Greater than $3.1 billion in crypto has been misplaced within the first half of 2025 on account of points together with smart-contract bugs, access-control vulnerabilities, rug pulls and scams, in keeping with a report from blockchain safety auditor Hacken.
This determine already exceeds the whole of $2.85 billion from all of 2024. Whereas the $1.5 billion Bybit hack in February might have been an outlier, the broader crypto sector continues to grapple with safety challenges.
The distribution of loss sorts stays largely per developments noticed in 2024. Entry-control exploits have been the first driver of losses, accounting for round 59% of the whole. Sensible-contract vulnerabilities contributed to about 8% of the losses, with $263 million stolen.
Yehor Rudytsia, head of forensics and incident response at Hacken, informed Cointelegraph that they noticed important exploitation of GMX v1, with its outdated codebase being focused beginning in Q3 2025.
“Initiatives must care about their previous or legacy codebase if it was not stopped from working fully,” Rudytsia stated.
Because the crypto area matures, attackers have shifted focus from exploiting cryptographic flaws to focusing on human and process-level weaknesses. These subtle methods embody blind signing assaults, personal key leaks and elaborate phishing campaigns.
Associated: $2.1B crypto stolen in 2025 as hackers shift focus from code to customers: CertiK
This evolving panorama highlights an important vulnerability: Entry management in crypto stays some of the underdeveloped and high-risk areas, regardless of rising technical safeguards.
DeFi and sensible contracts expose vulnerabilities
Operational safety flaws had been accountable for almost all of the losses, with $1.83 billion stolen throughout each decentralized finance (DeFi) and centralized finance (CeFi) platforms. The standout incident in Q2 was the Cetus hack, the place $223 million was drained in simply quarter-hour, marking DeFi’s worst quarter since early 2023 and halting a five-quarter downtrend in exploit-related losses.
Previous to this, This fall 2024 and Q1 2025 noticed a dominance of access-control failures, overshadowing most bug-based exploits. Nevertheless, this quarter noticed access-control losses in DeFi drop to simply $14 million, the bottom since Q2 2024, although smart-contract exploits surged.
The Cetus assault exploited an overflow examine vulnerability in its liquidity calculation. The attacker used a flash mortgage to open tiny positions, then swept by way of 264 swimming pools. If real-time complete worth locked (TVL) monitoring with auto-pause had been applied, as much as 90% of the funds may have been saved, in keeping with Hacken.
AI poses a rising menace to crypto safety
AI and huge language fashions (LLMs) are deeply built-in into each Web2 and Web3 ecosystems. Whereas this integration sparks innovation, it additionally widens the assault floor, introducing new and evolving safety threats.
AI-related exploits have surged by 1,025% in comparison with 2023, with a staggering 98.9% of those assaults tied to insecure APIs. As well as, 5 main AI-related Frequent Vulnerabilities and Exposures (CVEs) had been added to the record, and 34% of Web3 initiatives now deploy AI brokers in manufacturing environments, making them a rising goal for attackers.
Conventional cybersecurity frameworks — together with ISO/IEC 27001 and the NIST Cybersecurity Framework — are usually not but geared up to handle dangers distinctive to AI, equivalent to mannequin hallucination, immediate injection and adversarial knowledge poisoning. Hacken stated these requirements should evolve to mirror the AI-specific threats now dealing with Web3.
Journal: Coinbase hack reveals the legislation most likely gained’t defend you: Right here’s why
