Web3 Hacks Hit $4B in 2025: What NFTs, DeFi, and Crypto Must Learn

Web3 hacks in 2025 reached an uncomfortable milestone. Almost $4 billion was lost across crypto, NFTs, and DeFi due to security failures, scams, and plain human error. The figure comes from the 2025 Yearly Security Report published by Hacken, and it paints a picture the industry can’t ignore.

This wasn’t a year defined by obscure bugs hiding in experimental code. Most of the damage came from weak access controls, stolen credentials, and social engineering. In other words, the same problems security teams have warned about for years—now playing out at a much larger scale.

If you hold NFTs, trade on centralized exchanges, or build in Web3, the lessons from 2025 matter more than ever.

A $4 Billion Reality Check for Web3

Hacken’s report places total losses for 2025 at $4 billion. That number includes exchange breaches, phishing scams, compromised wallets, rug pulls, and protocol exploits.

Other firms, including CertiK and Chainalysis, estimated lower totals—between $2.5B and $3.2B—depending on their attribution models. However, all major sources agree that 2025 saw a surge in both scale and sophistication of attacks.

What stands out isn’t just the size of the losses. It’s where they came from.

Earlier crypto cycles were dominated by smart contract mistakes. In 2025, the balance shifted. Operational failures and social attacks caused more harm than broken code. As more capital flowed into Web3, attackers followed the money—and focused on the easiest paths in.

For NFT users, this shift changes the risk profile completely. A perfect contract doesn’t help if a wallet approval or signing request gets abused.

How the Year Unfolded

Q1 Changed Everything

The year started badly. By the end of the first quarter, more than $2 billion had already been lost. That made Q1 the worst quarter for Web3 security on record.

The biggest driver was the Bybit breach. Attackers didn’t exploit a smart contract. They compromised the supply chain and tampered with front-end infrastructure. It was a reminder that blockchain security doesn’t stop at the chain itself.

After that incident, security assumptions shifted fast.

The Pace Slowed, But the Threat Didn’t

Losses dropped through the rest of the year. By Q4, total damage for the quarter sat around $350 million. That decline reflected better awareness and faster response times.

Still, the early damage couldn’t be undone. Attackers adjusted their strategy rather than backing off. Fewer attacks. Bigger impact.

Where the Money Was Lost

Access Control Was the Biggest Failure

More than half of all losses in 2025 came from access control issues. Compromised private keys. Misconfigured multisig wallets. Internal credentials abused or leaked.

None of this required cutting-edge exploits. In most cases, attackers simply got access they shouldn’t have had.

Hacken’s data shows $2.12 billion—or 53% of all losses—stemmed from access control failures, making it the leading cause of crypto theft in 2025.

One key insight: multisig wallets proved vulnerable when signers used everyday devices. The UXLINK exploit saw compromised signers mint trillions of tokens, drain assets, and dump them on the market.

That’s uncomfortable to admit, but it’s also useful. These are problems teams can fix with better processes.

Phishing Became Harder to Spot

Phishing and social engineering accounted for nearly $1 billion in losses. Wallet poisoning, fake support messages, and impersonation scams kept evolving.

AI made these attacks more convincing. Fake job interviews. Deepfake video calls. Messages that looked exactly like something a real project would send.

One user lost $50 million in a single transaction due to address poisoning—mistaking a scammer’s wallet for a familiar one. Another lost $330 million in Bitcoin after a long-con social engineering attack.

NFT traders were frequent targets, especially those active in Discord and Telegram communities.

Smart Contract Exploits Didn’t Disappear

Contract bugs still caused damage, adding up to about $512 million in losses. DeFi protocols took most of that hit, with Ethereum-based projects seeing the highest concentration.

Notable exploits included: Balancer v2 ($128M via a rounding error), GMX v1 ($42M via reentrancy bug), and Yearn yETH ($9M via infinite minting).

Audits helped reduce frequency, but edge cases and integrations continued to create risk. Code security improved. It just wasn’t enough on its own.

Exchanges vs DeFi: Different Weak Spots

Centralized Platforms Took the Largest Hits

Centralized exchanges accounted for more than half of all losses. The most visible case involved Bybit, where attackers exploited front-end access rather than blockchain logic.

Custody concentrates risk. Internal tools, third-party vendors, and employee access all expand the attack surface. When something goes wrong, the numbers escalate quickly.

DeFi and NFT Infrastructure Stayed Exposed

DeFi exploits crossed $500 million across dozens of incidents. Liquidity drains, bridge failures, and math errors showed up again and again.

Ethereum was the most targeted chain, largely because so much activity lives there. NFT platforms often shared wallets, permissions, or back-end services with DeFi protocols, which allowed risks to spill over.

North Korea’s Role Grew Sharply

One of the clearest patterns in 2025 involved state-linked attackers. Groups tied to North Korea were responsible for around 52% of total losses, stealing more than $2 billion over the year.

In fact, 9 out of 10 access control attacks traced back to DPRK groups, using tactics like fake recruiter profiles, malware-laced GitHub repos, and deepfake interviews.

Investigators linked much of this activity to actors associated with the Lazarus Group and the TraderTraitor cluster. Their approach focused on phishing, impersonation, and insider access rather than technical exploits.

Compared with 2024, the value stolen by these groups jumped by more than 50%. The scale and coordination stood out.

Why NFT Holders Felt the Impact

NFTs didn’t drive the biggest dollar figures, but collectors were heavily targeted. Fake mint links. Malicious approvals. Compromised Discord accounts posing as project admins.

Once a wallet is compromised, NFTs move instantly. There’s no rollback. Marketplace permissions often stay active long after users forget about them.

For NFT security, wallet habits matter just as much as platform safeguards.

AI Changed the Security Equation

AI played both sides in 2025.

Attackers used automation, deepfake media, and adaptive messaging to scale scams faster than before. Defenders responded with better monitoring, anomaly detection, and faster incident triage.

Bug bounty platforms like Immunefi helped surface issues early, showing that incentives still matter.

The gap between offense and defense didn’t close. It moved.

Regulation Started to Catch Up

Security expectations tightened across major jurisdictions.

In the U.S., licensing frameworks increasingly require penetration testing and hardware-secured key management. In Europe, MiCA emphasizes custody segregation and independent audits.

These rules won’t eliminate breaches. They do raise the baseline and make shortcuts harder to justify.

What Actually Helps Going Forward

For users:
Hardware wallets reduce exposure. Dedicated devices help even more. Address books and transaction previews prevent common mistakes.

For NFT and Web3 teams:
One audit isn’t enough. Layered reviews catch more issues. Multisig and MPC setups reduce single points of failure. Monitoring needs to continue after launch.

For the industry:
Clear standards build confidence. Security maturity now influences adoption and capital flow.

A Costly Year, but a Clear Signal

The $4 billion lost to Web3 hacks in 2025 reflects growth under pressure. Attackers refined their playbooks. Defenders learned in public. Transparency exposed weaknesses, but it also forced improvement.

Security has become credibility. For NFTs, DeFi, and crypto as a whole, the next phase depends less on speed and more on discipline.