
Hacken, a globally known cybersecurity firm, has released its Web3 Security Report for Q1 2025. According to the report, the first quarter of 2025 saw substantial financial losses due to exploits and vulnerabilities within the Web3 ecosystem.
Overall financial losses reached $2 billion, a 96% increase from the previous year. Hacken's report argues that Web3 infrastructure requires better security safeguards along with continuous protection at each operational level. The report covers major security breaches, losses, access control failures, and emerging laundering techniques.
Hacken Highlights Major Security Breaches and Exploits
Exploits stemming from compromised multisig-based operations remained the most damaging in the first quarter of 2025 and include the largest ever recorded. The biggest exploit of the quarter, and of the entire history of Web3, was the Bybit hack, at $1.46 billion.
Signers authorized malicious transactions that a compromised Safe{Wallet} frontend enabled, which resulted in a loss of This marks the third consecutive quarter in which the largest exploit was related to a multisig-based attack, following Q4 2024 and Q3 2024.
Access Control Exploits Dominate Losses
Most of the quarter's losses stemmed from access control failures, which amounted to $1.63 billion, or 83 percent of overall quarter losses. Hacken highlighted in its report that CeFi exchanges accounted for most of the incidents that led to losses this quarter. A malicious Safe transaction, signed through a compromised frontend, caused the Bybit hack, resulting in losses of $1.46 billion.
The Phemex hack ($85 million) resulted from a stolen hot wallet, whereas INFI ($50 million) lost funds after a developer kept administrative control, and ZOTH ($9 million) was exploited through access held by an externally owned account rather than a multisig.
DeFi Vulnerabilities and Smart Contract Bugs
DeFi protocols lost a total of $81 million, continuing the downward trend observed during the previous year. Smart contract bugs contributed only $29.4 million, or 1.5% of all reported losses for the period analyzed.
The zkLend heist resulted in $9.6 million in losses due to a rounding error in SafeMath that enabled flash loan manipulation, while the Ionic attack cost $12.3 million after protocol owners were socially engineered into approving harmful collateral.
Emerging Money Laundering Techniques
Hacken's Web3 Security Report also examines the money laundering techniques that hackers and organized crime currently use. The trend shows cybercriminals increasingly using perpetual exchanges like Hyperliquid to clean their stolen funds through trading platforms.
The criminals rely on two dominant laundering methods: intensive trading activity and staged attacks that masquerade as MEV profit. Wallet investigations by ZachXBT led to the discovery of a cybercriminal who obtained more than $20 million from phishing attacks and online casino exploits on the Hyperliquid and GMX platforms.