Hacken’s 2025 analysis pegs total Web3 losses at roughly $3.95 billion, with about $2.02 billion attributed to actors linked to North Korea. The dominant risk profile has shifted toward operational breakdowns—compromised keys, weak access controls, and governance gaps—rather than smart-contract bugs as the primary failure mode.
Mid-year figures reinforce the scale and pace of the damage. Hacken’s data puts losses at about $3.1 billion in the first half of 2025, including roughly $2.0 billion in Q1, with state-linked groups accounting for over half of stolen value. The same dataset attributes around $2.02 billion specifically to North Korea-linked actors and notes these operations have increased year over year.
Operational security has become the main attack surface
High-impact incidents show how quickly losses can concentrate when controls fail. A compromised signer interface drove a single event of about $1.46 billion, while a protocol coding bug still produced a $223 million drain, illustrating that both operational and code risks remain financially material. The pattern, however, is that the largest tail events increasingly originate in access pathways.
Smart-contract risk is still meaningful, but it is no longer the dominant driver in this framing. Code-related incidents are estimated at $512 million, or about 13% of projected 2025 losses, which keeps contract assurance and testing squarely on the risk agenda even as the larger exposure shifts to operations. That split signals a broader control problem rather than a purely technical one.
Access-control failures sit at the center of the loss curve. Hacken’s figures allocate about $2.12 billion (54%) of 2025 losses to access-control breakdowns, and in H1 alone these failures represented $1.83 billion, or 59% of the period’s total. In the 2025 TRUST analysis, the conclusion is explicit: “Operational security … has become the principal source of blockchain losses.”
Social engineering and key governance are the critical control points
Human-targeted compromise continues to scale because it bypasses protocol-level safeguards. Phishing and social engineering are cited as representing 21% of losses in the 2025 trust dataset, with 2024 phishing losses referenced at $600 million, indicating that attacker ROI remains high where training and controls are weak. The examples cited—a $330 million theft from an individual and more than $100 million via phone-based impersonation—underscore how quickly single points of failure can cascade.
Private key mismanagement remains one of the most preventable root causes. A private key is the cryptographic secret that authorizes transfers, and once exposed, assets can be irreversibly moved with limited recourse. The analysis links losses to human error, single-key dependencies, misconfigured multisignature setups, weak off-boarding, and failure to revoke former employees’ access.
The operational uplift required is concrete and programmatic, not theoretical. Treasuries and trading organizations should prioritize signer-interface governance, enforce least-privilege access, deploy endpoint detection and response (EDR), automate access revocation, and rehearse incident response to reduce time-to-containment. The laundering layer also remains a practical constraint. Routing stolen funds through third-country infrastructure and OTC networks can materially complicate recovery and attribution, raising the premium on rapid detection and coordinated response.
Hacken’s 2025 picture reframes Web3 risk as an operational security problem at scale. Well-resourced state actors and organized cybercriminals are increasingly winning through access, process, and human compromise, making key governance and control discipline the critical risk differentiators.