
The first half of 2025 has already proven catastrophic for the Web3 ecosystem, with blockchain security firm Hacken reporting over $3.1 billion in cumulative losses due to scams, breaches, and protocol failures.
This figure already surpasses the full-year total of 2024, underscoring the scale of damage inflicted in just six months.
The primary cause: access control failures, which contributed to roughly $1.83 billion in damages, including a landmark $1.46 billion Bybit exploit in February.
Internal threats, compromised keys drive biggest breaches
The largest single incident of the year was the Bybit attack, attributed to a compromised wallet signer that gave malicious actors full control of funds.
Hackers used the vulnerability to drain assets undetected, exposing a significant weakness in private key storage and management.
This was closely followed by the Infini Protocol attack, where a former developer exploited internal access to steal $50 million in a single transaction.
The incident highlighted how insider threats remain an ongoing challenge for decentralised protocols, particularly those with incomplete governance or weak access restrictions.
Geopolitical tensions also entered the spotlight when Iran’s Nobitex exchange lost $90 million in a breach that analysts suggest may have been politically motivated.
The incident involved both phishing and technical compromise, combining multiple attack vectors for maximum impact.
DeFi platforms suffer from flawed smart contracts
Decentralised finance (DeFi) platforms were not spared. Hacken reported $263 million in total losses from smart contract vulnerabilities, mostly from bugs in logic and overflow checks.
The most severe case involved Cetus, which saw $223 million drained in May.
The bug was traced to a liquidity range miscalculation that allowed attackers to repeatedly withdraw unearned assets.
These incidents show that many DeFi platforms continue to deploy unaudited or under-tested code, making them attractive targets for sophisticated exploits.
Despite past lessons from similar vulnerabilities in 2020–2022, several protocols still struggle to implement robust logic checks and formal verification.
Phishing scams and fake support schemes accelerate
Phishing attacks surged to new records, accounting for $600 million in losses—also exceeding 2024’s full-year total.
One of the most damaging cases involved an elderly US investor who lost $330 million in Bitcoin after falling prey to a multi-stage scam.
Coinbase users were also targeted following a data breach. Using stolen credentials and customer details, scammers impersonated official Coinbase support staff.
Victims were tricked into handing over seed phrases and two-factor passcodes, leading to more than $100 million in stolen funds.
Additional scams included fake wallets, deceptive browser extensions, and token approval traps embedded in lookalike dApps.
All these relied on social engineering and interface manipulation to extract funds without the victim realising it.
AI-fuelled attacks rise 1000% with new tactics
Artificial intelligence-related attacks are on the rise, with Hacken observing a 1000% increase compared to 2023.
The majority of these breaches involved unsafe APIs, where attackers used prompt injection, fake AI agents, and vulnerable toolchains to hijack automation systems and user wallets.
These methods bypass traditional cybersecurity protocols by exploiting emerging tech layers that are poorly understood or inadequately protected.
As AI tools are increasingly integrated into DeFi, exchanges, and wallets, the attack surface is expanding rapidly, giving hackers new ways to bypass defences.
With only half the year gone, the scale and sophistication of these breaches suggest that the crypto industry faces its most critical security moment in years.
Security experts are now calling for urgent updates to access controls, contract audits, and AI usage guidelines to reduce further exposure.
The post Web3 scams surge past $3.1 billion in losses during first half of 2025 appeared first on Invezz