The New Norm Of Crypto Crime: Why 2025 May Be Web3’s Hardest Year Yet

Cybersecurity

In the first half of 2025, Web3 platforms experienced significant security breaches, with over $3.1 billion stolen, surpassing the $2.85 billion lost in the entirety of 2024. The largest incident involved a $1.46 billion breach at Bybit during the first quarter. Additionally, Infini suffered a $50 million loss due to a former developer exploiting its systems, and Nobitex, Iran’s largest exchange, faced a $90 million politically motivated attack in June.

Primary Causes of Losses

Hacken’s report identified access control failures as the leading cause of these breaches, accounting for approximately 59% of total losses, amounting to $1.83 billion. This was primarily due to weak signers, compromised keys, and inadequate permission settings.

Trends in Exploits

Access-related thefts were predominant in the first quarter, accounting for $1.63 billion, or 83% of the total for that period. Phishing and social engineering scams contributed an additional $594 million, including a notable case where an elderly individual was deceived into transferring $330 million worth of Bitcoin. Attackers laundered these funds through multiple wallets, converting some to Monero and Ethereum. Smart contract vulnerabilities resulted in $263 million in losses, with notable incidents including a $223 million loss by Cetus due to an overflow bug and a $12 million loss by Cork Protocol via a Uniswap V4 hook exploit.

Impact on DeFi and Investment

The DeFi sector faced its most challenging quarter since 2023, with nearly $300 million lost in the second quarter alone. The resurgence of smart contract vulnerabilities and ‘rug pulls’ resulted in an additional $300 million in losses. Such breaches have eroded trust among liquidity providers and investors, affecting confidence in the sector.

AI-Related Risks

The integration of AI has introduced new risks. Hacken reported a 1025% increase in AI-related exploits compared to 2023, with most linked to insecure APIs. Incidents included vulnerabilities in Langflow and BentoML, allowing remote code execution, and prompt injection attacks on large language models. Approximately 34% of Web3 projects now utilize AI for various functions, increasing potential attack vectors. Without adherence to standards like ISO/IEC 42001 or compliance with the EU AI Act, these projects remain vulnerable.

Path Forward

With $3.1 billion lost in six months, Web3 platforms face continuous threats. Hacken emphasizes the necessity of implementing stricter access controls, real-time monitoring, and compliance frameworks to enhance security. For both projects and investors, prioritizing security is crucial to maintaining trust and avoiding substantial financial losses.