The comprehensive report, shared with Cointelegraph, painted a concerning picture of the Web3 security landscape throughout 2025: losses surged to over $2 billion in the first quarter alone before gradually receding to around $350 million by the fourth quarter. Despite the quarterly decline, Hacken’s analysis underscored a deeper, systemic problem: the pattern of breaches points to pervasive operational risks rather than isolated, remediable coding bugs. This insight reshapes the narrative around Web3 security, moving the focus from vulnerabilities in smart contract code to more fundamental flaws in human processes and access management. Hacken positioned 2025 as a pivotal year in which the financial figures worsened considerably while the underlying causes of those losses became unmistakably clear. Smart contract vulnerabilities remain a concern, but their impact pales in comparison to the often irrecoverable losses stemming from weak cryptographic keys, compromised signers, and inadequate off-boarding procedures. This shift represents a maturation in understanding the Web3 attack surface: the "human layer" remains the most exploitable vector.

Digging deeper into the report’s findings, Hacken stated that access control failures and broader operational security breakdowns were the primary drivers of financial losses, accounting for $2.12 billion, or nearly 54% of all Web3 losses in 2025. This figure dwarfs the approximately $512 million attributed to smart contract vulnerabilities, solidifying the argument that robust operational security is now paramount. Operational security encompasses a wide array of practices: how private keys are generated, stored, and managed; the protocols for granting and revoking access to critical systems and funds; the robustness of identity verification; and overall resilience against social engineering and insider threats. The report emphasizes that weaknesses in these areas create single points of failure that, when exploited, lead to losses far exceeding those from purely technical code exploits. Weak keys, for instance, might refer to private keys that are poorly generated, stored in easily accessible environments, or not protected by multi-factor authentication (MFA) or hardware security modules (HSMs). Compromised signers typically result from phishing or malware targeting individuals with the authority to approve transactions, turning legitimate personnel into unwitting accomplices. Sloppy off-boarding, such as failing to revoke access for former employees or contractors, leaves backdoors that can be exploited long after an individual has left the organization. These human and process-centric vulnerabilities are often harder to detect and prevent than code bugs, which can be identified through rigorous auditing and formal verification.

A singular event that profoundly skewed the 2025 loss figures was the Bybit breach, which alone accounted for nearly $1.5 billion in stolen assets. This incident is described as the largest single theft on record within the Web3 space, underscoring the immense scale of damage that a targeted, sophisticated attack can inflict. The report directly linked this massive theft to North Korea-linked clusters, which collectively accounted for approximately 52% of the total stolen funds across all incidents. North Korean state-sponsored hacking groups, notably the Lazarus Group, have long been identified as highly sophisticated and persistent threat actors in the crypto space. Their primary motivation is typically to fund the nation’s weapons programs and circumvent international sanctions. Their playbook often involves highly targeted spear-phishing campaigns, supply chain attacks, and sophisticated social engineering tactics designed to gain initial access to critical systems or to compromise key personnel. Once inside, they meticulously map networks, escalate privileges, and ultimately exfiltrate digital assets, often moving them through complex mixing services and multiple blockchain layers to obfuscate their trail. The sheer scale of the Bybit breach highlights the effectiveness of these groups in exploiting not just technical vulnerabilities but, more critically, the human and operational weaknesses within even large, established Web3 entities. This persistent threat from state-sponsored actors underscores the geopolitical dimensions of Web3 security, making it not merely a technical challenge but a matter of national and international security.

Hacken’s 2025 Security Report Shows Nearly $4B in Web3 Losses

Yehor Rudystia, head of forensic at Hacken Extractor, articulated to Cointelegraph that while the industry grapples with these escalating threats, regulatory bodies across major jurisdictions – including the US, European Union, and others – are progressively laying down explicit guidelines for robust security practices within their licensing regimes. These regulations, often evolving from general principles to highly specific mandates, outline what constitutes "good" security posture on paper. Key elements of these regulatory expectations include the implementation of role-based access control (RBAC) to ensure that individuals only have access to the resources absolutely necessary for their job functions, thereby minimizing the potential impact of a compromised account. Comprehensive logging and continuous monitoring systems are deemed essential for detecting suspicious activities in real-time and providing crucial forensic data post-incident. Secure onboarding and stringent identity verification (KYC/AML) processes are fundamental to prevent illicit actors from entering the ecosystem. Furthermore, regulators increasingly mandate institutional-grade custody solutions, which involve sophisticated mechanisms like Hardware Security Modules (HSMs) for secure key generation and storage, Multi-Party Computation (MPC) for distributed key management, multi-signature (multi-sig) wallets requiring multiple approvals for transactions, and robust cold storage solutions for assets not actively in use. The overarching goal is to ensure a high level of operational resilience and accountability within the Web3 ecosystem.

Despite these clear regulatory frameworks emerging, Rudystia lamented that "as regulatory requirements are only becoming mandatory principles, a lot of Web3 companies continued to follow insecure practices throughout 2025." This disconnect between prescriptive guidelines and actual industry adoption highlights a critical lag. Many companies, driven by rapid innovation, cost considerations, or a lack of understanding, failed to integrate these essential security measures into their core operations. Rudystia pointed to several pervasive and insecure practices, such as the failure to revoke developers’ access privileges during off-boarding, which leaves a significant backdoor for potential insider threats or exploited accounts. Another dangerous practice observed was the reliance on a single private key for managing an entire protocol, creating a catastrophic single point of failure that, if compromised, could lead to the total loss of associated assets. The absence of Endpoint Detection and Response (EDR) systems also left many Web3 companies vulnerable, as these tools are critical for monitoring and responding to threats on individual devices and servers, providing a vital layer of defense against sophisticated attacks. To bridge this gap, Rudystia emphasized the non-negotiable importance of regular penetration testing, incident simulations to practice response protocols, comprehensive custody control reviews, and independent financial and controls audits. He stressed that for large exchanges and custodians, these practices must become foundational in 2026 to genuinely enhance security.
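As an added illustration of the failure modes singled out in the report's findings (weak keys, compromised signers, sloppy off-boarding) and in Rudystia's observations (a single private key controlling a whole protocol, developer access never revoked), here is a small access-control audit over a constructed roster of protocol admin roles. It is not code from Hacken or from any project; the role names, signer names and key identifiers are invented.

```python
# Added example, not from Hacken's report: audit a roster of protocol admin
# roles for the operational failures the report describes. All data below is
# constructed for illustration.
from dataclasses import dataclass


@dataclass
class Signer:
    name: str
    key_id: str       # opaque identifier for the signing key (constructed)
    hardware: bool    # True if the key lives on a dedicated signing device


@dataclass
class Role:
    name: str         # e.g. "treasury"
    threshold: int    # approvals required, M of N
    signers: list     # list[Signer]


def audit_roles(roles, offboarded):
    """Return (role, severity, finding) tuples; empty list means no issues."""
    findings = []
    gone = {n.lower() for n in offboarded}
    for r in roles:
        n = len(r.signers)
        # Single point of failure: one compromised key controls the role.
        if n == 1 or r.threshold == 1:
            findings.append((r.name, "critical",
                             f"{r.threshold}-of-{n} approval: one compromised key is enough"))
        for s in r.signers:
            # Off-boarding gap: a former employee still holds signing authority.
            if s.name.lower() in gone:
                findings.append((r.name, "critical",
                                 f"{s.name} was off-boarded but still holds key {s.key_id}"))
            # Weak key custody: software key instead of dedicated signing hardware.
            if not s.hardware:
                findings.append((r.name, "high",
                                 f"{s.name} signs with a software key ({s.key_id})"))
        # Threshold equal to signer count: losing any one key freezes the role.
        if n > 1 and r.threshold == n:
            findings.append((r.name, "medium",
                             f"{r.threshold}-of-{n}: loss of any single key blocks operations"))
    return findings


# Constructed sample roster and HR off-boarding list.
ROLES = [
    Role("protocol-admin", 1, [Signer("alice", "key-A1", True)]),
    Role("treasury", 2, [Signer("bob", "key-B1", True),
                         Signer("carol", "key-C1", False),
                         Signer("dave", "key-D1", True)]),
]
OFFBOARDED = ["Carol"]

if __name__ == "__main__":
    for role, sev, msg in audit_roles(ROLES, OFFBOARDED):
        print(f"[{sev.upper()}] {role}: {msg}")
```

Run against the sample roster it reports the 1-of-1 admin key, Carol's unrevoked treasury key, and her software-only signer; the same checks can be pointed at an exported signer list from a real multi-sig to feed a periodic custody control review.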

Looking ahead, Hacken anticipates a significant elevation of security standards as supervisory bodies transition from issuing mere guidance to enforcing hard requirements. Yevheniia Broshevan, Hacken’s co-founder and CEO, conveyed to Cointelegraph that this shift presents a "significant opportunity for the industry to raise its security baseline." She particularly highlighted the need for universal adoption of clear protocols for utilizing dedicated signing hardware – devices specifically designed for secure transaction signing – and the implementation of essential monitoring tools that provide real-time visibility into operational activities and potential threats. Broshevan expressed optimism that overall security within the Web3 sector would notably improve in 2026, driven by these evolving regulatory requirements and the widespread adoption of "the most secure standards" necessary to safeguard users’ funds effectively. This regulatory push is expected to force companies to invest more substantially in their security infrastructure and processes, moving away from reactive measures towards a more proactive and preventative posture. The industry’s maturation, coupled with regulatory pressure, is seen as a catalyst for establishing a more trustworthy and resilient Web3 environment, crucial for attracting broader institutional and retail adoption.

Given the overwhelming influence of North Korea-linked clusters, which were responsible for roughly half of all attributed losses in Hacken’s report, Rudystia strongly advocated for regulators and law enforcement to treat the country’s specific playbooks as a distinct supervisory concern. He argued that a generic approach to cybersecurity is insufficient when facing such a dedicated and well-resourced state actor. Instead, Rudystia proposed that authorities should mandate real-time threat intelligence sharing focused specifically on North Korean indicators of compromise, enabling platforms to proactively defend against known tactics. Furthermore, he suggested requiring threat-specific risk assessments that are tailored to counter phishing-led access attacks, a common entry vector for these groups. To ensure compliance and incentivize robust defenses, Rudystia recommended pairing these mandates with "graduated penalties for non-compliance" and offering safe-harbor protections for platforms that fully participate in intelligence sharing and maintain North Korea-specific defenses. This multi-pronged approach acknowledges the unique and severe threat posed by state-sponsored actors, advocating for a coordinated and targeted defense strategy that integrates regulatory enforcement with industry collaboration, ultimately aiming to disrupt the funding mechanisms of these malicious entities and protect the integrity of the global Web3 ecosystem. The future of Web3 security, therefore, hinges not just on technological advancements but on a holistic approach that integrates regulatory mandates, industry best practices, and international cooperation against sophisticated adversaries.