Crypto Sector Lost $3.1 Billion to Hacks in First Half of 2025, Hacken Report Reveals

raj-hirvate

The biannual review by Hacken paints a sobering picture of the state of security in the crypto ecosystem, citing deep-rooted vulnerabilities in both decentralized finance (DeFi) and centralized finance (CeFi) platforms. The report identifies outdated infrastructure, flawed access control mechanisms, and risky integrations of artificial intelligence (AI) as major contributors to the surge in losses.

Access Control and Smart Contract Bugs Lead the Damage

Access-control exploits were the primary cause of financial damage, accounting for approximately 59% of the total funds lost. Meanwhile, smart contract vulnerabilities were responsible for an estimated $273 million in losses.

A standout incident was the massive $1.5 billion breach involving the Bybit exchange in February. While it captured global attention, Hacken analysts argue that the scale of overall industry vulnerabilities overshadows any single incident.

“Human and procedural errors are now more frequent vectors of attack than cryptographic flaws,” noted Hacken’s forensic team in the report.

Legacy Codebases Remain Prime Targets

According to Yehor Rudytsia, Head of Forensics at Hacken, legacy systems continue to be exploited, particularly those still active despite being outdated. He cited the GMX v1 protocol as a notable example.

“Projects have to care about their old or legacy codebase if it was not stopped from operating completely,” Rudytsia said, underlining the dangers of leaving obsolete codebases exposed to modern attack strategies.

Operational Weaknesses: A $1.8 Billion Problem

Operational security gaps have been responsible for about $1.83 billion in losses so far in 2025. A key case was the $223 million hack of the DeFi platform Cetus during Q2. The exploit involved a vulnerability in overflow checks within its liquidity calculations.

Using flash loans, the attacker initiated hundreds of micro-positions across 264 liquidity pools. Hacken suggested that had real-time total value locked (TVL) monitoring and automatic shutdown mechanisms been in place, up to 90% of the stolen funds could have been protected.
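
The following added example (not code from Hacken, Cetus, or the report) sketches the kind of TVL monitor with automatic shutdown described above: it tracks drawdown from the recent peak over a sliding window, so a drain split into many small withdrawals still trips it. The 10% threshold, 60-second window, class and function names, and both sample series are assumptions constructed for illustration.

```python
from collections import deque

class TvlCircuitBreaker:
    """Latches `paused` when TVL falls too far below its recent peak.

    Threshold and window are illustrative assumptions, not values from the report.
    """

    def __init__(self, max_drawdown_bps=1000, window_s=60):
        self.max_drawdown_bps = max_drawdown_bps  # 1000 bps = 10%
        self.window_s = window_s
        self.paused = False
        self._samples = deque()  # (timestamp_s, tvl) pairs inside the window

    def observe(self, ts, tvl):
        """Record one TVL sample; return True once the protocol should be paused."""
        if self.paused:  # stays tripped until an operator resets it
            return True
        while self._samples and ts - self._samples[0][0] > self.window_s:
            self._samples.popleft()
        self._samples.append((ts, tvl))
        peak = max(v for _, v in self._samples)
        # Integer comparison avoids float rounding at the threshold boundary.
        if (peak - tvl) * 10_000 > self.max_drawdown_bps * peak:
            self.paused = True  # a real deployment would invoke its pause routine here
        return self.paused


def replay(samples, breaker):
    """Feed samples in order; return (trip_time or None, TVL at that point)."""
    for ts, tvl in samples:
        if breaker.observe(ts, tvl):
            return ts, tvl
    return None, samples[-1][1]


# Constructed data: many small withdrawals, each only 0.5% of starting TVL.
DRAIN = [(t, 100_000_000 - 500_000 * t) for t in range(181)]
# Constructed data: ordinary +/-2% fluctuation that must not trip the breaker.
CALM = [(t, 100_000_000 + (2_000_000 if t % 2 == 0 else -2_000_000))
        for t in range(181)]

if __name__ == "__main__":
    print("drain:", replay(DRAIN, TvlCircuitBreaker()))
    print("calm: ", replay(CALM, TvlCircuitBreaker()))
```

A drain slow enough to stay under the threshold within every window is not caught by this check alone, so a longer second window is a sensible companion.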

AI Integration: Boon and Bane for Web3

Artificial intelligence has rapidly become a staple in Web3 development—but with it comes heightened risk. Hacken reported a 1,025% increase in AI-related security incidents over the previous year, primarily driven by insecure APIs.

In 2025, around 34% of Web3 projects have integrated live AI agents, exposing them to issues like prompt injection, model hallucinations, and data poisoning. Nearly 99% of AI-related exploits stemmed from insecure APIs, making them the most targeted attack vector.

The report also criticized current security frameworks such as ISO/IEC 27001 and the NIST Cybersecurity Framework for failing to adequately address AI-specific threats. Hacken has called for the development of more agile governance and risk models to keep pace with the evolving attack landscape.

A Call for Adaptive Security

As attack methodologies become more sophisticated—leveraging automation, AI, and social engineering—the crypto sector’s demand for proactive, real-time security solutions is rapidly growing.

Hacken’s findings signal an urgent need for the industry to evolve from reactive patchwork fixes to holistic, forward-looking security architectures that encompass legacy systems, smart contracts, AI components, and operational workflows.

Source: Hacken Biannual Web3 Security Report 2025
