$2B Lost in 90 Days: The State of Web3 Security in 2025 (Q1 Recap)

The first quarter of 2025 marked one of the most alarming periods in Web3 security history — with over $2 billion lost in just three months. A 96% increase compared to Q1 2024. What’s behind this staggering number? The story points to operational failures, access control exploits, and a persistent pattern of multisig compromises.

---

What’s inside the report?

Access Control Exploits:
The #1 threat to Web3 today — responsible for over $1.6B in losses in Q1 alone. Multisig-related incidents continue to dominate, with Bybit suffering the largest hack in crypto history.

The Multisig Crisis:
Three quarters in a row, the biggest hacks involved Safe multisig wallets — not due to smart contract flaws, but due to weak operational security. Extractor, Hacken’s detection engine, shows how teams can defend against these failures.

DeFi vs. CeFi:
While DeFi losses remain under control, major CeFi platforms took severe hits, including Bybit ($1.46B) and Phemex ($85M) due to access control failures and compromised signer workflows.

Rugpulls & Phishing:
The infamous $LIBRA token rugpull (~$300M) shocked the community, fueled by political promotion and insider trading. Phishing scams also led to nearly $100M in losses, exploiting poor user security hygiene.

Smart Contract Exploits:
While smart contract bugs accounted for less than 2% of the total losses, they still resulted in $29M in damages. Notable cases like zkLend (Starknet) and 1inch Fusion v1 highlight persistent coding and maintenance issues.

Emerging Money Laundering Techniques:
Hackers are getting smarter — using perpetual exchanges and fake sandwich attacks to launder funds.

---

Learn from the real incidents.

Discover original research, expert insights, and practical recommendations to secure your assets and protocols.