Hook
On a Tuesday morning in late 2025, a developer known for maintaining a widely-used open-source AI assistant logged into his GitHub account to find a repository he had never written. It contained a token contract, a pre-filled liquidity pool address, and a deployment script. Within three hours, that token hit a market cap of over $16 million. The developer—let us call him Alex Steinberger—had no memory of pushing that code. His account had been hijacked, his identity cloned, and his reputation turned into a launchpad for a pump-and-dump scheme that drained capital from hundreds of investors before the blockchain could finalize the block. The incident was not a failure of code. It was a failure of the entire forensic apparatus we rely on to keep this ecosystem safe.
Over the past seven days, I have reviewed the latest industry data from Chainalysis, TRM Labs, and the FBI. The numbers are sobering: in 2025, total crypto-related fraud losses exceeded $17 billion, nearly double the $9.9 billion reported in 2024. But the headline number masks a deeper structural shift. The average loss per successful scam has increased by 4.5 times, driven by a new generation of AI-enabled attackers who are not just faster, but smarter—they study our defenses, learn from them, and evolve before we can patch. This is not a story about bugs in smart contracts. It is a story about the fundamental asymmetry between the tools we build to protect and the minds we build them against.
Context: The Forensic Stack We Rely On
To understand the problem, we must first understand the tools that have defined blockchain security for the past decade. Since the early days of Bitcoin, the crypto ecosystem has depended on a layer of forensic software that sits above the ledger, watching the flow of funds and trying to make sense of the pseudonyms. Chainalysis, TRM Labs, Elliptic, and a handful of other firms have built businesses around this capability. Their core product is entity attribution: the ability to cluster addresses, map transaction patterns, and link on-chain activity to real-world identities or organizations. Over 45 national governments now license these tools, and every major exchange integrates them into their compliance workflow. In 2024 alone, these tools helped freeze or recover approximately $34 billion in illicit funds. That number sounds impressive—until you compare it to the $17 billion that got away.
The forensic stack has evolved through three generations. The first generation was purely reactive: given a compromised address, an analyst would trace the flow of funds using block explorers and public databases, relying on manual deduction. The second generation added clustering and heuristic rules: if two addresses spent from the same known exchange withdrawal, they were likely controlled by the same entity. The third generation, now being deployed, uses machine learning to assign risk scores to addresses before any crime occurs. One unnamed platform claims to have scored 14 million wallets with 98% accuracy at predicting future malicious behavior. But accuracy is a tricky metric when your adversary is also reading the training data.
The core assumption behind these tools is that the attacker’s behavior leaves a trace that can be recognized retroactively. That assumption holds when the attacker uses a fixed playbook—repeatable infrastructure, known wallet patterns, typical social-engineering scripts. But AI changes that assumption fundamentally. An AI-powered attacker can generate infinite variations of phishing messages, deepfake videos, and even deploy autonomous agents that probe a network’s defenses and adapt in real time. The forensic tools, trained on static datasets, become less effective with every new variant. The ledger remembers, but the algorithm forgets. And the attacker knows what the algorithm remembers.
Core: The Asymmetric Economics of AI Fraud
Let me walk through the numbers that matter. According to multiple industry reports, AI-enabled scams in 2025 averaged a return on investment 4.5 times higher than traditional, non-AI scams. This is not a marginal improvement. This is a step-change in economic efficiency. Attackers can now automate the generation of persuasive phishing messages tailored to individual victims, create lifelike deepfake calls impersonating exchange support agents, and deploy automated arbitrage bots that exploit prediction models’ blind spots. The cost of these attacks has dropped to near zero, while the potential payout has soared.
The data from the FBI’s NexusFund operation is instructive. In 2025, the Bureau infiltrated a sophisticated fraud network that was using AI to clone the voices of executives at a major exchange. They posed as the CEO, called the chief financial officer, and instructed him to transfer $2.2 million in USDC to a “new liquidity pool.” The transfer was initiated. The finance officer hesitated—a human delay—and contacted the real CEO via a separate channel. The attack was thwarted. But the fact that it got that far should terrify us. The AI-generated voice was indistinguishable from the real CEO’s on a phone call. The email thread showed a perfect replica of the company’s internal formatting. The attacker had scraped weeks of public Zoom recordings to train the model.
This is not an isolated case. Chainalysis reports that the top five types of AI-augmented fraud—impersonation, investment scam automation, deepfake wallet draining, account takeover via automated credential stuffing, and synthetic identity creation—accounted for 62% of all crypto fraud losses in 2025. The remaining 38% includes traditional issues like rug pulls and hacks, but even those categories are increasingly nested inside AI-driven social engineering. The attacker no longer needs to find a smart contract bug. They just need to convince the holder of the private key to sign the wrong transaction.
I have seen this shift firsthand. In 2020, while working as a junior quant in Nairobi, I modeled the impact of MakerDAO’s stability fee hikes on local stablecoin users. Back then, the threat was mostly irrational exuberance—people misunderstanding risk, not being actively deceived by machines. The difference now is not just scale, but intelligence. The AI does not sleep. It does not make spelling mistakes. It learns from every failed attempt.
The “Prediction Trap”: Why Forecasting Fails When the Adversary Learns
The most advanced forensic tools claim to predict malicious behavior before it happens. They look at 14 million wallets, assign risk scores, and flag addresses that exhibit patterns correlated with past attacks. The reported 98% accuracy sounds promising. But accuracy is a static metric in a dynamic environment. The moment an attacker knows that a certain behavior pattern flags their wallet, they change the pattern. They can test their new behavior against the model—because the model is a piece of software, and they can scrape its outputs through public APIs or reverse-engineer its logic by observing which addresses get flagged. This is the prediction trap: a model that predicts yesterday’s attacks perfectly is a blueprint for tomorrow’s evasion.
I experienced a version of this during my 2017 audit of Gnosis Safe. We optimized gas costs by restructuring the factory pattern, but we also learned that any optimization creates a fingerprint. An attacker who knows our pattern can mimic or avoid it. The same principle applies to predictive models. If you train a classifier on past scams, the future scam will look different from the past. And with generative AI, the attacker can generate thousands of variations in minutes, selecting only the ones that pass the classifier’s threshold. The model becomes a sieve, not a wall.
Furthermore, the 98% accuracy figure raises a statistical alarm. In a universe of 14 million wallets, a 2% false negative rate means 280,000 misclassified addresses. Those 280,000 are the exact wallets that the most sophisticated attackers will target, because they know they are invisible. The effective accuracy for high-value, AI-generated attacks may be much lower. The trust we place in these tools is borrowed, and it is never owned.
The Contrarian Angle: The Tools Are Making the Problem Worse
Here is the uncomfortable conclusion that most industry commentary avoids: the current generation of forensic tools may be contributing to the escalation of AI fraud. How? By creating a public record of what law enforcement looks for. Every time a forensic firm publishes a blog post about a new detection technique, every time a conference presentation walks through a case study, every time a government report details a successful takedown—the attacker feeds that information into their own models. They use the same data to reverse engineer the detection logic. They can simulate the forensic tool’s view of the chain and adjust their own behavior to avoid triggering alerts.
Consider the case of the Steinberger incident I opened with. The attacker did not need to exploit a zero-day bug. They simply took over a reputable developer’s GitHub and X accounts using credential stuffing—likely obtained from a previous breach. They then deployed a token contract that was functionally identical to hundreds of others, using a standard pair contract on Uniswap. The forensic tools would have flagged the token as low risk because the deployment address was the known developer’s account. The entire attack leveraged the trust that the forensic community had in the developer’s identity. The ledger remembered the developer’s previous contributions. The algorithm forgot that identity can be stolen.
This is not an argument against forensic tools. It is an argument against the assumption that they are a sufficient defense. We have built a security model that relies on post-hoc traceability, but the threat has shifted to pre-authentication deception. The attacker does not need to hide on the chain if they can hide in the mind of the victim.
A Structural Vulnerability: The Open-Source Dilemma
The open-source nature of most crypto projects creates another vector. Legitimate developers maintain repositories that attackers can clone or hijack to inject malicious code. In 2025, we saw a spike in what some analysts call “repo-jacking”: attackers find an abandoned but well-known dependency, take over its maintainer keys, and push a new version containing a backdoor. The supply chain attack becomes a low-cost, high-reward strategy. The forensic tools can trace the stolen funds after the fact, but by then the damage is done. The average time between a compromised repo and the first theft is now less than 12 hours, according to one security auditor I spoke with. The tools are not fast enough.
We need to rethink the fundamental architecture of security in this industry. The solution is not a better forensic tool. It is a shift from reactive to proactive defense, and from centralized risk scoring to decentralized verification. This means wallets that require multi-signature for every transaction above a threshold, even for advanced users. This means protocols that enforce cooldown periods on token creation from new accounts. This means exchanges that use behavioral biometrics to detect when a user is being socially engineered in real time. The technology exists—I have seen prototypes in private sandboxes—but the industry has been slow to adopt it because it adds friction.
The Takeaway: Safety Is the Only Yield That Compounds
We stand at a crossroads. The data from 2025 makes one thing clear: the attacker is winning. They are winning because they are learning faster than we are defending. The forensic stack is necessary but not sufficient. It can recover some of the stolen funds, but it cannot rebuild the trust that is lost every time a family loses their savings to a deepfake.
In my own experience managing a digital asset fund in Nairobi, I have learned that the biggest risk is not volatility—it is the invisible loss of confidence. When a client sees a report that $17 billion was stolen in a year, they question whether the entire system is safe. And if we cannot answer with a better security model, they will walk away. I survived the 2022 Terra collapse by moving aggressively into Bitcoin and Ethereum, but also by recognizing that the most vulnerable point in any system is the human holding the key. That lesson is even more urgent today.
The ledger remembers what the algorithm forgets. But the algorithm is being trained by the attacker, and the ledger cannot distinguish between a legitimate signature and one made under duress from a voice clone. We must build new forms of verification that are immune to automation—verification that is physical, multi-channel, and time-bound. We must treat every transaction as potentially compromised until proven otherwise. We must invest not just in forensic tools, but in preventive infrastructure that makes the attacker’s job uneconomical.
Trust is borrowed; trust is never owned. And in a world where AI can clone any voice, replicate any pattern, and learn any detection system, we cannot afford to borrow blind.
Five Signs to Watch
- The cost of AI fraud drops further. If average per-scam losses stay high but the number of scams explodes, we are entering the industrial phase.
- Major exchanges adopt behavioral biometrics. Watch for Coinbase, Binance, or Kraken to announce real-time screen recording analysis for sensitive transactions.
- Regulators mandate anti-deepfake measures. The first jurisdiction to require mandatory liveliness checks for wallet access will set a global standard.
- Forensic firms pivot to adversarial ML. The next generation of tools must include red-team testing against simulated AI attackers.
- More open-source repo hijackings. The pattern will accelerate until maintainers adopt hardware security keys and decentralized identity.
We cannot outrun the AI. But we can build a system that is resilient to its attacks—not by chasing it, but by changing the game. Safety is the only yield that compounds over time. The question is whether we are willing to pay the premium now, or pay the loss later.
This article is based on publicly available reports from Chainalysis, TRM Labs, the FBI, and my own experience as a digital asset fund manager in Nairobi. It does not constitute financial advice. Always verify before you trust.
Signatures: - “Trust is borrowed; trust is never owned.” - “The ledger remembers what the algorithm forgets.” - “Safety is the only yield that compounds over time.”