Date: 2025-07-27

Halfway through 2025, the crypto industry has already suffered over $3.1 billion in losses from hacks, scams, and exploits.

According to Hacken’s latest report, this year has emerged as one of the most damaging in recent memory.

Access-Control Exploits Dominate Losses

The latest figure surpasses last year’s $2.85 billion by over 6%, as security lapses across the sector continue. In a statement, Hacken Co-Founder and CBDO Yevheniia Broshevan said,

“2025 has been a wake-up call. In just two quarters, $3.1 billion was lost to access control failures, DeFi vulnerabilities, and social engineering. As blockchain reaches enterprise scale and regulations advance, cybersecurity becomes a core business function. Projects that invest in resilience and security build trust, meet compliance, and protect digital innovation.”

The single largest incident was the Q1 Bybit hack, where attackers drained nearly $1.5 billion. The incident alone accounted for 83% of Q1’s total losses and highlighted the catastrophic risks tied to compromised access control systems.

In total, access-control exploits dominated the landscape and were responsible for about 59% of all funds lost, approximately $1.83 billion, across DeFi and CeFi platforms.

DeFi Suffers Worst Quarter Since 2023

DeFi suffered its worst quarter since early 2023, with $300 million drained in Q2 alone. Smart contract flaws played a crucial role: this category accounted for 8% of total crypto losses, with $263 million stolen, including $223 million in the major Cetus exploit this year.

Phishing and social-engineering scams also surged to new records. In fact, a single incident in April saw a victim lose $330 million in Bitcoin after being tricked, while phone-based scams mimicking Coinbase support drained over $100 million following a contact data leak.

While Q1 was marred by large-scale access control failures, Q2 was comparatively quieter. The period witnessed under $200 million lost to similar exploits, yet several high-profile incidents showed how a single overpowered role or leaked key can enable attackers to drain systems within minutes.