More than $3.1 billion in crypto has been lost in the first half of 2025 due to issues including smart-contract bugs, access-control vulnerabilities, rug pulls and scams, according to a report from blockchain security auditor Hacken.

This figure already exceeds the total of $2.85 billion from all of 2024. While the $1.5 billion Bybit hack in February may have been an outlier, the broader crypto sector continues to grapple with security challenges.

The distribution of loss types remains largely consistent with trends observed in 2024. Access-control exploits have been the primary driver of losses, accounting for around 59% of the total. Smart-contract vulnerabilities contributed to about 8% of the losses, with $263 million stolen. 

Crypto attack types and total loss in the 2025 half-year. Source: The Hacken 2025 Half Year Web3 Security Report

Yehor Rudytsia, head of forensics and incident response at Hacken, told Coinpectra that they observed significant exploitation of GMX v1, with its outdated codebase being targeted starting in Q3 2025.

“Projects have to care about their old or legacy codebase if it was not stopped from operating completely,” Rudytsia said.

As the crypto space matures, attackers have shifted focus from exploiting cryptographic flaws to targeting human and process-level weaknesses. These sophisticated techniques include blind signing attacks, private key leaks and elaborate phishing campaigns. 

This evolving landscape highlights a crucial vulnerability: Access control in crypto remains one of the most underdeveloped and high-risk areas, despite growing technical safeguards.

DeFi and smart contracts expose vulnerabilities

Operational security flaws were responsible for the majority of the losses, with $1.83 billion stolen across both decentralized finance (DeFi) and centralized finance (CeFi) platforms. The standout incident in Q2 was the Cetus hack, where $223 million was drained in just 15 minutes, marking DeFi’s worst quarter since early 2023 and halting a five-quarter downtrend in exploit-related losses. 

Quarterly DeFi losses. Source: The Hacken 2025 Half Year Web3 Security Report

Prior to this, Q4 2024 and Q1 2025 saw a dominance of access-control failures, overshadowing most bug-based exploits. However, this quarter saw access-control losses in DeFi drop to just $14 million, the lowest since Q2 2024, though smart-contract exploits surged.

The Cetus attack exploited an overflow check vulnerability in its liquidity calculation. The attacker used a flash loan to open tiny positions, then swept through 264 pools. If real-time total value locked (TVL) monitoring with auto-pause had been implemented, up to 90% of the funds could have been saved, according to Hacken.
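The TVL monitoring with auto-pause mentioned above can be sketched as a sliding-window circuit breaker. This is an added example, not code from Hacken or Cetus; the 10% drop threshold, the 5-minute window, the class and function names and the TVL samples are all constructed assumptions.

```python
from collections import deque

class TvlCircuitBreaker:
    """Trip when TVL falls more than max_drop below its peak inside window_s seconds."""

    def __init__(self, max_drop=0.10, window_s=300):  # assumed thresholds
        self.max_drop = max_drop
        self.window_s = window_s
        self.samples = deque()  # (timestamp_s, tvl), oldest first
        self.paused_at = None

    def observe(self, ts, tvl):
        """Record one TVL sample; return True once the breaker has tripped."""
        if self.paused_at is not None:
            return True
        self.samples.append((ts, tvl))
        # Forget samples that have aged out of the window.
        while self.samples[0][0] < ts - self.window_s:
            self.samples.popleft()
        peak = max(v for _, v in self.samples)
        if peak > 0 and (peak - tvl) / peak > self.max_drop:
            # A real deployment would call the protocol's pause hook here.
            self.paused_at = ts
        return self.paused_at is not None

def replay(samples, breaker):
    """Replay samples; return (pause_ts, tvl_at_pause, share_of_loss_avoided)."""
    start_tvl, end_tvl = samples[0][1], samples[-1][1]
    for ts, tvl in samples:
        if breaker.observe(ts, tvl):
            total_loss = start_tvl - end_tvl
            avoided = (tvl - end_tvl) / total_loss if total_loss > 0 else 0.0
            return ts, tvl, avoided
    return None, end_tvl, 0.0

# Constructed data, TVL in $M sampled every 60 s: four steady samples,
# then a linear drain of 15 per minute for 15 minutes (300 -> 75).
CONSTRUCTED_DRAIN = [(0, 300), (60, 301), (120, 299), (180, 300)] + [
    (240 + 60 * i, 300 - 15 * (i + 1)) for i in range(15)
]
# Constructed data: normal fluctuation of about 0.3%, which must not trip.
CONSTRUCTED_QUIET = [(60 * i, 300 + (i % 3) - 1) for i in range(20)]

if __name__ == "__main__":
    print(replay(CONSTRUCTED_DRAIN, TvlCircuitBreaker()))
    print(replay(CONSTRUCTED_QUIET, TvlCircuitBreaker()))
```

A drain slower than `max_drop` per window never trips this breaker, so the window and threshold have to be tuned against the protocol's normal withdrawal patterns.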

AI poses a growing threat to crypto security

AI and large language models (LLMs) are deeply integrated into both Web2 and Web3 ecosystems. While this integration sparks innovation, it also widens the attack surface, introducing new and evolving security threats.

AI-related exploits have surged by 1,025% compared to 2023, with a staggering 98.9% of these attacks tied to insecure APIs. In addition, five major AI-related Common Vulnerabilities and Exposures (CVEs) were added to the list, and 34% of Web3 projects now deploy AI agents in production environments, making them a growing target for attackers.

Traditional cybersecurity frameworks — including ISO/IEC 27001 and the NIST Cybersecurity Framework — are not yet equipped to address risks unique to AI, such as model hallucination, prompt injection and adversarial data poisoning. Hacken said these standards must evolve to reflect the AI-specific threats now facing Web3.
