Grafa logo

North Korea-linked theft and weak security drive Web3 losses

Written by Heidi Cuthbert Published Dec. 30 2025Last Updated Dec. 30 2025

Share

Web3 losses climbed to nearly $4 billion in 2025, according to Hacken’s latest yearly security report.

Hacken estimated total losses at approximately $3.95 billion, up about $1.1 billion from 2024.

More than half of the total damage was attributed to North Korea-linked threat actors.

Losses peaked at over $2 billion during the first quarter of the year before easing by year end.

By the fourth quarter, reported losses had fallen to roughly $350 million.

Hacken said the pattern points to systemic operational weaknesses rather than isolated coding errors.

The report highlighted poor key management and compromised signers as the primary causes of losses.

Smart contract vulnerabilities accounted for a far smaller share of total damage.

Access control failures and operational security breakdowns caused about $2.12 billion in losses.

This represented nearly 54% of all Web3 losses recorded in 2025.

By comparison, smart contract bugs were responsible for roughly $512 million.

Hacken identified the Bybit breach as the largest single theft on record.

The incident resulted in losses of nearly $1.5 billion.

Hacken said this breach was a major factor behind North Korea-linked clusters accounting for 52% of stolen funds.

Yehor Rudystia, head of forensic at Hacken Extractor, said regulators are increasingly clear on security expectations.

He noted that licensing regimes in the United States and European Union outline role-based access control and logging.

Rudystia also cited secure onboarding, ID verification and institutional-grade custody as regulatory benchmarks.

As regulatory requirements are only becoming mandatory principles, a lot of Web3 companies continued to follow insecure practices throughout 2025.

Yehor Rudystia said.

He pointed to failures such as not revoking developer access during off-boarding.

Rudystia also criticised the use of single private keys to manage entire protocols.

He said many firms lacked endpoint detection and response systems.

Among the most important are regular pen tests, incident simulations, custody control reviews, and independent audits.

Yehor Rudystia said.

Hacken expects regulators to shift from guidance to hard security requirements.

Yevheniia Broshevan, co-founder and chief executive of Hacken, said the industry has room to raise its security baseline.

We see a significant opportunity for the industry to raise its security baseline.

Yevheniia Broshevan said.

She added that clearer standards should improve protection for users’ funds in 2026.

Hacken also urged regulators to treat North Korea-linked tactics as a specific supervisory concern.

The firm called for real-time threat intelligence sharing and graduated penalties for non-compliance.