The crypto industry continues to face an unprecedented wave of security breaches in 2025, with more than $3.1 billion in digital assets stolen in the first half of the year alone, according to a comprehensive new report from blockchain security firm Hacken.
The losses, driven primarily by access-control vulnerabilities, outdated codebases, and a growing wave of AI-driven exploits, have already surpassed the full-year total of $2.85 billion in 2024 - signaling a worsening security crisis as Web3 adoption scales globally.
Hacken’s findings highlight persistent structural weaknesses in DeFi and CeFi systems, especially around human and process-level security, which have now overtaken cryptographic flaws as the primary attack vector. While major incidents like the $1.5 billion Bybit hack in February may be statistical outliers, the report underscores that the majority of losses stem from preventable flaws, often linked to outdated code, misconfigured permissions, or unprotected APIs.
Access-control vulnerabilities - which occur when unauthorized actors gain control of privileged functions due to weak permission settings - accounted for an estimated 59% of all stolen funds in 2025, Hacken reported. That equates to roughly $1.83 billion in lost value across dozens of incidents.
This trend mirrors 2024, where similar control-layer weaknesses dominated exploit data. However, the scale and sophistication of attacks have accelerated in 2025, with several large-scale intrusions targeting legacy smart contracts and stale admin logic in decentralized protocols. “Projects have to care about their old or legacy codebase if it was not stopped from operating completely,” said Yehor Rudytsia, Head of Forensics and Incident Response at Hacken. “Many protocols still expose administrative functions from versions that were thought to be deprecated.”
Rudytsia pointed to the example of GMX v1, where vulnerabilities in legacy contract architecture were actively exploited in Q3 2025 - long after the protocol shifted development to newer iterations.
DeFi and CeFi Platforms Continue to Bleed
Combined, decentralized finance (DeFi) and centralized finance (CeFi) platforms experienced over $1.83 billion in losses this year due to operational and security flaws. The most significant incident in Q2 was the Cetus protocol exploit, which resulted in a $223 million loss in just 15 minutes and made Q2 the worst DeFi quarter since early 2023, ending a five-quarter trend of declining hack volumes.
According to Hacken’s analysis, the Cetus attacker used a flash loan exploit that took advantage of a flawed overflow check in its liquidity pool calculations. By opening a series of micro-positions across 264 pools, the attacker overwhelmed the system and drained massive liquidity without triggering real-time security mechanisms.
“If Cetus had implemented a dynamic TVL monitoring system with auto-pause thresholds, we estimate that 90% of the stolen funds could have been preserved,” Hacken wrote in the report.
This incident also shifted the distribution of exploit types for Q2. While access-control failures dropped to $14 million - the lowest level since Q2 2024 - smart-contract bugs surged, indicating that while permissioning flaws remain dominant long-term, code-level issues still pose critical risks.
AI and LLMs Introduce New Vectors of Attack
One of the most concerning revelations in Hacken’s 2025 report is the dramatic rise in AI-related crypto security incidents. Exploits linked to large language models (LLMs) and AI-integrated Web3 infrastructure have spiked by a staggering 1,025% compared to 2023, with most attacks targeting insecure APIs used to connect on-chain logic with off-chain intelligence systems.
Among the AI-related incidents analyzed:
- 98.9% of AI-related breaches involved exposed or misconfigured APIs.
- Five new Common Vulnerabilities and Exposures (CVEs) related to LLMs were added in 2025.
- 34% of Web3 projects now deploy AI agents in production environments, making them increasingly attractive targets.
These attacks highlight the growing overlap between Web2 vulnerabilities and Web3 infrastructure, particularly as crypto platforms rush to integrate machine learning into trading bots, DAOs, customer support systems, and autonomous agents.
“The traditional security frameworks are lagging behind,” Hacken wrote, referring to standards such as ISO/IEC 27001 and the NIST Cybersecurity Framework, which have not yet adapted to address AI-specific threats like prompt injection, model hallucination, and data poisoning.
Rug Pulls and Scams Remain a Major Problem
Beyond technical exploits, the crypto space continues to suffer from social engineering attacks, fraud schemes, and so-called "rug pulls" - projects that disappear after attracting investor funds.
While these incidents are harder to quantify in technical terms, Hacken estimated that non-technical losses, including scams, contributed to roughly $750 million in additional capital flight from retail and institutional investors in 2025.
The largest single rug pull this year involved a DeFi yield aggregator on BNB Chain, where developers siphoned $62 million in user funds through manipulated contract logic before deleting all project communication channels and going offline.
Key Lessons and Recommendations
Hacken's report concludes with a series of recommendations aimed at helping projects reduce their risk exposure in a rapidly evolving threat environment:
- Legacy Codebase Reviews: Projects must audit and disable legacy smart contracts that retain elevated permissions or admin functions. Hacken noted that over 20% of exploited protocols this year had vulnerable legacy modules still active.
- Dynamic Access Control: Rigid whitelists or admin-only functions should be replaced with multi-sig, timelock, and role-based systems that adapt to changing threat levels.
- Real-Time Monitoring and Auto-Pause Systems: Implement on-chain telemetry and real-time TVL movement alerts to prevent rapid draining of funds during flash loan attacks.
- AI Risk Controls: Projects using LLMs must establish input sanitization and audit logs, and limit access to sensitive on-chain functions. Open-ended agent frameworks must not be deployed without strict API whitelisting and response validation.
- User Education: Wallet-level security remains weak. Promoting hardware wallet usage, disabling blind signing, and implementing transaction simulation can reduce private key compromise from phishing campaigns.
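The real-time monitoring and auto-pause recommendation above (and the TVL threshold idea raised in the Cetus discussion) is easier to reason about with a concrete guard. The following is an added example, not code from Hacken or from any protocol named on the page: it evaluates constructed pool telemetry with a sliding-window outflow rule and estimates how much TVL a pause at the trip point would have kept in the pool. The window length, threshold, sample values and the assumption that a pause stops all further outflow are all hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Sample:
    ts: int      # unix seconds of the telemetry reading
    tvl: float   # pool TVL in USD millions at that reading (constructed)


@dataclass(frozen=True)
class PauseDecision:
    triggered: bool
    at_ts: Optional[int]   # timestamp of the sample that tripped the threshold
    drop: float            # fractional drop from the in-window peak at that point


def evaluate(samples: List[Sample], window_s: int, max_drop: float) -> PauseDecision:
    """Sliding-window outflow guard (hypothetical design): compare each reading
    with the highest TVL seen within the preceding window_s seconds and
    recommend a pause once the relative drop exceeds max_drop."""
    worst = 0.0
    for i, cur in enumerate(samples):
        window = [s.tvl for s in samples[: i + 1] if cur.ts - s.ts <= window_s]
        peak = max(window)
        drop = 0.0 if peak <= 0 else (peak - cur.tvl) / peak
        worst = max(worst, drop)
        if drop > max_drop:
            return PauseDecision(True, cur.ts, drop)
    return PauseDecision(False, None, worst)


def funds_preserved(samples: List[Sample], decision: PauseDecision) -> float:
    """TVL that stays in the pool if outflows stop at the pause point, compared
    with letting the drain run to the final reading (assumes the pause is effective)."""
    if not decision.triggered:
        return 0.0
    at_pause = next(s.tvl for s in samples if s.ts == decision.at_ts)
    return at_pause - samples[-1].tvl


# Constructed telemetry: a $100M pool drained to $2M within eight minutes,
# loosely modelled on the rapid-drain pattern the report describes.
DRAIN = [Sample(0, 100.0), Sample(60, 99.8), Sample(120, 99.5), Sample(180, 99.6),
         Sample(240, 85.0), Sample(300, 60.0), Sample(360, 30.0),
         Sample(420, 10.0), Sample(480, 2.0)]

if __name__ == "__main__":
    decision = evaluate(DRAIN, window_s=300, max_drop=0.25)
    print(decision, funds_preserved(DRAIN, decision))
```

With a five-minute window and a 25% threshold the guard trips at the 300-second reading, after a 40% drop, and a pause there would retain $58M of the $98M eventually lost; ordinary volatility of a few percent never trips it.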
Security is No Longer Optional
With crypto adoption expanding into mainstream financial systems and institutional infrastructure, security is no longer a secondary concern - it is foundational to Web3’s long-term viability.
As attackers evolve from technical exploits to process-level manipulation and AI exploitation, the need for proactive, adaptive, and comprehensive security standards has never been more urgent.
If the current trend continues, 2025 is on pace to become the costliest year in crypto security history, and the industry will need to confront its weakest links - from outdated smart contracts to insecure machine learning integrations.
“Crypto is entering a new era where human error, poor design, and AI exploitation matter more than ever,” Rudytsia concluded. “The protocols that survive this era will be the ones that treat security as a core product, not a post-launch afterthought.”