Web3 hacking losses 2025 — $3.95B lost, OpSec failures dominant

Marina Sokolova

Key Takeaways

  • Total Web3 hacking losses in 2025 reached $3.95 billion, per Hacken.
  • Over 50% of the stolen value is attributed to groups tied to North Korea.
  • More than $2 billion was lost in Q1 of 2025 alone.
  • Operational security failures — not smart contract bugs — caused the bulk of losses.
  • Smart contract vulnerabilities accounted for $512 million of the total.

Hacken reports Web3 hacking losses reached $3.95 billion in 2025, with over half linked to North Korean groups and operational security failures cited as the main cause.

The Web3 ecosystem suffered $3.95 billion in hacking losses in 2025, according to a report by blockchain security firm Hacken. More than half of that amount is attributed to advanced persistent threat groups linked to North Korea, and the first quarter alone accounted for over $2 billion of the total. The report highlights that most incidents were the result of operational security failures rather than flaws in smart contract code.

Web3 Hacking Losses Reach $3.95 Billion in 2025

The $3.95 billion figure reflects a steep rise in funds stolen across decentralized finance protocols, cross-chain bridges, and centralized platforms. Hacken’s data shows a particularly large concentration of losses early in the year, with the first quarter responsible for more than $2 billion. This distribution underlines how a small number of high-impact incidents can drive the annual total upward.

North Korean Hacking Groups Dominate Crypto Theft

Hacken attributes over 50% of 2025’s stolen value — roughly $2 billion — to APT groups with links to North Korea. The report names groups such as Lazarus and notes their use of complex social engineering and infrastructure-level methods to move and obfuscate funds. For more on the scale of North Korean activity, see the report on the record $2.02 billion theft attributed to those actors.

Operational Security Failures as the Primary Cause

Hacken found that the overwhelming majority of security incidents in 2025 stemmed from poor operational security (OpSec). Examples include private key mismanagement, phishing attacks on team members, insecure multi-signature setups, and insider threats. By contrast, losses from smart contract code vulnerabilities were $512 million, representing only about 13% of the total.

The report’s emphasis on human and procedural weaknesses signals that code audits alone are not enough to prevent large-scale thefts. Projects and teams must address communication, access controls, and daily operational practices to reduce the risk of compromise. Practical defensive measures are discussed below; protections against social engineering are covered in our guide to social engineering in crypto.

Regulatory Changes and Projected Security Improvements

Hacken projects that security standards across Web3 will start to improve in 2026 as regulatory recommendations from bodies like the Financial Action Task Force (FATF) and national regulators move toward mandatory compliance. The report links future progress to the adoption of stronger, enforceable security and AML/KYC practices across the industry. For a broader view of evolving defensive measures in Web3, see our piece on Web3 security.

Why this matters

If you run mining equipment or any crypto-related operation, the 2025 losses matter because they reflect where attackers successfully focused their efforts — on OpSec failures. Even if your devices do not store large on-chain balances, poor operational practices elsewhere in the ecosystem increase systemic risk and can make services you rely on less secure. At the same time, concentrated attacks tied to nation-state actors add a geopolitical dimension to thefts that can complicate recovery and tracing efforts.

What to do?

For miners operating in Russia with a small to medium fleet (1–1,000 devices), prioritize straightforward, proven OpSec steps that reduce exposure without changing your core setup. Start by securing credentials and critical access points, and treat administrative accounts and signing keys as high-risk assets.

  • Use hardware wallets for any holdings not needed for day-to-day operations, and never share seed phrases.
  • Enable multi-factor authentication (MFA) on exchange and service accounts tied to your operation.
  • Train any team members to recognise phishing attempts and limit access rights on a need-to-know basis.
  • Implement secure multi-signature setups and avoid single points of failure for custodial actions.
  • Diversify where you store funds and split operational from long-term holdings to reduce single-incident impact.

These measures follow the report’s recommendations and are practical for small and medium operators. For specific guidance on social engineering countermeasures and operational practices, consult the linked guides above and apply changes incrementally to verify they work with your workflow.

Frequently Asked Questions

What was the single biggest cause of Web3 hacking losses in 2025?

The report identified poor operational security (OpSec) discipline as the primary cause, including phishing, private key compromises, insecure multi-signature setups, and insider threats.

How much of the 2025 losses were due to smart contract bugs?

Losses directly attributable to smart contract vulnerabilities amounted to $512 million, roughly 13% of the total $3.95 billion.

What immediate steps can individual users take to reduce risk?

Users should use hardware wallets for long-term storage, enable multi-factor authentication on accounts, verify website URLs and communications, never share seed phrases, and diversify holdings across reputable platforms and self-custody.
