Top white hats hunting vulnerabilities across decentralized protocols in Web3 are earning millions, dwarfing the $300,000 salary ceiling in traditional cybersecurity roles.
“Our leaderboard shows researchers earning millions per year, compared to typical cybersecurity salaries of $150-300k,” Mitchell Amador, co-founder and CEO of bug bounty platform Immunefi, told Cointelegraph.
In crypto, “white hats” refers to ethical hackers paid to disclose vulnerabilities in decentralized finance (DeFi) protocols. Unlike salaried corporate roles, these researchers choose their targets, set their own hours and earn based on the impact of what they find.
So far, Immunefi has facilitated more than $120 million in payouts across thousands of reports. Thirty researchers have already become millionaires.
“We’re protecting over $180 billion in total value locked across our programs,” Amador said, adding that the platform offers bounties of up to 10% for critical bugs. “These million-dollar payouts reflect the reality that many protocols have tens or hundreds of millions at stake from single vulnerabilities,” he said.
Related: New ModStealer malware targets crypto wallets across operating systems
$10 million bug bounty saved billions
The largest single payout to a Web3 white hat was $10 million, awarded to a hacker who found a fatal flaw in Wormhole’s crosschain bridge. Amador said that vulnerability could have vaporized billions.
Despite that vulnerability being uncovered, Wormhole suffered a $321 million exploit on its Solana bridge in 2022, the largest crypto hack of the year. In Feb. 2023, Web3 infrastructure firm Jump Crypto and Oasis.app conducted a “counter exploit” on the Wormhole protocol hacker, clawing back a total of $225 million.
Amador revealed that critical vulnerabilities account for the biggest rewards. Top researchers have pulled in between $1 million and $14 million, depending on the severity and scope of their findings. “These are the 100x hackers who can find vulnerabilities others miss,” he said.
While the early years of DeFi were plagued by smart contract bugs, 2025 has seen a rise in “no-code” exploits like social engineering, compromised keys, and lapses in operational security. Despite that shift, bridges remain the most lucrative targets due to their crosschain complexity and the vast sums they secure.
Patterns have emerged in the types of projects that get breached most often. “DeFi protocols handling significant TVL and lacking strong bounty programs are the most exposed,” Amador said. He warned that early-stage teams rushing to market without security measures, as well as complacent established players, carry elevated risks.
Related: DeFi whale loses $40M as Kinto winds down and SwissBorg suffers hack: Finance Redefined
Crypto hackers stole $163 million in August
As Cointelegraph reported, crypto-related hacks and scams hit $163 million in losses in August, a 15% rise from July’s $142 million. Despite the spike, overall incidents trended downward, with only 16 attacks recorded compared to 20 in June.
The majority of losses came from two major incidents. These include a $91 million social engineering scam targeting a Bitcoiner and a $50 million breach of Turkish exchange Btcturk.
Magazine: Meet the Ethereum and Polkadot co-founder who wasn’t in Time Magazine
