shows regulators increasingly attempting to distinguish lawful use from criminal abuse, moving away from blanket bans toward more targeted oversight.
What comes next
By the end of 2025, the blockchain security and AML landscape was defined by three key traits: increasingly professional attacks, more complex and covert criminal networks, and tighter regulation. While the total number of incidents stabilized, systemic risks related to access management, social engineering and private-key leaks remain.
Underground tools and turnkey services have made “out-of-the-box” attacks a reality, shifting risk from purely technical layers to users and supply chains. At the same time, governments have moved toward coordinated international action, narrowing the operating space for criminals through address seizures, asset freezes and accountability for anonymization service operators. Security and compliance are no longer optional advantages — they have become essential for survival in the market.