The Hacken 2025 Yearly Security Report puts total Web3 losses at about $3.95 billion, up roughly $1.1 billion from 2024, with just over half of that attributed to North Korean threat actors.
A report shared with Cointelegraph shows losses peaked at more than $2 billion in the first quarter of the year before falling to around $350 million by Q4, but Hacken warns that the pattern still points to systemic operational risk rather than isolated coding bugs.
The report frames 2025 as a year where the numbers worsened, but the underlying story became clear. Smart contract bugs matter, but the biggest, least recoverable losses are still coming from weak keys, compromised signers, and sloppy off‑boarding.
Access control, not code, drives losses
According to Hacken, access control failures and broader operational security breakdowns accounted for about $2.12 billion, or nearly 54% of all 2025 losses, compared with around $512 million from smart contract vulnerabilities.
The Bybit breach alone, at nearly $1.5 billion, is described as the largest single theft on record and a key reason North Korea-linked clusters account for roughly 52% of total stolen funds.
Related: Crypto losses near $3.4B as hackers went ‘big game hunting’
Regulators spell out controls, industry lags
Yehor Rudystia, head of forensic at Hacken Extractor, told Cointelegraph that regulators across the US, European Union and other major jurisdictions’ licensing regimes increasingly spell out what “good” looks like on paper, such as role‑based access control, logging, secure onboarding and ID verification, institutional‑grade custody (hardware security models, multi-party computation, or multi‑sig, and cold storage), as well as continuous monitoring and anomaly detection.
However, “as regulatory requirements are only becoming mandatory principles, a lot of Web3 companies continued to follow insecure practices throughout 2025,” Rudystia said.
He pointed to practices such as not revoking developers’ access during off‑boarding, using a single private key for managing a protocol, and not having Endpoint Detection and Response systems.
“Among the most important are regular pen tests, incident simulations, custody control reviews, and independent financial and controls audits,” Rudystia said, adding that large exchanges and custodians should treat these as non‑negotiable in 2026.
Related: Social engineering cost crypto billions in 2025: How to protect yourself
From soft guidance to hard requirements
Hacken expects the bar to rise further as supervisors move from guidance to hard requirements.
Yevheniia Broshevan, Hacken’s co-founder and CEO, told Cointelegraph, “We see a significant opportunity for the industry to raise its security baseline, particularly in adopting clear protocols for using dedicated signing hardware and implementing essential monitoring tools.”
He said he expected overall security to improve in 2026 with regulatory requirements and “the most secure standards” that should be imposed to protect users’ funds.
Given that North Korea-linked clusters drove roughly half of all losses in Hacken’s attribution, Rudystia said regulators and law enforcement also needed to treat the country’s playbooks as a specific supervisory concern.
He argued that authorities should mandate real‑time threat intelligence sharing on North Korean indicators, require threat‑specific risk assessments focused on phishing‑led access attacks, and pair that with “graduated penalties for non‑compliance” and safe‑harbor protections for platforms that fully participate and maintain North Korea‑specific defenses.
