Synopsis: Web3 platforms lost nearly $4 billion in 2025, with North Korean hackers responsible for 52%. Weak access controls and poor key management caused most losses, not smart contract bugs.

Web3 platforms lost nearly $4 billion in 2025, marking a sharp rise from the previous year. More than half of these losses came from North Korean state-sponsored hackers. The Hacken 2025 Yearly Security Report reveals that weak access controls and sloppy key management drove most damages. Despite falling quarterly losses after a massive first-quarter spike, the industry still faces systemic risks that go beyond simple coding errors.


Source: Hacken-2025-Yearly-Security-Report

The report shows total Web3 losses reached about $4 billion. This figure is roughly $1.15 billion higher than 2024. North Korea-linked threat actors accounted for approximately 52% of stolen funds, or about $2 billion. The February 2025 Bybit breach alone resulted in nearly $1.5 billion stolen, making it the largest single crypto heist on record.

Operational Failures

Access control failures and broader operational security breakdowns caused about $2.12 billion in damages. This represents nearly 53% of all 2025 losses. Smart contract vulnerabilities, by comparison, accounted for only around $512 million. The Bybit breach highlighted how attackers exploited weak multi-signature wallet setups and bypassed approval safeguards.

Hacken identifies several critical operational mistakes that companies continue to make. Many firms fail to revoke developers’ access when employees leave. Others rely on single private keys for managing entire protocols. Most lack Endpoint Detection and Response systems that could catch suspicious activity early.


Yehor Rudystia, head of forensics at Hacken Extractor, points to these gaps as the industry’s biggest problem. He notes that regulators across the US and European Union increasingly spell out security requirements. These include role-based access control, secure onboarding with ID verification, and institutional-grade custody solutions. However, many Web3 companies still treat these requirements as optional suggestions rather than mandatory standards.

Quarterly Losses

Losses peaked at over $2.3 billion in the first quarter of 2025. Q2 losses were just over $1 billion, and by Q3 the figure had dropped to around $550 million. This pattern reflects a concentration of major incidents early in the year, followed by improved awareness.

Source: Hacken-2025-Yearly-Security-Report

Despite the quarterly decline, Hacken warns that the underlying story remains clear. The biggest and least recoverable losses still come from weak keys and compromised signers. Smart contract bugs matter, but operational security breakdowns cause far more damage. 

North Korean hackers increasingly use AI-powered tactics to enhance their phishing campaigns. These tools lower the barrier for social engineering attacks and enable more targeted operations. Centralized exchanges bore the brunt of attacks early in the year, while DeFi exploits surged later.

Mandatory Security Standards

Rudystia emphasizes that large exchanges and custodians must treat security audits as non-negotiable in 2026. Regular penetration tests, incident simulations, custody control reviews, and independent financial audits should become mandatory. These practices exist on paper across major jurisdictions’ licensing regimes, but enforcement remains weak.

Yevheniia Broshevan, Hacken’s co-founder and CEO, sees a significant opportunity for improvement. The industry needs clear protocols for using dedicated signing hardware. Essential monitoring tools must become standard across all platforms. Broshevan expects overall security to improve in 2026 as regulators turn principles into requirements with enforcement mechanisms.

The report urges authorities to treat North Korean tactics as a specific supervisory concern. Regulators should mandate real-time threat intelligence sharing on North Korean indicators. Platforms need threat-specific risk assessments focused on phishing-led access attacks. Rudystia argues for graduated penalties for non-compliance paired with safe-harbor protections for compliant platforms.

Industry Must Adopt North Korea-Specific Defenses

Given that North Korean clusters drove roughly half of all losses, the industry needs tailored defenses. Authorities must require continuous monitoring and anomaly detection systems. Companies should implement institutional-grade custody using hardware security modules, multi-party computation, or multi-signature setups. Cold storage should become standard for large fund holdings.
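The two custody failure modes the report names above (a single private key controlling a protocol, and departed developers whose signing access was never revoked) and the threshold-based defenses it recommends can be modelled with a small approval policy. This is an added example, not Hacken's tooling or any real wallet's code; the signer names, secrets, and transaction payload are constructed, and an HMAC stands in for a real digital signature so it runs offline.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed model of an M-of-N custody approval policy (added example, not Hacken's tooling).
# HMAC over a per-signer secret stands in for a real digital signature so it runs offline.

@dataclass
class CustodyPolicy:
    threshold: int                       # approvals required to release funds
    signer_keys: dict                    # signer id -> secret held on that signer's device
    revoked: set = field(default_factory=set)

    def sign(self, signer: str, payload: bytes) -> bytes:
        return hmac.new(self.signer_keys[signer], payload, hashlib.sha256).digest()

    def offboard(self, signer: str) -> None:
        """Revoke a departed developer's signing authority instead of leaving the key live."""
        self.revoked.add(signer)

    def authorize(self, payload: bytes, approvals: dict) -> bool:
        """Count only valid signatures from distinct, non-revoked signers over this exact payload."""
        valid = 0
        for signer, sig in approvals.items():
            if signer in self.revoked or signer not in self.signer_keys:
                continue
            if hmac.compare_digest(sig, self.sign(signer, payload)):
                valid += 1
        return valid >= self.threshold

TX = b"release 1000 ETH to treasury-b"  # constructed transaction payload

def single_key_setup() -> bool:
    """Weak setup from the report: one private key controls the whole protocol."""
    policy = CustodyPolicy(threshold=1, signer_keys={"ops": b"secret-ops"})
    # Whoever holds that one key can release funds alone; losing it means losing everything.
    return policy.authorize(TX, {"ops": policy.sign("ops", TX)})

def threshold_setup() -> tuple:
    """Hardened setup: 2-of-3 signers on dedicated devices, departed developer revoked."""
    keys = {"ops": b"secret-ops", "cfo": b"secret-cfo", "dev": b"secret-dev"}
    policy = CustodyPolicy(threshold=2, signer_keys=keys)
    policy.offboard("dev")  # the offboarding step the report says many firms skip
    one_key = policy.authorize(TX, {"ops": policy.sign("ops", TX)})
    with_departed_dev = policy.authorize(TX, {"ops": policy.sign("ops", TX), "dev": policy.sign("dev", TX)})
    other_payload = policy.sign("cfo", b"release 1 ETH to treasury-b")  # approval of a different transaction
    wrong_payload = policy.authorize(TX, {"ops": policy.sign("ops", TX), "cfo": other_payload})
    legitimate = policy.authorize(TX, {"ops": policy.sign("ops", TX), "cfo": policy.sign("cfo", TX)})
    return one_key, with_departed_dev, wrong_payload, legitimate
```

In the hardened setup only the final case releases funds: one key alone, a revoked signer, or an approval over a different payload each fall short of the threshold.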

The report positions 2026 as a potential turning point for Web3 security. Hacken expects the bar to rise as supervisors move from soft guidance to hard requirements. Insights from the Hacken TRUST Summit, featuring representatives from Nasdaq, JPMorgan, Citi, and Kraken, stressed cybersecurity as core infrastructure. Industry leaders agree that treating security as optional has cost billions.

Most losses in 2025 were preventable with basic security hygiene rather than advanced technical solutions. The operational failures category includes insider threats, inadequate offboarding, and absent access controls. These issues often stem from treating security standards as voluntary rather than essential. The industry must shift its approach to protect users’ funds and build trust in Web3 platforms.

Written By Fazal Ul Vahab C H

Author: Crypto Editorial

The Trade Brains Crypto Editorial is a collective of seasoned crypto analysts, blockchain researchers, and digital asset traders with over 10 years of combined experience in the cryptocurrency ecosystem.