2025 Full-Year Crypto Attack Review

In the previous article, “2025 Crypto Privacy Technology Review,” we mentioned a set of figures circulating online: in 2025, the entire cryptocurrency industry suffered cumulative losses exceeding USD 3.4 billion, setting a new historical high. May alone saw as many as 20 security incidents, an average of nearly one every 1.5 days.

Here are just a few examples:

In February, Bybit suffered a crypto asset theft of approximately USD 1.46 billion;
In May, Cetus Protocol experienced a crypto asset theft of USD 220 million;
In June, Alex Protocol was hacked, resulting in a loss of USD 8.3 million in digital assets;
In September, UXLINK encountered a severe security incident, with losses exceeding USD 10 million.

Today, we will conduct a detailed chronological review of the major security incidents of 2025.

January 2025
In January 2025, losses caused by vulnerabilities, hacks, and scams totaled approximately USD 98 million, of which around USD 8 million was attributed to phishing attacks. There were 28 cryptocurrency hacking incidents.

On January 8, users of Orange Finance (a DeFi protocol on Arbitrum) suffered losses exceeding USD 800,000. Attackers gained access to the protocol’s administrative keys and used them to perform malicious upgrades to the protocol’s contracts, thereby stealing funds from all user wallets that had granted valid token approvals to the protocol.

January was a relatively calm month in 2025.

February 2025
In February 2025, losses from vulnerabilities, hacks, and scams reached approximately USD 1.782 billion; 20 cryptocurrency hacking incidents caused about USD 1.51 billion of those losses.

The largest security incident in February was undoubtedly the Bybit exchange hack. On February 21, the cryptocurrency exchange Bybit suffered a theft of approximately USD 1.46 billion. According to official disclosures, attackers used malware to trick the exchange into approving transactions that transferred funds to the attackers’ accounts.

After the attack, Bybit swiftly initiated its emergency response mechanism, immediately suspending all withdrawals on the platform and establishing a dedicated investigation team. Together with cybersecurity experts, it launched a comprehensive investigation into the incident. At the same time, Bybit promptly issued announcements via social media and its official website, detailing the incident, the current progress of the investigation, and the remedial measures to be taken, in order to maximize transparency and protect users’ right to information.

March 2025
In March 2025, a total of 8 security incidents occurred, with total losses of approximately USD 14.43 million, a significant decrease compared to February. The incident types were diverse, with account compromises and smart contract vulnerabilities being the most common, accounting for 62.5% of cases.

On March 5, 1inch was exploited due to a vulnerability in its legacy Fusion v1 contract, resulting in the theft of approximately USD 5 million in USDC and wETH. The stolen funds belonged to resolvers (entities that execute orders on behalf of users), not end-user assets. Post-incident investigations revealed that the vulnerability existed in outdated smart contracts; attackers constructed carefully designed transaction paths to invoke the affected functions. The current contract version was not impacted.

April 2025
In April 2025, losses caused by vulnerabilities, hacks, and scams totaled approximately USD 357 million; 17 cryptocurrency hacking incidents accounted for about USD 100 million of those losses.

The largest security incident in April was undoubtedly the Upcx permission theft attack. On April 1, the official Upcx address was suspected of unauthorized access. Attackers upgraded the ProxyAdmin contract and invoked the withdrawByAdmin function, transferring a total of 18.4 million UPC tokens (approximately USD 70 million) from three administrative accounts.
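
The Orange Finance incident in January and the Upcx incident above both began with a contract upgrade made with stolen administrative access. The following Python check is an added example, not code from the original article or from either project: it scans event logs for upgrades of watched proxies and flags any that install an unreviewed implementation or go live too early. The EIP-1967 `Upgraded(address)` proxy pattern, the review-window policy, and every address, transaction id and timestamp are assumptions made for illustration.

```python
# Constructed example: every address, tx id and timestamp is a placeholder.
# Assumes EIP-1967-style proxies, which emit Upgraded(address) on upgrade.
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"  # keccak256("Upgraded(address)")

def addr(byte_hex):
    """Build a 20-byte placeholder address from one repeated byte."""
    return "0x" + byte_hex * 20

def pad(address):
    """Encode an address as a 32-byte indexed topic."""
    return "0x" + "00" * 12 + address[2:]

WATCHED_PROXIES = {addr("aa"): "vault-proxy"}
# Reviewed implementation -> earliest unix time it may go live (assumed policy).
APPROVED_IMPLS = {addr("b1"): 1_700_000_000}

def review_upgrades(logs):
    """Return an alert for each upgrade of a watched proxy that breaks policy."""
    alerts = []
    for log in logs:
        proxy = log["address"].lower()
        topics = [t.lower() for t in log["topics"]]
        if proxy not in WATCHED_PROXIES or len(topics) < 2 or topics[0] != UPGRADED_TOPIC:
            continue
        impl = "0x" + topics[1][-40:]  # low 20 bytes of the padded topic
        go_live = APPROVED_IMPLS.get(impl)
        if go_live is None:
            reason = "implementation was never reviewed"
        elif log["block_time"] < go_live:
            reason = "upgrade executed before its review window closed"
        else:
            continue
        alerts.append({"proxy": WATCHED_PROXIES[proxy], "impl": impl,
                       "tx": log["tx"], "reason": reason})
    return alerts

SAMPLE_LOGS = [  # constructed; block_time is joined in from the block header
    {"address": addr("aa"), "topics": [UPGRADED_TOPIC, pad(addr("b1"))], "block_time": 1_700_000_500, "tx": "0xtx1"},
    {"address": addr("aa"), "topics": [UPGRADED_TOPIC, pad(addr("b1"))], "block_time": 1_699_999_000, "tx": "0xtx2"},
    {"address": addr("aa"), "topics": [UPGRADED_TOPIC, pad(addr("e7"))], "block_time": 1_700_001_000, "tx": "0xtx3"},
    {"address": addr("dd"), "topics": [UPGRADED_TOPIC, pad(addr("e7"))], "block_time": 1_700_001_000, "tx": "0xtx4"},
]

if __name__ == "__main__":
    for alert in review_upgrades(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed logs, the check stays silent on the reviewed upgrade and on the unwatched contract, and raises one alert for the early upgrade and one for the unknown implementation.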

May 2025
In May 2025, direct losses in the cryptocurrency sector from hacks, scams, and vulnerability exploitation reached approximately USD 480 million. Cross-chain protocols and DeFi vulnerabilities remained the hardest-hit areas, with 13 major security incidents.

The attack on Cetus Protocol was the largest security incident of May. Hackers exploited a smart contract vulnerability to extract approximately USD 220 million in assets, accounting for the majority of that month’s losses. Cetus Protocol is a decentralized exchange protocol whose security architecture exposed critical flaws in permission management and contract logic. Attackers executed carefully crafted transaction paths to drain funds.

Encouragingly, following the incident, security teams and on-chain institutions responded rapidly. Using on-chain multisignature freezing mechanisms, USD 157 million of the stolen funds — approximately 71% of the total — were successfully locked. This demonstrated significant progress in emergency response and asset tracking, substantially reducing the final loss.

June 2025
In June 2025, losses from hacks, scams, and vulnerabilities totaled approximately USD 184 million. Hacker attacks were particularly prominent, with 15 incidents, accounting for roughly 70% of total losses.

On June 18, Iran’s largest cryptocurrency exchange, Nobitex, was attacked by the pro-Israel hacker group Gonjeshke Darande. The attackers infiltrated the exchange’s hot wallets and stole multiple cryptocurrencies, including TRX, BTC, and DOGE. Some funds were transferred to inaccessible vanity addresses for destruction. Preliminary estimates placed the loss at approximately USD 81.7 million.

Notably, during the fund transfers, attackers deliberately sent a large amount of assets to specially constructed burn addresses, effectively destroying nearly USD 100 million worth of assets. Although Nobitex covered all user losses using its reserve fund, the exposed technical vulnerabilities triggered a crisis of market trust.

July 2025
In July 2025, losses from hacks, scams, and vulnerability exploitation totaled approximately USD 255 million, across 17 major security incidents.

CoinDCX exchange suffered a server intrusion, with internal operational accounts compromised, resulting in losses of USD 44.2 million;
The decentralized derivatives protocol GMX suffered a management vulnerability attack, losing approximately USD 42 million. Notably, the vulnerability was not inherent but introduced during the team’s attempt to patch an earlier issue, creating a situation of “fixing vulnerabilities by creating new ones”;
BigONE exchange lost USD 27 million from hot wallets due to a third-party attack. Attackers compromised the CI/CD pipeline, deployed malicious code, disabled risk control checks, and transferred BTC, ETH, USDT, and other assets.

August 2025
In August 2025, the crypto industry’s security situation came under renewed pressure. Approximately 16 major attacks and security incidents were disclosed, with cumulative losses of about USD 163 million.

The Turkish crypto exchange BtcTurk suffered its second major security breach in just over a year. Following a USD 54 million theft in June 2024, it lost more than USD 50 million again in August 2025, pushing its cumulative losses beyond USD 100 million and making it a highly scrutinized case.

The five largest incidents by single-loss amount in August included: a Bitcoin whale losing approximately USD 91.4 million; BtcTurk losing USD 54 million; ODIN FUN losing about USD 7 million; BetterBank losing around USD 5 million; and CrediX Finance losing approximately USD 4.5 million. These incidents highlighted that centralized platforms, high-net-worth individual accounts, and DeFi projects remain prime targets.

September 2025
In September 2025, losses from hacks, scams, and vulnerabilities totaled approximately USD 116 million, across 32 security incidents. The single largest loss was USD 44.7 million, from the hack of Singapore-based exchange BingX. The most high-profile incident involved UXLINK, which suffered losses exceeding USD 10 million.

In the early hours of September 23, UXLINK, known as the “world’s largest Web3 social platform,” experienced a severe security incident, losing more than USD 11.3 million. The token price briefly collapsed by over 70%, accompanied by a dramatic on-chain minting of 1 billion UXLINK tokens by the attacker.

October 2025
In October 2025, 21 hacking incidents involving active attacks (including vulnerability exploitation and permission theft) resulted in direct losses of approximately USD 620 million.

Abracadabra contract logic vulnerability attack: loss of USD 1.8 million, no user funds affected
BNB Chain cross-chain bridge vulnerability attack: USD 105 million, the largest single hack of 2025
Astra Nova AI platform hack: USD 10.3 million, no secondary losses
Moola Market lending protocol attack: USD 10.3 million, no secondary losses
Bunni DEX contract vulnerability attack: USD 8.4 million, no secondary losses
402Bridge cross-chain bridge theft: 17,600 USDC (approximately USD 17,600)
Rug pulls and scam incidents: 15 cases, involving more than USD 120 million

November 2025
In November 2025, losses from hacks, scams, and vulnerabilities totaled approximately USD 172.4 million, across 53 security incidents.

On November 4, attackers exploited a rounding logic flaw in Balancer’s stable pools, amplifying errors through high-frequency batch swaps to extract funds, resulting in losses of approximately USD 113 million. This became the largest single security incident of the month and once again highlighted the risks of complex DeFi mathematical models under extreme interaction scenarios.
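
A rounding error of one unit per swap is easy to miss in review, and the standard guard is an invariant test run over a whole batch of swaps. The following Python test is an added example, not code from the original article or from Balancer: it uses a toy constant-product pool (an assumption, not Balancer's stable-pool formula) to show that rounding the payout in the trader's favour makes the pool invariant fall, while rounding in the pool's favour never does. The reserves and the swap batch are constructed.

```python
# Toy constant-product pool (x * y = k) in integer math. Constructed example:
# it is not Balancer's stable-pool formula, only the same class of check.

def amount_out(reserve_in, reserve_out, amount_in, round_up):
    """Tokens paid out for amount_in. Rounding up favours the trader (the bug)."""
    num = reserve_out * amount_in
    den = reserve_in + amount_in
    return -(-num // den) if round_up else num // den

def run_batch(reserves, swaps, round_up):
    """Apply (direction, amount) swaps; return the final reserves and the
    indexes of swaps after which the invariant k = x * y went down."""
    x, y = reserves
    violations = []
    for i, (direction, amount_in) in enumerate(swaps):
        k_before = x * y
        if direction == "x_to_y":
            out = amount_out(x, y, amount_in, round_up)
            x, y = x + amount_in, y - out
        else:
            out = amount_out(y, x, amount_in, round_up)
            x, y = x - out, y + amount_in
        if x * y < k_before:  # the pool must never end a swap worse off
            violations.append(i)
    return (x, y), violations

# Constructed batch: 200 tiny swaps in alternating directions.
BATCH = [("x_to_y" if i % 2 == 0 else "y_to_x", 1 + i % 7) for i in range(200)]
START = (1000, 1000)

def invariant_report(round_up):
    """Summarise how the invariant moved over the whole batch."""
    (x, y), violations = run_batch(START, BATCH, round_up)
    return {"k_start": START[0] * START[1], "k_end": x * y,
            "violations": len(violations)}

if __name__ == "__main__":
    print("round down:", invariant_report(False))
    print("round up:  ", invariant_report(True))
```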

On November 27, Upbit announced that some of its assets on the Solana network had been attacked, with approximately 54 billion KRW (around USD 36 million) transferred to unknown external wallets. Upbit stated it would fully cover user losses, ensuring customer assets were unaffected. The incident reignited market concerns over cross-chain asset custody and hot wallet risk controls.

Conclusion
Security incidents are not merely crises for individual projects — they are alarm bells for the entire Web3 industry. They remind all participants that no matter how dazzling technological innovation or financial models may be, long-term success ultimately depends on one fundamental question: Can users’ assets truly be kept safe?
