The Web3 ecosystem faced an unprecedented security crisis in 2025, with annual losses rising to nearly USD 4 billion. A new report by Hacken reveals a stark reality: most of those losses stem not from intricate coding errors but from basic failures in operational security and access control, and a large share of the stolen funds is traced to state-sponsored actors.
Soaring Losses and a Shift in Blame
Hacken's 2025 annual security report paints a grim picture: total Web3 losses reached USD 3.95 billion, an increase of USD 1.1 billion over the previous year. Some 52% of the stolen funds are attributed to North Korean-linked groups, a figure dominated by the Bybit breach of nearly USD 1.5 billion, the largest single theft on record. Crucially, the report challenges the conventional view that Web3 losses are chiefly a smart contract problem, arguing that the escalating figures reflect systemic operational risk rather than isolated contract vulnerabilities.
The Overlooked Vulnerability: Access Control
The core of Web3's security problem, according to Hacken, is compromised access control and operational security: the management of the keys and signers that authorize transactions rather than the code those transactions call. These lapses accounted for approximately USD 2.12 billion, or nearly 54% of all losses, dwarfing the USD 512 million attributed to smart contract flaws. Weak keys, compromised signers, and neglected offboarding of departed staff are identified as the primary culprits. Despite clear regulatory directives from jurisdictions such as the U.S. and the EU on practices like role-based access control, secure onboarding, and institutional-grade custody, many Web3 companies continued to rely on insecure methods throughout 2025, leaving them exposed to exactly this kind of breach.
A Call for Hard Requirements and Targeted Defenses
Looking ahead, Hacken anticipates a decisive shift from soft security guidelines to binding regulatory requirements in 2026 and urges the industry to raise its baseline accordingly. Its key recommendations are regular penetration testing, incident simulations, custody control reviews, and independent audits, together with dedicated signing hardware and monitoring tooling. Given the persistent threat from North Korean hacking groups, the report also calls on regulators and law enforcement to enforce real-time threat intelligence sharing, mandate threat-specific risk assessments focused on phishing, and apply progressive sanctions to non-compliant platforms, while offering safe harbors to those that demonstrably maintain robust, targeted defenses.