Blockchain security firm Hacken says more than $3.1 billion has been lost in the crypto sector so far this year, already surpassing the $2.85 billion total for all of 2024. The losses stem from a mix of smart contract bugs, access-control failures, rug pulls, and scams, with one outlier — the $1.5 billion Bybit hack in February — skewing the totals.
Access-control issues accounted for the bulk of losses, making up 59% of the total, while smart contract flaws were responsible for around $263 million, or 8%, according to Hacken’s 2025 Half Year Web3 Security Report.
Yehor Rudytsia, head of forensics at Hacken, said GMX v1 was a key target in recent months due to vulnerabilities in its older code. “Projects have to care about their legacy codebase if it’s still running,” he added.
While some attackers still exploit code-level bugs, Hacken notes a broader shift toward targeting operational lapses and user behavior. Blind signing attacks, phishing, and private key leaks are all on the rise — highlighting persistent gaps in crypto’s security model.
DeFi and CeFi platforms saw $1.83 billion in total losses. The worst hit came in Q2 with the Cetus exploit, where an attacker used a flash loan to trigger a liquidity overflow bug, draining $223 million across 264 pools in just 15 minutes. Hacken said real-time TVL monitoring could have prevented most of the damage.
That incident broke a five-quarter downtrend in DeFi-related exploits and marked the worst quarter since early 2023. Smart contract vulnerabilities surged this quarter, even as access-control losses in DeFi fell to $14 million — their lowest since Q2 2024.
AI and large language models have quickly become both a feature and a risk factor for Web3 projects. Hacken reported a 1,025% jump in AI-related exploits compared to last year, with nearly all of them tied to insecure APIs.
The firm noted that 34% of Web3 projects are now using AI agents in production environments. Traditional security frameworks, such as ISO 27001 or NIST, still don’t fully address issues unique to AI — including model hallucinations, adversarial inputs, or prompt injection attacks.
Five new AI-related CVEs have been added to public vulnerability lists so far this year, and Hacken warned that standards will need to catch up fast if crypto projects want to keep their systems secure.
Read more on The Industry Spread
