Cryptocurrency investors have experienced significant losses in the first half of 2025, with approximately $2.5 billion lost to hacks, scams, and exploits. This figure, reported by blockchain security firm CertiK, surpasses the total losses recorded in all of 2024, which amounted to $2.42 billion. CertiK's "Hack3d: Web3 Security Report for Q2 + H1 2025" highlights a shifting threat environment where wallet compromises and phishing attacks have become the most prevalent dangers.
The report indicates that most of the stolen funds were lost through compromised crypto wallets, which accounted for over $1.7 billion across 34 incidents. Phishing attacks followed, siphoning more than $410 million in 132 cases. Code vulnerabilities led to losses exceeding $283 million across 114 incidents. While less frequent, exit scams and price manipulation resulted in combined losses of nearly $20 million. Access control exploits accounted for $42 million in damages.
A significant portion of the total losses, around 72% or $1.78 billion, stemmed from two large-scale incidents: the Bybit hack in Q1 and the Cetus Protocol exploit in Q2. The Bybit hack in February, suspected to be carried out by the North Korean state actor Lazarus Group, involved the theft of over $1.5 billion in liquid-staked ETH and MegaETH, making it the largest single exploit of 2025. The Cetus Protocol incident in May resulted in a loss of approximately $225 million due to a smart contract flaw. However, Sui validators managed to freeze and return $162 million of the stolen assets following a governance proposal for user repayment. Excluding these two major incidents, the total losses for the first half of 2025 would be around $690 million.
While the pace of attacks slowed significantly in the second quarter, several major incidents still contributed to substantial losses. Q1 of 2025 accounted for $1.67 billion in losses, more than double Q2's $801 million. Phishing was the most widespread attack vector in Q2, accounting for over $395 million in losses across 52 incidents. Code vulnerabilities and access control weaknesses followed, resulting in losses of $235.7 million and $36.1 million, respectively. Wallet compromises, which had dominated Q1, caused $112 million in losses from 9 incidents in Q2.
Ethereum was the most targeted blockchain, suffering losses of more than $1.58 billion across 164 incidents. Bitcoin came in second, with over $373 million lost across 10 incidents.
Despite the scale of attacks, some funds were recovered. CertiK reported that $187 million was returned to victims through law enforcement action, whitehat efforts, and exchange cooperation. Of this, $180 million was recovered in Q2 alone. After accounting for assets that were eventually returned or frozen by trading platforms, the total net loss for the first half of 2025 is a slightly lower $2.29 billion, still up from the $1.98 billion that CertiK estimated was stolen last year.
CertiK urges users to be cautious, double-check URLs, avoid suspicious links, and use hardware wallets for storage. The report underscores the ongoing challenges faced by the crypto market in securing its assets and protecting against various forms of cyber threats.