
58 posts tagged with "Security"

Cybersecurity, smart contract audits, and best practices


a16z's 'Rules as Law' Vision: How AI-Assisted Formal Verification and Runtime Guardrails Are Reshaping DeFi Security

· 9 min read
Dora Noda
Software Engineer

In December 2025, Anthropic's researchers pointed an AI agent at 405 real-world exploited smart contracts. The agent produced working exploits for 207 of them — 51% — draining $550 million in simulated funds. The cost per successful exploit? Just $1.22.

That single data point captures the existential crisis facing decentralized finance in 2026. The $3.4 billion lost to crypto hacks in 2025 was not a failure of effort — most attacked protocols had been audited, some multiple times. It was a failure of paradigm. And now, a16z Crypto is proposing a radical replacement: abandon "code is law" and embrace "spec is law," where mathematically proven safety properties and real-time runtime guardrails make most exploits structurally impossible.

ARK Invest Quantifies Bitcoin's Quantum Threat: 34.6% of Supply at Risk, but the Clock Isn't Ticking Yet

· 9 min read
Dora Noda
Software Engineer

A joint whitepaper from ARK Invest and Unchained has done something no one else has managed at this scale: it puts a precise number on how much Bitcoin is exposed to quantum computing attacks. The answer — 34.6% of total supply, roughly $240 billion at current prices — is simultaneously alarming and reassuring. Alarming because it quantifies what was previously handwaved as a distant hypothetical. Reassuring because the report also demonstrates that the remaining 65.4% of BTC sits safely behind cryptographic hashing that quantum computers cannot crack, and that the industry likely has a decade to prepare.

Flow's $3.9M Exploit and the Rollback That Almost Was: How 48 Hours Tested Blockchain's Deepest Promise

· 9 min read
Dora Noda
Software Engineer

On December 27, 2025, an attacker exploited a vulnerability in Flow's execution layer, minted 87.4 billion counterfeit tokens, and drained $3.9 million through cross-chain bridges before validators could slam the brakes. What happened next wasn't just a technical post-mortem — it became one of the most revealing governance crises in blockchain history, forcing the industry to confront a question it has been dodging since Ethereum's DAO fork in 2016: when a blockchain breaks, who gets to rewrite history?

MoonPay x Ledger: Why the First Hardware-Secured AI Agent Wallet Changes Everything

· 8 min read
Dora Noda
Software Engineer

An AI agent built by an OpenAI engineer accidentally sent $450,000 in tokens to a stranger on X who asked for $310 worth of SOL. No hack. No exploit. Just a session reset, a missing guardrail, and an irreversible blockchain transaction. The Lobstar Wilde incident in February 2026 was a wake-up call: if autonomous agents are going to handle real money, the industry needs a fundamentally different security model.

On March 13, 2026, MoonPay answered with one. Its CLI wallet now ships with native Ledger hardware signer support — making MoonPay Agents the first AI agent platform where every on-chain transaction must pass through a physical device before execution. Private keys never touch the agent runtime. The agent proposes; the human disposes.

TRM Labs Hits $1B Valuation: How Crypto's Crime-Fighting Infrastructure Became Essential

· 8 min read
Dora Noda
Software Engineer

Every dollar stolen in crypto creates demand for someone who can trace it. In 2025, criminals moved a record $158 billion through illicit cryptocurrency channels — a 145% surge from the prior year and the highest level in five years. That staggering number explains why TRM Labs, the blockchain intelligence startup that helps governments and corporations follow the money, just crossed the $1 billion valuation threshold.

In February 2026, TRM announced a $70 million Series C round led by Blockchain Capital, with participation from Goldman Sachs, Galaxy Ventures, Bessemer Venture Partners, DRW Venture Capital, Citi Ventures, and Y Combinator. The raise brought total funding to $220 million and valued the company at over $1 billion — unicorn status in an industry where the product is making crime unprofitable.

Address Poisoning: The Silent Scam Draining Millions One Copy-Paste at a Time

· 8 min read
Dora Noda
Software Engineer

A single copy-paste mistake cost one crypto trader $50 million in December 2025. No smart contract was exploited. No private key was compromised. The victim simply copied a wallet address from their transaction history — one that looked almost identical to the real thing but belonged to an attacker. Welcome to address poisoning, DeFi's most insidious and underestimated attack vector.

How a Developer Comment Aged Into a $128M Catastrophe: The Balancer Rounding Exploit

· 8 min read
Dora Noda
Software Engineer

Buried in Balancer's smart contract code, right above the function that would eventually hemorrhage $128 million, sat a developer comment: "the impact of this rounding is expected to be minimal." They were wrong — by nine figures.

On November 3, 2025, an attacker exploited a microscopic rounding error in Balancer V2's Composable Stable Pools, draining funds across nine blockchain networks in under 30 minutes. It was not a flashy reentrancy attack or a compromised private key. It was arithmetic — the kind of bug that hides in plain sight, passes multiple audits, and waits patiently for someone clever enough to weaponize it.

Bybit's $1.5B Hack One Year Later: 88% Traceable, Only 3% Frozen — What Went Wrong

· 10 min read
Dora Noda
Software Engineer

On February 21, 2025, North Korea's Lazarus Group executed the largest cryptocurrency theft in history — $1.5 billion in Ethereum drained from Bybit's cold wallet in a single transaction. One year later, the numbers tell a sobering story: while blockchain analytics firms initially tracked 88.87% of the stolen funds, only 3.54% has been frozen. The rest sits in thousands of wallets, waiting.

This is not just a heist story. It is a case study in how a nation-state hacking operation outmaneuvered an entire industry's security infrastructure, and what the crypto world learned — and failed to learn — in the twelve months since.

AI-Powered Crypto Scams Surge 1,400%: Inside the $17 Billion Fraud Epidemic Reshaping Digital Asset Security

· 8 min read
Dora Noda
Software Engineer

When a single phishing call impersonating Trezor support cost one investor $284 million in January 2025 — 71% of the entire month's adjusted crypto fraud losses — it became impossible to dismiss crypto scams as a retail problem. The Chainalysis 2026 Crypto Crime Report confirms what security researchers feared: artificial intelligence has industrialized cryptocurrency fraud, and the numbers are staggering.