Cryptocurrency hackers are targeting real-world asset (RWA) tokenization protocols, posing a security threat to the increasing institutional demand for this emerging blockchain sector.

Real-world asset tokenization refers to financial and other tangible assets minted on the immutable blockchain ledger, increasing investor accessibility and trading opportunities for these assets.

Hackers have started targeting RWA protocols, as losses from RWA-specific exploits reached $14.6 million during the first half of 2025, according to a report by blockchain security firm CertiK and shared with Cointelegraph.

The $14.6 million is more than double the $6 million lost to RWA protocol exploits during 2024, and may rise above the $17.9 million lost in 2023. 

These RWA exploits were defined “entirely by onchain and operational failures,” signaling a “clear transformation in the RWA threat landscape between 2023 and 2025,” according to CertiK.

Related: Tokenized stocks rise 220% in July, reminiscent of ‘early DeFi boom’

The growing malicious activity around the sector comes as the RWA market surged over 260% during the first half of 2025, surpassing $23 billion in total valuation by June 5, Cointelegraph reported.

Tokenized private credit led the RWA market boom, accounting for about 58% of the market share, followed by tokenized US Treasury debt, which accounted for 34%, driven by “increased participation from major industry players,” as “regulatory frameworks become clearer,” according to a Binance Research report shared with Cointelegraph.

Related: $2.1B crypto stolen in 2025 as hackers shift focus from code to users: CertiK

RWA tokenization introduces “hybrid” security risks due to offchain assets

RWA protocols present more complex, “hybrid” security challenges, as an RWA token’s value is a claim on an offchain asset, expanding the attack surface beyond just smart contracts.

Each component of this five-layer security stack can present a single point of vulnerability, according to CertiK’s report, which states:

 “Key risks emerge from this interaction because offchain processes involve human actors, are subject to legal interpretation, and follow operational workflows.”

Risks include oracle manipulation, custodial and counterparty failures, the “unenforceability of legal frameworks, and fraudulent proof of reserves attestations,” added the report.

RWA restaking protocol Zoth suffered the largest exploit among RWA protocols in 2025, losing $8.5 million to a “classic operational security failure,” a compromised private key on March 21, the same month a different attacker exploited a smart contract logic flaw to mint $385,000 worth of assets without sufficient collateral.

Loopscale suffered the second-largest hack worth $5.8 million on April 26, caused by blockchain oracle price manipulation. Yet, in a positive turn of events, the protocol recovered $2.8 million worth of the stolen funds by April 29, Cointelegraph reported.

Magazine: TradFi is building Ethereum L2s to tokenize trillions in RWAs — Inside story