Immunefi CEO Slams ’Willful Negligence’ After $27M Multisig Breach—Here’s Why Web3 Hacks Keep Happening
Another day, another eight-figure crypto heist. The latest? A $27 million multisig breach that has Immunefi's CEO pointing fingers at what he calls 'willful negligence' across the industry.
The Pattern Isn't Random
Forget sophisticated zero-day exploits. The root cause behind most major losses isn't some uncrackable cryptographic puzzle—it's human error, compounded by a culture that sometimes treats security as an afterthought. Multisig wallets, designed as a fortress, get compromised because the keys aren't managed like crown jewels. It's the digital equivalent of installing a vault door and then leaving the combination on a sticky note.
Security Theater vs. Real Defense
The gap between perceived safety and actual security is where attackers thrive. Teams check the 'multisig' box on their roadmap but skip the rigorous operational discipline it requires. Audits get treated as a one-time compliance hurdle, not a continuous process. The result? A predictable parade of preventable incidents that erode user trust faster than any bear market.
Building a Bulletproof Mindset
Fixing this requires more than just better code. It demands a fundamental shift in priorities—where security budgets rival marketing spends, and protocol architects think like attackers from day one. The tools for robust protection exist; the industry just needs the will to use them properly, every single time.
Until that happens, the digital gold rush will keep funding a parallel economy of sophisticated thieves. After all, in a space built on 'don't trust, verify,' some are still learning the hard way that the verification part is non-negotiable. Maybe they're too busy chasing the next ATH to read the fine print.
$27.3M Multisig Breach Exposes Persistent Operational Risks
The incident stemmed from a compromised private key tied to a whale’s multisig wallet, allowing attackers to siphon off roughly $27.3 million.
While multisignature wallets are widely viewed as an institutional-grade security standard, the breach shows how operational weaknesses — rather than smart contract flaws — remain one of the ecosystem’s most dangerous attack vectors. Private key mismanagement, phishing, and insider risk continue to undermine even sophisticated custody structures.
Crypto Losses Approach $90B as 2025 Attacks Accelerate
After more than 15 years of security efforts, the crypto industry has now lost nearly $90 billion to hacks and exploits. The pace of theft has accelerated sharply in recent months, reports Immunefi.
In November alone, more than $276 million was stolen, pushing total losses for 2025 beyond $9.1 billion. That means roughly 10% of all historical crypto losses have occurred within the past 12 months, highlighting a rapidly deteriorating threat landscape.
Immunefi CEO Says ‘Willful Negligence’ Is Fueling Web3 Hacks
Mitchell Amador, founder and CEO of Immunefi, a crowdsourced security platform safeguarding over $180 billion in digital assets, said the sector’s biggest vulnerability is not technical complexity but willful negligence.
“Crypto is facing a security reckoning,” Amador said. “As ecosystems scale, surging on-chain activity is colliding with shrinking post-deployment security budgets and an expanding, fast-moving attack surface.”
Amador notes that 99% of Web3 projects operate without basic firewalls while fewer than 10% deploy modern AI-driven security tools, leaving most protocols dangerously exposed after launch.
Post-Launch Vulnerabilities Drive Majority of 2025 Exploits
According to Amador, the majority of high-impact hacks this year did not result from failed audits. “Most hacks this year haven’t occurred due to poor audits,” he said. “They’ve happened after launch, during protocol upgrades, or through integration vulnerabilities — blind spots that audits alone can’t catch.”
The pattern reflects a broader shift in attacker behavior, targeting operational transitions rather than initial
Why Real-Time Lifecycle Security Must Replace Audit-Only Models
Amador argues the industry must abandon static, audit-centric security approaches in favor of continuous, automated, lifecycle security.
“On-chain security is simply not mature enough,” he said. “It’s still predicated on manual reviews and fragmented systems that prevent organizations from adapting their security posture in real time.”
While the technical solutions already exist, Amador explains that adoption has lagged — a gap that continues to expose billions of dollars in user and institutional funds.
As crypto scales into mainstream finance, the latest $27 million multisig breach may serve less as an isolated incident and more as a warning: without a fundamental shift in security culture, losses are likely to keep mounting faster than the industry’s defenses can evolve.
A crypto whale lost about $27.3M after a private key compromise let an attacker drain its multisig wallet and start laundering the funds on-chain.