Crypto hacks in 2025 and early 2026 exceeded every prior annual record by dollar value, with losses reaching as high as $3.4 billion across a landscape of smart-contract bugs, supply-chain compromises, oracle manipulation, key theft, and politically motivated sabotage that together exposed how concentrated trust points — not just bad code — remain the industry's most dangerous vulnerability.
The State of Crypto Hacks in 2025–2026
The numbers are hard to dispute, though they vary by methodology.
Chainalysis estimated that total crypto theft in 2025 reached $3.4 billion, making it the worst year on record. TRM Labs and TechCrunch separately reported a figure of $2.7 billion. CertiK published its H1 2025 tally at $2.47 billion across 344 incidents, already exceeding the full-year 2024 total of $1.98 billion in net losses.
For context, TRM Labs had calculated that $2.2 billion was stolen across all of 2024. That means the first six months of 2025 alone surpassed the entire previous year.
What makes this stretch distinctive is not the number of incidents. It is the concentration.
Immunefi reported that Q1 2025 was the worst quarter for crypto hacks in history, with $1.64 billion lost across just 40 events — a 4.7x increase over Q1 2024. Two incidents alone, Bybit and Cetus, accounted for roughly $1.78 billion, or 72 percent of CertiK's H1 total.
The categories of attack have not changed much. Smart-contract exploits, oracle manipulation, private key compromise, exchange operational failures, and state-sponsored cyberattacks are all present. What changed is scale. The average hack size doubled in H1 2025 compared to the same period a year earlier, and the damage became heavily top-loaded into a handful of catastrophic events.
The thread connecting the worst cases below is not complexity. It is trust — concentrated in single keys, single vendors, single governance structures, or single liquidity venues.
Resolv: How an Unbacked Mint Turned a Stablecoin Into a Balance-Sheet Crisis
On Mar. 22, 2026, an attacker compromised a privileged private key stored in Resolv's AWS Key Management Service, then used it to authorize two massively inflated minting operations on the protocol's USR stablecoin.
The first created 50 million USR against a deposit of roughly $100,000 in USDC (USDC). The second minted another 30 million.
In total, approximately 80 million unbacked tokens entered circulation. The minting key was a single externally owned account — not a multisig — and the contract lacked maximum mint limits, oracle checks, or amount validation.
The attacker converted minted USR through wstUSR and stablecoins into approximately 11,400 Ether (ETH), worth roughly $24 million to $25 million. USR's price crashed to as low as $0.025 on Curve Finance within 17 minutes — a 97.5 percent drop.
What makes stablecoin exploits particularly damaging is that they instantly expose whether collateral backing is real or fragile.
The protocol's original collateral pool of roughly $95 million remained technically intact, but with 80 million new unbacked tokens in circulation, Resolv was left with approximately $95 million in assets against roughly $173 million in liabilities. DeFi protocols including Aave, Morpho, Euler, Venus, and Fluid took precautionary steps to isolate their exposure.
The chain reaction — exploit, forced selling, depeg, liability gap, panic — played out in less than a day.
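As an added illustration, not Resolv's code, the first contract below has the shape the passage describes (a single minting key, no mint limit, no amount validation, nothing tying the minted amount to collateral), and the second shows a hardened mint path. It assumes a 6-decimal USD stablecoin as the sole collateral at a fixed 1:1 peg, so no price feed is needed; all contract and variable names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Vulnerable shape (illustrative, not Resolv's code): one key mints any amount, and
/// nothing ties `amount` to collateral actually received.
contract UnbackedStable {
    address public minter;                   // a single externally owned account
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    constructor(address _minter) { minter = _minter; }
    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        totalSupply += amount;               // 50M tokens against $100k of deposits passes here
        balanceOf[to] += amount;
    }
}

/// Hardened shape: the caller supplies collateral, not a token amount; the minted amount is
/// derived from collateral pulled in, capped per transaction and in total, gated on a
/// multisig-controlled address, and checked against a backing invariant after every mint.
contract BackedStable {
    IERC20 public immutable collateral;      // assumed 6-decimal USD stablecoin, 1:1 backing
    address public immutable minterMultisig; // a multisig, never a single EOA
    uint256 public immutable maxMintPerTx;   // 18-decimal units
    uint256 public immutable supplyCap;      // 18-decimal units
    uint256 public totalSupply;
    uint256 public totalCollateral;          // 6-decimal units
    mapping(address => uint256) public balanceOf;
    constructor(IERC20 c, address m, uint256 perTx, uint256 cap) {
        collateral = c; minterMultisig = m; maxMintPerTx = perTx; supplyCap = cap;
    }
    function mint(address to, uint256 collateralIn) external {
        require(msg.sender == minterMultisig, "not minter");
        require(collateralIn > 0, "zero deposit");
        // Pull collateral first: minting X tokens requires X dollars to actually arrive.
        require(collateral.transferFrom(msg.sender, address(this), collateralIn), "transfer failed");
        uint256 amount = collateralIn * 1e12;  // 6 -> 18 decimals at a fixed 1:1 peg
        require(amount <= maxMintPerTx, "exceeds per-tx mint limit");
        require(totalSupply + amount <= supplyCap, "exceeds supply cap");
        totalCollateral += collateralIn;
        totalSupply += amount;
        balanceOf[to] += amount;
        assert(totalSupply == totalCollateral * 1e12); // backing invariant holds after every mint
    }
}
```

With the hardened shape, a compromised minting key can still mint, but only up to the per-transaction and total caps and only in exchange for collateral that actually lands in the contract, which is the difference between a bounded incident and an 80 million token liability gap.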
Bybit: The $1.5B Mega-Breach That Defined the Year
No single event in the history of cryptocurrency theft compares in dollar terms to what happened to Bybit on Feb. 21, 2025.
On-chain investigator ZachXBT first flagged suspicious outflows of more than $1.46 billion from the exchange's Ethereum (ETH) cold wallet. The FBI later attributed the theft to North Korea's TraderTraitor cluster, part of the Lazarus Group, and pegged the figure at approximately $1.5 billion.
Around 401,347 ETH was stolen. That exceeded the combined totals of the Ronin Network and Poly Network hacks, previously the two largest in crypto history.
The breach was not a failure of Bybit's own code. Forensic investigations by Sygnia and Verichains traced the root cause to a supply-chain compromise of Safe{Wallet}, a third-party multisig platform. Attackers compromised a Safe developer's macOS workstation as early as Feb. 4, stole AWS session tokens, and on Feb. 19 injected malicious JavaScript into the Safe web interface.
The code activated only when Bybit's specific Ethereum cold wallet initiated a transaction. Three of six multisig signers approved the transaction without detecting the manipulation.
Bybit CEO Ben Zhou confirmed the exchange remained solvent, backed by pre-hack reserves exceeding $16 billion. Within 72 hours, Bybit replenished its ETH reserves through emergency loans from Galaxy Digital, FalconX, Wintermute, and Bitget. But by March 20, roughly 86 percent of stolen ETH had been converted to Bitcoin (BTC) across nearly 7,000 wallets.
The lesson is straightforward. One venue, one breach, one event — and the annual industry loss profile shifts entirely. Some of the worst crypto failures happen where users assume scale equals safety.
Cetus on Sui: How a $223M Exploit Froze a Flagship DEX
In May 2025, Cetus, the largest decentralized exchange on the Sui (SUI) network, was hit by an exploit that drained roughly $223 million from its liquidity pools. The root cause was an integer overflow bug in the protocol's concentrated liquidity math library.
A function compared values against a threshold that was off by one bit, allowing the attacker to deposit a single token but receive liquidity positions worth millions.
Sui validators took the extraordinary step of freezing approximately $162 million of stolen funds on-chain, a move approved by governance vote with 90.9 percent support. Approximately $60 million had already been bridged to Ethereum before the freeze.
Cetus resumed operations after a 17-day outage, refilling pools with recovered funds, $7 million from its cash reserves, and a $30 million USDC loan from the Sui Foundation.
When a flagship liquidity venue breaks, the entire chain's credibility takes a hit. Token prices, chain reputation, user confidence, and the need for emergency intervention by ecosystem actors — the blast radius extends far beyond the protocol itself.
GMX: Why a Top Perpetuals Venue Still Lost More Than $42M
In Jul. 2025, GMX was exploited for more than $42 million through a cross-contract reentrancy vulnerability in its V1 deployment on Arbitrum. The function responsible for executing decrease orders accepted a smart contract address as a parameter instead of requiring a standard wallet.
During the ETH refund step, execution passed to the attacker's malicious contract, enabling reentrancy that manipulated internal pricing data to roughly 57 times below the actual market price.
GMX offered a 10 percent white-hat bounty, worth approximately $5 million, with a 48-hour deadline and a threat of legal action. The attacker returned approximately $37.5 million to $40.5 million in tranches, retaining the bounty. GMX later completed a $44 million compensation plan for affected GLP holders.
The fact that funds were returned does not mean the system worked. White-hat framing, bounty offers, and partial recovery can soften the market reaction without removing the underlying security failure.
Ironically, the vulnerability had been introduced during a 2022 fix for a previous bug. GMX V2 was unaffected.
Nobitex: When a Crypto Hack Becomes Geopolitical Warfare
In Jun. 2025, Nobitex, Iran's largest cryptocurrency exchange, was hacked for approximately $90 million across multiple blockchains including Bitcoin (BTC), Ethereum, Dogecoin (DOGE), XRP (XRP), Solana (SOL), Tron (TRX), and TON (TON).
The pro-Israel hacker group Gonjeshke Darande, also known as Predatory Sparrow, claimed responsibility.
The attack took place during active Israel-Iran military hostilities.
This was not a financially motivated theft. Stolen funds were sent to vanity burner addresses containing anti-IRGC messages with no recoverable private keys — effectively burning $90 million as a political statement.
The next day, the attackers publicly released Nobitex's entire source code, infrastructure documentation, and internal privacy R&D.
Some crypto hacks are not profit-maximizing attacks at all. They are sabotage, signaling, or cyberwarfare. That makes them different from protocol exploits in practically every dimension: motivation, method, aftermath, and the impossibility of recovery. Nobitex reported a partial resumption of operations afterward, but incoming transaction volumes dropped more than 70 percent year-over-year in early July.
Abracadabra: The Exploit That Hit DeFi Borrowing Through GMX-Linked Cauldrons
On Mar. 25, 2025, an attacker drained approximately 6,260 ETH — worth about $13 million — from Abracadabra Finance's lending markets, known as cauldrons. The targeted cauldrons used GMX V2 liquidity pool tokens as collateral, and the exploit relied on a flash-loan-assisted self-liquidation technique that took advantage of state tracking errors within the gmCauldron contracts.
Stolen funds were bridged from Arbitrum to Ethereum. PeckShield was among the first security firms to flag the incident. GMX confirmed its own contracts were not affected.
Abracadabra offered a 20 percent bug bounty. This was the protocol's second major hack; a $6.49 million exploit had hit Abracadabra in January 2024.
The episode illustrates composability risk. A protocol may look secure on its own but become vulnerable through integrations and dependencies.
For DeFi users, what sits under the hood — which collateral types a protocol accepts, which external contracts it calls — matters more than the top-level brand they deposit into.
Hyperliquid and JELLY: Market-Structure Drama and Centralization Questions
On Mar. 26, 2025, an attacker opened a $4.1 million short position on the illiquid JELLY memecoin on Hyperliquid, alongside two offsetting long positions, then pumped the token's spot price by more than 400 percent.
When the short was liquidated, Hyperliquid's automated HLP vault inherited the underwater position, and the vault's unrealized losses reached approximately $13.5 million.
Hyperliquid's validators then force-closed all JELLY positions, settling at the attacker's original short entry of $0.0095 rather than the $0.50 that external oracles were reporting.
The maneuver was executed within two minutes and revealed that the protocol relied on only four validators per set.
The scandal here is not just the loss.
Bitget CEO Gracy Chen publicly called Hyperliquid "FTX 2.0." The protocol's total value locked collapsed from $540 million to $150 million in the following month, and the HYPE token fell 20 percent. Hyperliquid later upgraded to on-chain validator voting for asset delisting decisions.
What happens when a decentralized venue acts centrally in a crisis? That question matters even when the dollar loss is smaller than the biggest breaches: the episode exposed a credibility fault line.
Meta Pool: Infinite Mint Risk and Why Low Liquidity Can Mask a Bigger Bug
In Jun. 2025, Meta Pool suffered a smart-contract exploit that allowed an attacker to mint 9,705 mpETH — worth approximately $27 million — without depositing any ETH collateral.
The vulnerability sat in the ERC-4626 mint function. The attacker bypassed the normal cooldown period through the protocol's fast unstake functionality.
But the realized loss was only around $132,000. Thin liquidity in the relevant Uniswap swap pools meant the attacker could extract only 52.5 ETH.
An MEV bot front-ran part of the attack, extracting roughly 90 ETH in liquidity that was later returned to the protocol. The 913 ETH originally staked by users remained safe with SSV Network operators.
Sometimes the bug is far worse than the realized loss. The exploit path in this case implied catastrophic theoretical damage, but poor liquidity capped extraction. That distinction matters for anyone evaluating DeFi risk, and it gives this case more depth than a simple ranking by dollar losses would suggest.
Cork Protocol: a16z-Backed, Still Exploited
On May 28, 2025, Cork Protocol was exploited for approximately $12 million. The attacker extracted 3,761 wstETH by exploiting flaws in the Cork Hook's beforeSwap logic and missing access controls.
The root cause was a lack of input validation combined with permissionless market creation without guard rails, which allowed the attacker to create a fake market using a legitimate DS token as the redemption asset.
Cork had received investments from a16z crypto and OrangeDAO in September 2024.
The takeaway is simple. Institutional investors, top-tier venture capital backing, and polished branding do not eliminate technical risk. Readers should not confuse fundraising quality with protocol safety, and audits — however thorough — are not guarantees. All contracts were immediately paused after detection, but the money was gone.
KiloEx: Oracle Manipulation as a Recurring DeFi Weakness
In Apr. 2025, KiloEx lost approximately $7 million to $7.5 million across Base, opBNB, and BNB Smart Chain after an attacker exploited an access-control vulnerability in the platform's MinimalForwarder contract. The flaw allowed anyone to call price-setting functions.
The attacker manipulated the oracle to report an absurdly low price for ETH — $100 — when opening leveraged positions, then closed at $10,000.
KiloEx offered a 10 percent white-hat bounty of $750,000. Four days later, the attacker returned all stolen funds, and KiloEx announced it would not pursue legal action.
The platform resumed after a 10-day pause and published a compensation plan for users whose trades remained open during the outage.
This is the cleanest case for explaining oracle risk. Bad pricing data can let attackers open and close positions at false values. Many exploits marketed as sophisticated are still built on old primitives — bad price feeds, predictable assumptions, poor validation. Oracle manipulation remains one of DeFi's most persistent weaknesses.
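An added illustration, not KiloEx's code, of the gap described above and a guarded alternative: the first feed treats "the call came through the forwarder" as authorization, so anyone who can submit a meta-transaction can set prices; the second recovers the relayed sender in ERC-2771 fashion, requires it to be a registered keeper, and bounds how far a single update may move the price. Contract names, the keeper registry and the 10 percent bound are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Vulnerable shape (illustrative, not KiloEx's code): the feed accepts any call that
/// arrives via the forwarder, and anyone can submit a meta-transaction to a forwarder.
contract OpenPriceFeed {
    address public immutable forwarder;
    mapping(bytes32 => uint256) public price;
    constructor(address _forwarder) { forwarder = _forwarder; }

    function setPrice(bytes32 market, uint256 newPrice) external {
        require(msg.sender == forwarder, "only via forwarder"); // not an authorization check
        price[market] = newPrice;
    }
}

/// Hardened shape: recover the original signer that an ERC-2771-style forwarder appends
/// to calldata, require it to be a registered keeper, and bound how far a single update
/// may move the price so one bad update cannot take ETH from $100 to $10,000.
contract GuardedPriceFeed {
    address public immutable forwarder;
    mapping(address => bool) public isKeeper;
    mapping(bytes32 => uint256) public price;
    uint256 public constant MAX_MOVE_BPS = 1_000; // 10% per update; illustrative bound
    constructor(address _forwarder, address[] memory keepers) {
        forwarder = _forwarder;
        for (uint256 i = 0; i < keepers.length; i++) isKeeper[keepers[i]] = true;
    }

    // ERC-2771: the trusted forwarder appends the original sender's 20 bytes to calldata.
    function _msgSender() internal view returns (address sender) {
        if (msg.sender == forwarder && msg.data.length >= 20) {
            assembly { sender := shr(96, calldataload(sub(calldatasize(), 20))) }
        } else {
            sender = msg.sender;
        }
    }

    function setPrice(bytes32 market, uint256 newPrice) external {
        require(isKeeper[_msgSender()], "not an authorized keeper");
        require(newPrice > 0, "zero price");
        uint256 last = price[market];
        if (last != 0) { // first observation seeds the feed; later ones are bounded
            uint256 maxDelta = last * MAX_MOVE_BPS / 10_000;
            require(newPrice <= last + maxDelta && newPrice + maxDelta >= last, "move exceeds bound");
        }
        price[market] = newPrice;
    }
}
```

The deviation bound is a second, independent layer: even if the keeper check were bypassed, a single update could not move a $2,000 ETH price to $100, and a monitoring system alerting on rejected updates would see the attempt.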
What the Pattern Reveals
The 10 cases above are different in mechanism, scale, and motive. But they share a structural pattern.
The most financially devastating incidents — Bybit and Resolv — were not caused by on-chain bugs at all. They were infrastructure-level failures: a compromised developer machine in one case, a single unguarded minting key stored in cloud infrastructure in the other. The damage in both cases was catastrophic specifically because centralized trust points existed where users assumed they did not.
Protocol-level exploits like Cetus and GMX did involve code bugs, but the blast radius was determined by governance responses — whether validators could freeze funds, whether bounty negotiations succeeded, and whether ecosystem actors stepped in with emergency financing.
Nobitex was not a protocol exploit in any meaningful sense; it was an act of geopolitical sabotage.
The overall picture is not encouraging. Fewer incidents do not mean less damage. Average severity is increasing. North Korea alone accounted for more than $2 billion in 2025 theft, a 51 percent year-over-year increase.
The security perimeter that matters most in crypto has shifted from on-chain logic to off-chain infrastructure, key management, and human operational security.
For retail users, token investors, and protocol teams alike, the data suggests the same conclusion. The question is no longer whether a protocol's smart contracts have been audited. The question is where the concentrated trust sits — and what happens when it breaks.