In 2025, crypto phishing losses plummeted by 83%, but attackers are shifting towards a "scattergun" approach.

According to the latest report from the Web3 security platform Scam Sniffer, cryptocurrency phishing losses related to wallet stealers plummeted by 83% in 2025, reaching $83.85 million. However, the decline in total losses masks a more covert trend: attackers are abandoning “whale hunting” and shifting to a “broad net” strategy targeting retail users.

The report indicates that the ecosystem remains active, with new attack vectors emerging alongside Ethereum upgrades, signaling that security offense and defense will enter a more complex new stage. Meanwhile, despite a 60% month-over-month decrease in overall hacker losses in December, phishing attacks as a persistent threat are evolving in ways that ordinary investors should remain vigilant about.

Shadows Behind Market Frenzy: The High Correlation Between Phishing Losses and Cycles

Although annual total loss figures show a sharp decline, in-depth analysis of monthly data reveals that cryptocurrency phishing activities have not disappeared but are remarkably synchronized with market volatility. Scam Sniffer’s report shows that phishing losses are essentially a “probability function” of user on-chain activity—when market enthusiasm is high and on-chain transactions are frequent, the absolute number of victims also rises. This pattern was confirmed in Q3 2025, which coincided with Ethereum’s strongest rally of the year: phishing losses reached a peak of $31 million, and August and September alone accounted for nearly 29% of the annual losses.

Looking at specific data, the impact of market hot and cold cycles on loss scale is stark. In December, when the market was most subdued, monthly phishing losses were only $2.04 million; when market activity peaked in August, this figure surged to $12.17 million—almost six times higher. This strong correlation serves as a warning to investors: the hype of a bull market is not only a herald of wealth growth but also a signal of heightened activity by malicious actors. It reminds us that security vigilance should not relax due to market sentiment; instead, it should be heightened to the maximum level during FOMO-driven periods.

Behind this cyclical wave of attacks is a mature and industrialized underground ecosystem of “theft-as-a-service.” The modularity and accessibility of attack tools and scripts enable even less technically skilled criminals to launch attacks quickly when market enthusiasm heats up. Therefore, the report’s conclusion that “the theft ecosystem remains active” is not alarmist but an objective description of an adaptive, profit-driven dark market. Old stealers may exit due to law enforcement actions or obsolescence, but new players quickly fill the void, waiting for the next market cycle.

Strategy Evolution: From “Whale Snatching” to “Net Fishing” — A Dimensionality Reduction Approach

The most notable change in the cryptocurrency phishing landscape in 2025 is not just the reduction in loss amounts but a fundamental shift in attack strategies. Previously, attackers often targeted high-net-worth individuals or institutions with “precision strikes,” stealing tens of millions of dollars in single cases, causing market shocks and widespread media coverage. However, data this year shows that this “whale hunting” pattern is waning. Cases exceeding $1 million in losses totaled only 11 in 2025, a significant decrease from 30 in 2024.

Instead, a more covert, persistent, and broader “broad net” strategy targeting retail users has emerged. The most direct manifestation of this shift is a significant decrease in average loss per victim. In 2025, the average loss per victim dropped to $790, contrasting sharply with previous years when single losses often reached hundreds of thousands or millions of dollars. The attackers’ logic has fundamentally changed: rather than risking high-value, complex operations aimed at heavily guarded “whales,” they now use automation tools to attack thousands of ordinary users at very low marginal costs. Even with a low success rate, the large base can generate substantial cumulative gains.

Key data on attack strategy evolution in 2025

  • Average per-incident loss: $790 (significantly reduced, targeting retail users)
  • Number of cases over $1 million: 11 (down 63% from 30 in 2024)
  • Maximum single phishing loss in the year: $6.5 million (using malicious Permit signatures)
  • Losses from new attack vector EIP-7702: $2.54 million (from two cases in August)

This strategic shift presents new challenges to the security ecosystem. High-value thefts can quickly trigger coordinated responses from project teams, exchanges, and security firms, using on-chain tracking and fund freezing to complicate money laundering. However, for dispersed losses of a few hundred dollars, victims often have no recourse, and law enforcement and recovery costs are high, making it easier for attackers to conceal traces. This marks a transition of phishing from a “news-driven” threat to a more normalized, pervasive “background noise” risk within the crypto ecosystem, with a broad and serious impact.

Double-Edged Sword of Technological Upgrades: Permit Signatures and EIP-7702 as New Risk Zones

While attack strategies are “reducing dimensions,” attack techniques are continuously “upgrading,” closely following the technological evolution of mainstream blockchains like Ethereum. The 2025 cases clearly demonstrate how quickly attackers exploit new protocols and standards. Among these, malicious authorization based on Permit and Permit2 signatures remains the most destructive weapon. The year’s largest phishing theft, in September, with losses of $6.5 million, exploited malicious Permit signatures. Statistics show that among cases over $1 million, 38% are related to Permit-type attacks.

The danger of Permit signatures lies in their user-friendly design being maliciously exploited. They allow users to sign a single authorization that enables a third party to operate their tokens without paying gas for each transaction—originally intended to improve DeFi interaction efficiency. However, if a user inadvertently signs a malicious Permit request, attackers can drain specific tokens from their wallet without their knowledge. This “single signature, unlimited authorization” feature makes Permit a favorite trap in phishing schemes.

More forward-looking, and deserving of a warning, is the emergence of a new attack vector built on EIP-7702, a standard introduced alongside Ethereum’s Pectra upgrade and aimed at enhancing account abstraction. Shortly after deployment, attackers developed malicious signature schemes based on EIP-7702. What makes it dangerous is that it allows multiple dangerous operations—such as authorization, transfers, and permission changes—to be bundled into a single user signature. Two related cases in August 2025 resulted in losses totaling $2.54 million, exposing how quickly attackers adapt to protocol-level changes. This is not just a technical vulnerability but an ecosystem security issue: every underlying upgrade intended to improve performance and user experience can be exploited by dark forest hunters to craft new weapons.

Multiple Factors Behind the Decline in Losses and Industry Insights

The significant narrowing of cryptocurrency phishing losses in 2025 is not due to a single cause but results from a combination of industry ecology, security infrastructure, user education, and market environment. First, major CEXs and wallet providers have continuously strengthened built-in security measures over recent years, such as more prominent authorization risk warnings, suspicious contract address interception, and transaction simulation features. These measures act as “speed bumps” before users perform critical operations, effectively blocking many reckless clicks.

Second, after multiple market cycles and numerous painful incidents, overall security awareness among crypto users has improved markedly. More users now habitually use hardware wallets for large assets, proactively review contracts with security tools before interacting, and are more alert to common tactics like “gasless transfers” or “airdrops.” Community-driven security culture and mutual aid—such as sharing suspicious domains and addresses—also form an important defensive network.

Furthermore, macro-level data from security agencies like PeckShield show that in December 2025, total losses from hackers and exploits across the crypto industry were about $76 million, down 60% month-over-month. This indicates that the overall security posture is strengthening through concerted efforts, and phishing, as part of this, benefits from the improving environment. However, we must remain sober: the “persistence” of attack activities has not changed. For example, the two largest security incidents in December—address poisoning scams involving $50 million and a $27.3 million multi-signature wallet private key leak—still demonstrate that whether through social engineering or technical vulnerabilities, large funds remain under threat.

Therefore, for ordinary investors, the current relatively calm period is the best time to consolidate security habits. Do not mistake the decline in data as a sign of threat elimination but see it as a “dynamic balance” created by attacker strategy adjustments and industry defense improvements. This balance is extremely fragile; the next market frenzy or new technological paradigm could shatter it.

Frontline Defense: Practical Security Tips for Cryptocurrency Users

In the face of evolving and strategically diverse phishing threats, passive platform protections are far from enough. Building a proactive personal security system is a must for every market participant. First, in authorization management, maintain principles of minimalism and regular cleanup. Immediately stop using “infinite approvals,” and for any DeFi or NFT interaction, authorize only the minimum necessary and revoke permissions immediately after the operation. Use blockchain explorers like Etherscan’s “Token Approval” feature or professional tools like Scam Sniffer regularly to check and revoke unnecessary permissions.
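
The approval review described above can be scripted. The following is an added example, not code from the Scam Sniffer report or from Etherscan: it replays eth_getLogs-style ERC-20 Approval logs and lists the allowances a wallet still has open. The function name, log objects and addresses are constructed for illustration.

```javascript
// Added example: rebuild a wallet's open ERC-20 approvals from raw Approval logs.
// topic0 = keccak256("Approval(address,address,uint256)")
const APPROVAL_TOPIC =
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const UNLIMITED = (1n << 256n) - 1n;
const topicToAddress = t => "0x" + t.slice(-40).toLowerCase();
const pad = hex => "0x" + hex.slice(2).padStart(64, "0"); // 32-byte word

function outstandingApprovals(logs, owner) {
  const latest = new Map(); // "token|spender" -> most recently approved amount
  const ordered = [...logs].sort((a, b) =>
    Number(a.blockNumber) - Number(b.blockNumber) ||
    Number(a.logIndex) - Number(b.logIndex));
  for (const log of ordered) {
    // ERC-721 Approval has the same topic0 but a 4th topic (tokenId): skip it.
    if (log.topics[0] !== APPROVAL_TOPIC || log.topics.length !== 3) continue;
    if (topicToAddress(log.topics[1]) !== owner.toLowerCase()) continue;
    const spender = topicToAddress(log.topics[2]);
    latest.set(`${log.address.toLowerCase()}|${spender}`, BigInt(log.data));
  }
  const open = [];
  for (const [key, amount] of latest) {
    if (amount === 0n) continue; // a later approve(spender, 0) revoked it
    const [token, spender] = key.split("|");
    open.push({ token, spender, unlimited: amount === UNLIMITED });
  }
  return open;
}

// Constructed sample logs (placeholder addresses, not real contracts).
const OWNER = "0x3333333333333333333333333333333333333333";
const TOKEN_A = "0x2222222222222222222222222222222222222222";
const TOKEN_B = "0x5555555555555555555555555555555555555555";
const SPENDER_X = "0x4444444444444444444444444444444444444444";
const SPENDER_Y = "0x6666666666666666666666666666666666666666";
const approval = (token, spender, amountHex, blockNumber) => ({
  address: token, blockNumber, logIndex: 0, data: pad(amountHex),
  topics: [APPROVAL_TOPIC, pad(OWNER), pad(spender)],
});
const sampleLogs = [
  approval(TOKEN_A, SPENDER_X, "0x" + "f".repeat(64), 100), // unlimited, never revoked
  approval(TOKEN_B, SPENDER_Y, "0x3e8", 101),               // limited approval...
  approval(TOKEN_B, SPENDER_Y, "0x0", 105),                 // ...revoked later
];
console.log(outstandingApprovals(sampleLogs, OWNER));
```

Event replay yields the last approved amount, not what remains after the spender has used part of it; confirm with the token's allowance(owner, spender) call before deciding what to revoke.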

Second, understanding and being alert to new signature risks is crucial. For any transaction requesting signatures of “Permit,” “Permit2,” or related to “EIP-7702,” always preview all potential operations using your wallet’s transaction simulation feature. Do not be fooled by phrases like “save gas” or “one-click convenience.” For signature requests you do not fully understand, treat them as high risk and refuse. Remember, every use of your private key for signing in crypto is like stamping a blank check—you must be certain of what that check will be used for.
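
To make the Permit risk and the signature check above concrete, here is an added example (not from the Scam Sniffer report or any wallet's code) that inspects an eth_signTypedData_v4 payload before signing and reports what a Permit or Permit2 request would grant. The field names follow EIP-2612 and Permit2; the trusted-spender list, the 30-day threshold and the sample request are assumptions made for illustration.

```javascript
// Added example: review an eth_signTypedData_v4 payload before it is signed.
// Field names follow EIP-2612 (Permit) and Permit2 (PermitSingle / PermitBatch).
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 amounts are uint160
const DAY = 86400n;

// Hypothetical allowlist of spenders the user actually intends to authorize.
const TRUSTED_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

function inspectTypedData(payload, nowSeconds) {
  const { primaryType, message, domain } = payload;
  const now = BigInt(nowSeconds);
  const findings = [];
  let grants = []; // normalized to { token, amount, max, expiry }

  if (primaryType === "Permit") {
    // EIP-2612: the token is the verifying contract itself.
    grants = [{ token: domain.verifyingContract, amount: BigInt(message.value),
                max: MAX_UINT256, expiry: BigInt(message.deadline) }];
  } else if (primaryType === "PermitSingle" || primaryType === "PermitBatch") {
    const details = [].concat(message.details); // one object or an array
    grants = details.map(d => ({ token: d.token, amount: BigInt(d.amount),
                                 max: MAX_UINT160, expiry: BigInt(d.expiration) }));
  } else {
    return { isPermit: false, findings };
  }

  const spender = String(message.spender).toLowerCase();
  if (!TRUSTED_SPENDERS.has(spender)) findings.push(`unknown spender ${spender}`);
  for (const g of grants) {
    if (g.amount === g.max) findings.push(`unlimited allowance on ${g.token}`);
    if (g.expiry - now > 30n * DAY) findings.push(`allowance on ${g.token} valid > 30 days`);
  }
  return { isPermit: true, spender, tokens: grants.map(g => g.token), findings };
}

// Constructed sample request (placeholder addresses, not from a real incident).
const sampleRequest = {
  primaryType: "Permit",
  domain: { name: "Example Token", version: "1", chainId: 1,
            verifyingContract: "0x2222222222222222222222222222222222222222" },
  message: { owner: "0x3333333333333333333333333333333333333333",
             spender: "0x4444444444444444444444444444444444444444",
             value: MAX_UINT256.toString(), nonce: "0", deadline: "1893456000" },
};
console.log(inspectTypedData(sampleRequest, 1767225600));
```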

Finally, build a layered asset management architecture. This is the core of institutional-level security tailored for individuals. Store most long-term holdings (like Bitcoin, Ethereum) in completely offline hardware wallets, and only keep a small amount for daily transactions and on-chain interactions in hot wallets (e.g., MetaMask). Use separate browsers or devices for high-frequency interactions to prevent private key leaks from malicious websites. Also, stay vigilant against old but still effective scams like address poisoning; always verify every character of a recipient address through multiple channels before making large transfers.

Security is a never-ending arms race. Attackers are becoming more patient, dispersed, and technical. As users, we cannot control market fluctuations or prevent the emergence of new attack vectors, but through systematic learning and rigorous operations, we can transform ourselves from “victims” in probabilistic models into resilient nodes within a secure ecosystem. The decline in losses in 2025 is an encouraging milestone, but it should also serve as a mirror, helping us see the evolution of threats and reinforce our digital domains accordingly.
