Hackers are increasingly focusing on real-world asset (RWA) tokenization protocols, threatening the growing institutional interest in this developing blockchain field.
Tokenization of real-world assets refers to the minting of financial and tangible assets on a secure blockchain ledger, enhancing access and trading possibilities for these assets for investors.
According to a report from blockchain security firm CertiK shared with Cointelegraph, RWA protocols have experienced targeted attacks, with losses from RWA-specific exploits amounting to $14.6 million in the first half of 2025.
This $14.6 million is significantly higher than the $6 million lost to RWA protocol exploits in 2024 and may exceed the $17.9 million lost in 2023.
These exploits were characterized as resulting “entirely from onchain and operational failures,” revealing a “marked shift in the RWA threat landscape between 2023 and 2025,” according to CertiK.
Related: Tokenized stocks soar 220% in July, echoing the ‘early DeFi boom’
The rise in malicious activity aligns with the RWA market, which grew over 260% in the first half of 2025, reaching a total valuation of over $23 billion by June 5, as reported by Cointelegraph.
Tokenized private credit led the RWA market surge, holding approximately 58% of the market share, followed by tokenized US Treasury debt at 34%, fueled by “greater involvement from major industry players” as “regulatory frameworks have clarified,” according to a Binance Research report shared with Cointelegraph.
Related: $2.1B in crypto stolen in 2025 as hackers shift their focus from code to users: CertiK
RWA tokenization brings about “hybrid” security challenges due to offchain assets
RWA protocols create more intricate, “hybrid” security hurdles, as the value of an RWA token is tied to an offchain asset, enlarging the potential attack surface beyond just smart contracts.
Each element of this five-layer security structure can pose a potential point of failure, according to CertiK’s report, which indicates:
“Key risks arise from this interaction since offchain processes involve human participants, are subject to legal interpretation, and adhere to operational workflows.”
Risks encompass oracle manipulation, failures of custodians and counterparties, “the unenforceability of legal frameworks, and fraudulent proof of reserves attestations,” the report further mentioned.
The RWA restaking protocol Zoth experienced the most significant exploit among RWA protocols in 2025, losing $8.5 million due to a “classic operational security failure,” which involved a compromised private key on March 21. In the same month, a different attacker exploited a smart contract logic flaw to mint assets worth $385,000 without adequate collateral.
Loopscale faced the second-largest hack valued at $5.8 million on April 26, caused by blockchain oracle price manipulation. However, in an encouraging development, the protocol managed to recover $2.8 million of the stolen assets by April 29, as reported by Cointelegraph.
Magazine: TradFi is building Ethereum L2s to tokenize trillions in RWAs — Inside story
