Nearly four out of five crypto projects that suffer a major hack never fully secure their foundations, according to Mitchell Amador, CEO of Web3 security platform Immunefi.
Amador told Cointelegraph that most protocols enter a state of paralysis the moment an exploit is discovered. “Most protocols are fundamentally unaware of the extent to which they are exposed to hacking and are not operationally prepared for a major security incident,” he said.
According to Amador, the first hours after an injury are often the most damaging. Without a pre-defined incident plan, teams hesitate, debate next steps, and underestimate how deep a compromise can go. “Decision-making slows down as teams try to figure out what happened, leading to improvisation and delayed action,” he said, adding that this is often when additional losses occur.
Projects often avoid pausing smart contracts for fear of damaging their reputation, while communication with users is completely cut off. Amador warned that silence increases panic, not curbs it.
“Nearly 80% of hacked projects never fully recover,” he said. “The primary reason is not the initial loss of funds, but the breakdown of operations and confidence during the response.”
Related: Truebit exploit exposes $26 million smart contract flaw behind token mint
Most projects don’t survive even after fixing a major hack
Trust has become the most fragile asset in cryptocurrency. Alex Katz, CEO and co-founder of Web3 security company Kerberus, said that even technically resolved incidents often mark the beginning of the end. “There are always exceptions, but in most cases, massive exploitation is a death sentence,” Katz said, noting that users leave, liquidity dries up and reputational damage becomes permanent.
While smart contracts exploit once-dominant titles, recent losses increasingly stem from operational and human error. “Human error is clearly the weakest link in crypto security,” Katz said, explaining that most losses now come from users authorizing malicious transactions, interacting with rogue interfaces, or unknowingly exposing their keys.
Earlier this month, a crypto user lost more than $282 million worth of Bitcoin (BTC) and Litecoin (LTC) in one of the largest social engineering attacks ever recorded in the crypto sector. The user was allegedly scammed by an attacker posing as Trezor support who tricked them into revealing their hardware wallet seed phrase.
Crypto-related hacks surged in 2025, with attackers targeting major platforms and individual wallets, pushing total losses to $3.4 billion, the highest level since 2022. Just three incidents, including the $1.4 billion Bybit hack, accounted for 69% of all losses through early December.
“Beyond Bybit, we’ve seen an increase in similar attacks that completely bypass smart contracts and exploit protocol vulnerabilities,” Amador noted.
Advances in artificial intelligence have only made these attacks more effective. Amador said social engineering campaigns can now scale quickly, allowing attackers to send thousands of customized phishing messages a day.
Related: The Hidden Risk of Public WiFi: How One Approval Wiped Out a Crypto Wallet
2026 could be the strongest crypto year yet
Despite the grim statistics, crypto experts remain optimistic. Amador believes that smart contract security is improving faster than ever, driven by better development practices, stronger audits and more mature tools. “I think 2026 will be the strongest year yet for smart contract security,” he said, pointing to the growing adoption of onchain monitoring, firewalls and threat intelligence.
However, the unsolved problem is the readiness to respond. Amador emphasized that teams should act decisively and communicate immediately when an incident occurs, even if the full scope is unclear. He argued that pausing the protocol early is far less harmful than allowing uncertainty to grow.
Magazine: How Crypto Laws Changed in 2025 — and How They Will Change in 2026
