Crypto Industry Faces $3.1 Billion Loss from Access Control & Social Engineering Exploits

By Kate

The cryptocurrency industry faced unprecedented security challenges in the first half of 2025, recording losses exceeding $3.1 billion due to various exploits. This figure surpasses the total reported losses for the entirety of 2024, signaling a critical escalation in the sophistication and impact of cyber threats. Analysis by cybersecurity firm Hacken reveals that nearly 60% of these financial damages stemmed from vulnerabilities in access control mechanisms, underscoring systemic weaknesses in operational security across centralized and decentralized platforms.

  • Cryptocurrency industry losses exceeded $3.1 billion in the first half of 2025, surpassing total losses from 2024.
  • Access control vulnerabilities accounted for approximately 60% of financial damages, totaling $1.83 billion.
  • The largest single incident was a $1.46 billion breach at Bybit, highlighting pervasive security gaps.
  • Social engineering tactics inflicted roughly $600 million in damages, targeting both individuals and Web3 professionals.
  • Smart contract vulnerabilities contributed an additional $263 million in losses, notably from the Cetus Protocol exploit.

Root Causes and Impact of Access Control Failures

Access control vulnerabilities emerged as the predominant vector for financial losses, accounting for approximately $1.83 billion. These incidents are largely attributed to improper role distribution, logical flaws in permission systems, and reliance on vulnerable interfaces for multi-signature operations. The largest single incident during this period, and indeed in the industry’s history, was a breach at Bybit, resulting in a staggering $1.46 billion loss. Other notable incidents, though smaller in scale, included exploits against UPCX for $70 million and KiloEx for $7.5 million, highlighting a pervasive issue across various protocols. While the second quarter of 2025 saw a noticeable reduction in the immediate financial scale of these attacks—from $1.6 billion in Q1 to $190.5 million—the underlying threat persists as attackers continue to target single keys with elevated privileges or unrestricted roles.

According to Yegor Ruditsa, Head of Digital Forensics and Incident Response at Hacken, access control exploits are primarily a consequence of “weak operational security practices adopted by most crypto companies, encompassing both CeFi and DeFi entities.” He noted that centralized exchange hot wallets are typically compromised through private key leaks and supply chain attacks, while decentralized projects often suffer significant losses due to the compromise of devices used to store seed phrases, private keys, or sign transactions. Common attack vectors include malicious repositories on platforms like Bitbucket, fake browser extensions, and phishing links.

To mitigate these critical vulnerabilities, experts advise developers and companies to implement robust security measures:

  • Utilize cold wallets for key storage.
  • Prioritize multi-signature requirements and timelocks for critical operations.
  • Access private keys exclusively from dedicated, isolated devices.
  • Implement real-time monitoring for suspicious activity and protocol anomalies.
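The last two items above (multi-signature plus timelock for critical operations, and real-time monitoring for anomalies) can be combined into a single detection rule set. The following is an added example, not code from Hacken or from any of the affected platforms: a small Python monitor that replays a constructed event stream and raises an alert when a privileged role is granted to an address outside an assumed allow-list, when a queued operation is executed before the assumed 48-hour timelock has elapsed or with fewer than two distinct approvers, when an operation is executed without ever being queued, or when a hot-wallet transfer exceeds an assumed threshold. The event format, thresholds, addresses and sample log are all constructed for illustration.

```python
"""Rule-based monitor for privileged-operation anomalies (added example).

Event stream format (constructed for this example, not a real chain log):
    ts,event,actor,target,data
where event is one of grant_role, queue, approve, execute, transfer.
"""
from dataclasses import dataclass

TIMELOCK_SECONDS = 48 * 3600   # assumed delay required between queue and execute
REQUIRED_APPROVALS = 2         # assumed number of distinct signers per operation
LARGE_TRANSFER = 1_000_000     # assumed alert threshold (USD-equivalent units)

# Assumed allow-list of addresses that may hold privileged roles.
KNOWN_SIGNERS = {"0xadmin", "0xops1", "0xops2", "0xops3"}

# Constructed sample events; each rule below is triggered at least once.
SAMPLE_LOG = """\
1000,grant_role,0xadmin,0xops2,OPERATOR
1000,grant_role,0xadmin,0xdead,ADMIN
2000,queue,0xops1,op-1,
2100,approve,0xops2,op-1,
90000,execute,0xops1,op-1,
3000,queue,0xops1,op-2,
3100,approve,0xops2,op-2,
3200,approve,0xops3,op-2,
180000,execute,0xops1,op-2,
180100,execute,0xops1,op-9,
181000,transfer,0xhot,0xunknown,2500000
181500,transfer,0xhot,0xcold,500
"""


@dataclass
class Alert:
    ts: int
    rule: str
    detail: str


def parse(log: str):
    """Yield (ts, event, actor, target, data) tuples from the CSV-like log."""
    for line in log.strip().splitlines():
        ts, event, actor, target, data = line.split(",")
        yield int(ts), event, actor, target, data


def analyse(log: str, known_signers: set) -> list:
    """Replay the event stream and return alerts in the order they fire."""
    alerts = []
    queued = {}     # op id -> timestamp it entered the timelock
    approvals = {}  # op id -> set of distinct approving signers

    for ts, event, actor, target, data in parse(log):
        if event == "grant_role":
            # A role handed to an address outside the allow-list.
            if target not in known_signers:
                alerts.append(Alert(ts, "role-grant",
                                    f"{actor} granted {data} to unknown {target}"))
        elif event == "queue":
            queued[target] = ts
            approvals.setdefault(target, set())
        elif event == "approve":
            approvals.setdefault(target, set()).add(actor)
        elif event == "execute":
            if target not in queued:
                alerts.append(Alert(ts, "unqueued",
                                    f"{actor} executed {target} with no timelock entry"))
                continue
            waited = ts - queued[target]
            if waited < TIMELOCK_SECONDS:
                alerts.append(Alert(ts, "timelock",
                                    f"{target} executed {TIMELOCK_SECONDS - waited}s early"))
            n_approvals = len(approvals.get(target, set()))
            if n_approvals < REQUIRED_APPROVALS:
                alerts.append(Alert(ts, "quorum",
                                    f"{target} executed with {n_approvals} approval(s)"))
        elif event == "transfer" and int(data) >= LARGE_TRANSFER:
            alerts.append(Alert(ts, "large-transfer",
                                f"{actor} moved {data} to {target}"))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG, KNOWN_SIGNERS):
        print(a.ts, a.rule, a.detail)
```

Running the sample log produces five alerts: the `ADMIN` grant to `0xdead`, the early execution of `op-1` (only 88,000 s after queueing) together with its single approval, the never-queued `op-9`, and the 2,500,000-unit hot-wallet transfer; `op-2`, which waited the full delay and carried two distinct approvals, passes silently. In a real deployment the stream would come from a node or indexer and the thresholds from the protocol's own configuration.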

DeFi Protocol Exploits and Smart Contract Vulnerabilities

Beyond access control, smart contract vulnerabilities represented another significant area of loss, totaling $263 million in the first half of 2025. The most impactful event in this category was the Cetus Protocol exploit, which resulted in a $223 million theft within just 15 minutes. The second quarter marked the worst period for the DeFi sector since early 2023 in terms of losses. Hacken also highlighted the first recorded attack on the hook mechanism in Uniswap V4, where attackers exploited a lack of basic validation to steal $12 million from Cork Protocol.

The evolving nature of DeFi threats necessitates not only secure code development but also agile monitoring and incident response capabilities, especially as new functionalities are integrated into protocols.

The Pervasive Threat of Social Engineering

Social engineering remains one of the most dangerous and widespread threats in the Web3 ecosystem, inflicting approximately $600 million in damages during H1 2025. This category encompasses deceptive tactics designed to manipulate users, often through phishing, fake phone calls, and counterfeit interfaces. A notable incident involved the theft of $330 million in Bitcoin from an elderly US investor, where fraudsters impersonated support staff to induce a self-transfer of funds. This marked the largest individual crypto theft in the industry’s history.

Furthermore, users lost an additional $100 million due to fake calls impersonating Coinbase support, often leveraging leaked user data for personalized scams. Attackers also deployed malicious decentralized applications (dApps), mimicked popular wallet interfaces, and even injected malicious code into open-source projects on platforms like GitHub. Remote workers and development teams are increasingly targeted through sophisticated fake job interviews where malicious scripts are delivered, compromising user devices within seconds and leading to immediate asset loss.

Ruditsa warned of a “rapid increase in compromised user devices resulting in instantaneous theft of all crypto assets,” noting that many such attacks, particularly those organized by entities like North Korea, target freelancers and developers within the Web3 ecosystem. Browser extensions, especially within the Chrome ecosystem, serve as another common vector for attackers to gain access to wallets and user sessions by forging interfaces or intercepting data. Hacken’s analysis indicates that in general phishing attacks, most users either voluntarily provided their seed phrases or directly transferred cryptocurrency to attacker-controlled addresses.

Enhancing Industry and User Security Protocols

To bolster security, Hacken recommends that cryptocurrency exchanges adopt several key practices:

  • Implement a mandatory 48-to-72-hour waiting period for withdrawals after password changes, email modifications, or two-factor authentication (2FA) resets.
  • Enhance identification systems for suspicious account activity, such as new device logins or VPN usage.
  • Increase the proportion of user funds held in cold storage, minimizing reliance on hot wallets.
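The first two recommendations above amount to a withdrawal policy: a hold that starts whenever a password, e-mail or 2FA setting changes, and a step-up review when the request arrives from an unrecognised device or over a VPN. The following is an added example, not Hacken's code or any exchange's implementation: a Python policy function that returns `allow`, `hold` or `review` for a withdrawal request. The 72-hour hold length (the upper end of the article's 48-to-72-hour window), the account model and the device identifiers are assumptions made for illustration.

```python
"""Exchange-side withdrawal policy (added example; constructed, not any exchange's code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

HOLD_SECONDS = 72 * 3600   # assumed: upper end of the article's 48-72 hour window
SECURITY_EVENTS = {"password_change", "email_change", "2fa_reset"}


@dataclass
class Account:
    known_devices: Set[str] = field(default_factory=set)
    last_security_change: Optional[int] = None   # unix time of the latest change


def record_event(acct: Account, kind: str, ts: int) -> None:
    """Record a credential or 2FA change; every such change (re)starts the hold."""
    if kind not in SECURITY_EVENTS:
        raise ValueError(f"unknown security event {kind!r}")
    acct.last_security_change = ts


def withdrawal_decision(acct: Account, now: int, device_id: str,
                        via_vpn: bool) -> Tuple[str, List[str]]:
    """Return ("allow" | "hold" | "review", reasons) for a withdrawal request.

    A hold is absolute: it applies even from a known device, because the
    attacker in an account-takeover scenario already holds the new credentials.
    """
    reasons: List[str] = []
    if acct.last_security_change is not None:
        elapsed = now - acct.last_security_change
        if elapsed < HOLD_SECONDS:
            reasons.append(f"security change {elapsed}s ago; "
                           f"{HOLD_SECONDS - elapsed}s of hold remaining")
            return "hold", reasons
    # Past the hold: route risky sessions to manual or step-up verification.
    if device_id not in acct.known_devices:
        reasons.append(f"unrecognised device {device_id}")
    if via_vpn:
        reasons.append("connection via VPN")
    if reasons:
        return "review", reasons
    return "allow", reasons


if __name__ == "__main__":
    acct = Account(known_devices={"dev-A"})
    record_event(acct, "password_change", ts=0)
    for now, dev, vpn in [(3600, "dev-A", False), (259200, "dev-A", False),
                          (259200, "dev-B", True)]:
        print(now, dev, vpn, withdrawal_decision(acct, now, dev, vpn))
```

The ordering matters: the hold is checked first and returns immediately, so a request from a brand-new device during the hold window is simply held rather than sent for review, and only requests that have cleared the window are evaluated for device and network risk.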

For individual crypto asset holders, maintaining robust digital hygiene is crucial:

  • Exercise extreme caution with links received via SMS or Telegram chats.
  • Thoroughly verify the sender’s email address when receiving communications from exchanges, ensuring it originates from an official platform account.
  • Utilize cold hardware wallets for storing significant cryptocurrency holdings.
  • Prefer authenticator applications over SMS for 2FA for enhanced security.

Eugenia Broshevan, Co-founder of Hacken, emphasized that “2025 has clearly shown that the primary vulnerability in Web3 is not the code, but people themselves.” She highlighted social engineering and phishing as drivers of record losses, with over $600 million in Q2 alone. Broshevan stressed that successful attacks often exploit fundamental trust through malicious links, fake job opportunities, or the signing of dangerous transactions. She concluded that security in Web3 begins with basic digital hygiene—using cold wallets, exercising caution with code, and meticulously verifying every transaction—and that “user protection is a shared responsibility” requiring both individual vigilance and robust protective mechanisms from platforms.
