
    Hacken: Crypto Industry Losses Exceed $3 Billion in the First Half of 2025


    According to a fresh report by Hacken, the crypto industry’s losses in the first half of 2025 reached $3.1 billion. This exceeds the total losses for the entire year 2024. The main reasons are failures in access rights management, compromise of private keys and smart contracts, as well as phishing attacks.

    Of particular concern to analysts is the rise of social engineering and vulnerabilities in DeFi protocols. The Incrypted team has reviewed the report and obtained exclusive comments from Hacken representatives.


    Hacker attack information for the first half of 2025. Data: Hacken.

    Access Vulnerabilities Worth $2 Billion

    The category of attacks related to access management caused the most damage: $1.83 billion, or 59% of all losses. The main reasons are incorrect role assignment, errors in entitlement logic and reliance on vulnerable multi-signature interfaces. The Bybit hack, with $1.46 billion in damage, was the largest not only for the period under review but in the entire history of the industry.

    Hacken notes that similar vulnerabilities were found in smaller protocols: the UPCX hack brought attackers $70 million, and the KiloEx project lost $7.5 million. Q2 showed a marked decrease in scale, from $1.6 billion to $190.5 million, but the threat itself remains: attackers continue to hunt for single keys with full permissions and roles without permission restrictions.

    “Access control exploits arise from the weak security operational practices that most cryptocurrency companies, both CeFi and DeFi, utilize. Hot wallets of centralized exchanges are emptied, mainly due to private key leaks and “supply chain” attacks. Decentralized projects, in turn, suffer significant losses due to the compromise of devices that store the seed phrase, private key or are used to sign transactions,” said Egor Ruditsa, Head of digital forensics and incident response at Hacken.


    Crypto industry losses for the first half of 2025 related to access control exploits. Data: Hacken.

    According to the expert, malware-laden repositories on Bitbucket, fake browser extensions and Calendly phishing links are just a few of the attack vectors. To avoid such attacks, the Hacken researcher believes developers should:

    • use cold wallets to store keys;
    • focus on multi-signatures and timelocks for critical operations;
    • access the private key only from a dedicated device that is not used for other tasks;
    • implement real-time monitoring of suspicious activity and protocol anomalies.

    “Every day, new DeFi projects are hacked when a deployer’s or team member’s device is compromised via virus software,” Ruditsa emphasized.

    DeFi Attacks

    Smart contract vulnerabilities were another major problem. Losses in this category totaled $263 million during the period. The main incident was the Cetus Protocol hack, in which $223 million was stolen in 15 minutes. Analysts also noted that Q2 was the worst quarter for DeFi since the beginning of 2023.

    The company also highlighted the first-ever attack on hook mechanics in Uniswap V4. Attackers exploited the lack of basic verification and stole $12 million from Cork Protocol.


    DeFi sector quarterly losses. Data: Hacken.

    According to Hacken, the industry needs not just to write secure code, but to promptly monitor and respond to suspicious contract behavior — especially when introducing new features.

    Phishing and Fake Calls Worth Hundreds of Millions

    Social engineering remains one of the most dangerous and large-scale threats in Web3, experts say. According to the Hacken report, this category of attacks caused about $600 million in damage to the industry in the first half of 2025.

    Social engineering refers to methods in which attackers manipulate user trust. Often, such attacks take place through phishing, fake calls and fake interfaces.

    “We urge crypto asset holders to carefully check the parameters of transactions they are about to sign, not to click on a suspicious link and not to run unfamiliar code without thoroughly checking the executable files,” Ruditsa said.
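    One form of the transaction check the quote recommends, as an added example that is not from Hacken or the report: decode the ERC-20 calldata a wallet is about to sign and flag unlimited approvals, approvals to unknown spenders and transfers to addresses outside the owner's own list. The selectors are the standard ERC-20 values; the addresses and calldata below are constructed placeholders.

```python
# ERC-20 function selectors: the first 4 bytes of keccak256 of the signature.
SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
}
MAX_UINT256 = 2**256 - 1  # "unlimited" allowance, the value malicious dApps ask for


def decode_erc20_call(calldata: str):
    """Decode selector + two ABI-encoded 32-byte words into (signature, address, amount)."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64:
        raise ValueError("expected a 2-argument ERC-20 call (4 + 32 + 32 bytes)")
    sig = SELECTORS.get(data[:8])
    if sig is None:
        raise ValueError(f"unknown selector 0x{data[:8]}")
    word1, word2 = data[8:72], data[72:136]
    if word1[:24] != "0" * 24:  # addresses are right-aligned in their word
        raise ValueError("address word has non-zero padding; malformed calldata")
    return sig, "0x" + word1[24:], int(word2, 16)


def check_before_signing(calldata, trusted_spenders, own_addresses):
    """Return (ok, findings); ok is False when any risky pattern is present."""
    sig, target, amount = decode_erc20_call(calldata)
    trusted = {a.lower() for a in trusted_spenders}
    own = {a.lower() for a in own_addresses}
    findings = []
    if sig.startswith("approve"):
        if target not in trusted:
            findings.append(f"approve: spender {target} is not on the trusted list")
        if amount == MAX_UINT256:
            findings.append("approve: unlimited allowance; spender can drain the entire balance")
    elif sig.startswith("transfer") and target not in own:
        findings.append(f"transfer: recipient {target} is not one of your own addresses")
    return not findings, findings


# Constructed sample calldata (placeholder addresses, not real contracts or wallets).
PHISH_ADDR = "0x" + "ab" * 20
OWN_ADDR = "0x" + "cd" * 20
UNLIMITED_APPROVE = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "f" * 64
SMALL_TRANSFER = "0xa9059cbb" + "00" * 12 + "cd" * 20 + f"{1000:064x}"

if __name__ == "__main__":
    for name, cd in (("phishing approve", UNLIMITED_APPROVE), ("own transfer", SMALL_TRANSFER)):
        ok, findings = check_before_signing(cd, trusted_spenders=[], own_addresses=[OWN_ADDR])
        print(name, "SAFE" if ok else "DO NOT SIGN", *findings, sep="\n  ")
```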

    The most high-profile incident in this category was the theft of $330 million in bitcoin from an elderly US investor. The scammers posed as support staff and convinced him to transfer the funds himself to addresses under their control. The case became the largest individual theft in the history of the industry.

    Another $100 million was lost by users to fake calls made allegedly on behalf of Coinbase employees. The attack was enabled by a leak of user data, which criminals used for personalized deception. In addition, hackers hosted malicious dApps, copied the interfaces of popular wallets and even impersonated open-source projects on GitHub by embedding malicious code in them.

    Attackers have also been actively using fake calls to target remote workers and development teams. Such attacks, experts say, are well thought out and carefully prepared.

    “We are seeing a rapid increase in the number of compromised users’ devices, with instant theft of all crypto assets. Unfortunately, many Ukrainians are also falling victim to phishing attacks, most of which are organized by North Korea. They target freelancers and developers in the Web3 ecosystem,” Ruditsa warned.

    According to the analyst, such attacks often target people looking for work. The victim is interviewed by a fake recruiter and is then sent a repository containing a special script; running it lets the attackers compromise the victim’s computer within seconds.

    “All your crypto-assets are then lost instantly,” the Hacken spokesperson noted.

    A separate attack vector is browser extensions, especially in the Chrome ecosystem. Through them, attackers gain access to users’ wallets and sessions by tampering with interfaces or intercepting data.


    Quarterly losses to the industry from social engineering attacks. Data: Hacken.

    Hacken experts noted that in the case of common phishing attacks, most users gave the attackers access to their seed phrase or independently transferred cryptocurrency to the attackers’ address.

    Defense is Like a Better Version of Itself

    The company said that cryptocurrency exchanges can improve the security of their platforms by adopting a number of practices:

    • introduce a 48- to 72-hour waiting period for withdrawals after a change of password, e-mail or two-factor authentication (2FA);
    • detect suspicious account activity (new devices, VPN logins and similar signals);
    • keep user funds in cold storage instead of hot wallets.
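    As an added example (not Hacken’s code or any exchange’s), here is how the first two recommendations could be enforced as a withdrawal policy: a credential change inside a 72-hour window places a hold, and a login from a device outside the account’s known set flags the request for review. The event log, device identifiers and the choice of 72 hours are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Account events that start the cooling-off period recommended in the report.
CREDENTIAL_CHANGES = {"password_changed", "email_changed", "2fa_changed"}
HOLD = timedelta(hours=72)  # upper end of the 48-72 h window; a policy choice


@dataclass(frozen=True)
class Event:
    at: str            # ISO 8601 timestamp, e.g. "2025-06-10T22:20"
    kind: str          # "login" or one of CREDENTIAL_CHANGES
    device_id: str = ""


def evaluate_withdrawal(events, requested_at, known_devices):
    """Return (decision, reasons) for a withdrawal requested at `requested_at`.

    'hold'   - a credential change occurred inside the hold window
    'review' - only a login from an unknown device inside the window
    'allow'  - nothing suspicious inside the window
    """
    now = datetime.fromisoformat(requested_at)
    window_start = now - HOLD
    hold_reasons, review_reasons = [], []
    for e in events:
        at = datetime.fromisoformat(e.at)
        if not (window_start <= at <= now):
            continue  # outside the look-back window
        if e.kind in CREDENTIAL_CHANGES:
            lifts = at + HOLD
            hold_reasons.append(f"{e.kind} at {e.at}; hold lifts at {lifts:%Y-%m-%dT%H:%M}")
        elif e.kind == "login" and e.device_id not in known_devices:
            review_reasons.append(f"login from unknown device {e.device_id!r} at {e.at}")
    if hold_reasons:
        return "hold", hold_reasons + review_reasons
    if review_reasons:
        return "review", review_reasons
    return "allow", []


# Constructed sample: a takeover pattern (unknown device, then password and 2FA changed).
SAMPLE_EVENTS = [
    Event("2025-06-01T09:00", "login", "laptop-1"),
    Event("2025-06-10T22:15", "login", "phone-unknown"),
    Event("2025-06-10T22:20", "password_changed"),
    Event("2025-06-10T22:25", "2fa_changed"),
]

if __name__ == "__main__":
    for when in ("2025-06-11T08:00", "2025-06-14T08:00"):
        decision, reasons = evaluate_withdrawal(SAMPLE_EVENTS, when, {"laptop-1"})
        print(when, decision, *reasons, sep="\n  ")
```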

    At Incrypted’s request, Hacken analysts also provided separate advice for users. For their own security, holders of digital assets are advised to:

    • not follow links received via SMS or Telegram chats;
    • carefully check the sender’s address when receiving an e-mail from an exchange, making sure it is an official account of the platform;
    • use cold crypto wallets;
    • use authenticator apps instead of SMS for 2FA.

    “2025 has clearly shown that the main vulnerability of Web3 is becoming people, not code. Social engineering and phishing led to record losses — over $600 million in Q2 alone. Most attacks are successful because of trivial trust: malicious links, fake jobs, signing dangerous transactions. Developers are especially threatened by the new wave of attacks,” said Hacken co-founder Eugenia Broshevan.

    She emphasized that security in Web3 starts with basic “digital hygiene”: using cold wallets, being careful with code and verifying every transaction. In addition, Broshevan urged exchanges to implement defense mechanisms, from timelocks to monitoring of anomalous activity.

    “Protecting users is a shared responsibility,” summarized the Hacken co-founder.
