- The amount lost in crypto thefts has doubled compared to the same period last year.
- The $1.4 billion Bybit hack accounts for a large portion of that increase.
- So-called access control attacks accounted for the biggest thefts for the third straight quarter.
Crypto hackers swiped a record $2 billion in the first three months of 2025 as an alarming tactic continues to gain ground among thieves.
They’re called access control attacks, and they accounted for a whopping 83% of theft over the first quarter, according to blockchain security firm Hacken, which broke down the findings in its latest Web3 security report.
The attacks, where hackers target infrastructure such as Amazon Web Services, came into focus as North Koreans used them to steal $1.4 billion from crypto exchange Bybit in February.
Stunned experts
The event stunned security experts — who say it was the largest financial heist ever and a national security emergency.
The attack highlighted the evolving sophistication of malicious actors able to thwart even advanced security remedies, like multi-signature wallets.
“We see these exploits often due to poor operational security practices within projects,” Yehor Rudytsia, an onchain security researcher at Hacken, told DL News.
Hackers use their access to a firm’s infrastructure to compromise its crypto wallets, stealing billions of dollars worth of assets in seconds.
Access control hacks targeting multi-signature wallets have quickly become the biggest cause of theft in the crypto industry.
It’s an alarming development — such wallets are designed to be more secure as they require multiple parties to greenlight transactions.
Compromised infrastructure
However, that extra security is void when hackers use compromised infrastructure to trick users into accepting malicious transactions that swipe crypto straight from wallets.
The $2 billion stolen since the start of 2025 marks a 96% increase in the amount stolen compared to the same period in the previous year.
The Bybit hack accounted for a large chunk of that number.
Smart contract vulnerabilities, which have previously been responsible for some of crypto’s biggest hacks, only accounted for 1.5% of all losses over the past quarter.
Unsafe wallets
Hacken found that for the past three consecutive quarters, the largest hacks were all caused by compromised multi-signature wallets involving Safe Wallet.
Safe Wallet is the most popular multi-signature wallet provider.
In October, DeFi protocol Radiant Capital lost $55 million after hackers targeted its Safe Wallet to authorise a malicious withdrawal.
In July, North Korean hackers used social engineering to gain control of one of Indian crypto exchange WazirX’s Safe Wallets, stealing $235 million.
“While this may give the impression that multi-sig wallets are a weak point, the reality is quite the opposite,” Hacken said in its report.
“This is a wake-up call to harden its design, implementation, and surrounding infrastructure.”
In the case of the Bybit hack, North Korean hackers compromised the web hosting behind Safe Wallet’s website.
They injected code designed to switch out a routine Bybit transaction for a malicious one sent by the hackers. The malicious transaction transferred control of Bybit’s wallet to the hackers.
In the aftermath, several crypto security researchers advised projects to update their infrastructure and alert users when a transaction has been swapped out for a malicious one.
One solution is to implement different transaction signatures that allow users to clearly see and verify the transaction details they are approving.
This would reduce the risk of blind-signing malicious transactions, Hacken said in its report.
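The verification step described above can be sketched as a check the signer runs on a separate machine: it compares the payload it was handed against the intended transaction and refuses anything it cannot decode. This is an added example, not code from Hacken, Safe or Bybit; the field names (to, value, data, operation) assume a Safe-style transaction, and all addresses and amounts are constructed.

```python
# Added example: a signer-side check run independently of the wallet's web UI.
# Field names follow Safe-style multisig transactions (assumption);
# every address and amount here is constructed.
ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)


def transfer_calldata(recipient, amount):
    """Build ERC-20 transfer calldata: selector + padded address + uint256."""
    return (ERC20_TRANSFER + bytes(12) + bytes.fromhex(recipient[2:])
            + amount.to_bytes(32, "big"))


def decode_call(data):
    """Turn calldata into fields a human can read, or mark it opaque."""
    if not data:
        return {"kind": "plain-transfer"}
    if data[:4] == ERC20_TRANSFER and len(data) == 68 and not any(data[4:16]):
        return {"kind": "erc20-transfer",
                "recipient": "0x" + data[16:36].hex(),
                "amount": int.from_bytes(data[36:68], "big")}
    return {"kind": "opaque", "selector": data[:4].hex()}


def review(intent, proposed):
    """Return reasons to refuse signing; empty means readable and as intended."""
    problems = []
    for field in ("to", "value", "operation"):
        if intent[field] != proposed[field]:
            problems.append(f"{field} differs: expected {intent[field]}, "
                            f"got {proposed[field]}")
    want, got = decode_call(intent["data"]), decode_call(proposed["data"])
    if got["kind"] == "opaque":
        problems.append(f"calldata is opaque (selector {got['selector']}): "
                        "signing it would be blind")
    elif want != got:
        problems.append(f"call differs: expected {want}, got {got}")
    return problems


TOKEN, PAYEE = "0x" + "aa" * 20, "0x" + "11" * 20
# What the operator meant to approve, recorded outside the web UI.
INTENT = {"to": TOKEN, "value": 0, "operation": 0,
          "data": transfer_calldata(PAYEE, 1000)}
# What reached the signer after the UI swapped the transaction (constructed).
SWAPPED = {"to": "0x" + "bb" * 20, "value": 0, "operation": 1,
           "data": bytes.fromhex("deadbeef") + bytes(32)}

if __name__ == "__main__":
    for reason in review(INTENT, SWAPPED):
        print("REFUSE:", reason)
```

The check only helps if the intended transaction is recorded through a channel the compromised web front end cannot alter.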
Laundering techniques
With such large amounts of crypto stolen, bad actors are experimenting with new ways to obfuscate where the stolen funds came from in order to eventually convert them into cash.
One emerging trend is hackers using leverage trading on decentralised perpetual futures exchanges to launder funds.
They do so by using stolen crypto to open large leveraged bets, then hedging those trades with corresponding opposite bets elsewhere using clean capital.
When the leveraged position gets liquidated, the stolen funds are effectively ‘lost.’
Meanwhile, the profit from the hedge remains with the clean capital, making the funds appear legitimate, Rudytsia said.
Another method involves mimicking terrible traders by intentionally losing funds to trading bots.
“By embedding the funds within what looks like normal DeFi arbitrage, attackers may bypass traditional detection models used by exchanges and compliance systems,” the report said.
Such advanced laundering methods are becoming necessary for bad actors, Rudytsia said, due to improved blockchain analytics tools and anti-money laundering features such as Railgun’s Private Proofs of Innocence.
Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.