Crypto hacks surpass $3.1B in 2025 as access flaws persist: Hacken



Over $3.1 billion in crypto has been lost so far in 2025 due to issues including smart-contract bugs, access-control vulnerabilities, rug pulls and scams, according to a report from blockchain security auditor Hacken.

This figure for the first half of 2025 surpasses the total of $2.85 billion from all of 2024. While the $1.5 billion Bybit hack in Q1 2025 may have been an outlier, the broader crypto sector continues to face significant challenges.

The distribution of loss types remains largely consistent with trends observed in 2024. Access-control exploits have been the primary driver of losses, accounting for around 59% of the total. Smart-contract vulnerabilities contributed to about 8% of the losses, with $263 million stolen. 

Crypto attack types and total loss in the 2025 half-year. Source: The Hacken 2025 Half Year Web3 Security Report

As the crypto space matures, attackers have shifted focus from exploiting cryptographic flaws to targeting human and process-level weaknesses. These sophisticated techniques include blind signing attacks, private key leaks and elaborate phishing campaigns. 


This evolving landscape highlights a crucial vulnerability: Access control in crypto remains one of the most underdeveloped and high-risk areas, despite growing technical safeguards.

DeFi and smart contracts expose vulnerabilities

Operational security flaws were responsible for the majority of the losses, with $1.83 billion stolen across both DeFi and CeFi platforms. The standout incident in Q2 was the Cetus hack, where $223 million was drained in just 15 minutes, marking DeFi’s worst quarter since early 2023 and halting a five-quarter downtrend in exploit-related losses. 

Quarterly DeFi losses. Source: The Hacken 2025 Half Year Web3 Security Report

Prior to this, Q4 2024 and Q1 2025 saw a dominance of access-control failures, overshadowing most bug-based exploits. However, this quarter saw access-control losses in DeFi drop to just $14 million, the lowest since Q2 2024, though smart-contract exploits surged.

The Cetus attack exploited an overflow check vulnerability in its liquidity calculation. The attacker used a flash loan to open tiny positions, then swept through 264 pools. If real-time total value locked (TVL) monitoring with auto-pause had been implemented, up to 90% of the funds could have been saved, according to Hacken.
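The TVL monitoring with auto-pause mentioned above, sketched as an added example; it is not code from Hacken's report or from Cetus. The names `TvlGuard`, `replay` and `constructed_drain`, the 300-second window, the 10% threshold and the pool figures are all assumptions, and a real deployment would call the protocol's own pause mechanism where the comment indicates.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class TvlGuard:
    """Trips a pause when total TVL falls too far below its peak in a sliding window."""
    window_s: int = 300           # look-back window in seconds (assumed value)
    max_drop: float = 0.10        # pause when TVL is >10% below the window peak (assumed)
    paused_at: Optional[int] = None
    _samples: deque = field(default_factory=deque)   # (timestamp, total TVL)

    def observe(self, ts: int, pool_tvl: dict) -> bool:
        """Record one snapshot of per-pool TVL; return True once the guard has paused."""
        if self.paused_at is not None:
            return True
        total = sum(pool_tvl.values())
        self._samples.append((ts, total))
        # Discard samples that have aged out of the window.
        while self._samples[0][0] < ts - self.window_s:
            self._samples.popleft()
        peak = max(v for _, v in self._samples)
        if peak > 0 and (peak - total) / peak > self.max_drop:
            self.paused_at = ts   # hypothetical hook: invoke the protocol's pause here
        return self.paused_at is not None

def constructed_drain():
    """Constructed data: 10 pools of 20 units each, swept one pool per minute."""
    pools = {f"pool{i}": 20.0 for i in range(10)}
    snaps = [(0, dict(pools)), (60, dict(pools))]
    for i in range(10):
        pools[f"pool{i}"] = 1.0                    # this pool is drained
        snaps.append((120 + 60 * i, dict(pools)))
    return snaps

def replay(snapshots, guard):
    """Return (pause time, TVL left at pause, TVL left if nothing had paused)."""
    tvl_at_pause = None
    for ts, pools in snapshots:
        if guard.observe(ts, pools) and tvl_at_pause is None:
            tvl_at_pause = sum(pools.values())
    return guard.paused_at, tvl_at_pause, sum(snapshots[-1][1].values())

if __name__ == "__main__":
    paused, kept, unguarded = replay(constructed_drain(), TvlGuard())
    print(f"paused at t={paused}s, TVL kept={kept}, TVL without pause={unguarded}")
```

Summing across pools matters for a sweep like the one described: each pool's loss is small relative to the protocol, so a per-pool alert alone would see many unrelated events rather than one drain.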

AI poses a growing threat to crypto security

AI and large language models (LLMs) are deeply integrated into both Web2 and Web3 ecosystems. While this integration sparks innovation, it also widens the attack surface, introducing new and evolving security threats.

AI-related exploits have surged by 1,025% compared to 2023, with a staggering 98.9% of these attacks tied to insecure APIs. In addition, five major AI-related Common Vulnerabilities and Exposures (CVEs) were added to the list, and 34% of Web3 projects now deploy AI agents in production environments, making them a growing target for attackers.

Traditional cybersecurity frameworks, like ISO/IEC 27001 and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), are ill-equipped to address AI-specific risks such as model hallucination, prompt injection and adversarial data poisoning. These frameworks must evolve to offer comprehensive governance that includes the unique challenges posed by AI.
