Key Takeaways: Web3 platforms lost $3.1 billion in H1 2025, already surpassing full-year 2024 losses. Access control failures were the leading cause, followed by phishing and smart contract bugs. AI-related attack vectors rose by 1,025%, showing risks in inference layers and APIs. Web3 projects lost $3.1 billion to exploits and scams in the first half of 2025, according to the Hacken 2025 Half-Year Web3 Security Report published July 24 . 🚨 2025 is already the most expensive year in Web3 security, and we’re only halfway through. $3.1B lost. Social engineering. AI-driven exploits. Protocol design flaws. Our Half-Year Report breaks it all down and shows how to defend against what’s next: https://t.co/6x8JDjkmJT pic.twitter.com/hQjxTvpjlN — Hacken🇺🇦 (@hackenclub) July 24, 2025 The report states that the amount lost in H1 this year has already exceeded the total losses recorded across all of 2024. It attributes $1.83 billion of this amount to access control exploits, the majority of which occurred in Q1. AI-Related Exploits Explode by 10x in Web3 Phishing and social engineering attacks accounted for $600 million, a sharp increase from the previous year. Another $263 million was lost due to smart contract vulnerabilities, marking DeFi’s most damaging quarter since early 2023. Hacken identified a surge in AI-related exploits, with incident volume rising by 1,025% compared to H2 2024. These cases stemmed from issues such as insecure API design, improper model access restrictions, and weak user input filtering in AI inference layers. The single largest incident in the period was the $290 million Munchables breach, followed by $136 million lost in the Pike Finance series of attacks. The Uniswap V4 ecosystem also recorded its first major hook-related exploit, resulting in a $12 million loss. According to the report, Ethereum accounted for 61.4% of total losses, while BNB Chain and Arbitrum represented 20.2% and 11.4%, respectively. Exploits on Ethereum L2s and alt-L1s made up the remainder. Security Enhancements in Exigent Need “2025 has been a wake-up call,” said Hacken Co-Founder and CBDO Yevheniia Broshevan. “As blockchain reaches enterprise scale and regulations advance, cybersecurity becomes a core business function.” The report recommends continuous monitoring and automated defense systems to address rising threats. It also warns that standard auditing remains insufficient given the increased complexity of integrated systems and AI models in Web3 environments. DeFi protocols made up nearly 69% of all incidents tracked in H1 2025. CeFi incidents were fewer but tended to result in higher individual losses. The report also noted a growing overlap between financial and infrastructure attack vectors. The rise in AI-driven exploits exposes the challenge facing the crypto industry: the rapid adoption of complex technologies outpacing the development of security frameworks. At the same time, geopolitical actors and financially motivated groups have begun to treat blockchain infrastructure as high-value targets. The convergence of traditional cybersecurity threats with on-chain vulnerabilities may require new regulatory coordination between Web3-native firms, national agencies, and cybersecurity vendors. Frequently Asked Questions (FAQs) How might regulations like MiCA or the EU AI Act influence future Web3 security practices? These frameworks may impose formal governance, model validation requirements, and real-time monitoring standards that force protocols to integrate cybersecurity by design rather than after deployment. Are smaller protocols more vulnerable to these complex attacks? Yes. The report implies that limited technical resources and overreliance on third-party tooling leave smaller teams exposed, especially as AI integrations expand without clear defensive standards. Is there any indication of coordination between threat actors? While not explicitly detailed, the increase in sophisticated, cross-layer attacks suggests potential collaboration or tooling exchanges between financially motivated hackers and more organized adversarial groups.Key Takeaways: Web3 platforms lost $3.1 billion in H1 2025, already surpassing full-year 2024 losses. Access control failures were the leading cause, followed by phishing and smart contract bugs. AI-related attack vectors rose by 1,025%, showing risks in inference layers and APIs. Web3 projects lost $3.1 billion to exploits and scams in the first half of 2025, according to the Hacken 2025 Half-Year Web3 Security Report published July 24 . 🚨 2025 is already the most expensive year in Web3 security, and we’re only halfway through. $3.1B lost. Social engineering. AI-driven exploits. Protocol design flaws. Our Half-Year Report breaks it all down and shows how to defend against what’s next: https://t.co/6x8JDjkmJT pic.twitter.com/hQjxTvpjlN — Hacken🇺🇦 (@hackenclub) July 24, 2025 The report states that the amount lost in H1 this year has already exceeded the total losses recorded across all of 2024. It attributes $1.83 billion of this amount to access control exploits, the majority of which occurred in Q1. AI-Related Exploits Explode by 10x in Web3 Phishing and social engineering attacks accounted for $600 million, a sharp increase from the previous year. Another $263 million was lost due to smart contract vulnerabilities, marking DeFi’s most damaging quarter since early 2023. Hacken identified a surge in AI-related exploits, with incident volume rising by 1,025% compared to H2 2024. These cases stemmed from issues such as insecure API design, improper model access restrictions, and weak user input filtering in AI inference layers. The single largest incident in the period was the $290 million Munchables breach, followed by $136 million lost in the Pike Finance series of attacks. The Uniswap V4 ecosystem also recorded its first major hook-related exploit, resulting in a $12 million loss. According to the report, Ethereum accounted for 61.4% of total losses, while BNB Chain and Arbitrum represented 20.2% and 11.4%, respectively. Exploits on Ethereum L2s and alt-L1s made up the remainder. Security Enhancements in Exigent Need “2025 has been a wake-up call,” said Hacken Co-Founder and CBDO Yevheniia Broshevan. “As blockchain reaches enterprise scale and regulations advance, cybersecurity becomes a core business function.” The report recommends continuous monitoring and automated defense systems to address rising threats. It also warns that standard auditing remains insufficient given the increased complexity of integrated systems and AI models in Web3 environments. DeFi protocols made up nearly 69% of all incidents tracked in H1 2025. CeFi incidents were fewer but tended to result in higher individual losses. The report also noted a growing overlap between financial and infrastructure attack vectors. The rise in AI-driven exploits exposes the challenge facing the crypto industry: the rapid adoption of complex technologies outpacing the development of security frameworks. At the same time, geopolitical actors and financially motivated groups have begun to treat blockchain infrastructure as high-value targets. The convergence of traditional cybersecurity threats with on-chain vulnerabilities may require new regulatory coordination between Web3-native firms, national agencies, and cybersecurity vendors. Frequently Asked Questions (FAQs) How might regulations like MiCA or the EU AI Act influence future Web3 security practices? These frameworks may impose formal governance, model validation requirements, and real-time monitoring standards that force protocols to integrate cybersecurity by design rather than after deployment. Are smaller protocols more vulnerable to these complex attacks? Yes. The report implies that limited technical resources and overreliance on third-party tooling leave smaller teams exposed, especially as AI integrations expand without clear defensive standards. Is there any indication of coordination between threat actors? While not explicitly detailed, the increase in sophisticated, cross-layer attacks suggests potential collaboration or tooling exchanges between financially motivated hackers and more organized adversarial groups.

Copy linkX (Twitter)LinkedInFacebookEmail