This year’s defining security event was not a sophisticated DeFi exploit or a novel protocol failure, but the $1.46 billion theft from Bybit, a top-tier centralized exchange.
That single event, attributed to sophisticated state-sponsored actors, rewrote the narrative of the year. It proved that while the frequency of attacks has dropped, the severity of the damage has escalated to systemic levels.
Data from blockchain security firm SlowMist paints a picture of an industry under siege by professionalized, industrial-scale threats. There were approximately 200 security incidents across the ecosystem in 2025, roughly half the 410 recorded the previous year.
Yet, total losses climbed to about $2.935 billion, up significantly from $2.013 billion in 2024.
The math is unforgiving: the average loss per event more than doubled, rising from roughly $5 million to nearly $15 million.
This showed that attackers abandoned low-value targets to focus on deep liquidity and high-value centralized chokepoints.
State actors and the industrial supply chain
The escalation in value lost is directly linked to the changing profile of the attackers.
In 2025, the “lone wolf” hacker has largely been replaced or subsumed by organized crime syndicates and nation-state actors, most notably groups linked to the Democratic People’s Republic of Korea (DPRK).
These actors have shifted tactics from opportunistic, single-point exploits toward organized, multi-stage operations that target centralized services and rely on structured laundering processes.
Indeed, the breakdown of losses by sector confirms this pivot.
While DeFi protocols still absorbed the highest volume of hits, 126 incidents resulting in about $649 million in losses, centralized exchanges accounted for the bulk of capital destruction. Just 22 incidents involving centralized platforms produced roughly $1.809 billion in losses.
Supporting these high-level operators is an underground supply chain that functions with the efficiency of a commercial software ecosystem.
Models known as Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) have lowered the barrier to entry, allowing less skilled criminals to rent sophisticated infrastructure.
This industrialization extended to the “drainer” market, which are toolkits designed to empty wallets via phishing.
Although total drainer losses fell to about $83.85 million across 106,106 victims, representing an 83% drop in value from 2024, the sophistication of the tools matured.
SlowMist noted that organized cybercrime has learned to treat Web3 as a repeatable, reliable revenue stream.
Meanwhile, supply chain attacks also added a dangerous dimension to the threat landscape.
Malicious code inserted into software libraries, plugins, and development tools placed backdoors upstream from final applications, allowing criminals to compromise thousands of downstream users simultaneously.
Thus, high-privilege browser extensions became a favored vector. Once compromised, these tools converted user machines into silent collection points for seeds and private keys.
The pivot to social engineering and AI
As protocol security tightened, attackers shifted their focus from the code to the human behind the keyboard.
2025 demonstrated that a private key leak, an intercepted signature, or a poisoned software update is just as devastating as a complex on-chain arbitrage exploit.
The statistics reflect this parity: there were 56 smart contract exploits and 50 account compromises recorded during the year. The gap between technical risk and identity risk has effectively closed.
To breach these human defenses, criminals weaponized artificial intelligence.
During the year, the noticeable surge in synthetic text, voice, images, and video provided attackers with a cheap, scalable way to mimic customer support agents, project founders, recruiters, and journalists.
Also, deepfake calls and voice clones rendered traditional verification habits obsolete, increasing the success rate of social engineering campaigns.
At the same time, phishing campaigns evolved past simple malicious links into multi-stage operations.
Ponzi schemes adapted in parallel, shedding the naked “yield farm” aesthetics of the past for the veneer of institutional finance.
This resulted in new frauds masquerading as “blockchain finance” or “big data” platforms. These scams also utilized stablecoin deposits and multi-level referral structures to mimic legitimacy.
For context, projects like DGCX illustrated how classic pyramid schemes could operate behind the facade of professional dashboards and corporate branding.
Enforcement and the regulatory hammer
The scale of the year’s losses forced a decisive shift in regulatory behavior as regulatory authorities moved from theoretical debates about jurisdiction to direct, on-chain intervention.
As a result, their focus expanded beyond the entities themselves to the infrastructure that facilitates crime, including malware networks, dark web markets, and laundering hubs.
A prime example of this broadened scope was the pressure applied to the Huione Group, a conglomerate targeted by investigators for its role in facilitating laundering flows.
Similarly, platforms like Garantex faced continued enforcement actions, signaling that regulators are prepared to dismantle the financial plumbing used by cybercriminals.
Stablecoin issuers emerged as a critical component of this enforcement strategy, effectively acting as deputies in the effort to freeze stolen capital. Tether froze USDT on 576 Ethereum addresses, while Circle froze USDC on 214 addresses throughout the year.
These actions yielded tangible results. Across 18 major incidents, approximately $387 million of the $1.957 billion in stolen funds was frozen or recovered.
While a recovery rate of 13.2% remains modest, it represents a significant capability shift: the industry can now pause or reverse portions of criminal flows when compliant intermediaries sit within the transaction path.
Regulatory expectations have hardened accordingly. Robust Anti-Money Laundering (AML) and Know Your Customer (KYC) frameworks, tax transparency, and custody controls have moved from competitive advantages to baseline survival requirements.
Infrastructure providers, wallet developers, and bridge operators now find themselves inside the same regulatory blast radius as exchanges.
The solvency test and future landscape
The divergence between the Bybit hack and the FTX collapse offers the most critical lesson of 2025.
In 2022, the loss of customer funds exposed a hollow balance sheet and fraud, leading to immediate insolvency. In 2025, Bybit’s ability to absorb a $1.46 billion hit suggests that top-tier platforms have accumulated enough capital depth to treat massive security failures as survivable operational costs.
However, this resilience comes with a caveat, as the concentration of risk has never been higher. Attackers are now targeting centralized chokepoints, and state actors are dedicating immense resources to breaching them.
For builders and businesses, the era of “move fast and break things” is definitively over. Security and compliance are now thresholds for market access. Projects that cannot demonstrate strong key management, permission design, and credible AML frameworks will find themselves cut off from banking partners and users alike.
For investors and users, the lesson is stark: passive trust is a liability. The combination of AI-driven social engineering, supply chain poisoning, and industrial-scale hacking means that capital preservation now requires active, continuous vigilance.
2025 proved that while the crypto industry has built stronger walls, the enemies outside the gate have brought bigger battering rams.
