Hacken’s latest Yearly Security Report estimates total Web3 losses at around $3.95 billion for 2025. That figure represents an increase of roughly $1.1 billion compared with the prior year. The report also attributes slightly over 50% of the stolen capital to North Korea–associated groups.
One of the most notable takeaways is how uneven the losses were throughout the year. Hacken says damages peaked in Q1, exceeding $2 billion, before steadily declining to about $350 million by Q4.
Crucially, Hacken argues these were not isolated coding mistakes, but signs of systemic operational risk across the industry. Failures in access controls and security processes accounted for approximately $2.12 billion—about 54% of all losses—while “classic” smart contract vulnerabilities were responsible for around $512 million over the same period.
The report also highlights the Bybit hack in February as the single largest incident of the year. With losses close to $1.5 billion, it alone made up a substantial share of total 2025 damages.