When the FBI's Internet Crime Complaint Center (IC3) released its 2025 annual report in early April 2026, two numbers did most of the talking. The first was the headline: more than $20 billion in reported losses in a single year, the first time the bureau has crossed that threshold. The second was quieter but, for anyone tracking the shape of American fraud, more revealing — of every dollar Americans told the FBI they lost to online crime last year, more than half traced back to cryptocurrency. The digital-asset category is no longer a niche of investment-scam reporting. It is, per the 2025 IC3 data, the single largest loss surface in the report.
The Scale, Stated Plainly
According to Alston & Bird's summary of the IC3 report, total reported losses reached $20.877 billion in 2025, a 26 percent jump from the prior year. ABA Banking Journal's coverage notes the IC3 crossed a quieter milestone at the same time: for the first time in its nearly 25-year history, it logged more than one million complaints in a single calendar year. The average reported loss across all victims, per ABA, was $20,699.
Two numbers against that $20.88 billion backdrop explain the more-than-half framing. ASIS International's coverage reports that 181,565 complaints referenced cryptocurrency, and AARP's reporting pegs total crypto-related losses at $11.3 billion — "the single largest loss category," AARP writes. Alston & Bird, tracking the finer-grained IC3 numbers, cites $11.36 billion, up 22 percent from the prior year. Against a $20.88 billion total, the crypto category is unambiguously the majority — a structural fact that, a few years ago, would have been unthinkable.
Why Half Is the Right Frame
Cryptocurrency showing up in an IC3 report is not new. It has been a growing line item for years. What is new in 2025 is the composition. The $11-billion-plus crypto figure is not a subset of investment fraud — it is a cross-cutting payment-and-laundering layer that shows up in romance scams, tech-support impersonation, employment fraud, BEC, and extortion alike. ASIS's summary of the IC3 report highlights that roughly 72 percent of investment-scam losses alone were tied to cryptocurrency, which tells you where the growth in investment fraud is concentrated. But the $11 billion figure is broader than the investment-fraud category. It is the aggregated loss across all crime types that involved cryptocurrency at some point in the money trail.
That distinction matters when interpreting the headline. Crypto is not half of American fraud because Americans are investing more in crypto. Crypto is half of American fraud because crypto has become the preferred cashing-out rail for organized scam operations — particularly so-called pig-butchering long-con investment schemes, where victims are relationship-groomed for weeks before being funneled into fraudulent platforms that accept only crypto deposits. ABA Banking Journal reports that the average loss rises sharply when cryptocurrency is involved: $62,604 per victim, against $20,699 across all categories.
Put differently: crypto-involved cases are roughly three times as costly per victim as the average case. The payment rail correlates with the high-dollar, long-duration fraud archetype.
Investment Fraud: Still the Biggest Single Category
Inside the loss-by-crime-type breakdown, ABA Banking Journal's summary puts investment fraud at $8.6 billion, making it the largest single category when crime types are counted discretely, as opposed to the cross-cutting crypto tag. Business Email Compromise (BEC) follows at about $3 billion, and tech/customer-support fraud trails at $2.1 billion. Personal-data-breach losses come in around $1.3 billion.
What is interesting here is the gap between investment fraud's complaint volume and its dollar damage. Investment scams account for fewer overall incidents than extortion or phishing — Biometric Update reports 191,561 phishing/spoofing complaints as the most common category, with extortion at 89,129. But investment fraud produces the largest dollar-denominated harm because the attack pattern is built for extraction at scale: the victim is cultivated over months, and the investment-vehicle structure provides a socially legitimate cover story that keeps the victim adding funds long after red flags would trigger suspicion in a phishing context.
Phishing is broad and shallow. Investment fraud is narrow and deep. Crypto is the rail that makes the deep end deeper.
BEC: The Most Financially Destructive Enterprise Threat
For enterprise security teams, the most important figure may not be the crypto total — it is BEC. Per McDonald Hopkins' analysis of the IC3 report, Business Email Compromise generated $3.046 billion in reported losses across 24,768 complaints in 2025, which the firm characterizes as "the most financially destructive enterprise-targeted cyber threat in the United States." Complaint volume rose from 21,442 the prior year.
What is different in the 2025 BEC picture is the AI overlay. Alston & Bird notes that BEC cases with a confirmed AI nexus produced more than $30 million in losses. That is a small slice of the total, but it is the trajectory that matters: voice-cloning of executives, deepfake video calls authenticating fraudulent wire instructions, and AI-generated pretext emails that read like the target's actual colleagues. The FBI, quoted via ABA Banking Journal, warns that "scammers rely on pressure techniques to defraud Americans while deploying fake social profiles, voice clones, identification documents, and believable videos depicting public figures or loved ones."
For a CFO approving a wire, the practical implication is that the out-of-band verification step — the call-the-CFO-on-a-known-number protocol — is no longer optional. A convincing voice on the phone is no longer sufficient evidence of who is on the other end of the line. This has been true in principle for several years. The IC3 2025 data turns it into a line item.
AI: First Year in the Report, Already Consequential
For the first time in its history, the IC3 report includes a dedicated section on artificial intelligence in cybercrime. Per ASIS International's summary, the bureau received 22,364 complaints referencing AI in 2025, with adjusted losses near $893 million.
A few things about that number deserve attention. First, it is likely an undercount. Victims do not always know when AI was used against them — a cloned voice on a phone call sounds like a voice, not like AI output. The 22,364 complaints represent cases where the AI element was either obvious or investigated after the fact. The true AI-touched fraction of 2025 fraud is almost certainly higher.
Second, the $893 million sits inside, not alongside, the other category totals. AI does not have its own attack type. It is a capability that shows up inside BEC, inside romance scams, inside investment fraud, inside tech-support impersonation. The IC3 section on AI is a measurement lens, not a separate crime category.
Third, the trajectory is the story. This is year one of IC3's AI line item. The comparison point for next year's report will be whether this number doubles — which, given the trajectory of generative-media capability between 2024 and 2026, would not be surprising.
Ransomware: The Reported-Loss Number Is a Floor, Not a Ceiling
Ransomware produced one of the 2025 report's most visually dramatic statistics and one of its most carefully qualified. Per McDonald Hopkins, 3,611 ransomware incidents were reported to IC3, up from 3,156 the prior year and 2,825 the year before — a multi-year upward trend. Reported losses rose to $32.32 million, a 259 percent increase from $12.47 million in 2024.
The important qualifier is what reported losses means in the IC3 context. The $32.32 million figure covers ransom paid and directly attributable financial damage as reported by victims. It does not include business-interruption costs, remediation spend, cyber-insurance payouts, or third-party liability. For any organization that has actually been through a ransomware event, the total event cost is typically an order of magnitude higher than the ransom paid. The reported number is therefore a floor — a useful trend indicator, but not an estimate of the total economic footprint of ransomware on U.S. victims.
McDonald Hopkins' summary also notes that 63 new ransomware variants were identified in 2025, averaging roughly five new strains per month. The top 10 variants accounted for 56 percent of incidents and 49.8 percent of reported losses. The five most active were Akira, Qilin, RansomHub, LockBit, and Medusa. Healthcare and public health, critical manufacturing, financial services, and government facilities bore the heaviest sector-specific impact.
The Demographic Story: Fraud Is Increasingly a Tax on the Old
The age-skew in the 2025 IC3 data is sharp and worth reading carefully. Per Biometric Update, Americans aged 60 and older reported 201,266 complaints and $7.75 billion in losses — AARP notes that is approximately 60 percent higher than the prior year. The 50–59 cohort reported 124,820 complaints and $3.68 billion. The 50-and-over demographics combined account for more than half of all reported losses.
Younger-age cohorts are not immune — they simply lose less per case. The distribution reflects a combination of available wealth (older victims have more to lose) and a specific vulnerability pattern that scam operations exploit methodically: the long-con romance-to-investment pipeline, the tech-support panic call, the grandchild-in-jail impersonation. These are not accidental targets. They are the product of scam infrastructure built around who answers the phone.
Romance scams alone, per AARP, produced $929 million in reported 2025 losses. The median victim profile behind that number is not a caricature. It is a retired professional with savings, an internet connection, and a social vector that the scam-industrial complex has learned to exploit at scale.
Cyber-Enabled Fraud Is Now 85 Percent of the Problem
Perhaps the most structurally interesting single statistic is Alston & Bird's and Biometric Update's shared observation that cyber-enabled fraud — the IC3's umbrella term for human-interaction fraud that uses digital channels, as opposed to purely technical intrusions — now accounts for nearly 85 percent of total losses and 45 percent of total complaints.
The ratio is the story. Cyber-enabled fraud is a smaller share of cases but the dominant share of dollar damage. It is the per-case depth, not the per-case frequency, that drives the 2025 loss total. That in turn explains why the growth is concentrated in the long-con crypto-investment category rather than in volume-driven phishing or extortion: once a victim enters a long-con funnel, the extracted sum scales with the victim's net worth, not with the attacker's incremental effort.
This is why the traditional wide-net defenses — spam filters, browser phishing warnings, MFA prompts — are insufficient against the 2025 loss surface. Those defenses reduce the number of incidents. The 2025 IC3 data suggests the growth is coming from cases those defenses never touched.
Enforcement: Some Real Wins, But a Structural Gap
The 2025 report does document meaningful enforcement gains. Per Alston & Bird, IC3's Recovery Asset Team — which intervenes in freshly reported fraudulent wire transfers to pause outgoing funds — froze "hundreds of millions" of dollars in 2025. Operation Level Up, a cross-agency initiative targeting crypto investment scams, prevented more than $500 million in potential losses by notifying at-risk victims before additional deposits were made.
These are real numbers, and real people who were spared further losses. But they are also, against a $20.88 billion annual loss figure, a reminder of the scale gap between enforcement capacity and the fraud-industrial complex on the other side. Operation Level Up's prevented losses, against the annual total, are meaningful at the margin but structurally small against the whole.
The scale gap is not an argument against enforcement. It is an argument that enforcement alone does not close the loop. The load-bearing interventions, if this trend is to reverse, will likely have to come upstream of the crime itself: at the payment-rail layer for crypto off-ramps, at the platform layer for social-engineering vectors, and at the procedural layer for the enterprise-wire-transfer workflow that makes BEC lucrative.
What This Report Does Not Tell Us
Several things are worth flagging about what the 2025 IC3 data does and does not measure. First, it is self-reported. IC3 receives the complaints people choose to file. AARP notes that the reported figures "likely represent only a fraction of the true toll, since fraud so often goes unreported." The Federal Trade Commission and state-level consumer-protection agencies maintain their own, only-partially-overlapping datasets. The $20.88 billion is a reported-losses figure, not an estimate of total economic harm.
Second, the crypto share of fraud is not the same as the crypto share of the crypto economy. The $11 billion-plus in 2025 crypto-tagged losses does not mean crypto itself is broken as a technology or that the underlying legitimate crypto market is predominantly fraudulent. It means crypto rails are disproportionately used by fraud operations — a fact about the scam-payment ecosystem, not a comprehensive judgment on digital-asset utility.
Third, the 2025 report's AI section is a starting line, not a finish line. The $893 million figure will look small by 2027 standards, not because AI crime will necessarily have grown tenfold in dollar terms (though it might) but because detection and attribution of AI-enabled fraud will have matured. Year-one AI numbers underestimate year-one AI harms.
Fourth, the ransomware loss figure of $32.32 million materially understates the actual economic cost of ransomware in 2025. That is a known limitation of IC3's methodology, not a fault, and anyone citing the number without the caveat is misusing it.
Key Takeaways
- Americans reported $20.88 billion in losses to the FBI's IC3 in 2025, per Alston & Bird's summary, a 26 percent jump from the prior year; complaint volume crossed the one-million threshold for the first time.
- Cryptocurrency-involved losses exceeded $11 billion, the single largest loss category per AARP — structurally more than half of the total reported fraud. Crypto is now the dominant payment-rail for large-ticket American fraud, not a niche category.
- Per-victim losses in crypto-involved cases are roughly three times the cross-category average ($62,604 vs $20,699, per ABA Banking Journal), consistent with the long-con pig-butchering archetype.
- AI entered the IC3 report for the first time with 22,364 complaints and nearly $893 million in adjusted losses per ASIS International — almost certainly a floor, not a ceiling, given detection lag.
- Older Americans bear a disproportionate share of the harm: victims 60+ reported $7.75 billion in losses, roughly 60 percent more than the prior year, per AARP. Fraud in 2025 is structurally a tax on accumulated savings.
- Ransomware's reported-loss figure of $32.32 million is a floor, not a total cost, per McDonald Hopkins' analysis — it excludes business-interruption and remediation, which typically dominate the true cost.