How much has the crypto industry lost to scams so far in 2025?

It’s only halfway through 2025, and the crypto industry has already taken some heavy hits, as scams, breaches, and hacks continue to leave a trail of losses.

Summary
  • Over $3.1 billion has been lost across the industry in just six months.
  • The February Bybit exploit was the biggest crypto hack on record.
  • Access control failures, smart contract bugs, phishing scams, and AI-powered exploits made up the bulk of the hacks.

In just six months, the crypto industry has already lost over $3.1 billion to hacks and scams, according to Hacken’s 2025 mid-year Web3 security report. That surpasses the full-year total from 2024. Access control failures made up the majority of the losses, accounting for roughly $1.83 billion.

The most devastating was February’s $1.46 billion Bybit exploit, triggered by a compromised signer that let attackers seize wallet control.

Other high-profile cases followed in the months after, including:

  • The Infini protocol exploit, where a former developer compromised the platform’s security and walked off with $50 million in a single transaction.
  • zkSync’s $5 million theft in April, when a so-called multisig was exposed as a 1-of-1 signer setup.
  • The $90 million breach of Iran’s Nobitex exchange, which appeared to be politically motivated.

DeFi platforms also saw major fallout from smart contract bugs. In total, $263 million was lost to such vulnerabilities. Most of that came from the May Cetus exploit, which drained $223 million due to a faulty overflow check in liquidity range logic. Another favorite tactic among attackers was phishing.

Phishing Scams Skyrocket With $600M Stolen

Per Hacken’s report, phishing and social engineering attacks hit new highs, accounting for roughly $600 million and already surpassing 2024’s full-year total. The largest single case saw an elderly U.S. investor lose $330 million in BTC after falling for a sophisticated scam.

Coinbase users were also heavily targeted. Following a data breach, fraudsters posing as Coinbase support used real customer info to gain trust, tricking victims into handing over keys and passcodes. That incident alone netted more than $100 million.

Other schemes included fake wallet apps, malicious browser extensions, and token-approval scams hidden in cloned dApps, all designed to quietly siphon funds while users clicked through.

AI-related exploits jumped over 1000% compared to 2023. Hacken noted that most of these were tied to insecure APIs, and attackers are now using prompt injection, fake agents, and toolchain flaws to bypass industry defenses.

Collectively, these incidents have made the first half of 2025 the worst six-month stretch for Web3 security in years, underscoring the need for tighter security measures.
