The first half of 2025 has underscored the persistent and evolving risks within the Web3 ecosystem. Despite growing awareness and technological advancements, blockchain security remains a critical challenge. According to comprehensive data from Beosin Alert and Footprint Analytics, the total financial loss due to hacking, phishing scams, and rug pulls reached approximately $2.138 billion in the first six months of 2025. This marks a significant increase compared to the same period in 2024, highlighting the urgent need for stronger security measures across decentralized and centralized platforms.
This in-depth analysis explores the key attack vectors, vulnerable project types, compromised blockchains, and the flow of stolen funds. By identifying core patterns and offering actionable insights, this report aims to equip developers, investors, and platform operators with the knowledge needed to navigate an increasingly complex threat landscape.
Major Security Incidents in H1 2025: A $2.09 Billion Toll
In the first half of 2025, Beosin Alert recorded 90 major security incidents across the Web3 space, resulting in cumulative losses of **$2.093 billion**. Two of these events caused damages exceeding $100 million, seven surpassed $10 million, and 18 fell between $1 million and $10 million.
The most devastating single event was the Bybit breach, which accounted for $1.44 billion of the total losses—nearly 67.4% of all attack-related damages. The attack exploited a compromise of the Safe wallet infrastructure, where malicious code was injected into the frontend, tricking signers into approving fraudulent transactions. This incident alone highlights the cascading risks associated with third-party infrastructure dependencies.
Other high-impact breaches include:
- Cetus Protocol on Sui: A contract vulnerability stemming from a flawed implementation of a left-shift operation led to a **$224 million** loss. Fortunately, collaborative efforts froze $162 million of the stolen assets.
- Nobitex Exchange: Suffered a $90 million attack across multiple chains, with a cyber group claiming responsibility.
- Phemex & UPCX: Each lost $70 million, one due to private key exposure and the other from an access control flaw in smart contract administration.
These events reflect a disturbing trend: even well-established platforms remain vulnerable to both technical exploits and operational oversights.
👉 Discover how advanced security protocols can prevent catastrophic losses in your Web3 projects.
Project Types Most Targeted by Attackers
Centralized Exchanges: The Prime Target
Despite the decentralized ethos of Web3, centralized exchanges (CEXs) emerged as the most financially damaging target in H1 2025. Six major attacks on CEXs resulted in **over $1.591 billion** in losses—representing **74.4%** of total attack-related damages. Bybit’s $1.44 billion loss dominates this category, followed by Nobitex ($90M), Phemex ($70M), and BitoPro ($11.5M).
The concentration of assets in centralized custody makes these platforms attractive targets. Even routine operations like wallet upgrades or key management can introduce critical vulnerabilities if not rigorously secured.
DeFi Protocols: Second-Highest Loss Category
Decentralized Finance (DeFi) platforms ranked second in total losses, with **$324 million** stolen across multiple protocols. The **Cetus Protocol** incident on Sui accounted for nearly **69%** of all DeFi losses. Other notable breaches include Abracadabra Finance ($13M), Cork Protocol ($12M), and zkLend ($9.5M).
Most DeFi attacks exploited smart contract logic flaws, emphasizing the importance of rigorous code audits and formal verification before deployment.
Other targeted sectors include:
- Crypto payment platforms: $120 million lost in two incidents.
- Cross-chain bridges, token contracts, meme coin launchpads, and browsers: All experienced smaller but impactful breaches.
Blockchain-Specific Security Risks
Ethereum: Highest Losses and Most Attacks
As in previous years, Ethereum remained the most attacked blockchain in H1 2025. A staggering 81 incidents occurred on Ethereum, leading to $1.739 billion in losses—81.3% of the global total. The sheer volume of high-value transactions and mature DeFi ecosystem continues to attract malicious actors.
BNB Chain: Rising Attack Frequency
BNB Chain ranked second with 33 attacks and $42.53 million in losses. While individual losses were smaller than on Ethereum, the number of attacks surged by over 357% compared to H1 2024, indicating increased targeting of alternative ecosystems.
Emerging Chains Under Pressure
- Arbitrum: $21.2 million lost; attack frequency increased but total damage dropped by 71.8%.
- Base: $13.05 million lost; both attack count and financial impact grew sharply (+294% YoY).
These trends suggest that attackers are expanding their focus beyond Ethereum, probing newer chains for unpatched vulnerabilities as they scale.
Top Attack Vectors: Where Are the Weaknesses?
Contract Vulnerabilities Dominate
A full 70% of all attacks—63 out of 90—leveraged smart contract vulnerabilities, resulting in $408 million in losses. This reaffirms that flawed code remains the Achilles’ heel of Web3 security.
Breakdown by vulnerability type:
- Business logic flaws: Caused $356 million in losses (45 incidents).
- Algorithmic defects: $21.37 million (5 incidents).
- Input validation failures: $12.7 million (7 incidents).
Private key leaks, while less frequent than in 2024, still caused over $102 million in damages—highlighting ongoing risks in key management practices.
👉 Learn how real-time threat monitoring can stop exploits before they execute.
Where Did the Stolen Funds Go?
Recovery Rates Remain Low
Only about $238 million (11.1%) of stolen funds were successfully frozen or recovered—a stark reminder of the challenges in tracing and reclaiming digital assets.
- 4.6% ($97.89M) flowed into centralized exchanges.
- 13% ($278M) passed through cryptocurrency mixers like Tornado Cash and others—a significant increase from 2024.
The decline in funds moving directly to exchanges suggests improved Anti-Money Laundering (AML) systems and better cooperation between exchanges, law enforcement, and security firms. As a result, attackers are increasingly relying on mixers to obscure fund trails.
Key Takeaways & Recommendations
The H1 2025 security landscape reveals several critical insights:
- Centralized infrastructure remains a high-value target.
- Smart contract flaws are still the leading cause of breaches.
- Attackers are diversifying across chains and using sophisticated laundering techniques.
- Global recovery efforts are improving but remain insufficient.
To mitigate risks, project teams should:
- Conduct comprehensive audits using formal verification.
- Implement multi-signature wallets and strict access controls.
- Monitor for anomalous activity in real time.
- Train staff on social engineering and phishing threats.
Individual users must:
- Store private keys offline.
- Verify contract interactions through trusted interfaces.
- Avoid reusing credentials or granting unnecessary permissions.
Frequently Asked Questions (FAQ)
Q: Why were centralized exchanges the most attacked targets in H1 2025?
A: CEXs hold large concentrations of digital assets in hot wallets, making them lucrative targets. Operational lapses—like insecure key management or compromised third-party tools—can lead to massive losses, as seen in the Bybit incident.
Q: What is the most common type of smart contract vulnerability?
A: Business logic flaws are the most frequent and damaging. These occur when the intended functionality of a contract is incorrectly implemented, allowing attackers to manipulate flows for unauthorized fund extraction.
Q: How can stolen crypto funds be traced or recovered?
A: Blockchain analytics tools track fund movements across wallets. Collaboration between security firms, exchanges, and regulators can lead to freezing assets on compliant platforms, though recovery through mixers remains extremely difficult.
Q: Are newer blockchains like Base and Arbitrum safer than Ethereum?
A: Not necessarily. While some chains show lower loss amounts, they’re experiencing rapidly increasing attack volumes. Newer ecosystems may lack mature security tooling and experienced auditors, creating exploitable gaps.
Q: What role do mixers play in post-hack fund flows?
A: Mixers obscure transaction trails by pooling and redistributing funds across multiple addresses. Their rising usage indicates that attackers are adapting to stronger exchange-level AML controls by laundering through decentralized privacy tools.
Q: How effective are smart contract audits in preventing hacks?
A: High-quality audits—especially those using formal verification—are highly effective at catching critical flaws before deployment. However, audits are not foolproof; continuous monitoring is essential post-launch.
👉 Explore proactive security solutions that protect your assets before an attack occurs.