This year’s defining security event was not a sophisticated DeFi exploit or a new protocol failure, but the theft of $1.46 billion from Bybit, a leading centralized exchange.
This single event, attributed to sophisticated state-sponsored actors, rewrote the narrative of the year. It proved that although the frequency of attacks has decreased, the severity of the damage has reached systemic levels.
Data from blockchain security firm SlowMist paints a picture of an industry besieged by professionalized threats on an industrial scale. There were around 200 security incidents in the ecosystem in 2025, about half of the 410 recorded the previous year.
Still, total losses climbed to about $2.935 billion, up significantly from $2.013 billion in 2024.

The math is merciless: the average loss per event has more than doubled, from about $5 million to nearly $15 million.
This shows that attackers have abandoned low-value targets to focus on large pools of liquidity and high-value centralized choke points.
State actors and the industrial supply chain
The escalation of lost value is directly linked to the evolution of the attacker profile.
By 2025, the “lone wolf” hacker had largely been replaced or subsumed by organized crime syndicates and state actors, including groups linked to the Democratic People’s Republic of Korea (DPRK).
These actors have changed their tactics, moving from one-off opportunistic exploits to organized, multi-stage operations that target centralized services and rely on structured laundering processes.
Indeed, the distribution of losses by sector confirms this pivot.
While DeFi protocols still absorbed the highest number of hits, with 126 incidents resulting in approximately $649 million in losses, centralized exchanges accounted for the bulk of the capital destruction. Just 22 incidents involving centralized platforms generated losses of approximately $1.809 billion.


These high-level operators are supported by an underground supply chain that operates with the efficiency of a commercial software ecosystem.
Models known as Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) have lowered the barriers to entry, allowing less skilled criminals to rent sophisticated infrastructure.
This industrialization has extended to the market for “drainers”, toolkits designed to empty wallets via phishing.
Although total drainer losses fell to approximately $83.85 million, taken from 106,106 victims and representing an 83% decline in value from 2024, the tools themselves have grown more sophisticated.


SlowMist noted that organized cybercrime has learned to treat Web3 as a repeatable and reliable source of revenue.
At the same time, supply chain attacks have also added a dangerous dimension to the threat landscape.
Malicious code inserted into software libraries, plugins, and developer tools places backdoors upstream of end applications, allowing criminals to compromise thousands of downstream users simultaneously.
High-privilege browser extensions have become a favored vector. Once compromised, these tools convert user machines into silent collection points for seeds and private keys.
The pivot of social engineering and AI
As protocol security strengthened, attackers shifted their focus from the code to the human behind the keyboard.
2025 demonstrated that a private key leak, intercepted signature, or poisoned software update is just as devastating as a complex on-chain arbitrage exploit.
The statistics reflect this parity: 56 smart contract exploits and 50 account compromises were recorded during the year. The gap between technical risk and identity risk has indeed narrowed.


To break down these human defenses, criminals have used artificial intelligence as a weapon.
Over the year, the notable increase in synthetic text, voice, images, and video has provided attackers with a low-cost, scalable way to impersonate customer support agents, project founders, recruiters, and journalists.
Additionally, fake calls and voice clones have made traditional verification habits obsolete, increasing the success rate of social engineering campaigns.
At the same time, phishing campaigns have evolved beyond simple malicious links to multi-step operations.
Ponzi schemes have adapted in parallel, abandoning the bare “yield farm” aesthetic of the past for the veneer of institutional finance.
This has given rise to new frauds masquerading as “blockchain finance” or “big data” platforms. These scams also used stable deposits and tiered referral structures to imitate legitimacy.
For context, projects like DGCX illustrated how classic pyramid schemes could operate behind the facade of professional dashboards and corporate branding.
Law enforcement and the regulatory hammer
The scale of the year’s losses forced a decisive shift in regulatory behavior, with regulators moving from theoretical debates over jurisdiction to direct on-chain intervention.
As a result, their focus has expanded beyond the entities themselves and into the infrastructure that facilitates crime, including malware networks, dark web marketplaces, and money laundering centers.
A good example of this broadening is the pressure placed on the Huione group, a conglomerate targeted by investigators for its role in facilitating money laundering flows.
Similarly, platforms like Garantex have faced continued enforcement action, indicating that regulators are ready to dismantle the financial system used by cybercriminals.
Stablecoin issuers have emerged as a vital part of this enforcement strategy, effectively acting as adjuncts in efforts to freeze stolen capital. Tether froze USDT on 576 Ethereum addresses, while Circle froze USDC on 214 addresses throughout the year.
These actions have produced tangible results. Over the course of 18 major incidents, approximately $387 million of the $1.957 billion in stolen funds was frozen or recovered.


Although the 13.2% recovery rate remains modest, it represents a significant shift in capability: the industry can now suspend or reverse a portion of criminal flows when compliant intermediaries are in the path of the transaction.
Regulatory expectations have tightened as a result. Robust anti-money laundering (AML) and know-your-customer (KYC) frameworks, tax transparency and custody controls have evolved from competitive advantages to basic survival requirements.
Infrastructure providers, wallet developers and bridge operators are now within the same regulatory reach as exchanges.
The solvency test and the future landscape
The divergence between the Bybit hack and FTX collapse offers the most critical lesson of 2025.
In 2022, the loss of customer funds exposed a hollow balance sheet and fraud, leading to immediate insolvency. In 2025, Bybit’s ability to absorb a $1.46 billion loss suggests that leading platforms have accumulated enough capital to treat massive security failures as operational costs of survival.
However, this resilience comes with a caveat, as the concentration of risk has never been higher. Attackers are now targeting centralized choke points, and state actors are devoting immense resources to breaching them.
For builders and businesses, the era of “move fast and break things” is definitively over. Security and compliance are now thresholds for market access. Projects that cannot demonstrate strong key management, permission design, and credible AML frameworks will find themselves cut off from banking partners and users.
For investors and users, the lesson is stark: passive trust is a liability. The combination of AI-driven social engineering, supply chain poisoning, and industrial-scale hacking means that capital preservation now requires active and ongoing vigilance.
2025 has proven that even as the crypto industry has built stronger walls, the enemies outside the gate have brought bigger battering rams.






