Global crypto phishing losses fell by more than 80% in the last year, according to new data from blockchain security firm Scam Sniffer. The total losses resulting from wallet drainer phishing attacks reached $83.85 million, affecting 106,106 victims worldwide.

According to Scan Sniffer’s 2025 phishing report, there was an 83% drop in stolen funds and a 68% reduction in victims compared with 2024, when phishing scams drained nearly half a billion dollars from more than 330,000 users. 

The Web3 security group said the reduction was likely a result of the mixed bullish and bearish market cycles last year, where phishing activity went up at peak market performances and fell when user engagement on blockchain networks dropped. 

Crypto market valuation declines ‘sends away’ phishing scammers

Per Scam Sniffer’s analysis and chart data tracking the first quarter, when markets were declining, losses stood at $21.94 million, affecting slightly over 22,000 victims. When markets began to recover in the second quarter, phishing losses declined to $17.78 million from about 21,000 victims.

The third quarter was the most dangerous period for market participants because several assets had witnessed strong rallies, including Bitcoin, which peaked at $123,000, and Ethereum, which hit its all-time-high price at $4,946 in August. The price charge and bull market environment came with a surge in phishing activity, pushing losses to $31.04 million and impacting 40,000 victims. 

August and September alone accounted for 29% of total annual losses, making the quarter the most active for attackers. However, the last quarter of the year saw a pullback in phishing losses that fell to $13.09 million, by far the quietest part of 2025. 

Permit / Permit2 leads signature phishing theft methods 

The biggest single phishing theft last year resulted in a $6.5 million loss in September, where hackers made away with staked ether and wrapped bitcoin derivatives. The attackers used a method known as the Permit-style signature, a feat that made up 38% of losses among cases exceeding $1 million. 

Permit/Permit 2 signatures allow token spending approvals without direct transfers, which attackers take advantage of by disguising malicious permissions to appear as legitimate prompts and trick token holders into accepting them without question.

Other cases included a $3.13 million theft of wrapped Bitcoin in May using an approval escalation technique, and a $3.05 million loss of stablecoins in August through a direct transfer exploit. Yet, only 11 cases exceeded $1 million in the year, down from 30 the year before.

The data also showed a decline in the average loss per victim, which fell to $790, down from nearly $1,500 last year.

While the report focused on signature-based wallet drainer attacks, one of the most unforgettable cases occurred in February, when the Lazarus Group compromised a developer machine through a multisignature wallet provider within the Bybit crypto exchange. A malicious code was injected into a signing interface, enabling attackers to spoof legitimate approvals and steal approximately $1.46 billion.

Supply chain attacks were also among the most prevalent methods used, with attackers stealing developer credentials through phishing emails and injecting malicious code into open-source packages, backdooring hundreds of software libraries, and exfiltrating private information and security credentials.

Other campaigns phishing hackers used included compromised front-end interfaces, hijacked social media accounts, and spreading malware to steal private keys and authentication data. 

2025 closed with Google Task notification phishing abuse

In other news, the year ended with a sophisticated email phishing campaign in December, as hackers targeted more than 3,000 organizations in manufacturing by abusing Google’s cloud-based infrastructure.

Several users reported receiving emails that appeared as genuine task notifications, prompting recipients to complete an urgent “All Employees Task.” Victims who clicked buttons labeled “View task” or “Mark complete” were redirected to malicious pages hosted on trusted cloud storage services.

Because the messages were sent using legitimate application integration tools, they passed all major email authentication checks and walked past security gateways undetected. 

The smartest crypto minds already read our newsletter. Want in? Join them.