From Bybit to Coinbase, 2025 has shaped up as the most damaging year on record for crypto crime, with digital asset platforms collectively losing an estimated $2.72 billion to hackers, according to data from TRM Labs. After a brutal 2024, many hoped the worst was over. Instead, falling token prices, thinning liquidity, and mounting economic pressure created a perfect storm for increasingly sophisticated attackers.
The year’s defining moment came in February, when centralized exchange Bybit suffered what has been described as the largest single crypto exploit in history. North Korean state-linked hackers allegedly orchestrated a coordinated attack that drained roughly $1.5 billion in digital assets. Beyond the staggering dollar figure, the incident highlighted how well-resourced and methodical some threat actors have become: multiple wallets, layered obfuscation techniques, and rapid asset laundering across chains made the operation resemble a military campaign more than a simple heist.
That early catastrophe effectively set the tone for the rest of 2025. Analysts at TRM Labs characterized this year’s wave of intrusions as “even more organized and professionalized” than those of previous cycles. Attackers are no longer just opportunistic coders hunting for a bug bounty in disguise. Many now operate like full-fledged cybercrime enterprises: they specialize, they share tooling, they automate reconnaissance, and they rehearse complex chain-hopping strategies to move stolen funds before exchanges or investigators can react.
Major centralized platforms were not the only targets, but they remained the most visible. Coinbase, one of the industry’s largest and most heavily regulated exchanges, confirmed it was probing an incident that could ultimately account for losses of up to $400 million. While the exact mechanics and final damage tally are still being assessed, the very fact that such a well-capitalized, compliance-heavy institution could face a breach of that scale underlines an uncomfortable reality: there is no such thing as perfect security in crypto, only varying degrees of vulnerability.
Decentralized finance, long touted as “code is law,” continued to demonstrate that law can be rewritten by anyone who finds an overlooked edge case. Cetus Protocol, a DeFi platform focused on automated liquidity and trading infrastructure, saw about $223 million drained after attackers exploited smart contract logic. Whether via price oracle manipulation, permission bugs, or flawed upgrade mechanisms, sophisticated DeFi exploits showed that composability—a core strength of the ecosystem—remains a double-edged sword when one vulnerable contract can cascade risk across multiple interconnected protocols.
The damage was widespread geographically as well. Iranian exchange Nobitex reportedly lost around $90 million after what investigators described as a targeted intrusion against its hot wallet infrastructure. UPCX, another digital asset platform, was hit for roughly $70 million, while Turkish exchange BtcTurk suffered a breach that cost it close to $50 million. In South Korea, Upbit—already battle-tested by previous years’ incidents—faced yet another exploit, with attackers stealing about $36 million despite improved monitoring and incident response measures.
These headline cases only scratch the surface of 2025’s broader security crisis. Behind the mega-hacks are dozens of smaller incidents: rug pulls disguised as yield farms, governance token takeovers that allowed attackers to push malicious proposals, front-end compromises that quietly redirected user transactions to attacker-controlled addresses, and targeted phishing campaigns aimed at VIP clients, project founders, and even security engineers. Taken together, they form a picture of an ecosystem under sustained, multi-vector assault.
What stands out this year is the speed and coordination of attacks. TRM Labs experts note that once a vulnerability is identified—whether in an exchange’s infrastructure or in a DeFi contract—exploit execution and funds movement now often play out in minutes, not hours. Automated bots probe known codebases and forked protocols for misconfigurations. Attacker playbooks include pre-funded wallets across several chains, pre-arranged bridges, and mixers ready to receive inflows at a moment’s notice. The goal is simple: ensure that by the time a project notices abnormal withdrawals, the assets have already been atomized into dozens of addresses and swapped into harder-to-trace assets.
Another defining feature of 2025’s hacks is the blending of old-school social engineering with cutting-edge on-chain manipulation. Several incidents, including those involving well-known platforms, reportedly began not with a line of vulnerable Solidity code but with compromised credentials, spear-phishing emails, or poisoned software dependencies. Once inside an organization’s internal systems, attackers were able to bypass multi-signature protections by gradually escalating privileges or tricking human operators into approving seemingly routine transactions. This convergence of human and technical attack surfaces makes defense far more complex than simply “auditing the smart contracts.”
Regulatory pressure and compliance requirements, paradoxically, have also created new attack angles. Centralized exchanges, which are bound by strict know-your-customer and anti-money laundering policies, must maintain extensive customer databases and internal access layers. These rich data environments and permissioned control systems become attractive targets for hackers seeking not only funds but also identity data that can be resold or reused in future fraud. While no major identity breach on that front has yet rivaled the monetary exploits in size, security specialists warn that the line between “fund theft” and “data theft” is blurring in the digital asset world.
From an industry perspective, the 2025 hack wave is forcing uncomfortable conversations about risk, accountability, and user protection. Many retail investors still treat centralized exchanges like banks, assuming deposits are effectively guaranteed. Yet, unlike traditional finance, there is no universal deposit insurance framework for crypto. Some exchanges have established internal insurance funds or reimbursed users directly after major incidents, but those measures remain voluntary and uneven. Each new billion-dollar exploit raises questions about who ultimately bears the cost: users, platforms, token holders, or insurance providers—if they exist at all.
DeFi projects, meanwhile, are grappling with the limits of “use at your own risk” disclaimers. As protocols scale and begin to interface with traditional institutions, the tolerance for catastrophic losses diminishes. Some teams are responding by introducing circuit breakers, time-locked upgrades, and formal verification of core contracts. Others are working with specialized insurance protocols and auditors in an attempt to rebuild trust. Still, the sheer pace of innovation—new chains, new token standards, new interoperability layers—often outstrips the ability of security tools and auditors to keep up.
For individual users, 2025’s breaches deliver a stark set of lessons. Keeping all assets on an exchange, regardless of its brand strength, is no longer seen as prudent. The push toward self-custody of core holdings, combined with the use of hardware wallets and multi-signature setups, has intensified, especially among more experienced participants. At the same time, the complexity of doing self-custody safely—backups, seed phrase management, phishing awareness—remains a barrier for many, illustrating that the industry still hasn’t solved the usability–security trade-off.
On the technical front, the arms race is far from over. Attackers continue to explore bridge infrastructure, cross-chain communication layers, and restaking protocols as fresh hunting grounds. Defenders are responding with on-chain analytics, real-time anomaly detection, and collaborative incident response teams that can quickly flag suspicious flows across multiple platforms. But even the best tools are reactive by nature: they can mitigate damage and occasionally help recover funds, yet preventing the first breach still hinges on thorough design, rigorous testing, and a relentless security-first mindset.
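The pattern described earlier, withdrawals split across many fresh addresses within minutes, is what a hot-wallet circuit breaker with real-time anomaly checks is meant to interrupt. The following is an added example, not code from TRM Labs or any platform named in this article; the class name, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class OutflowBreaker:
    """Sliding-window circuit breaker for one hot wallet (all limits are assumed values)."""
    window_s: int = 300            # look-back window in seconds (5 minutes)
    max_amount: float = 500_000    # total outflow allowed per window, in USD
    max_new_dests: int = 10        # never-before-seen destinations allowed per window
    known: set = field(default_factory=set)        # destinations paid before
    recent: deque = field(default_factory=deque)   # (ts, amount, was_new) of allowed sends
    tripped: bool = False

    def check(self, ts, dest, amount):
        """Return (allowed, reason). Once tripped, stay open until an operator resets it."""
        if self.tripped:
            return False, "breaker open"
        while self.recent and self.recent[0][0] <= ts - self.window_s:
            self.recent.popleft()                  # forget events outside the window
        is_new = dest not in self.known
        total = amount + sum(a for _, a, _ in self.recent)
        new_dests = int(is_new) + sum(n for _, _, n in self.recent)
        if total > self.max_amount:
            self.tripped = True
            return False, f"velocity: {total:.0f} in {self.window_s}s"
        if new_dests > self.max_new_dests:
            self.tripped = True
            return False, f"fan-out: {new_dests} new destinations"
        self.recent.append((ts, amount, is_new))
        self.known.add(dest)
        return True, "ok"

def replay(events, breaker):
    """Run (ts, dest, amount) events through the breaker and return every decision."""
    return [breaker.check(*e) for e in events]

# Constructed sample: ordinary customer withdrawals, then a rapid burst of
# mid-sized transfers to fresh addresses, each one small enough to pass a per-transfer cap.
NORMAL = [(0, "cust-a", 1_200), (400, "cust-b", 800), (900, "cust-a", 2_000)]
BURST = [(1000 + 5 * i, f"fresh-{i}", 9_000) for i in range(15)]

if __name__ == "__main__":
    for event, decision in zip(NORMAL + BURST, replay(NORMAL + BURST, OutflowBreaker())):
        print(event, decision)
```

In this replay the burst never reaches the amount limit; the count of new destinations is what opens the breaker, which is why fan-out is tracked separately from value.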
Looking back across this year’s major incidents—from the $1.5 billion Bybit disaster and the high-stakes Coinbase probe to the Cetus Protocol exploit and the series of regional exchange breaches—the message to the market is blunt: systemic risk in crypto has not gone away; it has evolved. As long as billions of dollars in liquid, permissionless assets can be moved with a few clicks or a single signed transaction, the incentive for attackers will remain enormous. Whether 2026 becomes a turning point toward more resilient infrastructure or simply the next chapter in escalating crypto heists will depend on how seriously builders, exchanges, and users treat the hard lessons of 2025.

