Social Engineering Is Now Crypto's Biggest Threat — What the AICPA Stablecoin Criteria Mean for Internal Controls
For years, the crypto industry's biggest security failures were rooted in code: smart contract bugs, bridge exploits, flash loan attacks, reentrancy vulnerabilities, oracle manipulation. In 2022, these technical exploits drove a record $3.8 billion in stolen funds. The assumption was simple: write better code and you prevent the next hack.
That assumption no longer holds.
By 2025 and into early 2026, the threat landscape has completely inverted. According to data from CertiK, TRM Labs, and Chainalysis, the dominant source of crypto losses has shifted decisively toward wallet compromises, phishing, and social engineering. In January 2026 alone, $370 million was stolen, with CertiK attributing $311 million of that total to phishing schemes. For the full year of 2025, Chainalysis reported over $3.4 billion in total crypto theft from January through early December, with the top three incidents alone accounting for 69% of all losses from compromised services.
The code is working as designed. The people are the vulnerability.
The Resolv Hack: A Case Study in Off-Chain Failure
On March 22, 2026, the Resolv stablecoin protocol suffered a breach that illustrates the new reality. The attacker did not find a bug in Resolv's smart contracts. According to a post-mortem published by Chainalysis, the attacker compromised Resolv's cloud infrastructure and gained access to a privileged signing key held in an AWS Key Management Service (KMS) environment. One caveat worth stating for practitioners: KMS key material cannot be exported, so "gaining access to the key" in practice means controlling a cloud identity that is permitted to call the KMS signing API, which is exactly the kind of access an infrastructure compromise delivers. A blockchain security analyst identified the exploited account as a privileged role designated SERVICE_ROLE, controlled by a single externally owned account (EOA) rather than a multisignature wallet.
With that signing capability in hand, the attacker deposited roughly $100,000 to $200,000 in USDC, then authorized the minting of 80 million USR tokens with no collateral backing. The smart contract did not enforce any maximum on minting, whether per transaction or per time window, and it did not check that the minted amount was covered by deposited collateral; it only checked that the request carried a valid signature from the privileged role. From there, the attacker swapped the unbacked USR through multiple decentralized exchanges, converting it via wstUSR and other stablecoins into ETH and extracting approximately $25 million in under 17 minutes.
The result: USR lost its peg, dropping as low as $0.025 before partially recovering, and Resolv halted all operations. The smart contract performed exactly as designed. The failure was in the off-chain cloud infrastructure and key management practices, compounded by an on-chain mint path that trusted a single signature without limits. As one security researcher noted, this reflects a growing trend of attacks targeting sensitive keys and credentials that do not hold funds directly but can be used to access them, including developer credentials, trading API keys, and deployment keys.
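To make the control gap concrete, the following is an added example written for this article, not Resolv's contract code: a Python model of the mint path as the post-mortem describes it (a valid signature is the only check) next to a hardened version that also enforces a per-window mint cap and refuses to let supply exceed deposited collateral. The HMAC signature, the key, the addresses, the amounts and the cap are all constructed stand-ins; a real contract would verify an ECDSA signature, but the control logic is the same.

```python
import hashlib
import hmac
from dataclasses import dataclass

UNIT = 10**6  # collateral and stablecoin both modelled with 6 decimals (constructed)


@dataclass(frozen=True)
class MintRequest:
    to: str       # recipient address (constructed placeholder)
    amount: int   # token units
    nonce: int    # unique per request, so a captured signature cannot be replayed


def sign(key: bytes, req: MintRequest) -> bytes:
    """HMAC stands in for the ECDSA signature of the privileged role (assumption)."""
    message = f"{req.to}|{req.amount}|{req.nonce}".encode()
    return hmac.new(key, message, hashlib.sha256).digest()


class SignatureOnlyMinter:
    """The mint path as the post-mortem describes it: any correctly signed request
    mints, with no cap and no check against collateral."""

    def __init__(self, role_key: bytes):
        self.role_key = role_key
        self.total_supply = 0
        self.used_nonces = set()

    def _authorize(self, req: MintRequest, sig: bytes) -> None:
        if req.nonce in self.used_nonces or not hmac.compare_digest(sign(self.role_key, req), sig):
            raise PermissionError("invalid signature or replayed nonce")

    def mint(self, req: MintRequest, sig: bytes) -> int:
        self._authorize(req, sig)
        self.used_nonces.add(req.nonce)
        self.total_supply += req.amount
        return self.total_supply


class CappedCollateralisedMinter(SignatureOnlyMinter):
    """Same signature check plus two controls the vulnerable path lacked: supply may
    never exceed deposited collateral, and the amount minted per time window is capped."""

    def __init__(self, role_key: bytes, cap_per_window: int, window_seconds: int):
        super().__init__(role_key)
        self.cap_per_window = cap_per_window
        self.window_seconds = window_seconds
        self.collateral = 0
        self.window_start = 0
        self.minted_in_window = 0

    def deposit_collateral(self, amount: int) -> int:
        self.collateral += amount
        return self.collateral

    # Takes the current time as well, so the rolling window can be evaluated.
    def mint(self, req: MintRequest, sig: bytes, now: int) -> int:
        self._authorize(req, sig)
        if now - self.window_start >= self.window_seconds:  # start a fresh window
            self.window_start, self.minted_in_window = now, 0
        if self.minted_in_window + req.amount > self.cap_per_window:
            raise ValueError("mint cap for this window exceeded")
        if self.total_supply + req.amount > self.collateral:
            raise ValueError("mint would exceed deposited collateral")
        self.used_nonces.add(req.nonce)
        self.minted_in_window += req.amount
        self.total_supply += req.amount
        return self.total_supply


def replay_resolv_scenario() -> dict:
    """Constructed replay: ~$150k of collateral deposited, then a validly signed
    request for 80 million tokens, run against both minters."""
    role_key = b"demo-service-role-key"            # constructed; the attacker holds it
    rogue = MintRequest(to="0xattacker", amount=80_000_000 * UNIT, nonce=1)
    rogue_sig = sign(role_key, rogue)

    weak = SignatureOnlyMinter(role_key)
    weak_supply = weak.mint(rogue, rogue_sig)       # accepted: no cap, no collateral check

    strong = CappedCollateralisedMinter(role_key, cap_per_window=5_000_000 * UNIT, window_seconds=3600)
    strong.deposit_collateral(150_000 * UNIT)
    try:
        strong.mint(rogue, rogue_sig, now=1_000)
        strong_result = "minted"
    except ValueError as err:
        strong_result = str(err)

    # A legitimate mint inside the window cap and fully backed by collateral still works.
    legit = MintRequest(to="0xcustomer", amount=100_000 * UNIT, nonce=2)
    strong.mint(legit, sign(role_key, legit), now=1_200)

    return {"signature_only_supply": weak_supply,
            "hardened_rejection": strong_result,
            "hardened_supply": strong.total_supply}


if __name__ == "__main__":
    print(replay_resolv_scenario())
```

The rogue request is stopped by the window cap first; had it been small enough to pass the cap, the collateral check would have stopped it instead. Both limits matter because a compromised signer can issue many small requests, and neither limit replaces the need for the signing role itself to require more than one party.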
The Bybit Breach: $1.4 Billion Lost to a Phishing Attack
The Resolv hack was not an isolated incident. In February 2025, Bybit suffered the single largest hack in crypto history: $1.4 billion in ETH drained from a cold wallet in one coordinated transaction.
The attack vector was targeted social engineering. The attackers, attributed to North Korea's Lazarus Group through blockchain forensics and publicly by the FBI, compromised the signing process for the multisig cold wallet. Forensic reports published after the incident (by Sygnia and Verichains) traced the entry point to a compromised Safe{Wallet} developer machine: the web signing interface served to Bybit's signers was tampered with, so a transaction presented as a routine transfer in fact altered the wallet's contract logic, and the signers approved it without verifying the transaction data on their hardware devices. As Chainalysis documented, the methodology leveraged social engineering tactics consistent with previous DPRK operations, including infiltration through compromised personnel and sophisticated impersonation. No smart contract exploit was needed. The ETH was drained because the human layer of security failed: the control that should have caught the substitution, independent verification of what is actually being signed, was not operating.
This single event accounted for approximately 44% of all crypto theft in 2025, and roughly 69% of all funds stolen from services when combined with the next two largest incidents. Same root cause as Resolv: operational and human failure, not code.
The Threat Landscape Has Inverted
These are not anomalies. They represent a structural shift in how attackers approach the crypto ecosystem. In 2022, the dominant attack vectors were smart contract bugs, bridge exploits, flash loan attacks, and oracle manipulation. By 2025 and 2026, the dominant vectors are compromised private keys, phishing campaigns, social engineering schemes, and off-chain infrastructure failures.
The industry spent years hardening the code layer, and to a large extent, it worked. Smart contract auditing matured. Bug bounties incentivized responsible disclosure. Formal verification tools improved. Chainalysis noted that DeFi hack losses actually remained suppressed in 2024 and 2025 even as total value locked recovered significantly, a meaningful divergence from earlier cycles where rising TVL typically meant more successful attacks. But as the code got harder to crack, attackers simply moved up the stack to the people and processes managing the keys.
Meanwhile, North Korean state-sponsored hackers stole at least $2.02 billion in cryptocurrency in 2025, a 51% increase over 2024, primarily through social engineering and the embedding of fraudulent IT workers inside crypto firms. As Chainalysis put it, traditional code reviews are no longer adequate when the threat has shifted to human vulnerability.
This is exactly the kind of shift that the accounting and assurance profession has been anticipating.
The Profession Is Responding: AICPA Stablecoin Criteria
In March 2025, the AICPA released Part I of its 2025 Criteria for Stablecoin Reporting: Specific to Asset-Backed Fiat-Pegged Tokens. Part I established a common framework for stablecoin issuers to present and disclose information at a specific point in time on outstanding stablecoins and the assets backing them. It was designed to eliminate inconsistencies in reporting and give stakeholders, including regulators, investors, and the public, greater clarity on whether a stablecoin's reserves actually exist at a given date.
Then on January 12, 2026, the AICPA released Part II: 2025 Criteria for Controls Supporting Token Operations. This second set of criteria goes significantly further than the point-in-time snapshot. Part II establishes a framework for evaluating the design and operating effectiveness of controls across all aspects of stablecoin operations over a specified period of time.
Specifically, Part II addresses risks commonly associated with stablecoin issuers’ operations and provides control objectives spanning several critical domains:
Private Key Management
How are the cryptographic keys that authorize minting, burning, and transfers stored and protected? Are they held in hardware security modules or cloud-based KMS environments? Are they controlled by single accounts or multisig arrangements? Who has access, and how is that access governed?
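The "who has access, and how is that access governed" question can be answered partly by reviewing the key policy itself. What follows is an added example written for this article, not code from Resolv or from the AICPA criteria: a Python review of an AWS KMS key policy that lists which principals can use a signing key and flags weak grants. Both policies are constructed for the example (the account ID, the KeyAdmin and SERVICE_ROLE role names and the VPC endpoint ID are placeholders); the action names and condition keys are real KMS and IAM ones.

```python
import fnmatch
import json
from typing import Dict, List, Tuple

# Actions that let a caller *use* a key, as opposed to administer it.
KEY_USE_ACTIONS = ("kms:Sign", "kms:Decrypt")
# Real IAM/KMS condition keys that scope where a key-use call may come from.
SCOPING_CONDITION_KEYS = {"aws:SourceVpce", "aws:SourceVpc", "kms:ViaService",
                          "aws:MultiFactorAuthPresent"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_key_use(statement: dict) -> bool:
    # IAM action matching is case-insensitive and supports wildcards ("kms:*", "*").
    patterns = [p.lower() for p in _as_list(statement.get("Action", []))]
    return any(fnmatch.fnmatchcase(use.lower(), p) for p in patterns for use in KEY_USE_ACTIONS)


def _principals(statement: dict) -> List[str]:
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [str(p) for p in _as_list(principal.get("AWS", []))]


def review_key_policy(policy_json: str) -> Dict:
    """Return who can use the key and a list of (Sid, severity, message) findings."""
    policy = json.loads(policy_json)
    signers: List[str] = []
    findings: List[Tuple[str, str, str]] = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or not _grants_key_use(st):
            continue  # deny statements and administrative-only grants cannot sign
        sid = st.get("Sid", "<no Sid>")
        prins = _principals(st)
        signers.extend(prins)
        condition_keys = {k for operator in st.get("Condition", {}).values() for k in operator}
        if "*" in prins:
            findings.append((sid, "HIGH", "any AWS principal may use the key"))
        elif prins and all(p.endswith(":root") for p in prins):
            findings.append((sid, "MEDIUM", "account-root grant delegates key use to every IAM policy in the account"))
        elif not (condition_keys & SCOPING_CONDITION_KEYS):
            findings.append((sid, "HIGH", "key use is granted without any scoping condition"))
    distinct = sorted(set(signers))
    if len(distinct) == 1:
        findings.append(("<policy>", "INFO", "one principal can sign alone; KMS cannot enforce "
                         "multi-party approval, so require it on-chain or in the calling service"))
    return {"signers": distinct, "findings": findings}


# Constructed: the AWS default root statement plus one service role that may Sign unconditionally.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIAMPolicies", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "ServiceSign", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/SERVICE_ROLE"},
         "Action": ["kms:Sign", "kms:GetPublicKey"], "Resource": "*"},
    ],
})

# Constructed: a named administrator role instead of root, and Sign only via one VPC endpoint.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KeyAdmins", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/KeyAdmin"},
         "Action": ["kms:Describe*", "kms:Get*", "kms:List*", "kms:Enable*", "kms:Disable*",
                    "kms:Put*", "kms:Update*", "kms:ScheduleKeyDeletion"],
         "Resource": "*"},
        {"Sid": "ServiceSign", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/SERVICE_ROLE"},
         "Action": ["kms:Sign", "kms:GetPublicKey"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, review_key_policy(policy))
```

KMS itself cannot require two principals to approve one signature, so the review can only report that a single principal signs alone; the multi-party control has to live on-chain (a multisig or threshold scheme) or in the service that calls KMS, which is why the INFO finding appears even for the hardened policy. The hardened policy also replaces the default account-root statement with a named administrator role; AWS warns that a key policy with no reachable administrator can leave a key unmanageable, so that change should be made deliberately and tested.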
Token Recordkeeping
Are there controls to ensure the accuracy and completeness of records tracking token issuance, redemption, and circulation? Can the issuer reconcile on-chain token supply with its internal records?
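Reconciling on-chain supply with internal records is the detective control that would flag an unauthorized mint the first time it runs. The example below is added here and is not code from any issuer or from the AICPA criteria: a Python three-way reconciliation of token contract Mint/Burn events, the issuer's issuance ledger, and a custodian-attested reserve balance. The events, ledger entries, balances and transaction hashes are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List

UNIT = 10**6  # token has 6 decimals (constructed)


@dataclass(frozen=True)
class ChainEvent:
    """One Mint or Burn event as an indexer would return it from the token contract's logs."""
    block: int
    tx: str
    kind: str    # "Mint" or "Burn"
    amount: int


@dataclass(frozen=True)
class LedgerEntry:
    """The issuer's internal record of an authorized issuance or redemption."""
    ref: str
    tx: str      # on-chain transaction that executed the entry
    kind: str
    amount: int


def reconcile(events: List[ChainEvent], ledger: List[LedgerEntry], reserve_balance: int) -> Dict:
    """Three-way check: on-chain supply vs internal ledger vs attested reserves.
    'status' is BREAK if any check fails."""
    direction = {"Mint": 1, "Burn": -1}
    onchain_supply = sum(direction[e.kind] * e.amount for e in events)
    ledger_supply = sum(direction[l.kind] * l.amount for l in ledger)
    by_tx = {l.tx: l for l in ledger}

    # Every on-chain Mint/Burn must trace to an internal entry with the same kind and amount.
    unmatched = [e.tx for e in events
                 if e.tx not in by_tx or (by_tx[e.tx].kind, by_tx[e.tx].amount) != (e.kind, e.amount)]
    # Every internal entry must actually have landed on-chain.
    seen = {e.tx for e in events}
    missing_onchain = [l.ref for l in ledger if l.tx not in seen]

    report = {
        "onchain_supply": onchain_supply,
        "ledger_supply": ledger_supply,
        "reserve_balance": reserve_balance,
        "unbacked_supply": max(0, onchain_supply - reserve_balance),
        "unmatched_onchain_events": unmatched,
        "ledger_entries_missing_onchain": missing_onchain,
    }
    clean = (onchain_supply == ledger_supply and not unmatched
             and not missing_onchain and report["unbacked_supply"] == 0)
    report["status"] = "OK" if clean else "BREAK"
    return report


# Constructed sample data: three legitimate operations, then an unauthorized 80M mint
# that has no internal ledger entry behind it.
SAMPLE_EVENTS = [
    ChainEvent(100, "0xaa01", "Mint", 1_000_000 * UNIT),
    ChainEvent(150, "0xaa02", "Mint", 2_000_000 * UNIT),
    ChainEvent(200, "0xaa03", "Burn", 500_000 * UNIT),
    ChainEvent(260, "0xbad1", "Mint", 80_000_000 * UNIT),
]
SAMPLE_LEDGER = [
    LedgerEntry("ISS-1", "0xaa01", "Mint", 1_000_000 * UNIT),
    LedgerEntry("ISS-2", "0xaa02", "Mint", 2_000_000 * UNIT),
    LedgerEntry("RED-1", "0xaa03", "Burn", 500_000 * UNIT),
]
SAMPLE_RESERVES = 2_500_000 * UNIT   # custodian-attested balance covering the legitimate supply


def sample_report() -> Dict:
    """Reconciliation including the rogue mint."""
    return reconcile(SAMPLE_EVENTS, SAMPLE_LEDGER, SAMPLE_RESERVES)


def clean_report() -> Dict:
    """Same data without the rogue mint: every check passes."""
    return reconcile(SAMPLE_EVENTS[:3], SAMPLE_LEDGER, SAMPLE_RESERVES)


if __name__ == "__main__":
    for r in (clean_report(), sample_report()):
        print(r["status"], r["unmatched_onchain_events"], r["unbacked_supply"])
```

The value of the control depends on how often it runs and on what happens when it breaks: a reconciliation scheduled monthly would have reported the Resolv mint long after the funds were gone, whereas one run on every new block, wired to pause minting on a BREAK, turns the same logic into a response mechanism.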
Reserve Asset Management
Are the assets backing outstanding tokens maintained and safeguarded between reporting periods? Are there controls over custody, investment, and liquidity management that ensure assets are available to meet redemption requests?
Vendor and Third-party Management
How does the issuer evaluate and monitor third parties, such as custodians, cloud infrastructure providers, and investment managers, that play a role in stablecoin operations?
The criteria also include implementation guidance to assist both stablecoin issuers and practitioners in assessing whether controls achieve their stated objectives. As the AICPA noted, the update was developed in close communication with regulators and with consideration of existing guidelines, including New York State’s stablecoin rules, and is designed to align with emerging federal frameworks such as the GENIUS Act.
The timing of Part II is significant. As PwC partner Jeff Trent observed, the idea behind the framework is to help stablecoin issuers consider the effective design of their controls and help investors and regulators evaluate them. Monthly reports using Part I can show that redemption assets exist at a point in time. But for stakeholders to trust that those reports are more than a snapshot that could quickly be out of date, an issuer's operations should include controls designed to maintain redemption assets between one monthly report and the next.
How the AICPA Criteria Target the Resolv and Bybit Weaknesses
This is precisely the gap that the Resolv and Bybit incidents exposed. Both organizations had been subject to prior security reviews focused on the smart contract layer. Neither had independent assurance over the operational controls governing key management, access authorization, and off-chain infrastructure. Part II of the AICPA criteria directly targets these blind spots.
For practitioners, Part II provides the basis for internal control examinations over stablecoin operations. These engagements evaluate whether controls are not just designed effectively but operating effectively over a period of time. How are private keys stored and managed, and can any single person or cloud identity produce a valid signature alone? What access controls and limits govern minting and redemption? How does the organization detect and respond to unauthorized activity, for example by reconciling on-chain supply against internal records and reserves? How are changes to critical infrastructure and signing interfaces reviewed and approved? An examination is not a guarantee, but these are the questions designed to surface weaknesses like those exploited at Resolv and Bybit before an attacker does.
Why Internal Controls Matter for Every Digital Asset Company
For stablecoin issuers, exchanges, custodians, and any organization managing digital assets on behalf of others, the lesson is clear. Technical security, while necessary, is not sufficient. The most well-audited smart contract in the world can't protect against a phished signing key or a compromised cloud environment.
What protects against those threats is a robust operational control environment: key management procedures, access governance, change management, incident response, and independent assurance that those controls are operating effectively over time, not just at a single point. This is the domain of attestation services and internal control examinations, the kind of work that a crypto-specialized accounting firm is built to deliver.
As Kevin Plank once said, trust is built in drops and lost in buckets. Years of trust-building, gone in minutes because of one compromised key, one successful phish. Every attestation, every controls examination, every time reserves are verified or key management procedures are tested, it's another drop in the bucket of trust. The new AICPA Part II criteria exist because the profession recognizes that those drops need ongoing protection, not just periodic snapshots.
The threat landscape will continue to evolve, but the current trajectory is clear. Attackers are targeting people and processes, not code. The organizations best positioned to weather this shift are those investing in operational controls and independent assurance, not just smart contract audits.
If your organization issues stablecoins, manages reserves, or custodies digital assets, now is the time to evaluate whether your control environment reflects the current threat landscape, and whether you have the independent assurance to prove it.
The Network Firm is a public accounting firm specializing in digital asset attestations, internal control examinations, and proof of reserves for crypto and blockchain companies. Talk to an expert to learn how we can help.
Author Bio:
Jesse is a manager in TNF’s attestation practice with 5 years of public accounting experience. Jesse manages real-time attestation engagements, proof of reserves engagements, as well as expert advisory services to other CPA firms performing financial statement audit engagements over digital asset companies. He has worked with both public and private companies in the digital asset industry including cryptocurrency exchanges, Bitcoin mining operations, and Decentralized Physical Infrastructure Network (DePIN) operations.
Jesse is a Certified Public Accountant (CPA), Certified Bitcoin Professional (CBP), and a Certified Ethereum Professional (CEP).
He graduated from the University of Colorado Denver with a Master of Science in Accounting and is a member of both the Colorado Society of CPAs and the American Institute of Certified Public Accountants.
Connect with Jesse on LinkedIn for more expert advice.