Leading ethical hackers in Web3 are earning millions by identifying flaws in decentralized finance (DeFi) protocols, significantly exceeding the traditional cybersecurity salary limit of $300,000.
Mitchell Amador, co-founder and CEO of the bug bounty platform Immunefi, explained that some researchers on their leaderboard make millions annually, while conventional cybersecurity roles typically offer between $150,000 and $300,000.
In the crypto industry, “white hats” are ethical hackers who receive payments for responsibly reporting vulnerabilities in DeFi protocols. Unlike fixed corporate jobs, these professionals select their targets, manage their schedules, and earn rewards based on the significance of their discoveries.
Immunefi has processed over $120 million in payouts from thousands of vulnerability reports. So far, thirty white hats have become millionaires through these programs.
Amador emphasized that the platform safeguards assets worth over $180 billion locked across various programs. Critical bugs can earn bounties as high as 10% of the affected assets, reflecting the high stakes many protocols hold.
The highest single bug bounty reached $10 million, awarded to a white hat who discovered a critical vulnerability in Wormhole’s cross-chain bridge, potentially averting the loss of billions.
Despite this, Wormhole was exploited for $321 million in 2022, the largest crypto hack that year. In 2023, Web3 firms Jump Crypto and Oasis.app reclaimed $225 million through a counter-hack against the attacker.
Amador revealed that critical vulnerabilities yield the largest rewards, with top ethical hackers earning between $1 million and $14 million depending on the bug’s severity and reach. These elite hackers excel at uncovering issues others miss.
While early DeFi faced many smart contract bugs, 2025 has seen a rise in “no-code” exploits such as social engineering, key compromises, and operational security failures. Yet, bridges remain the primary high-value targets due to their complexity and the massive funds involved.
Common trends show that DeFi projects with significant total value locked (TVL) but weak bounty programs are especially vulnerable. Early-stage teams rushing to market and complacent established projects face increased security risks.
Crypto hackers stole $163 million in August 2025, marking a 15% increase over July’s losses, though overall attack frequency declined. Major losses included a $91 million social engineering scam and a $50 million breach of Turkish exchange Btcturk.