Crypto Hacks Cost Nearly $3 Billion in 2025, Despite Fewer Attacks
The cryptocurrency industry faced a paradoxical challenge in 2025, losing nearly $3 billion to hacks and exploits, a significant increase from the previous year. This alarming figure comes despite a notable reduction in the total number of security incidents, indicating a trend toward larger, more sophisticated, and more devastating attacks.
The Escalating Cost of Crypto Crime
A recent report by blockchain security firm SlowMist, supported by earlier data from Chainalysis, reveals that the crypto sector lost approximately $2.935 billion to malicious actors in 2025. This represents a substantial 46% surge in stolen funds compared to 2024's $2.013 billion. Curiously, this spike in monetary losses occurred alongside a 51% decrease in the number of reported incidents, with only 200 hacks in 2025, down from 410 the previous year. This stark contrast underscores a shift in attacker strategy, focusing on fewer but far more impactful exploits.
Deep Dive into Vulnerabilities and Attack Evolution
Decentralized Finance (DeFi) platforms remained the most frequent targets, accounting for 126 incidents, or 63% of all hacks, and approximately $649 million in losses. However, the largest single incident of the year impacted a Centralized Exchange (CEX), with Bybit's February hack resulting in an estimated $1.46 billion in stolen funds, contributing heavily to the $1.809 billion total lost by CEXs. Attack methodologies are also evolving, moving beyond simple phishing to complex chains involving permission hijacking, malicious code execution, supply-chain poisoning, and hybrid lure strategies, making detection increasingly challenging.
Regulatory Action and Path Forward
In response to the escalating threat, regulatory and law enforcement efforts worldwide have intensified, leading to direct interventions in cases of money laundering, fraud, and sanctions evasion within the crypto space. These actions have shown some success, with approximately $387 million of the $1.95 billion stolen in recoverable incidents successfully returned or frozen in 2025. SlowMist emphasizes that for the Web3 industry to achieve long-term resilience, organizations must prioritize stronger internal security controls, greater transparency in fund governance, and robust Know Your Customer (KYC) and Anti-Money Laundering (AML) capabilities.