Top White Hats Earning Millions in Web3 Vulnerability Hunting
Leading ethical hackers hunting for vulnerabilities in decentralized Web3 protocols are earning millions, well above the roughly $300,000 ceiling typical of traditional cybersecurity salaries.
“Our leaderboard shows researchers earning millions per year, compared to typical cybersecurity salaries of $150-300k,” said Mitchell Amador, co-founder and CEO of the bug bounty platform Immunefi, in an interview.
In the crypto space, the term “white hats” refers to ethical hackers who are compensated for identifying vulnerabilities in decentralized finance (DeFi) protocols. Unlike conventional salaried positions, these researchers have the freedom to select their targets, determine their work hours, and earn based on the significance of their discoveries.
To date, Immunefi has processed more than $120 million in payouts across thousands of submissions, and thirty researchers have already become millionaires through the platform.
“We’re protecting over $180 billion in total value locked across our programs,” Amador stated, noting that the platform offers rewards of up to 10% for critical bugs. “These million-dollar payouts illustrate the reality that many protocols risk tens or hundreds of millions from single vulnerabilities,” he added.
The largest single payout to a Web3 white hat amounted to $10 million, given to a hacker who identified a critical flaw in Wormhole’s crosschain bridge. Amador mentioned that this particular vulnerability could have resulted in billions being lost.
Despite the discovery of that vulnerability, Wormhole experienced a $321 million exploit on its Solana bridge in 2022, marking the largest crypto hack of the year. In February 2023, the Web3 infrastructure firm Jump Crypto, along with Oasis.app, executed a “counter exploit” against the Wormhole protocol hacker, successfully recovering a total of $225 million.
Amador disclosed that critical vulnerabilities yield the highest rewards. Top-tier researchers have earned between $1 million and $14 million, depending on the severity and nature of their findings. “These are the 100x hackers who can uncover vulnerabilities that others overlook,” he said.
While the early years of DeFi were marred by smart contract bugs, 2025 has seen a surge in “no-code” exploits such as social engineering, compromised keys, and lapses in operational security. Despite this shift, bridges remain the most profitable targets because of their crosschain complexity and the large amounts of funds they hold.
Patterns have emerged concerning the types of projects that are frequently breached. “DeFi protocols with substantial total value locked (TVL) and inadequate bounty programs are the most vulnerable,” Amador noted. He cautioned that early-stage teams rushing to market without proper security measures, as well as complacent established organizations, face heightened risks.
Recent Crypto Hack Trends
As previously reported, crypto-related hacks and scams caused $163 million in losses in August, a 15% increase over July’s $142 million. The overall number of incidents nevertheless declined, with 16 attacks recorded compared with 20 in June.
The majority of losses stemmed from two significant incidents: a $91 million social engineering scam targeting a Bitcoin user and a $50 million breach of the Turkish exchange, Btcturk.