Crypto Security Crisis: $4 Billion Lost in 2025 as North Korea Dominates Cyberattacks

The $4 billion lost in 2025 represents a 40% increase from 2024, according to Hacken’s annual report, which tracked incidents throughout the year.

North Korean state-sponsored hackers emerged as the dominant threat, responsible for approximately 52% of all stolen funds. The TraderTraitor cluster alone extracted roughly $1.85 billion through sophisticated attacks on centralized exchanges, making nation-state actors the single biggest security threat facing the industry.

Operational Failures Drive Biggest Losses

Access control exploits—failures in operational security rather than smart contract code—accounted for $2.12 billion in losses, representing 53% of the total. The pattern repeated throughout the year: weak key management, compromised multisig signers, and vulnerable employee endpoints.

The year’s largest single theft demonstrated this vulnerability. Bybit, a major centralized exchange, lost nearly $1.5 billion in February through compromised access controls. Blockchain analysis revealed that attackers routed approximately $386 million through DeFi aggregators, with PancakeSwap alone processing $263 million of the stolen funds.

Other major exchange breaches attributed to North Korean actors included Phemex ($85 million), BTC Turk ($55 million), and SwissBorg ($41.5 million). All followed similar patterns: malware deployment, supply chain compromise, and exploitation of weak operational security practices.

Figure: Operational Failures Drive Biggest Losses. Source: Hacken 2025 Yearly Security Report

“Most of the access control exploits you see in news come from North Korea,” the Hacken report stated. “They don’t hack smart contracts, they hack operational processes and weak endpoint security.”

Social Engineering Reaches New Sophistication

Phishing and social engineering losses jumped to $951 million, with their share of total losses rising from 21.3% in 2024 to 23.8% in 2025. North Korean threat actors perfected several attack playbooks that weaponized trust and human psychology.

The “Contagious Interview” campaign targeted crypto workers with fake job offers at legitimate companies like Coinbase and Kraken. Victims received polished LinkedIn messages from Western recruiter personas advertising remote positions. Once engaged, they were asked to complete “skills assessments” requiring them to run malicious code that deployed infostealers like BeaverTail, which immediately drained browser and desktop wallets.

Another cluster, active since 2018, impersonated venture capitalists proposing collaboration. Victims were invited to video calls where “audio issues” prompted them to install malicious software disguised as fixes. This group extracted nearly $200 million in 2025 alone.

The most devastating individual social engineering incident involved $330 million in Bitcoin stolen from an elderly US holder through complex manipulation tactics. A separate victim lost $50 million in a single transaction through address poisoning—where scammers create addresses with matching first and last characters hoping victims copy from transaction history instead of verified address books.
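A defensive check for the address-poisoning pattern described above, as an added example that is not from the article or the Hacken report: it classifies a destination against a verified address book and flags entries that match a known address only in their first and last characters. The function names, the four-character window, and the sample addresses are assumptions constructed for illustration.

```python
"""Address-poisoning check: compare a destination against a verified address book."""
from __future__ import annotations


def _norm(addr: str) -> str:
    # Compare EVM-style hex addresses case-insensitively, without the 0x prefix.
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a


def classify(candidate: str, address_book: dict[str, str], n: int = 4):
    """Return (verdict, label) where verdict is 'verified', 'lookalike' or 'unknown'."""
    cand = _norm(candidate)
    for label, known in address_book.items():
        if cand == _norm(known):
            return "verified", label
    for label, known in address_book.items():
        k = _norm(known)
        # A poisoned address matches what a truncating wallet UI displays:
        # the first and last few characters, while the middle differs.
        if len(cand) == len(k) and cand[:n] == k[:n] and cand[-n:] == k[-n:]:
            return "lookalike", label
    return "unknown", None


def review_history(history: list[str], address_book: dict[str, str], n: int = 4):
    """List transaction-history entries that imitate a verified address."""
    hits = []
    for addr in history:
        verdict, label = classify(addr, address_book, n)
        if verdict == "lookalike":
            hits.append((addr, label))
    return hits


# Constructed sample data (not real wallets).
ADDRESS_BOOK = {"treasury-cold": "0x52A1c9E07b3D4f6688a0B1c2D3e4F5a6B7c89D41"}
HISTORY = [
    "0x52a1c9e07b3d4f6688a0b1c2d3e4f5a6b7c89d41",  # genuine, different letter case
    "0x52A1" + "f" * 32 + "9D41",                  # same first/last 4, different middle
    "0x9f" + "0" * 34 + "beef",                    # unrelated address
]

if __name__ == "__main__":
    for addr in HISTORY:
        print(addr, classify(addr, ADDRESS_BOOK))
```

A "lookalike" verdict is the case to block outright; "unknown" only means the address still needs out-of-band verification before it is added to the book.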

DeFi Protocols Exploited Despite Audits

Smart contract vulnerabilities cost the industry $512 million in 2025. Several major DeFi protocols were compromised despite having undergone multiple security audits, highlighting that code review alone cannot guarantee security.

Balancer lost $128 million when attackers discovered a subtle rounding error in Composable Stable Pools. By pushing pools into thin liquidity and executing repeated batchSwap calls, they exploited minor mathematical differences to distort prices and systematically drain value across multiple blockchains.

GMX v1 suffered a $42 million loss through a reentrancy vulnerability in its order execution logic. Attackers deployed malicious contracts that reentered the protocol mid-transaction during refunds, causing accounting inconsistencies. However, approximately 90% of funds were later recovered through negotiated bounty agreements—demonstrating that transparent on-chain activity can enable engagement with attackers.

Yearn Finance lost $9 million to an accounting error that allowed near-infinite minting of yETH tokens. Several newly launched projects built on Uniswap v4 were also compromised, including Bunni which lost $8.2 million in the first major hack on Unichain.

AI Security Threats Materialize

2025 marked the first documented wave of AI-native security failures as AI agents moved from experimental pilots into production systems. Multiple vulnerabilities emerged once agents connected to privileged tools and execution environments.

Notable incidents included EchoLeak, a zero-click indirect prompt injection enabling enterprise data exfiltration, and several vulnerabilities in Anthropic’s Model Context Protocol. Independent research found that 45% of tested AI-generated code samples failed security checks, often introducing common vulnerability patterns.

“Within five years, visual manipulation in XR will be photorealistic and targeted,” warned Luis Oscar Ramirez, CEO of Mawari, at the Hacken Trust Summit. “Don’t trust—verify must reach the display stack.”

The Hacken report identified key AI security failure patterns including indirect prompt injection across trust boundaries, insecure local transports, over-trust in tools, and AI-generated code acting as a vulnerability multiplier. Security experts emphasized that AI adoption creates new attack surfaces requiring updated security playbooks.

Quarterly Patterns and Security Outlook

Losses peaked in Q1 2025 at over $2 billion, driven primarily by the Bybit incident, then declined sequentially through the year. Q2 saw approximately $1.2 billion in losses, Q3 dropped to around $600 million, with losses continuing to decline into Q4.

For two consecutive years, the vast majority of losses occurred in the first quarter, leading security researchers to urge blockchain projects to strengthen security practices immediately. The report noted that while access control exploits remained the largest source of losses, their relative share declined from 60.3% in 2024 to 53% in 2025 as smart contract vulnerabilities, phishing, and rug pulls increased their proportional share.

The Hacken Trust Summit 2025, held at Nasdaq’s MarketSite in New York, brought together institutional leaders representing trillions in assets. The consensus was clear: the cryptocurrency industry’s “wild west” era has ended, but only if security becomes a continuous process rather than a one-time compliance exercise.

Security experts recommend hardware wallet isolation on dedicated devices, maintaining address books as a single source of truth, implementing multi-party computation for custody, continuous monitoring beyond initial audits, and extensive human factor training to combat social engineering.

With North Korean actors showing no signs of slowing their campaigns and AI-powered threats emerging, the industry faces a critical moment. Security can no longer be an afterthought—it must be engineered into every layer of infrastructure, independently verified, and continuously monitored to protect the billions of dollars flowing into digital assets.

Source: https://bravenewcoin.com/insights/crypto-security-crisis-4-billion-lost-in-2025-as-north-korea-dominates-cyberattacks