
Attack Vectors 2025: What Changed and What's Coming

From access control failures to fake recruiters. The attack landscape shifted in 2025. Here's what's actually working for hackers and how to protect yourself.

January 2, 2026
6 min read


The attacks changed in 2025.

Not just the targets. The methods.

Fewer incidents, bigger payouts. Supply chain attacks hitting browser extensions. North Korean hackers pretending to be recruiters instead of job seekers. AI finding vulnerabilities faster than auditors.

If your security knowledge is from 2023, you're already behind.


The numbers tell the story

2025 overview:

  • $2.94 billion lost across 200 incidents
  • 46% increase in losses despite fewer attacks
  • 69% of value stolen through wallet compromises
  • 63% of incidents targeted DeFi protocols

The math is simple: attacks got more efficient. Fewer shots, bigger hits.


OWASP Smart Contract Top 10: What actually matters

The 2025 list reveals where developers keep failing:

#1 Access Control Vulnerabilities

Still number one. Still the biggest killer.

$953.2 million in losses from poorly implemented permissions. Unauthorized admin actions. Functions meant to be restricted that anyone could call. The basics that teams still get wrong.

#2 Price Oracle Manipulation

New prominence this year. 31% of early 2025 DeFi losses came from oracle attacks.

Attackers distort the price a protocol reads (an on-chain spot price is the easiest number to move), then exploit the protocol's trust in that figure. KiloEx was hit by exactly this attack in April 2025.

#3 Logic Errors

Code that does what it's told—but not what it should.

Cetus DEX lost $223 million in May 2025 from a missed overflow check. One line of code. Nine figures gone.
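What a "missed overflow check" looks like in practice, as an added illustration (not Cetus's code; the bound, function names and inputs are constructed): a guarded 256-bit shift-left whose guard compares against the wrong constant. The buggy and correct versions differ by one comparison, and the buggy one turns a huge input into a tiny output without ever reverting.

```python
# Added example: a checked 256-bit shift-left with a wrong bound beside the
# right one. Modelled on the class of bug described above, not on Cetus's
# actual library; the bound, names and inputs are constructed for this demo.

U256_MAX = (1 << 256) - 1


def shlw_buggy(n: int) -> int:
    """Shift n left by 64 bits. The guard was meant to reject any value
    whose bits at position 192 or above would be shifted out, but it
    compares against U256_MAX with the low 192 bits cleared instead of
    against 2**192. Everything from 2**192 up to that mask passes and
    loses its top bits when the result is truncated to 256 bits."""
    wrong_bound = 0xFFFFFFFFFFFFFFFF << 192  # constructed mis-chosen constant
    if n > wrong_bound:
        raise OverflowError("shlw overflow")
    return (n << 64) & U256_MAX              # truncation a u256 type does implicitly


def shlw_checked(n: int) -> int:
    """Correct guard: the result fits in 256 bits only if n < 2**192."""
    if n >= (1 << 192):
        raise OverflowError("shlw overflow")
    return n << 64


def compare(n: int) -> dict:
    """Run both guards on n. 'silent_truncation' is the dangerous case:
    the buggy version returned a value that is not n << 64."""
    result = {}
    for name, fn in (("buggy", shlw_buggy), ("checked", shlw_checked)):
        try:
            result[name] = fn(n)
        except OverflowError:
            result[name] = None
    result["silent_truncation"] = (
        result["buggy"] is not None and result["buggy"] != n << 64
    )
    return result


if __name__ == "__main__":
    print(compare(1 << 100))   # in range: both agree
    print(compare(1 << 200))   # bit 200 set: checked reverts, buggy returns 0
```

In pool liquidity math a value like this is typically "how many tokens must the caller deposit to receive this much liquidity". When the guard lets the top bits fall off, that required deposit collapses toward zero, the transfer check passes, and the caller has minted a position against almost nothing. Audits that only look for missing checks will not catch a check that is present but compares against the wrong number; a property test that asserts fn(n) == n << 64 for random 256-bit inputs does.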

#4 Flash Loan Attacks

Uncollateralized loans borrowed and repaid inside a single transaction. They let an attacker with no capital of their own move a market, exploit whatever trusts the moved price, and pay the loan back before the block closes. $33 million in Q1 2024 from 10 high-profile attacks.
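The oracle manipulation described under #2 and the flash loan described here are usually the same transaction, so one added example covers both. This is a constructed model, not the KiloEx contracts or any real protocol: a constant-product pool, a lender that values collateral with a price function, and an attacker who flash-borrows, pumps the pool, borrows against the inflated value, and repays. The pool sizes, the 80% loan-to-value, the flash fee and the reference price are assumptions; the pool charges no swap fee and all amounts are whole tokens.

```python
# Added example: one-transaction flash-loan oracle manipulation, run against
# a lender that trusts the pool's spot price and against one that does not.
# Constructed model; numbers are assumptions chosen for illustration.

from statistics import median


class ConstantProductPool:
    """x * y = k AMM. base = the asset being priced (say ETH), quote = USDC."""

    def __init__(self, base_reserve: int, quote_reserve: int):
        self.base = base_reserve
        self.quote = quote_reserve

    def spot_price(self) -> int:
        """Quote units per one base unit, as the pool currently sees it."""
        return self.quote // self.base

    def buy_base(self, quote_in: int) -> int:
        """Sell quote_in quote tokens into the pool, receive base tokens."""
        k = self.base * self.quote
        new_quote = self.quote + quote_in
        new_base = k // new_quote          # rounds in the pool's favour
        base_out = self.base - new_base
        self.base, self.quote = new_base, new_quote
        return base_out


class Lender:
    """Lends quote tokens against base collateral at a fixed LTV, valuing
    the collateral with whatever price function it was given."""

    def __init__(self, liquidity: int, ltv_bps: int, price_fn):
        self.liquidity = liquidity
        self.ltv_bps = ltv_bps
        self.price_fn = price_fn

    def borrow_against(self, collateral: int) -> int:
        value = collateral * self.price_fn()
        allowed = value * self.ltv_bps // 10_000
        granted = min(allowed, self.liquidity)
        self.liquidity -= granted
        return granted


def run_attack(pool, lender, flash_amount: int, flash_fee_bps: int) -> int:
    """One atomic transaction: flash-borrow, pump, borrow, repay.
    Returns attacker profit. A negative number means the attacker cannot
    repay, so the whole transaction reverts and nothing happens."""
    collateral = pool.buy_base(flash_amount)       # pump: spot price jumps
    borrowed = lender.borrow_against(collateral)   # borrow at whatever the lender believes
    owed = flash_amount + flash_amount * flash_fee_bps // 10_000
    return borrowed - owed                         # repay the flash loan, keep the rest


REFERENCE_PRICE = 2_000   # constructed: an external feed / TWAP that the swap does not move


def naive_vs_guarded() -> dict:
    """Same attack against two lenders that differ only in their oracle."""
    results = {}

    # Lender A trusts the pool's instantaneous spot price.
    pool_a = ConstantProductPool(1_000, 2_000_000)
    lender_a = Lender(40_000_000, 8_000, pool_a.spot_price)
    results["spot_oracle_profit"] = run_attack(pool_a, lender_a, 10_000_000, 5)

    # Lender B takes the median of spot, a TWAP and an external feed. In this
    # constructed scenario both honest sources read REFERENCE_PRICE, so a
    # single in-block move of the spot price cannot drag the median.
    pool_b = ConstantProductPool(1_000, 2_000_000)

    def guarded_price() -> int:
        return int(median([pool_b.spot_price(), REFERENCE_PRICE, REFERENCE_PRICE]))

    lender_b = Lender(40_000_000, 8_000, guarded_price)
    results["guarded_oracle_profit"] = run_attack(pool_b, lender_b, 10_000_000, 5)
    return results


if __name__ == "__main__":
    print(naive_vs_guarded())
```

Against the spot-price lender the attacker turns a 10 million flash loan into roughly 30 million of profit and leaves the lender holding 834 ETH against a 40 million loan. Against the guarded lender the same transaction is loss-making, so it reverts before any state is committed. Nothing here is specific to flash loans; the loan only removes the need for the attacker to own capital, which is why the defence belongs in the oracle, not in blocking flash loans. A TWAP alone is not enough on a thin pool (it can be walked over several blocks), which is why the guarded lender combines it with an independent feed.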

#5 Reentrancy

The classic. Fell from #1 to #5 thanks to better tooling, but still catches developers off guard in yield farming and lending protocols.

Bottom line: Access control and oracles cause most of the damage. The rest is small by comparison.


The shift: On-chain to off-chain

Here's the uncomfortable trend:

As smart contract audits improve and bug bounties become standard, hackers moved up the stack.

Where attacks are happening now:

  • Browser extensions
  • Developer tooling
  • Supply chain dependencies
  • Social engineering
  • Credential theft

The Trust Wallet disaster (December 2025):

On Christmas Eve, attackers pushed a malicious update to Trust Wallet's Chrome extension. $8.5 million drained from 2,520 wallets within hours.

How? The Shai-Hulud supply chain attack compromised developer tools across multiple industries. Trust Wallet's Chrome Web Store API key was leaked. Attackers uploaded a compromised extension directly, bypassing all internal code review.

Users updated their extension and got robbed. No phishing. No user error. Just a legitimate-looking update.

$713 million was stolen through wallet compromises in 2025, 20% of all crypto theft. Most of it happened "above" the blockchain: browsers, extensions, supply chains.
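The Trust Wallet incident is a case where the malicious build never passed through the vendor's own pipeline, so the only thing that could have caught it is a check on the artifact that was actually published. Below is an added example of such a check, not Trust Wallet's code or any store's tooling: it diffs an extension update against a baseline pinned from the last reviewed release and refuses anything that widens permissions, injects new scripts, or ships files the baseline never saw. The manifests, file contents and host names are constructed, and the tampered update is a plausible shape, not a description of the real malicious build.

```python
# Added example, not Trust Wallet's code or any store's tooling: a gate that
# diffs an extension update against a baseline pinned from the last reviewed
# release. Manifests, file contents and host names are constructed.

import hashlib
import json


def fingerprint(files: dict) -> dict:
    """Map each path in a package to the SHA-256 of its bytes."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def review_update(base_manifest: dict, base_hashes: dict,
                  new_manifest: dict, new_files: dict) -> dict:
    """Return {'block': [...], 'review': [...]}. Anything under 'block'
    means the update is refused; 'review' items are normal for a release
    but must be looked at by a human before the baseline is re-pinned."""
    block, review = [], []
    new_hashes = fingerprint(new_files)

    # The package must be the same extension at the same manifest version.
    for key in ("name", "manifest_version"):
        if base_manifest.get(key) != new_manifest.get(key):
            block.append(f"{key} changed to {new_manifest.get(key)!r}")

    # Widening what the extension may touch is never a silent change.
    for key in ("permissions", "host_permissions"):
        added = sorted(set(new_manifest.get(key, [])) - set(base_manifest.get(key, [])))
        if added:
            block.append(f"new {key}: {added}")

    # Content scripts decide which pages get code injected into them.
    def scripts(m):
        return {(tuple(cs["matches"]), tuple(cs["js"])) for cs in m.get("content_scripts", [])}
    for matches, js in sorted(scripts(new_manifest) - scripts(base_manifest)):
        block.append(f"new content script {list(js)} on {list(matches)}")

    # Every shipped file is known-unchanged, changed (review), or new (block).
    for path in sorted(new_hashes):
        if path not in base_hashes:
            block.append(f"unexpected file: {path}")
        elif base_hashes[path] != new_hashes[path]:
            review.append(f"modified file: {path}")

    # The manifest inside the package must be the one that was reviewed.
    if json.loads(new_files["manifest.json"].decode()) != new_manifest:
        block.append("manifest.json in package differs from reviewed manifest")
    return {"block": block, "review": review}


# Constructed baseline: the last release that went through code review.
BASELINE_MANIFEST = {
    "name": "Example Wallet", "manifest_version": 3, "version": "2.67.0",
    "permissions": ["storage", "alarms"],
    "host_permissions": ["https://api.example-wallet.invalid/*"],
    "content_scripts": [{"matches": ["https://app.example-wallet.invalid/*"], "js": ["inject.js"]}],
}
BASELINE_FILES = {
    "manifest.json": json.dumps(BASELINE_MANIFEST).encode(),
    "background.js": b"// reviewed release 2.67.0\n",
    "inject.js": b"// reviewed content script\n",
}
# Constructed update: a tampered build that wants every origin and adds a
# script. Not a description of any real malicious build.
UPDATE_MANIFEST = {
    **BASELINE_MANIFEST, "version": "2.68.0",
    "host_permissions": BASELINE_MANIFEST["host_permissions"] + ["https://*/*"],
    "content_scripts": BASELINE_MANIFEST["content_scripts"]
    + [{"matches": ["<all_urls>"], "js": ["collector.js"]}],
}
UPDATE_FILES = {
    "manifest.json": json.dumps(UPDATE_MANIFEST).encode(),
    "background.js": b"// release 2.68.0\n",
    "inject.js": BASELINE_FILES["inject.js"],
    "collector.js": b"// constructed: reads form fields, posts them elsewhere\n",
}


def demo() -> dict:
    return review_update(BASELINE_MANIFEST, fingerprint(BASELINE_FILES),
                         UPDATE_MANIFEST, UPDATE_FILES)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two places to run it. On the publisher's side, download the package the store is actually serving after every publish and diff it against the CI build; an upload made with a leaked store API key shows up as a version the pipeline never produced. On the enterprise side, run it against the extension directory before allowing an update, or pin versions through browser policy and only re-pin after the diff is clean. A version bump and a changed background.js are expected and land in "review"; a new host permission or an unknown file lands in "block" and stops the install regardless of who signed the upload.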


North Korea's new playbook

They adapted.

The old way: Fake IT workers apply for jobs, get hired, steal from inside.

The new way: Fake recruiters from prominent companies interview victims, harvest credentials, and deploy malware during the "hiring process."

The tactics:

  • Create front companies (BlockNovas LLC, Angeloper Agency, SoftGlide LLC)
  • Pose as recruiters on LinkedIn, Upwork, and crypto job boards
  • Run fake interviews that deploy malware
  • Use real-time AI deepfakes in video calls
  • Target executives with fake acquisition meetings

The scale:

  • $2.02 billion stolen in 2025 (51% increase year-over-year)
  • 136 companies unknowingly hired North Korean operatives
  • Millions funneled to weapons programs

The arrests: In January and June 2025, five U.S. residents pleaded guilty to helping North Korean workers get jobs using stolen identities. In June, four North Korean nationals were indicted on wire fraud and money laundering charges.

But the scheme continues. It's active and evolving.


What defenders are doing right

Not all news is bad.

Proactive monitoring works.

Some protocols detected attacks 18 hours before execution and paused contracts in time. The combination of real-time monitoring, rapid response, and governance that can act decisively has changed the equation.
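What "real-time monitoring" concretely watches for, as an added example that is not any protocol's actual monitoring stack: a small rule set run over a constructed stream of decoded on-chain events. It covers the three signals a pause-capable protocol most wants on a pager: admin functions called from anything other than the governance multisig, outflows that exceed a share of TVL inside a block window, and a price feed that has moved far from an independent reference. The event format, thresholds and addresses are assumptions.

```python
# Added example, not any protocol's real monitoring code: rules over a
# constructed stream of decoded events. Addresses, thresholds and the
# event shape are assumptions.

from collections import defaultdict

GOVERNANCE_MULTISIG = "0xMULTISIG"   # constructed: only address allowed to call admin functions
ADMIN_FUNCTIONS = {"setOracle", "upgradeTo", "setFeeRecipient", "pause", "unpause"}
WINDOW_BLOCKS = 10                    # outflow budget is measured per 10-block window
MAX_OUTFLOW_BPS_PER_WINDOW = 1_000    # 10% of TVL per window
MAX_PRICE_DEVIATION_BPS = 500         # 5% away from the reference feed


def analyze(events: list, tvl: int, reference_prices: dict) -> dict:
    """Return the alerts raised and whether the runbook says to pause.
    Pause on any CRITICAL alert, or on two or more HIGH alerts."""
    alerts = []
    outflow_by_window = defaultdict(int)

    for ev in events:
        if ev["type"] == "AdminCall":
            # Privileged calls from outside governance are the earliest warning:
            # they usually precede the actual drain by blocks or hours.
            if ev["function"] in ADMIN_FUNCTIONS and ev["caller"] != GOVERNANCE_MULTISIG:
                alerts.append(("CRITICAL", ev["block"],
                               f"{ev['function']} called by {ev['caller']}, not the multisig"))

        elif ev["type"] == "Withdraw":
            window = ev["block"] // WINDOW_BLOCKS
            outflow_by_window[window] += ev["amount"]
            if outflow_by_window[window] * 10_000 > tvl * MAX_OUTFLOW_BPS_PER_WINDOW:
                alerts.append(("HIGH", ev["block"],
                               f"outflow {outflow_by_window[window]} in window {window} "
                               f"exceeds budget against TVL {tvl}"))

        elif ev["type"] == "PriceUpdate":
            ref = reference_prices[ev["asset"]]
            deviation_bps = abs(ev["price"] - ref) * 10_000 // ref
            if deviation_bps > MAX_PRICE_DEVIATION_BPS:
                alerts.append(("HIGH", ev["block"],
                               f"{ev['asset']} feed {ev['price']} is {deviation_bps} bps "
                               f"from reference {ref}"))

    highs = sum(1 for sev, _, _ in alerts if sev == "HIGH")
    criticals = sum(1 for sev, _, _ in alerts if sev == "CRITICAL")
    return {"alerts": alerts, "pause": criticals > 0 or highs >= 2}


# Constructed event stream: normal activity, then a takeover of the oracle
# setter followed by a manipulated price and a drain.
EVENTS = [
    {"block": 100, "type": "Withdraw", "amount": 50_000, "caller": "0xuser1"},
    {"block": 101, "type": "PriceUpdate", "asset": "ETH", "price": 2_010},
    {"block": 102, "type": "AdminCall", "function": "setOracle", "caller": "0xATTACKER"},
    {"block": 103, "type": "PriceUpdate", "asset": "ETH", "price": 9_500},
    {"block": 104, "type": "Withdraw", "amount": 900_000, "caller": "0xATTACKER"},
    {"block": 105, "type": "Withdraw", "amount": 400_000, "caller": "0xATTACKER"},
]
TVL = 10_000_000
REFERENCE = {"ETH": 2_000}


def demo() -> dict:
    return analyze(EVENTS, TVL, REFERENCE)


if __name__ == "__main__":
    for sev, block, msg in demo()["alerts"]:
        print(f"[{sev}] block {block}: {msg}")
    print("pause:", demo()["pause"])
```

The order of the alerts is the point: the unauthorised setOracle call at block 102 fires before the manipulated price at 103 and the outflow at 105. That precursor is where the hours of lead time come from, and it is only actionable if someone holds a pause key that can be used without waiting for a governance vote. Block 104 on its own stays under the 10% window budget; the rule fires on the cumulative 105 withdrawal, which is why the budget is tracked per window rather than per transaction.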

Bug bounties are paying off.

Simple smart contract vulnerabilities are decreasing. Teams that implement security best practices are seeing fewer exploits of obvious bugs.

Multi-sig and MPC wallets.

High-value wallets protected by multiple signatures are surviving while single-key wallets get drained.

The shift in losses:

Despite higher Total Value Locked in DeFi, losses from protocol exploits did not grow with it; the year's headline total was driven by wallet and exchange compromises, not by smart contract bugs. The ecosystem is learning, slowly.


What's coming in 2026

Predictions:

  1. More supply chain attacks. Browser extensions and developer tools remain soft targets.

  2. AI vs AI. Attackers using AI to find vulnerabilities. Defenders using AI to detect attacks. The arms race is on.

  3. Sophistication over volume. Fewer attacks, bigger payouts. Quality over quantity.

  4. Social engineering dominance. As code gets harder to exploit, humans become the weak point.

  5. Regulatory pressure. Governments starting to require security standards for crypto platforms.

Wild cards:

  • A major centralized exchange breach that dwarfs Bybit (the roughly $1.5 billion theft of February 2025)
  • AI-discovered zero-day that affects multiple protocols
  • Successful attack on a major staking provider
  • Nation-state attack on stablecoin infrastructure

Practical defense checklist

For individuals:

  • [ ] Minimize browser extensions—especially wallet extensions
  • [ ] Use hardware wallets for significant holdings
  • [ ] Verify update sources before installing
  • [ ] Be skeptical of recruiters and job offers
  • [ ] Enable multi-factor authentication everywhere
  • [ ] Separate daily-use wallets from storage wallets

For projects:

  • [ ] Implement multi-sig for all admin functions
  • [ ] Use multiple oracle sources
  • [ ] Audit regularly (including dependencies)
  • [ ] Run bug bounty programs
  • [ ] Monitor for suspicious on-chain activity
  • [ ] Have an incident response plan before you need one

For everyone:

  • [ ] Assume you will be targeted
  • [ ] Verify, then verify again
  • [ ] Speed is not worth security shortcuts

The uncomfortable truth

2025 proved something uncomfortable:

Technical security is improving. Human security is not.

Smart contracts are getting audited. Code is getting reviewed. But browser extensions get compromised. Developers download malicious dependencies. Employees click phishing links. Executives take meetings with fake investors.

The attack surface shifted from code to people.

The industry invested billions in smart contract security. It invested far less in operational security, supply chain integrity, and human factors.

That gap is where the money went.


Bottom line

Attack vectors in 2025 evolved faster than defenses.

Access control and oracles remained the biggest smart contract risks. But the real action moved off-chain: supply chains, browser extensions, social engineering.

North Korea stole over $2 billion, with fake recruiters and deepfakes now part of its toolkit. A malicious browser extension update went out on Christmas Eve. AI started finding vulnerabilities before auditors.

The pattern is clear: as one attack vector hardens, attackers find another.

Security isn't a destination. It's a constant race.

Stay paranoid. Stay updated. Stay humble about what you don't know.



@t0tty3
