AMLBot Report Finds Social‑Engineering Behind 65 % of Crypto‑Related Incidents in 2025
February 18, 2026
A recent internal study by blockchain analytics firm AMLBot reveals that the majority of cryptocurrency‑related thefts in 2025 were not the result of technical flaws in protocols or smart contracts, but rather the product of human‑targeted manipulation. The company’s analysis, based on roughly 2,500 investigations conducted throughout the year, shows that 65 % of the incidents involved some form of social engineering—ranging from phishing and impersonation scams to device compromises—while the remaining cases stemmed from code‑level vulnerabilities.
What the Data Shows
| Attack Category | Share of Cases | Notable Details |
|---|---|---|
| Investment‑related scams | 25 % | Fake opportunities and “pig‑butchering” schemes |
| Phishing attacks | 18 % | Fraudulent links used to harvest private keys |
| Device compromises | 13 % | Malware or remote access obtained via chat apps |
| Impersonation scams | 7 % | Actors posing as exchange staff, project leads, etc. |
| OTC fraud & other | 16 % (combined) | Includes over‑the‑counter fraud and other less common vectors |
The report also tracks monthly incident volume, noting a pronounced spike in January 2026 where scammers siphoned off $370 million—an eleven‑month high, according to security firm CertiK. Of that sum, $311 million was attributed to phishing‑type attacks, underscoring the potency of social‑engineering techniques.
Key Findings
- Human error eclipses code flaws – The 65 % figure demonstrates that, despite ongoing upgrades to blockchain security, attackers are increasingly bypassing technological safeguards by targeting the end user directly.
- Impersonation is the most damaging sub‑type – AMLBot traced at least $9 million in stolen assets over the past three months to attacks where perpetrators pretended to be trusted entities such as exchange support teams or project managers.
- Device compromise remains a significant gateway – About one‑in‑eight cases involved malicious takeover of a victim’s device via chat‑based scams, indicating that personal computers and mobile phones continue to be a weak link in the security chain.
- Investment‑related scams dominate case count – With a quarter of all incidents classified as bogus investment offers, the lure of high returns remains a primary motivator for victims.
- Monthly volatility – The January surge highlighted by CertiK mirrors AMLBot’s trend data, suggesting that scam activity can fluctuate sharply and may be tied to broader market sentiment or seasonal factors.
Expert Commentary
Slava Demchuk, CEO of AMLBot, emphasized that “technical hardening of protocols alone will not stop the theft of digital assets when attackers can simply persuade a user to hand over their private key.” He urged the crypto community to adopt a layered approach that couples robust on‑chain defenses with rigorous off‑chain hygiene, such as:
- Never sharing private keys, seed phrases, or recovery codes, regardless of how urgent a request appears.
- Verifying the identity of anyone claiming to represent an exchange or project—preferably through official support channels.
- Keeping devices up to date and employing reputable anti‑malware solutions to deter remote access.
Demchuk’s warning aligns with broader industry sentiment: the human element is now the most exploitable attack surface in the crypto ecosystem.
Implications for the Industry
- Protocol designers may need to reconsider user‑experience elements that can mitigate risky behavior, such as built‑in transaction confirmations or multi‑factor authentication that integrates with hardware wallets.
- Exchanges and custodians should reinforce communication policies, clearly marking official outreach and discouraging any request for private credentials.
- Regulators and policymakers could focus on consumer‑education initiatives, as awareness remains a critical factor in reducing loss rates.
Takeaways
| Takeaway | Action |
|---|---|
| Social engineering is the primary driver of crypto loss | Prioritize education on phishing, impersonation, and device security. |
| Impersonation scams cause the highest monetary damage | Establish strict verification protocols for any request involving funds. |
| Technical upgrades alone are insufficient | Combine protocol hardening with user‑centric security practices. |
| Monthly loss spikes can be abrupt | Monitor threat intelligence feeds for emerging scam trends. |
| Investment‑related fraud remains prevalent | Scrutinize any unsolicited investment offers and verify legitimacy. |
Looking Forward
AMLBot plans to expand its investigative scope in 2026, aiming to incorporate data from external partners and provide a more comprehensive view of the crypto threat landscape. As attackers refine their social‑engineering playbooks, the industry’s defensive posture will need to evolve in tandem, balancing cutting‑edge protocol security with robust user awareness programs.
The findings presented here are based on AMLBot’s internal casework and should not be interpreted as a definitive measurement of all crypto crime activity.
Source: https://cointelegraph.com/news/amlbot-2025-crypto-incidents-social-engineering-phishing-impersonation?utm_source=rss_feed&utm_medium=feed&utm_campaign=rss_partner_inbound
