Hacken's report indicates that Web3 losses reached $3.95 billion in 2025, an increase of $1.1 billion from the previous year, with North Korean actors responsible for 52% of the losses and losses from key and access-control failures exceeding those from source-code vulnerabilities.
The Web3 industry experienced a turbulent year with total losses from cyberattacks and security vulnerabilities reaching nearly $4 billion, according to Hacken's 2025 annual security report. This figure marks a significant increase from 2024, with more than half of the total losses attributed to threat actors linked to North Korea.
The report, shared with Cointelegraph, shows losses peaked at over $2 billion in the first quarter of the year before falling to around $350 million in the fourth quarter, but Hacken cautioned that this trend reflects systemic operational risks rather than isolated code errors.
The most notable finding in the report is the dramatic shift in the source of losses. Incidents related to access control failures and operational security breaches accounted for approximately $2.12 billion, equivalent to nearly 54% of total losses in 2025, while smart contract vulnerabilities caused only about $512 million in losses.
The Bybit hack, valued at nearly $1.5 billion, has been identified as the largest single theft ever recorded, with North Korea-related groups accounting for approximately 52% of all stolen funds.
Hacken describes 2025 as a year where "the numbers get worse, but the underlying story becomes clear," emphasizing that while smart contract flaws are important, the biggest and most difficult-to-recover losses still come from weak keys, compromised signers, and careless access-provisioning processes.
The gap between regulations and enforcement is still too large.
Yehor Rudystia, head of forensics at Hacken Extractor, said that regulators in the U.S., the European Union, and other major jurisdictions are increasingly specifying security standards such as role-based access control, logging, secure onboarding procedures, institutional-grade custody with hardware-based or multisignature security models, and continuous monitoring and anomaly detection.
However, he noted that while new governance requirements are only just becoming mandatory, many Web3 companies continued to pursue insecure practices throughout 2025, such as not revoking developer access when developers leave the company, using a single private key to administer the protocol, and not implementing endpoint detection and response systems.
Yevheniia Broshevan, co-founder and CEO of Hacken, sees significant opportunities for the industry to raise its security baseline, particularly in the adoption of clear processes for specialized signing hardware and essential monitoring tools. She expects overall security to improve in 2026 as supervisory bodies shift from guidance to hard requirements.
Rudystia argues that regulators need to mandate real-time sharing of threat intelligence on North Korea-related indicators, require risk assessments focused on phishing-based access attacks, and introduce escalating penalties for non-compliance alongside protective mechanisms for platforms that maintain specialized defenses against the North Korean threat.