2025’s biggest crypto hacks: From exchange breaches to DeFi exploits

2025 delivered no shortage of crypto hacks and scams, though one incident stood out from the crowd.

A total of around $4 billion was lost, a 37% increase on 2024’s total, with over half linked to North Korea, according to blockchain security firm Hacken.

Protos has put together a rundown of the year’s biggest, strangest, and most significant  incidents, and asks what they told us about crypto security in 2025.

Centralized exchanges plundered

Far and away the year’s biggest loss, both in terms of scale and impact, was February’s ByBit hack.

Over $1.4 billion of crypto assets were drained from the exchange after one of its cold wallets was compromised. The hack was later attributed to North Korean hackers’ crypto-focused campaign dubbed “TraderTraitor.”

After “compromising a Safe {Wallet} developer machine,” the hackers disguised malicious transactions presented to the ByBit team, to take control of the wallet.

Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was musked, all the signers saw the musked UI which showed the correct address and the URL was from @safe . However the signing message was to change…

— Ben Zhou (@benbybit) February 21, 2025

Read more: The solution to crypto’s Lazarus problem could be simpler than expected

In response to the “blind signing” problem facing multisig operators, hardware wallet manufacturer Ledger introduced a new “clear signing” feature. However, the announcement was met with backlash after the “free” security upgrade turned out not to be free, at all.

TRM Labs sees this as part of a shifting trend in North Korea’s “industrialization of infrastructure attacks.” The focus appears to have moved from targeting bridges (2021-2022) to service providers (2023-2024) to “CEX Mega-Heists” (2024–2025).

Apart from ByBit, exchanges hit by North Korean hackers in 2025 include Swissborg, which lost $41 million in September, and (most likely) South Korean exchange Upbit, hit for $30 million in November.

Other centralized exchanges (CEXs) hacked in 2025 include CoinDCX ($44 million), WooX ($14 million), BigONE ($27 million), BtcTurk ($49 million, which also lost $55 million in 2024) and BitPro ($11.5 million).

June’s politically-motivated hack of Iranian exchange Nobitex stood out, when the stolen $90 million was sent to irrecoverable addresses containing anti-Iranian messages.

DeFi platforms hacked

The year also saw significant hacks on DeFi projects, though with lower severity and frequency than previous years.

The most serious incident came in November, when Balancer’s v2 pools were exploited for $129 million. In addition to the large loss, the hack was surprising in that it came a full five years after the pools were launched.

Update: @Balancer and its forks are under attack, with total losses across multiple chains reaching ~$128.64M so far. https://t.co/67XGX5RcRR pic.twitter.com/FIwx20ALSz

— PeckShieldAlert (@PeckShieldAlert) November 3, 2025

Read more: Is an AI hacker targeting old DeFi projects in $5M spree?

Balancer wasn’t the only OG DeFi protocol hit this year, either. December’s trio of hacks on Ribbon Finance, Rari Capital and iEarn (now Yearn) Finance had some suspecting a $5 million AI-assisted hacking spree.

Yearn itself was also hit by a $9 million hack, though $2.4 million was recovered, and it later disclosed a malfunction in one of its vaults.

Two hacks also hit Abracadabra in March ($13 million) and October ($1.7 million), while Zoth lost a total of $8.7 million in March.

Elsewhere, a $42 million hack of GMX had USDC’s issuer Circle catching strays over its failure to freeze funds, and an $11 million dose of DeFi “karma” came for blockchain bridge Garden.

.@circle USDC freeze response time is an absolute joke

GMX exploiter address at some point held $30M in USDC and keeps swapping tokens for USDC with no blacklisting in sight

address holds $4.3m USDC right now

its been more than 1h since the exploit took place pic.twitter.com/3iGmCyI2Kf

— ultra (@0x_ultra) July 9, 2025

Read more: Circle rarely freezes stolen funds but wants reversible transactions

One hacker showed particular flair, sending stolen ether to Tornado Cash developer Roman Storm’s defence fund after taunting auditors on-chain.

Plenty of phish

A monster $27 million loss initially caused worries of a large-scale hack of Venus Protocol in July. However, the transaction turned out to be a single “whale” who had fallen victim to a phishing scam.

There were more reminders that even experienced experts sometimes get hooked, as crypto veteran Jill Gunter was drained and the UXLINK hacker lost their loot phishing.

Disaster also struck the ZKLend hacker who was phished for $9.5 million after reportedly using a malicious Tornado Cash front-end.

Another user recently lost $2.3 million, seemingly to the same issue.

Uhhhhh whoever the hacker is they appear to have been rugged by a fake TC frontend. 💀

Funds are here
0x9e8ccfbedeffbf58a7ad9df574296d778e8d6e95

Relayed by 0x7598004ff2e3f7bb326956fcb12454d1655a74a4

— Tay 💖 (@tayvano_) December 23, 2025

Read more: Refund of $70M ‘address poisoning’ scam ongoing, over 50% returned

Shortly before Christmas, a mammoth address poisoning scam saw a victim lose $50 million of USDT.

Despite all the bad news, some light relief came in September when what was dubbed “likely the largest supply chain attack in history,” managed to steal just $0.05.

DeFi drama

Hacks and scams aside, there were plenty of other dramas played out on the DeFi stage.

The collapse of intertwined yield vaults, precipitated by Stream Finance, saw hundreds of millions evaporate as the “daisy chain” unravelled.

The fallout saw many of the firms involved go quiet, or opt for threatening troublesome users seeking answers. 

DAO debates heated up, with Aave DAO and Labs squabbling over rights to the brand and Gnosis firing its treasury manager.

The recent DAO alignment proposal has been moved to Snapshot after extensive discussion. We realize the community is very interested in a path forward and is ready to make a decision.

Time for tokenholders to weigh in and vote.https://t.co/QwoPeglhmU

— Stani.eth (@StaniKulechov) December 22, 2025

Read more: AAVE whale crashes token 10% amid ‘disgraceful’ governance vote

After almost three years on the OFAC’s naughty list, sanctions placed on crypto mixer Tornado Cash were lifted in March.

This didn’t help developer Roman Storm, however, who was convicted four months later, despite rather dubious evidence from the prosecution.

Developers of another mixer, Samourai Wallet, pled guilty in July, but are now seeking one of Trump’s famously trigger-happy pardons.

Have we learned anything?

The ByBit hack, in its complexity and level of preparation needed, showed that crypto’s weakest link is humans, not code. A need for clear, tamper-proof signing methods remains a crucial space to improve, both for teams and individuals.

The willingness of politically-motivated actors to target foreign CEXs demonstrates an additional, geopolitical, danger to traders. (As if they didn’t already have enough risks to deal with.)

Maturing codebases also proved their worth in that many of the year’s DeFi hacks were on legacy protocols.

After years being plagued by blackhats, perhaps devs are learning to avoid the pitfalls of previous incidents.

We also saw that, while 2025 has underperformed expectations, a less hardline SEC has led to increased confidence.

After years of flying under the radar, major DeFi projects are now reconsolidating, and targeting mainstream audiences.

Got a tip? Send us an email securely via Protos Leaks. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.