4 hours ago
671
In 2025, crypto exploits started off slow, but ended up accumulating a record sum of over $4B. Based on PeckShield alert data, the year set a new record and a shift in the types of exploits.
Crypto exploits and hacks accelerated in 2025, leading to a record-breaking year for crypto theft. The past 12 months were marked by highly directed attacks against systemic vulnerabilities on both centralized exchanges and smart contract protocols.
The other approach to stealing crypto included malware, social engineering, and targeting individual holders.
PeckShield estimates the total losses for the past year at $4.04B, up 34.2% year-on-year. For 2024, the final estimate was for $3.01B in losses. The biggest addition to the 2025 bottom line was the Bybit hack, which led to over $1.4B in losses, mostly from ETH thefts.
In total, crypto hacks stole $2.67B, rising by 24.2%. The rise in scams was even more dramatic, stealing $1.37B, up 64.2% against the previous year. Tracking and freezing tokens managed to salvage only $334.9M, down from $488.5M in 2024.
North Korea takes up to 52% of the Web3 haul
DPRK hackers continued targeting Web3 projects, taking 52% of the haul from those types of projects, based on Hacken’s data. DeFi exploits accelerated significantly in the second half of 2025, with attacks against new DEXs. This time around, there were fewer bridging attacks, as bridges were not as important to ecosystems.
Crypto exploits were more diverse in 2025, with a high share of access control attacks. | Source: Hacken.
DeFi exploits in 2025 could rely on much more robust systems to swap or hide funds. Tornado Cash remained the go-to mixed for ETH, while hackers also relied on standard DEX routing to quickly swap funds.
Smart contract vulnerabilities made up around 12.8% of all exploits, and the theft depended on the amount of value locked in various protocols. Even small vaults or contracts were targeted when a known and relatively easy vulnerability was spotted, as some of the Web3 projects were cloned from previous contracts.
Crypto exploits target Web3 developer teams
Instead of broad attacks with malicious links, threat actors are targeting high-value wallet holders directly. Web3 teams are often selected for access to high-value vaults and token wallets.
One of the recent vectors of attack is legitimate-sounding projects, which then set out ads to hire Web3 developers. The interviewing process then relies on malware to infect both personal and corporate computers, gaining access to wallets.
The malware is usually downloaded through a legitimate meeting link, allowing it to access existing private keys on the infected machine.
The attackers can often access the machines of Web3 projects or exchanges, gaining access to wallets or admin rights to change smart contracts.
Access control was one of the major sources of exploits, with up to 53% of hacks ascribed to some form of direct access to multisig wallets. The remaining thefts depended on user error, as well as smart contract vulnerabilities, especially unauthorized DeFi token mints, withdrawals, or bridging.
The first big hack for 2026, on TrueBit protocol, used a similar model, where the hacker minted and withdrew unauthorized amounts of tokens, stealing up to $26M.
Claim your free seat in an exclusive crypto trading community - limited to 1,000 members.
English (US)