Web3 loses billions in six months. More than all of 2024



By Olivier Acuña Barba
Published 24 Jul 2025, 15:35 • 5 minute read

Web3 will report more security breaches in 2024 than it does today | Credit: amgun/Shutterstock

Security is no longer just a back-office concern; it is now the basis of growth, trust and compliance.

“2025 is a wake-up call,” said Yevheniia Broshevan, co-founder and CEO of Hacken. “Cybersecurity is not just a technology issue; it’s also a business enabler. When projects incorporate operational resilience and invest in security, they do more than just reduce risks. They build trust and protect innovation.”

Rudytsia said: “Even after a hack, users are often faced with withdrawal freezes or lost funds. They may also have a reduced level of trust. Smart contract bugs in DeFi directly drain deposits from users with little hope of recovery. There are large-scale social engineering and phishing attacks that target users through fake airdrops or wallet drainers. These attacks result in widespread but often overlooked user losses.”

Damage breakdown

The report shows that Web3 losses totaled $3.09 billion from January to June 2025. The breakdown reveals deeper patterns.

  •       Access control failures, an operational problem rather than a code bug, accounted for 59 percent ($1.83B).
  •       Social engineering and phishing accounted for 19 percent ($594M), including a $330M fraud against an elderly investor.
  •       Smart contract vulnerabilities accounted for 9 percent ($273M), including the $223 million Cetus exploit, DeFi’s worst in over a year.
  •       Other losses included rug pulls and Uniswap v4 hook exploits. All of these point to a fragmented, still-maturing infrastructure.

In the first quarter, over $2 billion was lost, mostly due to the Bybit breach. Attackers exploited a compromised signing interface to drain $1.46 trillion through a malicious transaction.

Access: The Hidden Vulnerability

Security breaches related to access control dominated the landscape. Multimillion-dollar exploits were caused by a single leaked key, a misconfigured multisig, or an unmonitored administrator role. In many cases the cryptography was sound; it was only the human layer that failed.

Broshevan says that even if the code is perfect, half a billion dollars can disappear. What is missing are formal access control frameworks and third-party verification.

Nobitex, Iran’s largest crypto exchange, lost $90,000,000 in an attack that appeared to be politically motivated. The attackers sent the assets to burner addresses, which raised questions about the readiness of national infrastructure.

Hacken’s answer: Real-time prevention

Hacken is doubling down on its automated incident response tool suite in response to these systemic failings. The platform’s new features include:

  •       A Safe multisig monitor that verifies signer actions in real time.
  •       A TVL monitor that detects abnormal transfers and initiates containment in real time.
  •       Automated functions that pause contracts, rotate keys and remove compromised signers.

These tools could have prevented many of this year’s breaches, often within seconds.
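As an added illustration of the signer verification and TVL-monitoring controls listed above, and of the leaked-key and misconfigured-multisig failures described in the previous section, here is a minimal treasury monitor in Python. It is example code written for this article, not Hacken’s product, and every address, threshold and amount in it is constructed.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Sample transaction record; the values used below are constructed, not real chain data.
Transfer = namedtuple("Transfer", "ts amount_usd signers")  # ts in seconds; signers: frozenset

@dataclass
class TreasuryMonitor:
    authorized: frozenset     # signer set the multisig was configured with
    threshold: int            # minimum valid signatures per transaction
    max_outflow_ratio: float  # share of TVL allowed to leave per window
    window_s: int             # sliding window length in seconds
    tvl_usd: float            # current total value locked
    paused: bool = False
    history: list = field(default_factory=list)

    def check_signers(self, t):
        unknown = sorted(t.signers - self.authorized)  # leaked or foreign key
        if unknown:
            return "unauthorized signer(s): " + ", ".join(unknown)
        if len(t.signers) < self.threshold:  # bypassed or misconfigured threshold
            return f"only {len(t.signers)} of {self.threshold} signatures"

    def check_outflow(self, t):
        recent = sum(x.amount_usd for x in self.history if t.ts - x.ts < self.window_s)
        cap = self.max_outflow_ratio * self.tvl_usd  # TVL-aware sliding-window cap
        if recent + t.amount_usd > cap:
            return f"outflow {recent + t.amount_usd:.0f} USD exceeds window cap {cap:.0f} USD"

    def process(self, t):
        """Return "ok", "paused" or "alert: <reason>"; any alert pauses the treasury."""
        if self.paused:
            return "paused"
        reason = self.check_signers(t) or self.check_outflow(t)
        if reason:
            self.paused = True  # containment: freeze until operators have reviewed
            return "alert: " + reason
        self.history.append(t)
        self.tvl_usd -= t.amount_usd
        return "ok"

def run_sample():
    # Constructed sequence: valid signers drain slowly; the third transfer trips the cap.
    m = TreasuryMonitor(frozenset({"0xA", "0xB", "0xC"}), 2, 0.10, 3600, 1_000_000.0)
    txs = [Transfer(0, 50_000, frozenset({"0xA", "0xB"})),
           Transfer(600, 40_000, frozenset({"0xA", "0xC"})),
           Transfer(1200, 30_000, frozenset({"0xB", "0xC"})),
           Transfer(1300, 1_000, frozenset({"0xA", "0xB"}))]
    return [m.process(t) for t in txs]
```

The same monitor rejects a transaction carrying a signer outside the configured set, or fewer signatures than the threshold, before the outflow check is even reached.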

Social engineering: the human factor

Web3 attacks are becoming more psychological. Nearly $600,000,000 was stolen through phishing scams. Attackers impersonated Coinbase support staff and exploited leaked customer data, using sophisticated social techniques to obtain wallet access and passcodes.

The biggest single theft targeted an elderly U.S. resident who was tricked into handing over $330,000,000 in Bitcoin. The attacker laundered the funds through hundreds of wallets, drove Monero’s value up by 50% in the process, and then disappeared into the DeFi ether.

These events demonstrate the growing importance of user education, transparency and multi-factor authentication, particularly for high-net-worth individuals.

Smart contracts still bleeding

Smart contract bugs remain a significant attack vector despite the industry’s growing maturity. DeFi platforms lost $264,000,000 in H1 2025. The Cetus flash-loan attack is particularly notable: in only 15 minutes, an attacker exploited a subtle overflow bug to drain nearly a quarter of a billion dollars from 264 liquidity pools.

In the Cork Protocol incident, a missing permission check allowed an attacker to inject custom calldata into a Uniswap v4 hook, resulting in a $12 million loss through the conversion of fake tokens into real assets. The vulnerability was introduced when a single line in the default Uniswap access permissions was modified.

These incidents demonstrate the need for TVL-aware monitoring, automated controls and rigorous audits.

AI: A new threat class

AI-related attacks also increased, with a 1,025% rise in exploit volume compared with 2023. Hackers took advantage of insecure APIs and other vulnerabilities, including prompt injection and training data poisoning. They also exploited RCEs in open source ML libraries such as Langflow and BentoML.

“That being said, AI has been a part of cybercrime for over a decade, and I’d argue that the increase in scams in recent years is due to the growth in the value of the market. Simply put, stealing today’s Rolex Submariner would earn you more than stealing that same watch back in 1990,” said Mr. Sutton.

The attack surface has grown faster than governance frameworks can keep up. 34 percent of Web3 projects now use AI agents in production. Hacken describes “vibe-hacking” as a low-skill attack style that relies on tools such as WormGPT.

Stephen Ajayi, Hacken’s DApp Audit Technical Lead, says: “The promise and risks of AI are massive.” By embedding security into every step of the process, from design to deployment, Hacken helps teams innovate with confidence.

Hacken now offers AI System Security Audits. These help projects secure LLMs, multi-agent frameworks and pipelines, and inference pipelines, using standards such as OWASP, ISO/IEC 42001 and the MCP protocol.

Regulation is catching up, but slowly

Although regulations and standards such as the EU AI Act and ISO/IEC 42001 have begun to respond, most frameworks still need time to catch up with the complexity of Web3-native AI deployments. Standards such as ISO/IEC 27001/27002 provide foundational coverage but do not address threats like model hallucination or prompt injection.

Broshevan says that compliance cannot be reactive. Businesses need proactive frameworks that match the speed and scale of innovation. Hacken takes the lead in this area, from auditing through to implementation.

Hacken helps clients navigate MiCA, VARA and VASP requirements by bridging traditional compliance with decentralised infrastructure. Its new services include:

  •       AI and smart contract audits
  •       Access control frameworks (CCSS + ISO/IEC 27001)
  •       Red teaming and adversarial AI testing
  •       Emergency response triage

The way forward

These half-year numbers represent more than lost funds. They reflect a gap in strategic maturity. Exploits will continue to grow until businesses make security a priority rather than an optional extra.

Hacken’s conclusion is nonetheless positive. Broshevan explains that Web3 is secured not by fear but by trust, and that security isn’t meant to slow you down. “It’s about unlocking momentum with confidence, clarity and control.”
