The first half of 2025 has already set records for theft across Web3. Hacken’s Half Year Web3 Security Report shows that over $3.1 billion has been stolen from different platforms. That is more than the $2.85 billion taken in the whole of 2024.
The biggest case was the Bybit breach in the first quarter, where $1.46 billion vanished. In the same quarter, Infini lost $50 million when a former developer emptied its systems. Nobitex, Iran’s largest exchange, lost $90 million in June in what Hacken described as a politically driven attack.
Hacken found that access control failures were the main cause, responsible for about 59% of all losses. This came to $1.83 billion across six months. Weak signers, compromised keys and poor permission settings gave attackers ways in.
What Trends Are We Seeing?
The data shows that one type of exploit can dominate losses. In the first quarter, $1.63 billion of access-related thefts took place, equal to 83% of that period’s total.
Phishing and social engineering added $594 million, about 19% of the total. The most shocking case was an elderly US holder tricked into sending $330 million worth of Bitcoin. Attackers laundered the money through hundreds of wallets, converted part of it to Monero, which spiked in price, and then bridged some into Ethereum.
Smart contract errors caused another $263 million in damage. Cetus lost $223 million in just 15 minutes when an overflow bug was exploited. Cork Protocol saw $12 million drained after attackers misused a weakness in a Uniswap V4 hook. These cases show how fragile DeFi systems can be when even one line of code is unchecked.
What Does This Mean For DeFi And Investment?
DeFi had its harshest quarter since 2023, with nearly $300 million lost in the second quarter alone. Smart contract bugs that had been quieter in previous months came back strongly. At the same time, ‘rug pulls’ cost $300 million across the first half of the year.
Such breaches affect confidence. Liquidity providers may be wary of placing funds, and backers often hesitate when trust has been broken. Even well-established names have suffered, which makes investors question the safety of the entire space.
Hacken’s co-founder Yevheniia Broshevan said that cybersecurity is now a priority in blockchain projects. Those who make it a business priority are better placed to keep users and attract capital, especially as compliance demands grow worldwide.
How Is AI Changing The Threats?
AI is adding new risks as well as new tools. Hacken reported a 1025% increase in AI-related exploits compared with 2023. Nearly all were tied to insecure APIs.
Exploits included flaws in Langflow and BentoML, which allowed remote code execution, and prompt injection attacks against large language models. Researchers even manipulated memory in models such as Google Gemini to create persistent threats.
About 34% of Web3 projects are now using AI agents for trading, customer support or code review. Hacken noted that the pace of this integration is creating new points of entry for attackers. Without stronger standards such as ISO/IEC 42001 or compliance with the EU AI Act, projects face risks they may not be prepared for.
Can Trust Be Restored?
The numbers show how serious the situation has become. Losing $3.1 billion in six months is a sign that Web3 platforms are under constant pressure from hackers. Hacken’s report argues that stricter access controls, real-time monitoring and frameworks that ensure compliance are the only way forward.
For projects and investors, small oversights can cost hundreds of millions. Trust is fragile, and unless projects take security as seriously as growth, 2025 may actually prove to be the hardest year yet for Web3.