
The $1.22 Hack: Ledger's CTO Says AI Has Broken Crypto Security Economics

· 13 min read
Dora Noda
Software Engineer

A working smart contract exploit now costs about $1.22 in API credits to generate. That single number, surfaced by Anthropic's red team in late 2025 and reinforced by an academic exploit-generator that extracted up to $8.59 million per attack, is the backdrop to the warning Ledger CTO Charles Guillemet issued on April 5, 2026: artificial intelligence is not breaking cryptography. It is breaking the economics of crypto security, and the industry's traditional defenses were never priced for this regime.

If 2024 was the year AI rewrote how developers ship code, 2026 is the year it rewrote how attackers ship exploits. The asymmetry has flipped so fast that even the firms that have spent a decade building hardware wallets are now asking whether the entire trust model needs a rewrite.

What Guillemet Actually Said

Speaking publicly in early April, Guillemet, the chief technology officer at Ledger and a longtime hardware security researcher, laid out an uncomfortable thesis. The cost-to-attack curve for crypto is collapsing because large language models are now competent enough to do the hardest parts of an attacker's job: read unfamiliar Solidity, reason about a contract's state machine, generate plausible exploit transactions, and iterate against a forked copy of chain state until one of them works.

His framing was deliberately economic. Cryptography is not weaker today than it was in 2024. Hash functions still hash. Elliptic curves still curve. What changed is that the labor input behind a successful attack — the senior auditor's eye, the months of patient reverse engineering — has been compressed into a budget line that fits inside a single Anthropic or OpenAI invoice. "We are going to produce a lot of code that will be insecure by design," Guillemet warned, pointing to the second-order effect of developers shipping AI-generated Solidity faster than reviewers can read it.

Ledger's number for last year's losses sits at roughly $1.4 billion in directly attributable hacks and exploits, with broader scam-and-fraud totals reaching far higher depending on whose accounting you accept. Chainalysis put 2025's total stolen-funds figure at $3.4 billion. CoinDesk's January 2026 retrospective pegged the wider scam-and-impersonation universe at as much as $17 billion. Whichever figure you trust, the trend line is the wrong direction, and Guillemet's argument is that the trajectory is now AI-shaped.

The Anthropic Number That Changed The Conversation

In December 2025, Anthropic's own red team published results from SCONE-bench — a benchmark of 405 smart contracts that were actually exploited between 2020 and 2025. The headline statistic was blunt. Across all 405 problems, modern frontier models produced turnkey exploits for 207 of them, a 51.11% hit rate, totaling $550.1 million in simulated stolen value.

More disturbingly, when the same agents were pointed at 2,849 freshly deployed contracts that had no known vulnerabilities, both Claude Sonnet 4.5 and GPT-5 surfaced two genuine zero-days and produced working exploits worth $3,694 — at an API cost of roughly $3,476. That ratio is barely break-even on paper, but it dismantles the assumption that zero-day discovery requires a human team.

Independent academic work tells the same story from the other side. The "A1" system, published on arXiv in 2025 and updated through early 2026, wraps any LLM with six domain-specific tools (bytecode disassemblers, fork executors, balance trackers, gas profilers, oracle spoofers, and state mutators) and points it at a target contract. A1 hit a 62.96% success rate on the VERITE exploit dataset, against 37.03% for the previous fuzzing baseline, ItyFuzz. Per-attempt costs ran from $0.01 to $3.59. The largest single payday it modeled was $8.59 million.

These are not theoretical numbers. They are the input cost of an exploit. And once that input cost reaches the price of a fast-food meal, the question stops being "can attackers afford this" and starts being "can defenders afford to miss anything."

The 1000:1 Throughput Mismatch

Here is the part of the picture that audit firms are still struggling to articulate. Auditors charge per engagement. They review one codebase at a time, often over weeks, and their AI tooling — when they use it — is bolted onto a workflow with humans in the loop and bills to send. Attackers, by contrast, can rent the same models, point them at thousands of contracts in parallel, and only pay when something works.

A Frontiers in Blockchain paper from early 2026 captured the asymmetry in a single line: an attacker turns a profit at roughly $6,000 in extractable value, while a defender's break-even is closer to $60,000. The 10x gap is not because defense is technically harder. It is because a defender pays to scan every contract it protects, on every release, and at best avoids a loss, while an attacker pays per attempt and only needs one of them to land.

Stack that against the volume mismatch — call it 1000:1 between contracts an attacker can scan and contracts an audit firm can review — and you arrive at Guillemet's conclusion almost mechanically. No audit budget can close this gap. The economics simply do not work.

What 2026's Big Hits Already Tell Us

The hacks that have actually landed in 2026 do not all read as "AI exploit" stories on the surface. The two largest losses of the year so far are sobering reminders that LLM-assisted attack tooling is layered on top of older, more boring techniques.

On April 1, 2026, Drift Protocol on Solana lost $285 million, over half its TVL, in an attack that TRM Labs and Elliptic both attributed to North Korea's Lazarus Group. The mechanism was social engineering, not a Solidity bug. Attackers spent months building relationships with the Drift team, then abused Solana's "durable nonce" feature to get Security Council members to pre-sign transactions whose effect they did not understand. A durable-nonce transaction is not tied to a recent blockhash, so its signature does not expire: a signature collected under a pretext can be held for days and broadcast whenever it suits the attacker. Once admin control flipped, the attackers whitelisted a worthless token (CVT) as collateral and used it to drain real USDC, SOL, and ETH.
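
What a signing policy that blocks this shape of request looks like, as an added example that is not Drift's or Ledger's code. The transaction model (program id, decoded instruction name, decoded arguments), the admin program id and its instruction names are constructed for the example; the one real Solana detail it relies on is that a durable-nonce transaction begins with the System Program's AdvanceNonceAccount instruction.

```python
"""Pre-signing policy for a multisig or security-council signer.

Added example; not Ledger's or Drift Protocol's code.  The transaction shape
(program id, decoded instruction name, decoded args) is a constructed
simplification, not Solana's wire format, and ADMIN_PROGRAM and its
instruction names are hypothetical.  One real Solana fact is used: a
durable-nonce transaction carries the System Program's AdvanceNonceAccount
as its first instruction, which is what keeps the signature valid after the
recent-blockhash window would otherwise have expired.
"""
from dataclasses import dataclass, field
from typing import Optional

SYSTEM_PROGRAM = "11111111111111111111111111111111"   # real Solana System Program id
ADMIN_PROGRAM = "AdminProgramExampleId"                # hypothetical admin program


@dataclass(frozen=True)
class Instruction:
    program_id: str
    name: Optional[str]                   # None: signer tooling could not decode the data
    args: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Transaction:
    instructions: tuple


# Instructions a council member may sign in a routine session.
ROUTINE = {(ADMIN_PROGRAM, "pause_market"), (ADMIN_PROGRAM, "update_fee")}
# Instructions that change what the protocol accepts as collateral or who
# controls it; these need a scheduled ceremony, never an ad-hoc signature.
HIGH_RISK = {"whitelist_collateral", "transfer_admin", "set_security_council"}


def is_durable_nonce(tx):
    """True when the first instruction is the System Program's nonce advance."""
    first = tx.instructions[0] if tx.instructions else None
    return (first is not None and first.program_id == SYSTEM_PROGRAM
            and first.name == "AdvanceNonceAccount")


def review_for_signing(tx, routine=ROUTINE):
    """Return the reasons to refuse; an empty list means the signer may proceed."""
    findings = []
    if is_durable_nonce(tx):
        findings.append("durable nonce: signature would never expire and could be held "
                        "and broadcast later; refuse outside a scheduled ceremony")
    for i, ins in enumerate(tx.instructions):
        if i == 0 and is_durable_nonce(tx):
            continue  # already reported above
        if ins.name is None:
            findings.append(f"instruction {i}: undecodable data; do not sign what you cannot read")
        elif ins.name in HIGH_RISK:
            findings.append(f"instruction {i}: {ins.name} changes collateral or control; "
                            "requires a separate ceremony")
        elif (ins.program_id, ins.name) not in routine:
            findings.append(f"instruction {i}: {ins.program_id}:{ins.name} is not on the routine allow-list")
    return findings


def should_sign(tx):
    return not review_for_signing(tx)


# Constructed transactions for the example.
ROUTINE_TX = Transaction((Instruction(ADMIN_PROGRAM, "pause_market", {"market": "SOL-PERP"}),))

# The shape of the request in the Drift incident: a durable-nonce transaction
# that whitelists an unknown token as collateral.
PRESIGN_REQUEST = Transaction((
    Instruction(SYSTEM_PROGRAM, "AdvanceNonceAccount", {"nonce_account": "Nonce111"}),
    Instruction(ADMIN_PROGRAM, "whitelist_collateral", {"mint": "CVT", "weight": 1.0}),
))

if __name__ == "__main__":
    print("routine tx signable:", should_sign(ROUTINE_TX))
    for reason in review_for_signing(PRESIGN_REQUEST):
        print("refuse:", reason)
```

Durable nonces exist precisely so that offline hardware signers can sign ahead of time, so the rule refuses them in ad-hoc requests rather than everywhere. The point of the other two checks is that a council member never signs an instruction the tooling cannot render, and never signs one that changes collateral or control outside a scheduled ceremony, whichever key is doing the signing.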

Eighteen days later, Kelp DAO took a $292 million hit through its LayerZero-powered bridge — now the largest DeFi exploit of 2026. The attacker convinced LayerZero's cross-chain messaging layer that a valid instruction had arrived from another network, and Kelp's bridge dutifully released 116,500 rsETH to an attacker-controlled address. Lazarus again, by most attributions.

What does this have to do with AI? Two things. First, the reconnaissance that makes long-tail social engineering possible — profile-mapping, message-tone matching, picking the right moment in a target's calendar — is exactly what LLMs are good at. CertiK's 2026 forecast already names phishing, deepfakes, and supply-chain compromise as the dominant attack vectors for the year, and notes a 207% jump in phishing losses from December 2025 to January 2026 alone. Second, AI lowers the barrier to parallel operations: where a Lazarus-grade team could run a few campaigns at a time in 2024, AI tooling lets a much smaller crew run dozens.

A reminder of how granular this can get came in April 2026 when Zerion, a popular wallet app, disclosed that attackers used AI-driven social engineering to drain roughly $100,000 from its hot wallets. The number is small by 2026 standards. The technique — AI generating the impersonation script, AI generating the fake support page, AI generating the phishing email — is what Guillemet is warning about.

Why "Just Audit Harder" Is Not An Answer

The instinctive industry response is to fund more audits. That response is missing the shape of the problem.

Audits scale linearly with auditor hours. Attacks now scale with API credits. Even if every Tier-1 audit firm doubled headcount tomorrow, attacker throughput would still pull away, because anyone with an API key and a basic understanding of Solidity can now run continuous offensive scans across the entire deployed contract universe, and that throughput grows with compute rather than with hires.

Worse, audits review code at a moment in time. AI-generated code is being shipped continuously, and Guillemet's "insecure by design" warning suggests the bug-introduction rate is going up, not down. A 2026 study cited by the blockchain-security community found that LLM-assisted Solidity authorship correlates with subtle reentrancy and access-control mistakes that human reviewers, fatigued by reading machine-formatted code, miss at higher rates than they miss the same bugs in human-authored code.

The honest framing is that audits remain necessary but not sufficient. The actual answer Guillemet pushes — and that Anthropic's own red team echoes — is structural.

The Defensive Stack That Actually Survives This

Three categories of defense plausibly scale against AI-accelerated offense, and all three are uncomfortable for the part of the industry that has optimized for shipping speed.

Formal verification. Tools like Certora, Halmos, and increasingly the verification stacks bundled with Move (Sui, Aptos) and Cairo (Starknet) treat correctness as a math problem rather than a review problem. If a property is proved, no amount of AI fuzzing can break it. Two caveats a practitioner should keep in view: the proof covers only the property that was written down, so a missing invariant or a wrong assumption about oracles and callers is not covered, and tools such as Halmos work by bounded symbolic execution, so the guarantee holds up to the explored bound. The trade-off is engineering effort: writing meaningful invariants is hard, slow, and unforgiving. But it is one of the few defenses whose cost does not scale with the attacker's compute.

Hardware roots of trust. Ledger's own product line is the obvious example, but the broader category includes secure enclaves, MPC custody, and emerging zero-knowledge attestation primitives. The principle is the same: take the most consequential action, signing a transaction, and force it through a substrate that an LLM-driven phishing campaign cannot reach. The caveat is the Drift lesson: the device still signs whatever the human approves, so the protection only materialises when the device can show the signer what the transaction does and the signer refuses anything it cannot decode, including pre-signed durable-nonce transactions that never expire. Guillemet's "assume systems can and will fail" framing is essentially an argument for moving signing authority off general-purpose computers.

AI-on-AI defense. Anthropic's December 2025 paper makes the case that the same agents capable of generating exploits should be deployed to generate patches. In practice this means continuous AI-driven monitoring of mempools, deployed contracts, and admin-key behavior — flagging anomalies the way fraud-detection systems do for traditional banking. The economics are imperfect (defender costs are still higher than attacker costs) but they at least put both sides on the same compute curve.
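
What the admin-key monitoring described above can look like as one concrete rule, as an added example rather than Anthropic's, BlockEden's or any vendor's code. The event feed is constructed JSON lines in a hypothetical schema (type, unix time, actor, asset, amount); a deployment would fill it from an indexer or RPC subscription. The rule encodes the Drift sequence from earlier in the article: a configuration change by an admin key, then a large withdrawal of a different asset shortly after.

```python
"""Correlating admin configuration changes with large outflows.

Added example; not Anthropic's, BlockEden's or any vendor's monitoring code.
EVENTS is constructed JSON lines in a hypothetical schema; a real deployment
would feed this function from an indexer.  The rule encodes the sequence the
Drift incident shows: an admin key changes accepted collateral, someone
deposits the newly accepted asset, and a large withdrawal of a different
asset follows shortly after.
"""
import json

# Constructed sample feed (times are unix seconds, amounts in base units).
EVENTS = """\
{"type": "deposit", "t": 1000, "actor": "user_a", "asset": "USDC", "amount": 5000000}
{"type": "admin_config", "t": 1100, "actor": "council", "change": "whitelist_collateral", "asset": "CVT"}
{"type": "deposit", "t": 1160, "actor": "user_x", "asset": "CVT", "amount": 1000000000}
{"type": "withdraw", "t": 1200, "actor": "user_x", "asset": "USDC", "amount": 4500000}
{"type": "withdraw", "t": 9000, "actor": "user_a", "asset": "USDC", "amount": 20000}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_config_then_outflow(events, window_s=3600, min_amount=1_000_000):
    """Alert on withdrawals of at least min_amount that land within window_s
    seconds of an admin config change.  Escalate to 'critical' when the
    withdrawer deposited the newly whitelisted asset in between: that is the
    worthless-collateral-against-real-assets pattern."""
    recent_changes = []      # admin_config events still inside the window
    fresh_collateral = {}    # actor -> set of newly whitelisted assets they deposited
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        recent_changes = [c for c in recent_changes if ev["t"] - c["t"] <= window_s]
        if ev["type"] == "admin_config":
            recent_changes.append(ev)
        elif ev["type"] == "deposit":
            if any(c.get("asset") == ev["asset"] for c in recent_changes):
                fresh_collateral.setdefault(ev["actor"], set()).add(ev["asset"])
        elif ev["type"] == "withdraw" and ev["amount"] >= min_amount and recent_changes:
            trigger = recent_changes[-1]
            uses_fresh = bool(fresh_collateral.get(ev["actor"]))
            alerts.append({
                "severity": "critical" if uses_fresh else "high",
                "t": ev["t"],
                "actor": ev["actor"],
                "asset": ev["asset"],
                "amount": ev["amount"],
                "trigger": trigger["change"],
                "trigger_asset": trigger.get("asset"),
                "seconds_after_change": ev["t"] - trigger["t"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_config_then_outflow(parse_events(EVENTS)):
        print(alert)
```

A rule like this is a tripwire, not a proof: it fires after the first large withdrawal, so it only pays for itself if it is wired to something that pauses withdrawals or wakes a human within minutes, and a legitimate listing followed by a large but honest withdrawal will trigger it too. That is the imperfect economics the paragraph above describes, but a tripwire that runs on every block is still cheaper than the audit that would have had to anticipate the sequence.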

The pattern across all three is the same: stop relying on humans-in-the-loop for the fast parts of security, and reserve human judgment for the slow, expensive, structural parts.

What This Means For Builders Right Now

For teams shipping in 2026, Guillemet's warning translates into a few concrete shifts:

  • Treat AI-generated code as untrusted by default. Run it through formal verification or property-based testing before it touches mainnet, regardless of how clean it looks.
  • Move admin keys behind hardware, and make the signer read what it signs. Multi-sig with hot signers is no longer an acceptable security posture for treasury-grade contracts; the Drift incident proved that even "trusted" team members can be socially engineered into pre-signing destructive transactions. A hardware key that approves an undecoded, non-expiring durable-nonce transaction is a hot key in effect: refuse ad-hoc pre-signing requests, and put collateral-list and admin-transfer changes behind a timelock so a single signature cannot both whitelist an asset and drain against it.
  • Assume your phishing surface is bigger than your code surface. The Zerion drain ($100K) and the broader 207% phishing jump suggest the cheapest attacker dollar is still aimed at humans, not at Solidity.
  • Budget for continuous, automated monitoring. A weekly audit cadence is not a defense against an attacker that runs SCONE-bench-grade tooling 24/7.
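
The invariant-testing step in the first bullet, as an added example written in Python rather than Solidity and not code from any project named on the page. It models a vault with the classic reentrancy ordering bug, states one invariant (the ether the contract holds equals the sum of the balances it has promised), and drives random operation sequences against both the vulnerable version and the checks-effects-interactions version; the vault, the attacker contract and the harness are all constructed here.

```python
"""Property-based invariant check for a toy vault with a reentrancy bug.

Added example; not code from Ledger, Anthropic, or the page.  The vault, the
attacker contract and the random-sequence harness are constructed here in
Python to model the Solidity pattern, so the check runs offline without a
chain.  Property under test: the ether the contract holds must always equal
the sum of the balances it has promised to depositors.
"""
import random


class Revert(Exception):
    """Models an EVM revert raised by a contract call."""


class Vault:
    """Escrow that records per-depositor balances and the ether it really holds."""

    def __init__(self, safe):
        self.safe = safe          # True: checks-effects-interactions ordering
        self.balances = {}
        self.ether = 0            # ether actually held by the contract

    def deposit(self, user, amount):
        if amount <= 0:
            raise Revert("zero deposit")
        self.balances[user] = self.balances.get(user, 0) + amount
        self.ether += amount

    def withdraw_all(self, user):
        amount = self.balances.get(user, 0)
        if amount == 0:
            raise Revert("nothing to withdraw")
        if self.safe:
            self.balances[user] = 0       # effect before the external interaction
            self._send(user, amount)
        else:
            self._send(user, amount)      # interaction first: a re-entrant call sees the stale balance
            self.balances[user] = 0

    def _send(self, user, amount):
        if amount > self.ether:
            raise Revert("insufficient ether")
        self.ether -= amount
        user.receive(self, amount)        # external call; the receiver may re-enter


class Honest:
    def receive(self, vault, amount):
        pass


class Attacker:
    """Re-enters withdraw_all from its receive hook while the vault can still pay."""

    def receive(self, vault, amount):
        if vault.ether >= amount:
            try:
                vault.withdraw_all(self)
            except Revert:
                pass  # a failed inner call is ignored, like an unchecked low-level call


def invariant_holds(vault):
    return vault.ether == sum(vault.balances.values())


def direct_drain(safe):
    """Deterministic scenario: honest deposit of 10, attacker deposit of 5, attacker
    withdraw_all.  Returns (ether left in the vault, sum of promised balances)."""
    vault, honest, attacker = Vault(safe), Honest(), Attacker()
    vault.deposit(honest, 10)
    vault.deposit(attacker, 5)
    vault.withdraw_all(attacker)
    return vault.ether, sum(vault.balances.values())


def find_counterexample(safe, seed=0, runs=200, steps=12):
    """Random-sequence property test.  Returns the first operation trace that
    breaks the invariant, or None if none of `runs` sequences breaks it."""
    rng = random.Random(seed)
    for _ in range(runs):
        vault = Vault(safe)
        actors = [Honest(), Honest(), Honest(), Attacker()]
        trace = []
        for _ in range(steps):
            actor = rng.choice(actors)
            try:
                if rng.random() < 0.6:
                    amount = rng.randint(1, 10)
                    trace.append((type(actor).__name__, "deposit", amount))
                    vault.deposit(actor, amount)
                else:
                    trace.append((type(actor).__name__, "withdraw_all"))
                    vault.withdraw_all(actor)
            except Revert:
                pass
            if not invariant_holds(vault):
                return trace
    return None


if __name__ == "__main__":
    print("vulnerable:", direct_drain(safe=False), "counterexample:", find_counterexample(safe=False))
    print("hardened:  ", direct_drain(safe=True), "counterexample:", find_counterexample(safe=True))
```

The same invariant written as a Halmos or Certora property would be explored symbolically rather than by random sequences, which is what turns a counterexample search into a proof. Either way the property has to be written down first, and that is the artifact AI-generated Solidity never ships with.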

None of these are new ideas. What changed is the urgency curve. In the pre-LLM era, an organization could survive lapses in any one of these areas if the others were strong. In 2026, the cost asymmetry is too steep for that kind of slack.

The Honest Read

It is tempting to read Guillemet's warning as Ledger talking its book: a hardware-wallet vendor naturally argues for hardware. That reading would be a mistake. The same case is being made independently by Anthropic's red team behind SCONE-bench, by the academic group behind A1, by CertiK's 2026 forecast, and by chain-analytics firms watching the monthly hack totals. The industry consensus is converging on a single point: the cost of a competent exploit has dropped by one to two orders of magnitude, and the defensive stack must move accordingly.

What is genuinely new is that this is the first major asymmetric shift in crypto security since the early 2020 DeFi-summer wave of audit demand. That wave produced a generation of audit firms, bug-bounty platforms, and formal-verification startups. The 2026 wave will produce something else: continuous AI-monitored infrastructure, hardware-rooted signing as a default, and a much harsher skepticism of any contract whose security model still depends on "we'll catch it in review."

Guillemet's $1.22 number — even if that exact figure was Anthropic's, not Ledger's — is the kind of statistic that ends an era. The era it ends is the one where attacker labor was the bottleneck. The era it begins is the one where the bottleneck is whatever the defender has not yet automated.

BlockEden.xyz operates blockchain RPC and indexing infrastructure across Sui, Aptos, Ethereum, Solana, and 20+ other networks, with AI-assisted anomaly monitoring built into the request path. If you are rebuilding your security posture for the post-LLM threat landscape, explore our infrastructure services or reach out to discuss continuous monitoring for your protocol.
