From Bybit to GMX: The 10 biggest crypto hacks of 2025

Markets 2026-01-14 10:10

QUICK TAKE

  • Crypto attackers siphoned an estimated $2.2 billion across 2025’s 10 largest incidents, matching 2024’s full-year tally.

  • The year’s damage was far more concentrated in a handful of giant incidents, as Bybit suffered a record $1.4 billion breach, the largest crypto theft ever recorded, after attackers drained 401,000 ETH from multisig wallets.

  • The top attacks blended infrastructure failures — including compromised keys and server breaches — with protocol-logic flaws such as rounding errors, oracle manipulation, and overlooked admin permissions.

2025 was another bruising year for blockchain and cryptocurrency security.

Across centralized exchanges, DeFi protocols and infrastructure providers, attackers siphoned an estimated $2.2 billion in the 10 largest incidents — roughly on par with the "nearly $2.2 billion" stolen in 2024, according to Chainalysis-based analysis previously reported by The Block.

But the damage was far more concentrated. While the sheer number of mid-tier exploits climbed from a year earlier, 2025 also saw the largest crypto theft ever recorded: Bybit's $1.4 billion breach in February.

Several major infrastructure failures followed, alongside sophisticated protocol-level attacks that targeted liquidity, oracle design, and privileged access pathways. The Block reviewed data from DeFiLlama and cross-referenced each case with our newsroom's coverage to compile a definitive list of 2025's largest crypto hacks, ranked by losses.

Bybit: $1.4 billion

Dubai-based exchange Bybit suffered the largest crypto theft on record on Feb. 21, when attackers drained approximately 401,000 ETH, worth a staggering $1.4 billion at the time, from wallets tied to the platform.

Onchain security firms said funds were siphoned from Safe-based multisig wallets across several networks, including  and Arbitrum, before being quickly moved through a web of fresh addresses. Investigators later pointed to a likely signing-key compromise or phishing event involving Bybit's internal wallet system.


Several independent reports highlighted abnormal approval patterns in the affected Safe contracts, suggesting the attacker had obtained sufficient control to authorize multi-chain transfers without tripping standard safeguards.

Bybit paused withdrawals, launched an internal probe, and coordinated with external analytics and law enforcement contacts. The exchange said user balances would be honored and began rebuilding wallet infrastructure, while chain trackers followed the hacked funds as they were fragmented across bridges and mixing services.

Cetus: $223 million

On May 22, Cetus, a concentrated-liquidity DEX built on Sui, was hit by an exploit that ultimately affected around $223 million in onchain liquidity at peak impact.

The attacker deployed spoofed tokens that mimicked legitimate assets at the pool level, then abused a flaw in the protocol's logic for handling those assets to manipulate pricing and drain liquidity.

As bogus tokens were swapped through the affected liquidity pools, onchain prices diverged sharply from external markets. Automated market maker math and downstream integrations treated the spoof assets as valid, allowing the attacker to extract value while leaving LPs with worthless or mispriced positions. Several Sui ecosystem projects that routed order flow through Cetus saw knock-on pricing distortions.

Cetus halted trading, paused affected contracts, and later initiated a staged restart after applying contract patches and coordinating with ecosystem partners. The team said it was able to recover a portion of the impacted funds via countermeasures and negotiations, though net losses remained substantial even after remediation.

Balancer V2: $128 million

Balancer, a decentralized finance protocol, disclosed a multi-chain exploit on Nov. 3 that ultimately impacted around $128 million in assets across its V2 composable stable pools. The attack traced back to a rounding-error bug in the pool math, which allowed carefully crafted swaps to extract value by exploiting discrepancies between internal accounting and actual pool balances.

Onchain, the attacker repeatedly cycled assets through affected pools, using a sequence of deposits and withdrawals that capitalized on the rounding behavior. Each loop shifted value in their favor while leaving the pool state appearing superficially valid, which let the exploit run across multiple chains before Balancer and partners could react.

The protocol urged LPs to exit specific at-risk pools and then began disabling vulnerable configurations. In a post-mortem, Balancer confirmed the bug was present in composable stable pools only, not the broader V2 architecture, and said a combination of white hat actions and mitigation steps helped recover tens of millions of dollars, which are now being distributed back to impacted users.
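The rounding failure mode described above can be reproduced in a few lines. The following is an added illustration, not Balancer's code or pool math: `ToyPool`, its starting balances, and the 300-unit deposit are constructed assumptions. It shows why every integer division has to round against the caller, and how a per-operation invariant check flags a path that does not.

```python
# Toy share-accounting pool, constructed for illustration only.
# It is NOT Balancer's stable-pool math; names and numbers are assumptions.

def div_down(a, b):
    return a // b

def div_up(a, b):
    return -(-a // b)

class ToyPool:
    def __init__(self, assets, shares, withdraw_div):
        self.assets = assets              # tokens actually held
        self.shares = shares              # internal accounting units
        self.withdraw_div = withdraw_div  # rounding used when paying out

    def deposit(self, amount):
        # Rounds down: the depositor never receives more shares than paid for.
        minted = div_down(amount * self.shares, self.assets)
        self.assets += amount
        self.shares += minted
        return minted

    def withdraw(self, shares):
        paid = self.withdraw_div(shares * self.assets, self.shares)
        self.assets -= paid
        self.shares -= shares
        return paid

def run_cycle(withdraw_div, deposit=300):
    """Deposit once, redeem one share at a time.

    Returns (caller_net_gain, invariant_violations)."""
    pool = ToyPool(1_500_000, 1_000_000, withdraw_div)
    minted = pool.deposit(deposit)
    paid, violations = 0, 0
    for _ in range(minted):
        a0, s0 = pool.assets, pool.shares
        paid += pool.withdraw(1)
        # Invariant: assets per share must never fall for remaining holders,
        # i.e. assets_after / shares_after >= assets_before / shares_before.
        if pool.assets * s0 < a0 * pool.shares:
            violations += 1
    return paid - deposit, violations

if __name__ == "__main__":
    print("withdraw rounds up  :", run_cycle(div_up))
    print("withdraw rounds down:", run_cycle(div_down))
```

With payouts rounded up, each one-share redemption pays out more than the share is worth and the invariant fails on every step, even though the pool's balances stay internally consistent. With payouts rounded down, the same sequence costs the caller and the invariant holds.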

Bitget: $100 million

Crypto exchange Bitget disclosed a roughly $100 million loss tied to trading in its VOXEL market. Onchain data audits revealed a small cluster of eight accounts repeatedly interacting with Bitget's market-making infrastructure in a way that exploited a flaw in the exchange's internal trading bot logic.

On April 20, the attackers appeared to trigger and front-run abnormal market-maker quotes, allowing them to buy VOXEL at artificially depressed prices and sell into inflated bids. This produced outsized, low-risk profits that were quickly withdrawn, effectively turning the internal bot into a loss engine for Bitget's own treasury.

Bitget treated the episode as a market manipulation and infrastructure exploit, pledging to pursue legal action against the accounts involved and reviewing its market-making stack. The exchange also said it paused VOXEL trading, strengthened surveillance rules around thinly traded markets, and reiterated that user spot balances and derivatives positions remained intact.

Phemex: $85 million

Centralized exchange Phemex suffered a major breach on Jan. 23 that saw roughly $85 million in crypto siphoned from its hot wallets. Blockchain data showed assets flowing out of addresses labeled as Phemex-controlled into newly created wallets, suggesting a private key compromise involving the exchange's operational wallets.

Security firms that monitored the theft reported a series of large transfers in BTC, ETH, and stablecoins over a relatively short window, with a portion of funds later routed into mixing services. Phemex quickly froze withdrawals, moved remaining assets to secure storage, and opened an investigation into whether the compromise stemmed from an external intrusion or internal credential misuse.

The exchange said it would cover user balances and began working on improved architecture with tighter key management and access controls. Authorities and analytics firms continued tracking the stolen funds across chains, but there has been no public indication that a meaningful portion of the stolen assets has been recovered.

Nobitex: $80 million

June 18 marked the day hackers attacked the Iran-based crypto exchange Nobitex and withdrew around $80 million to $90 million from its hot wallets. Blockchain investigators, including onchain sleuth ZachXBT, spotted large, suspicious outflows spanning BTC, ETH, and other tokens from addresses long associated with Nobitex, prompting immediate speculation of a hot-wallet hack.

Nobitex initially paused some services, and later confirmed that a subset of its wallets had been compromised. White hat security experts traced funds through multiple hops, with portions appearing on mixing services or being swapped into more liquid assets to obfuscate their trail. The exchange said that cold wallets remained secure and that it would work to restore user balances.

As the probe continued, Nobitex gradually restored platform functionality, while local reports in Iran highlighted the regulatory and banking challenges of responding to a large crypto theft in that jurisdiction. The company has not publicly disclosed a detailed technical breakdown of the root cause beyond noting that the impacted wallets have been rotated and hardened.

Infini: $49.5 million

Stablecoin-focused neobank Infini was exploited on Feb. 24 for roughly $49.5 million, in an incident that security analysts tied to overlooked developer privileges in the project's smart contracts. Shortly after the attack, onchain observers watched as an address with elevated permissions began draining protocol-controlled funds into an attacker's wallet.

The exploit hinged on a misconfigured or insufficiently restricted admin function, which allowed the attacker to move collateral and stablecoins out of protocol reserves without passing through normal user workflows. Analysts noted that the permissions structure gave the exploiter far-reaching control over core money flows, raising questions about Infini's internal review and audit processes.

Infini paused operations, disabled affected contracts, and urged users not to interact with the protocol while it assessed the damage. Post-incident updates framed the attack as a wake-up call on governance and access controls, and the team opened discussions with white hats and auditors about clawback options and a potential relaunch path.

BtcTurk: $48 million

On Aug. 14, Turkish exchange BtcTurk disclosed "unusual outflows" from some of its hot wallets after blockchain trackers noticed more than $48 million in crypto leaving addresses associated with the platform.

Over a short window, funds in multiple assets were moved to new destinations, with the pattern consistent with compromised private keys on part of the exchange's infrastructure. BtcTurk quickly halted deposits and withdrawals, stating that the majority of its reserves were held in cold storage and remained safe. The exchange began rotating its wallet infrastructure and working with partners — including Binance, which later said it had frozen a slice of suspected stolen funds — to limit further movement of the assets.

Turkish authorities and local media closely followed the incident, given BtcTurk's role as one of the country's oldest crypto venues. The company has signaled its intention to reinforce its security model, but has not publicly shared a full technical post-mortem of the initial compromise.

CoinDCX: $44.2 million

Indian exchange CoinDCX reported a $44.2 million exploit on July 19, later attributing the incident to a server-side breach that allowed an attacker to gain unauthorized access to critical systems. Funds were drained from specific hot wallets and moved across chains in quick succession, with analytics platforms flagging suspicious transfers almost immediately.

CoinDCX said its internal logs pointed to compromised infrastructure rather than a traditional protocol bug. In subsequent updates, local police investigations led to the arrest of an employee alleged to have played a role in facilitating the theft, underscoring that the breach blended external intrusion with internal compromise.

The exchange froze affected services, rotated keys, and pledged to cover customer losses. As the incident response continued, CoinDCX noted that its cold storage remained untouched and that it was working with law enforcement and cybersecurity firms to recover assets and strengthen its controls.

GMX: $42 million

Decentralized perpetuals exchange GMX suffered a roughly $42 million exploit on July 9 targeting its V1 system on the Arbitrum network. According to security analyses, the attacker exploited a reentrancy-style vulnerability in a contract connected to the protocol's GLP liquidity pool, repeatedly calling functions in a way that allowed them to withdraw more assets than intended.

By looping through the vulnerable contract, the exploiter gradually drained liquidity from the GLP pool, leaving LPs with a significant hole while maintaining the appearance of regular operations during the early stages of the attack. Once the abnormal flows were detected, GMX moved to disable the affected pathways.

GMX halted trading on the impacted venues and disabled minting and redemption for GLP on V1, stressing that its V2 system and the GMX token itself were not directly affected. The team began working on contract fixes and engaged with auditors and the broader community on remediation options, including possible compensation frameworks for affected LPs.
