Web3 fraud reached a striking $15.87 billion in 2025, according to Cyvers’ latest annual security report, vastly exceeding the more than $2.5 billion lost to traditional hacks and exploits during the same period. The findings suggest that the crypto industry’s biggest threat is no longer limited to high-profile breaches, but increasingly comes from large-scale fraud operations that are less visible, more distributed, and harder to stop with conventional security tools.
While major incidents such as the Bybit hack captured headlines, Cyvers said the much larger fraud total was spread across 4.29 million individual transactions. That distribution is a critical part of the story. Instead of a handful of catastrophic events drawing immediate public attention, fraudulent activity was fragmented across millions of transfers, allowing massive aggregate losses to accumulate with less scrutiny.
From Isolated Scams to Industrialized Networks
According to the report, the Web3 threat landscape changed significantly in 2025 as criminal activity became more organized and operationally mature. Cyvers described the trend as a form of “industrialized” crime, in which scam networks use clusters of addresses linked to the same operation and route funds across multiple services. These flows can connect exchanges, payment service providers, and off-ramps, forming a broader infrastructure for laundering and cashing out fraudulent proceeds.
This model marks a shift away from viewing crypto crime mainly as isolated incidents. In Cyvers’ framing, scam activity is increasingly structured like a coordinated business operation, with repeatable methods, linked wallets, and cross-platform movement patterns. That makes detection more complex, especially when funds are broken into smaller transactions and routed through several intermediaries.
Authorized Fraud Emerges as a Defining Threat
The report singles out authorized fraud as one of the most troubling developments of 2025, with pig butchering schemes standing out as the clearest example. Unlike traditional hacks, which attempt to exploit technical vulnerabilities or bypass platform defenses, authorized fraud relies on manipulation. Victims are persuaded to move funds themselves, often through their own wallets or verified exchange accounts.
Cyvers said these schemes are built on carefully managed psychological playbooks. Criminal groups may spend weeks or even months cultivating trust, maintaining contact, and gradually deepening a victim’s commitment before the final liquidation event. By the time funds are transferred, the victim has technically approved the transaction, which means the activity may not trigger standard alerts designed to catch account takeover or unauthorized access.
This distinction matters because many anti-fraud systems were developed around the idea of a compromised account. If a user is the one initiating the transfer, legacy controls may fail to identify the risk. Cyvers argues that platforms need real-time behavioral analytics and entity-level risk scoring to detect suspicious patterns before assets leave the platform.
Liquid Assets Remain the Preferred Vehicles
The report also found that fraudulent flows were heavily concentrated in a small number of highly liquid crypto assets, underscoring how important convertibility remains to scam operations. Among detected fraudulent movements, USDT accounted for 37%, ETH for 36%, and USDC for 25%. These assets are favored not necessarily because they are uniquely vulnerable, but because they offer deep liquidity and easier paths into fiat conversion.
The concentration in stablecoins and blue-chip crypto also reflects a broader pattern in illicit finance: criminal operators tend to favor the most transferable and widely accepted instruments. In the Web3 environment, that means dollar-linked stablecoins and major assets with broad exchange support. The report suggests that the same characteristics valued by legitimate market participants—speed, liquidity, and global reach—also make these assets attractive within fraud networks.
Exposure Is Concentrated Among Major Exchanges
Cyvers said exposure was also concentrated among large centralized platforms. Although the report did not publicly identify specific entities, it stated that the single most exposed global exchange handled more than $2.3 billion in fraudulent flows. It also found that just three of the top ten global exchanges accounted for nearly half of all fraud volume routed through centralized venues.
That concentration highlights the central role of major exchanges in the movement of illicit funds, even when the underlying fraud originates elsewhere. Large platforms remain critical liquidity hubs in the crypto ecosystem, and that makes them natural transit points for both legitimate and illegitimate activity. For compliance teams and regulators, the finding reinforces the importance of monitoring not just hacks and sanctions risks, but also behavioral indicators tied to scam-related fund flows.
A Broader Shift in Crypto Crime
Taken together, the 2025 data points to a broader transformation in crypto-related crime. Fraud is no longer a secondary issue overshadowed by hacks; in value terms, it has become the dominant threat identified in the report. More importantly, it is evolving into a global enterprise that rivals traditional organized crime in scale and sophistication.
Pig butchering may be the most visible example of authorized fraud, but Cyvers suggests it rests on a common foundation shared by many scam models: liquid stablecoins, blue-chip digital assets, and large centralized exchanges. Those components form the infrastructure that allows fraud rings to attract funds, move value across platforms, and eventually reach off-ramps.
The report does not propose a simple fix, but its conclusions point to a clear direction for the industry. A security model focused only on exploits, private key theft, and smart contract vulnerabilities may no longer be enough. As fraud becomes more behavioral, more distributed, and more networked, exchanges and service providers may need to combine on-chain intelligence with more advanced transaction monitoring and user-risk analysis.
In practical terms, 2025 may be remembered as the year the crypto sector’s risk narrative changed. The headline breaches still matter, but the larger financial damage appears to be coming from scams that exploit trust rather than code. That shift raises difficult questions for platforms, investigators, and policymakers alike: how to detect consent-based deception, how to intervene before funds move, and how to preserve open access to digital assets without making them easier to weaponize at scale.

