Cyvers published its interactive annual report focused on 2025 on-chain security incidents and fraud activity. The report is presented as a data-driven recap of how money moved, where defenses failed, and why “fraud plus hacks” should be treated as one combined threat surface rather than two separate problems.
The timing is also part of the story. When markets get volatile, incident risk goes up, but so does user urgency. A report that puts hard numbers next to attack patterns tends to travel well across exchanges, wallets, and compliance teams because it turns vague fear into measurable exposure.
The Two Headline Numbers
Cyvers’ core framing is simple:
- Fraud-linked flows dwarf classic “hacks.”
- Most hack losses still come from access control failures, not exotic smart contract bugs.
Coverage summarizing the report highlights two topline figures for 2025:
- Around $16 billion linked to fraudulent activity
- Around $2.5 billion lost to hacks
What “$16B in Fraud” Typically Means
Fraud is not one tactic. It is a supply chain of persuasion, identity, and payout rails.
In the Cyvers framing, “fraud-linked” activity covers flows tied to social engineering and deception, including authorization scams where victims approve transactions or hand over control without realizing it.
Summaries of the report point to three scale signals that matter for platforms:
- Over 4.2 million fraudulent transactions
- Around 780,000 addresses involved
- Roughly 19,000 active fraud networks
Those numbers support the “industrialized” narrative: fewer lone actors, more repeatable playbooks, more network effects.
Why authorization scams are so effective
Authorization scams beat many security stacks because the transaction looks legitimate.
The victim signs → The chain validates → The funds move.
This creates a gap between what compliance teams flag and what users perceive as “being hacked.” It also explains why pig butchering is called out so often: the fraud is slow, relationship-driven, and optimized for extracting large balances over time.
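Because the signature itself is valid, the place to catch an authorization scam is before signing. The following is an added example, not code from the Cyvers report or this article: a check that decodes standard ERC-20/ERC-721 approval calldata and rates the risk. The `UNLIMITED` threshold, the risk labels, and the `known_spenders` allowlist (lowercase hex addresses) are assumptions.

```python
# Added example: pre-signing check for token approval calldata.
SELECTORS = {
    "095ea7b3": "approve",            # approve(address,uint256)
    "39509351": "increaseAllowance",  # increaseAllowance(address,uint256)
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address,bool)
}
UNLIMITED = 2**255  # assumption: allowances at or above this count as unlimited


def classify_approval(calldata_hex, known_spenders=frozenset()):
    """Return None for non-approval calls, else a dict describing the risk."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    call = SELECTORS.get(data[:8])
    if call is None:
        return None
    try:
        raw = bytes.fromhex(data[8:])
    except ValueError:
        raw = b""
    if len(raw) != 64:
        # Truncated, over-long or non-hex arguments: refuse rather than guess.
        return {"call": call, "spender": None, "risk": "high",
                "warnings": ["malformed arguments"]}
    spender = "0x" + raw[12:32].hex()        # address is the low 20 bytes of word 0
    value = int.from_bytes(raw[32:], "big")  # amount, or bool for setApprovalForAll
    warnings = []
    if any(raw[:12]):
        warnings.append("non-zero address padding")
    if value == 0:
        # Zero amount or approved=false grants nothing new.
        return {"call": call, "spender": spender, "risk": "low", "warnings": warnings}
    high = False
    if call == "setApprovalForAll":
        warnings.append("operator gains control of every token in the collection")
        high = True
    elif value >= UNLIMITED:
        warnings.append("unlimited allowance")
        high = True
    unknown = spender not in known_spenders
    if unknown:
        warnings.append("spender is not on the known-contract list")
    risk = "high" if high else ("medium" if unknown else "low")
    return {"call": call, "spender": spender, "risk": risk, "warnings": warnings}
```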
The $2.5B Hacks Story: Access Control Still Wins
If fraud is the bigger number, hacks are the sharper lesson.
Report summaries highlight that the majority of hack losses in 2025 stem from access control failures: compromised keys, permission misconfigurations, and human error around privileged operations.
A common simplification is “smart contracts are insecure.” The report’s implied counterpoint is closer to: operational governance is the soft underbelly.
As covered in report roundups, the split is often described like this:
- Over $2.2B attributed to access control attacks
- About $292M attributed to smart contract and code vulnerabilities
Why access control failures dominate
Access control failures are high leverage because they sit above everything else.
If an attacker gains signing authority or privileged permissions, they can:
- upgrade contracts
- reroute funds
- drain hot wallets
- change whitelists
- alter bridge or oracle settings
That is why “basic” controls like key custody, multi-sig policies, and role-based access reviews can matter more than a marginally better audit.
Newer Attack Patterns That Keep Showing Up
The report coverage also leans into a trend that has been building for years: attackers increasingly target what sits around the contract, not just the contract.
Examples frequently cited include:
- supply chain compromises
- front-end and DNS attacks
- social engineering that targets operational staff
- transaction flows that initially look valid because signatures are real
One reason this is underappreciated is that it does not look like an exploit. It looks like normal operations until the loss is already final.
What Exchanges, Wallets, and Projects Can Do Right Now
Cyvers’ data points toward one clear prioritization: reduce the blast radius of “valid but unsafe” actions.
Exchange and custody controls
- Reduce hot wallet exposure and segment by risk tier
- Enforce withdrawal allowlists for treasury-grade wallets
- Add real-time anomaly detection for new destination clusters
- Tighten privileged access pathways for operations staff
Smart contract and protocol operations
- Use least-privilege roles with short-lived permissions
- Require multi-party approvals for upgrades and parameter changes
- Monitor privileged calls and enforce policy at runtime
- Run continuous access reviews, not quarterly checklists
Fraud and social engineering defenses
- Build user-facing warnings into signing flows for high-risk approvals
- Flag newly created addresses that receive rapid inbound funding then route to cash-out venues
- Rate-limit suspicious approval patterns when possible
- Coordinate faster takedowns of spoof domains and fake support channels
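One way to express the "newly created address, rapid inbound funding, then cash-out" rule from the list above as detection logic. This is an added example, not from the Cyvers report or this article; the thresholds, the `new_after` cutoff, and the address labels in the sample are constructed assumptions.

```python
from collections import defaultdict


def flag_pass_through(transfers, cashout_venues, new_after, min_senders=3,
                      funding_window=3600, cashout_window=86400, min_forwarded=0.8):
    """Flag new addresses funded quickly by many senders that forward to cash-out venues.

    transfers: iterable of (unix_ts, sender, recipient, amount) in any order.
    All thresholds are illustrative assumptions, not values from the report.
    """
    first_seen = {}
    inbound = defaultdict(list)   # recipient -> [(ts, sender, amount)]
    to_venue = defaultdict(list)  # sender -> [(ts, amount)] paid into a venue
    for ts, src, dst, amount in sorted(transfers):
        first_seen.setdefault(src, ts)
        first_seen.setdefault(dst, ts)
        inbound[dst].append((ts, src, amount))
        if dst in cashout_venues:
            to_venue[src].append((ts, amount))

    flagged = []
    for addr, outs in sorted(to_venue.items()):
        if addr in cashout_venues or first_seen[addr] < new_after or not inbound[addr]:
            continue  # venue-internal move, long-lived address, or never funded
        start = inbound[addr][0][0]  # time of the first inbound transfer
        burst = [(s, a) for t, s, a in inbound[addr] if t - start <= funding_window]
        received = sum(a for _, a in burst)
        senders = {s for s, _ in burst}
        forwarded = sum(a for t, a in outs if start <= t <= start + cashout_window)
        if len(senders) >= min_senders and forwarded >= min_forwarded * received:
            flagged.append({"address": addr, "senders": len(senders),
                            "received": received, "forwarded": forwarded})
    return flagged


# Constructed sample data: labels stand in for on-chain addresses.
SAMPLE = [
    (1000, "victimA", "mule1", 5.0), (1600, "victimB", "mule1", 3.0),
    (2200, "victimC", "mule1", 2.0), (4000, "mule1", "exchangeX", 9.5),
    # Long-lived merchant wallet: many payers, but first seen before the cutoff.
    (10, "custA", "shop", 1.0), (1200, "custB", "shop", 1.0),
    (1300, "custC", "shop", 1.0), (5000, "shop", "exchangeX", 3.0),
    # Ordinary new user: one funding source, then an exchange deposit.
    (2000, "friend", "newbie", 1.0), (2500, "newbie", "exchangeX", 1.0),
]
```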
Practical Takeaways for Users
Fraud is scaling because it exploits human routines.
A simple user checklist still prevents a huge share of losses:
- Use a hardware key or hardware wallet for high-value accounts
- Treat “support” DMs as hostile by default
- Verify domains with bookmarks, not search ads
- Revoke token approvals periodically
- Keep separate wallets for day-to-day use and for long-term storage
These steps do not make fraud impossible. They raise the cost and reduce the chance that one mistake becomes a total wipeout.
What To Watch Next
If Cyvers’ report framing holds, the next cycle of headlines will not be about new exploits. It will be about:
- better detection of authorization scams before the transaction is signed
- more exchange-level friction on obvious fraud funnels
- stronger identity and recovery standards for user accounts
- incident response playbooks that treat “valid signatures” as a possible compromise signal
In other words, the industry’s security narrative shifts from “find the bug” to “protect the operations.”
Conclusion
Cyvers’ annual report puts a stark gap on the table: fraud-linked activity at roughly $16B versus hack losses at roughly $2.5B, with access control failures still doing most of the hack damage.
The takeaway is not that smart contracts do not matter. It is that the fastest-growing risk sits at the intersection of people, permissions, and signing authority.
The post Cyvers Flags $16B in Crypto Fraud and $2.5B in Hacks appeared first on Crypto Adventure.
