Web3 hacks reached an uncomfortable milestone in 2025. Nearly $4 billion was lost across crypto, NFTs and DeFi to security flaws, scams and plain human error. The figure comes from the Annual Security Report 2025 published by Hacken, and it paints a picture the industry cannot ignore.
This wasn’t a year marked by obscure bugs hiding in experimental code. Most of the damage came from weak access controls, stolen credentials and social engineering. In other words, the same problems that security teams have been warning about for years are now happening on a much larger scale.
If you own NFTs, trade on centralized exchanges, or build on Web3, the lessons of 2025 matter more than ever.
A $4 billion reality check for Web3
Hacken’s report puts total losses for 2025 at $4 billion. That figure covers exchange breaches, phishing fraud, compromised wallets, rug pulls and protocol exploits.
Other firms, including CertiK and Chainalysis, estimate lower totals of between $2.5 billion and $3.2 billion, depending on their attribution models. All major sources agree, however, that 2025 brought an increase in both the size and the sophistication of attacks.
What is striking is not just the magnitude of the losses. It is where they came from.
Previous crypto cycles were dominated by smart contract bugs. In 2025 the balance shifted: operational failures and social engineering caused more damage than broken code. As more capital flowed into Web3, attackers followed the money and took the easiest path in.
For NFT users, this shift changes the risk profile entirely. A perfect contract is no help if a wallet approval or signature request is abused.
How the year unfolded
Q1 changed everything
The year started badly. By the end of the first quarter, more than $2 billion had been lost, making it the worst quarter on record for Web3 security.
The biggest driver was the Bybit breach. The attackers did not abuse a smart contract. They compromised the supply chain of the signing front-end and tampered with its infrastructure, so that the transaction the signers approved was not the one shown to them. It was a reminder that blockchain security does not stop at the chain itself.
After that incident, security assumptions changed quickly.
The pace slowed, but the threat did not
Losses fell over the rest of the year. In the fourth quarter, total damages came to roughly $350 million. The decline reflected better awareness and faster response times.
Still, the early damage could not be undone. Attackers adjusted their strategy instead of retreating. Fewer attacks. Greater impact.
Where the money was lost
Access control was the biggest failure
More than half of all losses in 2025 were due to access control failures: compromised private keys, misconfigured multisig wallets, and internal credentials that were misused or leaked.
None of this required advanced exploits. In most cases, attackers simply obtained access they should never have had.
Hacken’s data attributes $2.12 billion, or 53% of all losses, to access control failures, making them the leading cause of crypto theft in 2025.
One key insight: multisig wallets proved vulnerable when signers used everyday devices. In the UXLINK exploit, compromised signers let the attackers mint trillions of tokens, drain assets and dump them on the market.
That is uncomfortable to admit, but it is also useful. These are problems teams can solve with better processes.
Phishing became more difficult to recognize
Phishing and social engineering accounted for nearly $1 billion in losses. Address poisoning, fake support messages and impersonation scams kept evolving.
AI made these attacks more convincing: fake job interviews, deepfake video calls, and messages that looked exactly like something a real project would send.
One user lost $50 million in a single transaction to address poisoning, where a scammer’s address is mistaken for one you have sent to before. Another lost $330 million worth of Bitcoin after a lengthy social engineering attack.
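The address-poisoning pattern above comes down to one mistake: trusting the first and last few characters that a wallet displays instead of the full address. The following is an added example, not code from Hacken or from any wallet, of the two checks that stop it: comparing a recipient against a local address book in full, and scanning incoming history for the planted dust transfers that mark an attempt. The address book, wallet, history entries and dust threshold are all constructed for the example.

```python
"""Address-book check against address poisoning (constructed example).

Address poisoning relies on the victim copying a recipient from transaction
history, where a planted dust transfer from a lookalike address sits next to
the real one. Wallets typically display only the first and last few hex
characters, so the lookalike passes a glance. The check below compares the
full 20-byte address against a local address book and also scans history for
the dust transfers that mark a poisoning attempt.
"""
from typing import Dict, List, Optional

# Assumed threshold: transfers below 0.001 ETH are treated as dust.
DUST_THRESHOLD_WEI = 10**15


def normalise(address: str) -> str:
    """Lower-case 40-hex-char form without 0x; rejects anything else."""
    a = address.strip().lower()
    if a.startswith("0x"):
        a = a[2:]
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    return a


def is_lookalike(candidate: str, known: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when only the displayed prefix and suffix match a known address."""
    c, k = normalise(candidate), normalise(known)
    return c != k and c[:prefix] == k[:prefix] and c[-suffix:] == k[-suffix:]


def check_recipient(recipient: str, address_book: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Classify a recipient as trusted, lookalike or unknown against the address book."""
    target = normalise(recipient)
    for label, known in address_book.items():
        if normalise(known) == target:
            return {"status": "trusted", "label": label}
    for label, known in address_book.items():
        if is_lookalike(target, known):
            return {"status": "lookalike", "label": label}
    return {"status": "unknown", "label": None}


def find_poisoning_attempts(history: List[dict], address_book: Dict[str, str], wallet: str) -> List[dict]:
    """Return incoming dust transfers whose sender mimics an address-book entry."""
    me = normalise(wallet)
    flagged = []
    for tx in history:
        if normalise(tx["to"]) != me or tx["value_wei"] >= DUST_THRESHOLD_WEI:
            continue
        for label, known in address_book.items():
            if is_lookalike(tx["from"], known):
                flagged.append({**tx, "mimics": label})
                break
    return flagged


# Constructed sample data: one genuine deposit address and a lookalike that
# shares its first and last four characters.
ADDRESS_BOOK = {"exchange deposit": "0x1234" + "a" * 32 + "abcd"}
WALLET = "0x" + "5" * 40
LOOKALIKE = "0x1234" + "f" * 32 + "abcd"
HISTORY = [
    {"hash": "0x01", "from": ADDRESS_BOOK["exchange deposit"], "to": WALLET, "value_wei": 2 * 10**18},
    {"hash": "0x02", "from": LOOKALIKE, "to": WALLET, "value_wei": 0},  # planted dust
    {"hash": "0x03", "from": WALLET, "to": ADDRESS_BOOK["exchange deposit"], "value_wei": 10**18},
]

if __name__ == "__main__":
    print(check_recipient(LOOKALIKE, ADDRESS_BOOK))
    for tx in find_poisoning_attempts(HISTORY, ADDRESS_BOOK, WALLET):
        print("poisoning attempt:", tx["hash"], "mimics", tx["mimics"])
```

A wallet that applied `check_recipient` before every send would have refused the lookalike outright rather than showing a truncated address that looks identical to the genuine one; the history scan is the complementary alert, since the dust transfer arrives days before the victim is tricked.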
NFT traders were frequent targets, especially those active in Discord and Telegram communities.
Smart contract exploits haven’t gone away
Contract bugs still caused damage, amounting to approximately $512 million in losses. DeFi protocols took the brunt of that hit, with Ethereum-based projects seeing the highest concentration.
Notable exploits included Balancer v2 ($128 million via a rounding bug), GMX v1 ($42 million via a reentrancy bug) and Yearn yETH ($9 million via an infinite-mint bug).
Audits helped reduce frequency, but edge cases and integrations kept posing risks. Code security improved; it just was not enough on its own.
Exchanges vs. DeFi: Different Weaknesses
Centralized platforms got the biggest hits
Centralized exchanges accounted for more than half of all losses. The most visible case was Bybit, where attackers exploited front-end access rather than blockchain logic.
Custody concentrates the risk. Internal tools, third-party vendors, and employee access all increase the attack surface. When something goes wrong, the numbers escalate quickly.
DeFi and NFT infrastructure remained exposed
DeFi exploits exceeded $500 million across dozens of incidents. Liquidity drains, bridge flaws and calculation errors surfaced again and again.
Ethereum was the most targeted chain, largely because so much activity takes place there. NFT platforms often shared wallets, permissions, or back-end services with DeFi protocols, allowing risk to spill over.
North Korea’s role has grown significantly
One of the clearest patterns of 2025 involved state-affiliated attackers. Groups linked to North Korea accounted for about 52% of total losses, stealing more than $2 billion over the year.
In fact, 9 out of 10 access control attacks were traced to North Korean groups, using tactics such as fake recruiter profiles, malware-laced GitHub repositories and deepfake job interviews.
Researchers attributed much of this activity to the Lazarus Group and the TraderTraitor cluster. Their approach relied on phishing, impersonation and insider access rather than technical exploits.
Compared with 2024, the value stolen by these groups rose by more than 50%. The scale and coordination were striking.
Why NFT holders felt the impact
NFTs did not produce the biggest dollar figures, but collectors were heavily targeted: fake mint links, malicious approvals, and compromised Discord accounts posing as project administrators.
Once a wallet is compromised, the NFTs are moved immediately. There is no rollback. Marketplace approvals often remain active long after users have forgotten them.
For NFT security, wallet habits matter as much as platform security.
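The malicious approvals and stale marketplace permissions described above both come down to one call, setApprovalForAll(operator, true), which hands an operator transfer rights over every token in a collection. As an added example, not code from Hacken, any wallet or any marketplace, the following decodes the calldata of a pending signature request against the standard ERC-20/ERC-721 selectors, rates it, and builds the calldata that revokes a forgotten approval. The trusted-operator list and the sample requests are constructed for the example.

```python
"""Inspect approval calldata before signing, and build the revocation
(constructed example; not code from any marketplace or wallet).

A signature request that calls setApprovalForAll(operator, true) hands an
operator transfer rights over every token in the collection, which is how
drained NFTs leave a wallet in one transaction. The inspector below decodes
the standard ERC-20/ERC-721 selectors, rates the request, and can produce the
calldata that revokes a stale marketplace approval.
"""
from typing import Dict, FrozenSet

MAX_UINT256 = (1 << 256) - 1

# Standard 4-byte selectors (first four bytes of keccak256 of the signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
}


def _strip_0x(s: str) -> str:
    return s[2:] if s[:2].lower() == "0x" else s


def _word(data: bytes, index: int) -> int:
    """The index-th 32-byte static ABI argument, as an integer."""
    start = 4 + 32 * index
    chunk = data[start:start + 32]
    if len(chunk) != 32:
        raise ValueError(f"calldata truncated at argument {index}")
    return int.from_bytes(chunk, "big")


def _word_address(data: bytes, index: int) -> str:
    """An address argument: the low 20 bytes of the 32-byte word."""
    return "0x" + _word(data, index).to_bytes(32, "big")[12:].hex()


def inspect_calldata(calldata: str, trusted_operators: FrozenSet[str] = frozenset()) -> Dict[str, object]:
    """Decode a request and rate it low / medium / high / unrecognised."""
    data = bytes.fromhex(_strip_0x(calldata))
    if len(data) < 4:
        return {"function": None, "risk": "unrecognised", "reason": "no selector"}
    selector = data[:4].hex()
    name = SELECTORS.get(selector)
    if name is None:
        return {"function": None, "risk": "unrecognised",
                "reason": f"unknown selector 0x{selector}; simulate before signing"}
    trusted = {a.lower() for a in trusted_operators}  # assumed allow-list of marketplaces

    if selector == "a22cb465":
        operator = _word_address(data, 0)
        approved = _word(data, 1) != 0
        if not approved:
            risk, reason = "low", f"revokes operator {operator}"
        elif operator in trusted:
            risk, reason = "medium", f"re-grants collection-wide control to trusted operator {operator}"
        else:
            risk, reason = "high", f"grants collection-wide transfer rights to untrusted operator {operator}"
        return {"function": name, "risk": risk, "reason": reason, "operator": operator}

    if selector == "095ea7b3":
        spender = _word_address(data, 0)
        value = _word(data, 1)  # ERC-20: amount; ERC-721: tokenId
        if value == MAX_UINT256:
            risk, reason = "high", f"unlimited ERC-20 allowance for {spender}"
        else:
            risk, reason = "medium", f"approves {spender} for amount or tokenId {value}"
        return {"function": name, "risk": risk, "reason": reason, "spender": spender}

    # transferFrom / safeTransferFrom move the asset immediately; a mint or
    # listing page never needs the user to sign one of these.
    sender, receiver, value = _word_address(data, 0), _word_address(data, 1), _word(data, 2)
    return {"function": name, "risk": "high",
            "reason": f"moves amount or tokenId {value} from {sender} to {receiver}", "to": receiver}


def build_revoke_all(operator: str) -> str:
    """Calldata for setApprovalForAll(operator, false), sent to the NFT contract."""
    op = _strip_0x(operator).lower()
    if len(op) != 40 or any(c not in "0123456789abcdef" for c in op):
        raise ValueError(f"not a 20-byte hex address: {operator!r}")
    return "0xa22cb465" + op.rjust(64, "0") + "0" * 64


if __name__ == "__main__":
    # Constructed: a request to approve an unknown operator on a collection.
    untrusted = "0x" + "ab" * 20
    grant = "0xa22cb465" + "00" * 12 + "ab" * 20 + "00" * 31 + "01"
    print(inspect_calldata(grant))
    print(build_revoke_all(untrusted))
```

The inspector only recognises the four standard selectors; anything else is reported as unrecognised rather than guessed at, which is the point at which transaction simulation should take over. Revoking is a transaction to the collection contract itself, so the revocation calldata is sent to the NFT contract address, not to the operator being removed.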
AI has changed the security equation
AI played both sides in 2025.
Attackers used automation, deepfake media, and adaptive messaging to scale scams faster than before. Defenders responded with better monitoring, anomaly detection, and faster incident assessment.
Bug bounty platforms like Immunefi helped uncover issues early, showing that incentives still matter.
The gap between attack and defense was not closed. It moved.
Regulations started to catch up
Security expectations in key jurisdictions have tightened.
In the US, licensing frameworks increasingly require penetration testing and hardware-backed key management. In Europe, MiCA emphasizes custody segregation and independent audits.
These rules will not eliminate breaches. They raise the baseline and make shortcuts harder to justify.
What actually helps
For users:
Hardware wallets reduce exposure. Dedicated signing devices help even more. Address books and transaction simulation prevent common mistakes.
For NFT and Web3 teams:
One audit is not enough. Layered reviews catch more problems. Multisig and MPC setups reduce single points of failure. Monitoring should continue after launch.
For industry:
Clear standards create trust. Security maturity is now impacting adoption and capital flow.
A costly year, but a clear signal
The $4 billion lost to Web3 hacks in 2025 reflects growth under pressure. Attackers refined their playbooks. Defenders learned in public. Transparency exposed weaknesses, but also forced improvement.
Security has become credibility. For NFTs, DeFi and crypto as a whole, the next phase depends less on speed and more on discipline.
Frequently asked questions
Here are some frequently asked questions on this topic:
1. How much was lost to Web3 hacks in 2025?
Hacken reported a total of $4.004 billion in losses. Other firms such as CertiK and Chainalysis estimate between $2.5 billion and $3.2 billion, depending on methodology.
2. What were the biggest sources of crypto losses in 2025?
The majority resulted from access control errors (53%), followed by phishing (24%) and smart contract vulnerabilities (13%).
3. Was North Korea Really Responsible for Most of the Web3 Hacks?
Yes. Groups linked to North Korea were responsible for about 52% of losses in 2025, often using phishing and social engineering tactics.
4. Are smart contract audits still effective?
Audits help reduce risk but are not infallible. Many 2025 exploits hit audited protocols because of overlooked edge cases.
5. What impact did AI have on Web3 security in 2025?
AI was used both defensively (monitoring) and offensively (deepfakes, scam automation), and introduced new risks such as prompt injection attacks.
6. What can users do to protect their assets?
Use hardware wallets, avoid signing unknown transactions, verify addresses and practice strict digital hygiene, especially on social platforms.