Web3 loses $3.1 billion to hacks in early 2025 as cyber threats intensify
More than $3 billion in digital assets were stolen in the first half of 2025, marking one of the worst periods in the history of blockchain security. According to the Hacken 2025 Half-Year Web3 Security Report, the total value of stolen assets has already surpassed the entire amount lost in 2024, underscoring a sharp escalation in cyberattacks targeting both decentralized (DeFi) and centralized (CeFi) platforms.
Rising attacks expose vulnerabilities in access control and human behavior
The report revealed that breaches linked to poor access controls accounted for $1.83 billion, nearly 59% of all incidents, making them the primary driver of digital asset theft. Hacken described this as a “wake-up call” for blockchain companies, warning that cybersecurity must now be considered a fundamental part of the Web3 ecosystem as adoption expands and regulatory oversight tightens.
Among the most significant incidents, the Bybit hack led to losses of approximately $1.46 billion after attackers exploited a compromised signer interface to take control of a wallet. Another major event, involving the Cetus protocol, saw $223 million drained in just 15 minutes due to a software error, marking one of the most damaging DeFi breaches on record.
Other cases included a $300 million rug pull linked to the $LIBRA token and a $12 million theft exploiting a vulnerability in Uniswap’s V4 hook. While access-control incidents decreased slightly in the second quarter, phishing and social-engineering attacks rose sharply, costing around $600 million, already exceeding last year’s total.
One high-profile case involved a U.S. victim tricked into transferring $330 million in Bitcoin to scammers. Another major incident saw fraudsters impersonating “Coinbase support” to steal over $100 million using stolen client data. Hacken noted that such incidents underscore the enduring risk of human error, which remains the weakest link in Web3 security.
Smart contract flaws and AI-driven vulnerabilities deepen risks
Smart contract weaknesses accounted for roughly 8% of losses, totaling $263 million. The Cetus exploit made the quarter the most damaging for DeFi since early 2023, breaking a five-quarter decline in attacks. Hacken attributed many of these incidents to seemingly minor software oversights, such as unchecked permissions and poor update management.
In the Cork Protocol case, developers altered Uniswap’s default permissions, enabling attackers to inject malicious data and siphon more than $12 million. The report suggested that real-time transaction monitoring and automated defense systems could have prevented up to 90% of the Cetus losses.
The study also identified a dramatic surge in AI-related vulnerabilities, rising by over 1,000% since 2023. Most attacks stemmed from insecure APIs and flawed AI supply chains integrated within blockchain systems. Hacken documented five new critical AI-linked weaknesses, including a remote code execution flaw in Langflow that affected over 1,000 exposed instances.
The firm urged Web3 developers to adopt AI security frameworks such as ISO/IEC 42001 and NIST AI RMF 1.0, stressing that the convergence of AI and blockchain technologies has created overlapping security challenges that demand new governance standards.
Strengthening governance to rebuild digital trust
According to Hacken, the Web3 sector’s greatest vulnerabilities are organizational as much as technical. Weak governance structures, insufficient access-control mechanisms, and limited user protections have left many projects exposed. The report advised crypto service providers seeking regulatory licensing to follow recognized standards such as CCSS and ISO/IEC 27001.
Yevheniia Broshevan, Hacken’s co-founder and Chief Business Development Officer, emphasized that investing in resilience and cybersecurity is essential for trust and innovation. “Projects that invest in resilience and security build trust, meet compliance, and protect digital innovation,” she stated.