Crypto Hack Losses Hit $17B as DeFi Exploits Keep Climbing

Steady attention without excessive speculation.

The milestone underscores a persistent problem for the crypto industry. Despite years of investment in audits, bug bounties, and formal verification, the losses keep growing. Only 5.8% of stolen funds have been recovered across all tracked incidents, according to analysis of the DefiLlama dataset.

Where the Money Went

DeFi protocols account for the largest share of crypto hack losses at roughly $7.71 billion. Cross-chain bridges follow at approximately $2.91 billion. The rest spans centralized exchanges, wallets, infrastructure providers, and other crypto services.

The top historical incidents tell the story. The Ronin Bridge exploit drained roughly $636 million in 2022. The Poly Network attack cost approximately $616 million in 2021. Both remain among the largest on-chain thefts ever recorded.

More recently, April 2026 brought two major events. KelpDAO lost approximately $293 million, and Drift Protocol suffered roughly $285 million in net losses. Those two incidents alone rivaled some full months of previous years.

2025 Set a Record for Crypto Hack Losses

Last year was particularly brutal. Chainalysis reported more than $3.4 billion stolen in hacks and thefts during 2025. The Bybit compromise accounted for roughly $1.5 billion of that total, making it the single largest centralized exchange hack in recent history.

North Korean state-sponsored hackers drove a significant portion of 2025 losses. The Lazarus Group stole approximately $2 billion last year alone, according to Chainalysis. Their all-time total now stands at roughly $6.75 billion.

Immunefi, a web3 security platform, separately tracked 191 incidents during 2024 and 2025 totaling approximately $4.67 billion. Over a five-year window, the platform logged around 425 hacks for $11.9 billion in total losses, with an average of $25 million per major incident.

Recovery Remains the Exception

The 5.8% recovery rate highlights one of the industry’s hardest truths. Once funds leave a compromised protocol, they are usually gone for good. Attackers launder stolen crypto quickly through mixers, cross-chain bridges, and decentralized exchanges.

White-hat recoveries and law enforcement seizures do occur, but they remain the exception. Most affected protocols never see meaningful restitution. In many cases, the project itself dies alongside the stolen funds.

According to Immunefi research, hacked projects suffer a median token price decline of 61% over the six months following an exploit. Roughly 84% of affected tokens never recover to their pre-hack price levels.

Different Trackers, Similar Conclusions

DefiLlama focuses specifically on verifiable on-chain hacks and exploits. It does not include social-engineering scams or off-chain fraud. Other trackers use slightly different definitions, so numbers vary across sources.

Crystal Intelligence, which compiled 13 years of data through early 2024, reported approximately 785 incidents (including both hacks and scams) for a combined total near $19 billion. PeckShield publishes monthly and quarterly incident reports that largely corroborate the trend.

One important distinction: Chainalysis and others separately reported roughly $17 billion lost to scams, fraud, and impersonation in 2025 alone. That figure covers social engineering, fake apps, and AI-powered phishing. It is a different category from the on-chain exploits DefiLlama tracks. Some headlines have conflated these two figures, so the distinction matters.

Audits Help, but Attacks Evolve

The persistence of crypto hack losses reflects an evolving threat landscape. Smart contract bugs and flash loan attacks still occur, but private-key compromises now account for some of the largest thefts. Insider attacks and infrastructure-level breaches add another layer of risk.

State-sponsored actors like North Korea’s Lazarus Group represent a qualitatively different challenge. They combine sophisticated social engineering with technical expertise and operate with state resources behind them. Four separate years in the past decade each exceeded $1 billion in total hack losses.

Early 2026 data shows the pattern continuing. Q1 saw approximately $169 million stolen across 34 incidents, according to DefiLlama. February 2026 was relatively quiet at $26.5 million across 15 incidents, per PeckShield. Then April arrived with the KelpDAO and Drift Protocol exploits, pushing totals sharply higher.

What the Numbers Mean for Crypto Security

The $17 billion figure is a stark reminder that security vulnerabilities can dwarf market volatility as a source of user losses. For many affected projects and their users, a single exploit erases years of development and trust.

Self-custody best practices, hardware wallets, multisig setups, and on-chain transparency tools all reduce individual risk. Insurance protocols like Nexus Mutual offer coverage for some smart contract failures. The industry continues building these safeguards.

Still, the gap between security spending and actual losses suggests the crypto ecosystem has not yet found an adequate answer. As DefiLlama’s running total climbs past $17 billion, the data makes the case that crypto security remains the industry’s most expensive unsolved problem.

This article is for informational purposes only and does not constitute financial advice. Always do your own research before making investment decisions.