Attackers using artificial intelligence stole $36.7 million from unverified DeFi smart contracts in just six months, according to a new Chainalysis report. The findings underscore a growing vulnerability in the decentralized finance space, where code that hasn't been audited or publicly reviewed is being targeted by increasingly sophisticated AI-driven exploits.
How the attacks unfolded
The report, released Thursday, tracks a series of automated attacks that took advantage of smart contracts lacking proper verification on blockchain platforms. Chainalysis says the attackers deployed AI tools to scan for weaknesses in unverified code, meaning contracts whose source code hasn't been published or audited by a third party. Once a flaw was found, AI algorithms executed trades or drained funds before human operators could respond.
Over the six-month window, the total haul reached $36.7 million. Chainalysis didn't name the specific platforms or contracts targeted, but said the pattern was consistent: fast, automated exploits hitting contracts that users assumed were safe but were never actually checked.
Why unverified contracts are an easy target
In the DeFi world, many developers deploy smart contracts without making the source code public or submitting to a security audit. That opacity makes it harder for users to know what they're agreeing to, and easier for attackers to hide malicious logic. AI tools can rapidly parse even obfuscated code, spotting backdoors or price-manipulation hooks that manual review might miss.
Chainalysis noted that the attacks accelerated in the latter half of the six-month period, suggesting that attackers are refining their AI models and becoming more efficient. The company warned that without wider adoption of code verification and real-time monitoring, the trend could worsen.
The role of AI in crypto crime
This isn't the first time AI has been used in cryptocurrency theft, but the scale and speed of these DeFi heists mark a shift. Earlier attacks often relied on phishing or social engineering. Here, the AI did the heavy lifting—scanning, analyzing, and exploiting smart contract logic in a matter of minutes.
Chainalysis's report positions AI-driven exploits as a new frontier in crypto crime, one that traditional security measures aren't equipped to handle. The company recommends that DeFi platforms require automated, continuous verification for any contract that holds user funds, and that users check whether a contract has been audited before interacting with it.
The $36.7 million figure represents only verified thefts; the real total could be higher, as some attacks go unreported. Chainalysis expects law enforcement and regulators to start paying closer attention to unverified smart contracts, and to push for stricter oversight of deployment practices.
For now, the onus remains on developers and users. Until the industry adopts verification as a standard—rather than an option—AI-powered attackers will keep finding openings. The report doesn't offer a silver bullet, but it makes one thing clear: code that hasn't been checked is code that's being exploited.




