From Bybit to Coinbase, 2025 will go down as one of the darkest years in crypto security. Digital asset firms collectively lost an estimated $2.72 billion to hackers and fraudsters, according to figures compiled by blockchain intelligence company TRM Labs. After a record‑breaking 2024, many hoped the worst was over. Instead, attackers doubled down, refining their tactics and widening their targets across both centralized exchanges and decentralized finance (DeFi) protocols.
The single most devastating incident struck in February, when North Korea–linked hackers allegedly breached major exchange Bybit. The intrusion led to an eye‑watering $1.5 billion loss, making it the largest single crypto heist on record. Beyond the sheer size of the theft, the Bybit hack was a wake‑up call: if a leading, well‑funded exchange with sophisticated security tools could suffer such a blow, no platform could afford complacency.
Bybit’s meltdown set the tone for the rest of the year. TRM Labs described 2025 attacks as more “organized and professionalized,” reflecting how cybercrime operations now function more like disciplined corporations than chaotic hacker collectives. Many incidents showed signs of extensive reconnaissance, multi‑stage intrusion chains, and careful laundering strategies designed to evade detection across multiple blockchains.
Centralized platforms were not the only victims. DeFi, once seen as a more transparent and possibly safer alternative, remained a high‑value hunting ground. One of the biggest DeFi‑related incidents was the attack on Cetus Protocol, which reportedly lost about $223 million. The exploit appeared to involve a combination of smart contract manipulation and complex on‑chain maneuvering, underscoring how code vulnerabilities can be just as dangerous as weak operational security on traditional exchanges.
Even household‑name companies were not spared. Coinbase, one of the most heavily regulated and scrutinized exchanges in the world, faced a serious security incident in 2025, with estimated losses of up to $400 million. While not as catastrophic as the Bybit breach in absolute terms, the Coinbase case demonstrated that size, regulatory status, and compliance frameworks do not guarantee immunity from sophisticated attackers. For many institutional investors, this was a sobering reminder that counterparty risk in crypto remains very real.
Outside the marquee names, a series of sizable regional and niche platform hacks added to the mounting toll. Iranian exchange Nobitex reportedly lost around $90 million, while UPCX, a growing trading venue, saw approximately $70 million drained. Turkish platform BtcTurk suffered a $50 million breach, and South Korean exchange Upbit was hit for roughly $36 million. Individually, these incidents may seem small compared to the Bybit disaster, but collectively they reflected a broad, global pattern of attackers probing exchanges of all sizes.
TRM Labs’ analysis suggests that attackers have continued to diversify their techniques. Traditional phishing and social engineering campaigns still feature prominently, but are now often paired with zero‑day exploits, supply‑chain compromises, and clever abuse of inter‑chain bridges and liquidity pools. The line between a “DeFi hack” and a “centralized exchange hack” is increasingly blurred as attackers move funds rapidly between on‑chain and off‑chain venues, exploiting gaps in monitoring and compliance tools.
One notable trend in 2025 was the growing use of cross‑chain infrastructure as an attack vector. Protocols that allow users to move assets between different blockchains have become integral to the crypto ecosystem—but they also expand the attack surface. Several of the year’s major breaches, including those affecting DeFi platforms, involved manipulating cross‑chain bridges, oracle feeds, or liquidity aggregation logic, enabling attackers to drain funds without triggering obvious alarms.
The geopolitical dimension of crypto crime also intensified. The alleged involvement of North Korean state‑linked groups in the Bybit incident highlights how nation‑state actors now view crypto heists not only as a way to enrich themselves but also as a tool to circumvent international sanctions. These groups often reinvest stolen funds into weapons programs or espionage infrastructure, turning what might once have been seen as “just” digital theft into a matter of global security.
From the perspective of exchanges and protocols, 2025 has forced a hard re‑evaluation of security priorities. Many companies are moving from a perimeter‑based model—relying on firewalls, cold storage, and internal controls—toward a layered, “assume breach” approach. That includes continuous real‑time monitoring of on‑chain activity, automated incident response systems that can freeze or quarantine suspicious transactions, and more robust key management solutions such as multi‑party computation (MPC) and hardware security modules.
Insurance has become another central topic. After the year’s record‑breaking losses, underwriters are tightening terms and demanding higher security standards before offering coverage. Premiums for hot‑wallet and infrastructure coverage are rising, and many smaller platforms are discovering that comprehensive insurance is either prohibitively expensive or simply unavailable. This, in turn, is pushing exchanges and DeFi teams to build more resilient, self‑contained risk‑mitigation strategies rather than relying on insurance as a safety net.
For individual users, the message from 2025 is stark: even the most trusted platforms can fail. While exchanges and protocols bear the bulk of the responsibility, investors are reassessing their own practices. Self‑custody solutions, hardware wallets, and multi‑sig arrangements are seeing renewed interest, particularly among long‑term holders and high‑net‑worth individuals. At the same time, users are learning to scrutinize the security track record, audit history, and incident response policies of any platform they entrust with funds.
Regulators are also paying close attention. The sheer scale of the 2025 losses is likely to accelerate efforts to formalize security and reporting standards for crypto institutions. Authorities in several jurisdictions are already discussing mandatory disclosure rules for breaches, minimum technical standards for custody, and clearer obligations around consumer protection when hacks occur. While some in the industry fear heavier regulation could stifle innovation, others argue that consistent, enforceable security baselines are now essential to restore trust.
Behind the headlines, the 2025 hacks have also reshaped how security teams think about talent and collaboration. Exchanges and protocols are investing more in in‑house security researchers, bug bounty programs, and red‑team exercises that simulate real‑world intrusions. Some are building dedicated threat‑intelligence units focused specifically on tracking the behavior of known attacker groups, mapping their wallet clusters, and anticipating new techniques before they are deployed in the wild.
The development side of the industry is being forced to mature as well. Smart contract teams are beginning to accept that one‑off audits before launch are not enough. Continuous auditing, formal verification for critical code, real‑time anomaly detection on contract interaction patterns, and rapid “kill switch” or circuit‑breaker mechanisms are becoming more common features of serious DeFi projects. Those that fail to adopt such measures risk being sidelined by both users and institutional partners.
Investors, meanwhile, are incorporating security posture into their valuation and due‑diligence frameworks. A protocol or exchange with a strong security record, transparent communication around past incidents, and clear recovery plans is increasingly seen as more valuable than a competitor offering slightly higher yields but carrying unquantified security risks. In a market already pressured by weak prices and macro uncertainty, one serious exploit can wipe out not only user funds but years of brand building.
Looking ahead, the lessons of 2025 point in two directions at once. On one hand, attackers have never been more capable, more coordinated, or better funded. On the other, the industry’s understanding of security has never been deeper. Tools for behavioral analytics, on‑chain forensics, and automated response are improving rapidly. Collaboration between security vendors, exchanges, and analytics firms is helping to track stolen funds more effectively and, in some cases, recover assets or pressure attackers to return part of the haul.
Yet there is no returning to a pre‑2025 sense of safety. The Bybit, Coinbase, Cetus, Nobitex, UPCX, BtcTurk, and Upbit incidents collectively mark a turning point: the end of any illusion that crypto can achieve mass adoption without treating security as a first‑order priority on par with liquidity, user experience, and regulation. Every new protocol, bridge, or exchange feature now has to be designed under the assumption that it will be targeted by highly motivated adversaries.
For participants trying to navigate the space after such a brutal year, the practical takeaways are clear. Diversify custodial risk across multiple platforms and, where possible, use self‑custody for long‑term holdings. Favor platforms with transparent security practices, recent third‑party audits, and clear public communication around any past incidents. Be wary of complex, high‑yield products that rely heavily on bridges and thinly audited smart contracts. And above all, treat security not as an optional extra, but as a fundamental cost of participating in the crypto economy.
If 2024 was the year that signaled crypto’s vulnerability, 2025 cemented the idea that security will define the industry’s future. Whether the next cycle brings renewed growth or prolonged stagnation, the platforms that survive will be those that internalize the harsh lessons of this year’s $2.72 billion in losses—and rebuild their infrastructure, governance, and culture with security at the core.
