Web3 security in 2025: What is the outlook?

Written by editor James Bourne

Web3 saw plenty of breakthroughs in 2024 – but also plenty of break-ins. Many in the industry stressed that greater investment and collaboration were needed to keep the space safe. Yet anyone who hoped 2025 would bring smoother sailing was about to be blindsided by the biggest crypto heist of all time.

February saw the small matter of approximately $1.5 billion (£1.1bn) in digital assets stolen from an Ethereum wallet belonging to the cryptocurrency exchange Bybit. The FBI, in an official public service announcement, laid the blame squarely on North Korea. At the time of writing, it is understood that around $300m of the haul has been cashed out by the hackers into unrecoverable funds.

Depending on who you read, Web3 losses for the whole of 2024 were somewhere in the $2-$3bn range. Hacken, in its Web3 Security Report, puts the figure at more than $2.9bn, with almost 60% of those losses attributed to access control vulnerabilities. The Hack3d 2024 Annual Report, from CertiK, has it at $2.363bn lost across 760 on-chain security incidents, a more than 30% increase in value stolen compared with 2023. Cyvers, in its 2024 report, says over $2.3bn was lost across hacking incidents, with access control accounting for 81% of losses and two in five incidents.

Two days after the heist, Bybit published a release in which the company said its actions showed a ‘remarkable display of resilience and professionalism.’ The exchange’s withdrawal and product services were uninterrupted – more than 350,000 withdrawal requests were processed within 12 hours of the hack – while the company added that its 1:1 reserve guarantee ensured client assets remained fully intact.

“The exchange’s ability to turn a potentially disastrous event into a demonstration of resilience and transparency is a testament to its longstanding culture of responsibility and openness,” the company noted. “This incident highlights not just Bybit’s operational excellence but also the growing maturity and unity of the crypto industry as a whole.”

So how do the 2024 security reports assess the performance of the wider ecosystem? Again, the figures have to be read alongside the variance between providers, but the wider trends are interesting.

CertiK suggests that, excluding phishing (which by the company’s estimates represents almost half of all value stolen last year), ecosystem security is getting better. According to CertiK’s numbers, 2024 saw a drop to 445 such incidents, from 702 the year before, and only two incidents each exceeded $100m lost, against three in 2023. In 2022, there were 583 incidents, 10 of which each exceeded a $100m loss.

Hacken argues that cross-chain interoperability is getting more resilient. According to its numbers, the total value stolen from bridges dropped from $1.89bn in 2022 to $114m in 2024. Bridge developers are increasingly integrating multi-party computation and zero-knowledge cryptography to harden their designs against attack.

Cyvers, meanwhile, noted the threat that AI and quantum computing pose, and the added complexity of the attacks they will enable. Quantum advances in breaking encryption ‘threaten the backbone of blockchain technology’, the company argues, while AI is ‘turbocharging cybercrime.’ “As technology evolves, so too must the defence strategies that safeguard the digital frontier,” the company noted.

The AI concern is echoed by Nikita Varabei, CEO and co-founder at ChainPatrol. Varabei fears the potential for fully automated phishing scams as AI agents gain access to on-chain systems for transactions. “These AI-powered scams will operate like an assembly line, making them faster, cheaper, and harder to detect,” Varabei wrote in a blog post. “In fact, 2025 could be the year we see the first fully autonomous scam AI agents – functioning like digital viruses that live in the ecosystem.”

For Hacken, the fact that access control attacks were consistently the dominant threat across all areas of Web3, from CeFi to DeFi to gaming and the metaverse, points to private key compromise as a major weakness. This can come down to insecure private key management platforms or social engineering attacks, among other causes. CertiK puts the value of funds stolen through private key compromises at $855m. The Cryptocurrency Security Standard (CCSS), as Hacken notes, ‘provides a structured approach to these challenges’, including multi-layered security measures, periodic security audits, and stringent access control guidelines.
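As an added illustration, not code from the article or from Hacken, CertiK, Cyvers or Bybit, the following hypothetical Solidity contracts show what an access control vulnerability of the kind these reports count typically looks like, and one way to harden it so that a single compromised key is not enough to move funds. The contract names, the threshold-approval scheme and every parameter are constructed for this example; a production deployment would use an audited multisig rather than this minimal sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration: a treasury whose privileged function is
// reachable by anyone. Both contracts are hypothetical, not code from
// any project named in the article.
contract VulnerableTreasury {
    address public owner;

    constructor() { owner = msg.sender; }

    // No access check: any caller can take ownership and then drain funds.
    function setOwner(address newOwner) external {
        owner = newOwner;
    }

    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        to.transfer(amount);
    }

    receive() external payable {}
}

// Hardened form: ownership changes are gated, and withdrawals require
// approval from `threshold` distinct signers, so one stolen key cannot
// move funds on its own.
contract HardenedTreasury {
    address public owner;
    address[] public signers;
    uint256 public immutable threshold;

    // withdrawal id => signer => approved
    mapping(bytes32 => mapping(address => bool)) public approvals;
    mapping(bytes32 => uint256) public approvalCount;
    mapping(bytes32 => bool) public executed;

    event Withdrawn(bytes32 indexed id, address to, uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier onlySigner() {
        require(isSigner(msg.sender), "not signer");
        _;
    }

    constructor(address[] memory _signers, uint256 _threshold) {
        require(_threshold > 0 && _threshold <= _signers.length, "bad threshold");
        owner = msg.sender;
        signers = _signers;
        threshold = _threshold;
    }

    function isSigner(address a) public view returns (bool) {
        for (uint256 i = 0; i < signers.length; i++) {
            if (signers[i] == a) return true;
        }
        return false;
    }

    // Ownership transfer is restricted to the current owner.
    function setOwner(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero address");
        owner = newOwner;
    }

    // Each signer approves a specific (to, amount, nonce) tuple. The
    // transfer executes only once `threshold` distinct signers have
    // approved, and a given tuple can never execute twice.
    function approveWithdrawal(address payable to, uint256 amount, uint256 nonce)
        external
        onlySigner
    {
        bytes32 id = keccak256(abi.encode(to, amount, nonce));
        require(!executed[id], "already executed");
        require(!approvals[id][msg.sender], "already approved");
        approvals[id][msg.sender] = true;
        approvalCount[id] += 1;

        if (approvalCount[id] >= threshold) {
            executed[id] = true;
            emit Withdrawn(id, to, amount);
            (bool ok, ) = to.call{value: amount}("");
            require(ok, "transfer failed");
        }
    }

    receive() external payable {}
}
```

The point of the hardened version is that `setOwner` is no longer callable by an arbitrary address, and that the signing set, not one private key, is the security boundary for withdrawals. It does not protect against a signer being tricked into approving a malicious tuple, which is the social engineering path the reports describe; that still needs out-of-band verification of what is being signed.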

The message of having robust, multi-layered security frameworks in place is a consistent one. Cyvers notes that audits, while indispensable, represent just one layer of Web3 security. “To truly protect crypto projects and their stakeholders, a holistic security approach is necessary,” the company wrote. “Integrating real-time monitoring, pre-transaction risk assessment, and robust crisis management tools can transform how companies defend against evolving threats, ensuring the resilience and trustworthiness of the Web3 ecosystem.”

Understandably, this is where these security companies can step in. Yet a wider message around collaboration is also evident. Hacken runs multiple communities promoting vigilance, from identifying fraudulent activity to advocating for stronger standards in crypto security. Varabei argues that 2025 will see this ‘grassroots effect… become even more vital’, with communities in which scam victims feel validated in sharing their experiences becoming necessary.

“Attackers have long relied on siloed victims,” Varabei wrote. “In 2025, we should focus on building a united community response that will drastically limit their reach.”

---

Want to stay one step ahead of the adversaries? Find out more about the latest Web3 trends at Tokenize : LDN, on 2 - 3 December 2025.
