Crypto Industry Loses $4.67 Billion to Hacks in Two Years, Five Incidents Did Most of It

The typical crypto protocol that gets hacked loses around $25 million immediately. Then its token drops 10% within two days. Then, over the following six months, the median token gives back 61% of its pre-hack value, and only about 16% of hacked projects ever trade back above where they started. 

That is the baseline picture Immunefi, the blockchain security firm, lays out in its 2026 State of Onchain Security report, a two-year analysis of every publicly disclosed crypto exploit from 2024 and 2025.

The figure driving the average is a single event: Bybit’s $1.5 billion breach in February 2025, the largest crypto hack on record, which represented 44% of all losses in 2025 and 32% of the two-year total. Strip it out and the picture shifts. 

The median hack, the midpoint of the distribution and a measure less distorted by outliers, shrank to $2.2 million from $4.5 million in the prior dataset, a sign that routine exploits are getting harder to execute. The tail is a different story.

The five largest exploits across 2024 and 2025 claimed 62% of all funds stolen; the top ten took 73%. The gap between median and average reflects a market where incremental defensive progress at the routine end coexists with rare, catastrophic events that dwarf everything else.

Centralised Exchanges Still Anchor the Worst Losses

Centralised exchanges, platforms that hold user funds in custody, meaning users do not control their own private keys, were responsible for just 20 of the 191 incidents. 

They absorbed $2.55 billion, more than half of all losses. That concentration reflects custodial risk: when a single entity controls large pools of assets on behalf of many users, a single breach can be enormous. Immunefi frames this as a persistent structural problem rather than a streak of bad luck.

The Longer-Term Damage

For protocol builders, the damage extends beyond day one. Many projects hold their native tokens as treasury reserves, so a 61% drawdown over six months directly cuts operating budgets, hiring capacity, and development timelines. 

The report cites a 2025 stablecoin failure involving deUSD as a case study in contagion: losses cascaded through collateral dependencies, freezing withdrawals and triggering forced selling across connected protocols.

Internally, the damage is consistent across incidents. Security leadership turns over within weeks of a breach. Product work stalls as engineering teams redirect resources to remediation. Recovery typically consumes at least three months of focused effort before a team can return to its original roadmap.

The pattern holds whether the breach is a $2 million routine exploit or a $1.5 billion outlier. The difference is that an outlier rarely leaves the team intact long enough to run that three-month recovery clock.
