2025 was a big year for the crypto industry, but it came as a double-edged sword when looking at the bigger picture.
On one hand, the industry matured in terms of institutional adoption, with a record number of mergers and acquisitions.
There were 267 deals totalling $8.6 billion, making it a profitable year for those positioned on the right side of the trade.
On the other hand, losses from hacks and exploits hit a record high, exposing how far the space still has to go on the security front.
Data from security firms like SlowMist and CertiK reported that the number of security incidents dropped by 50% year-over-year, from over 400 in 2024 to approximately 200 in 2025.
But the extent of financial losses tells a different story. Total stolen funds jumped by 55% compared to the previous year, climbing to over $3.4 billion.
While basic security hygiene, such as routine smart contract audits and automated bug detection, is successfully eliminating the low-hanging fruit that amateur hackers used to target, the nature of attacks has fundamentally shifted.
Modern attackers are no longer casting a wide net for small protocol vulnerabilities.
Instead, professionalised groups, most notably the North Korean Lazarus Group, are spending months on reconnaissance and infrastructure infiltration to execute single, catastrophic strikes.
The industry is now facing a quality over quantity crisis, where fewer attacks are taking place, but the ones that do happen are far more damaging.
As 2026 begins, here’s a look back at four of the biggest security incidents of 2025, which exposed many of the industry’s weak points.
Bybit Exchange: $1.5 billion
The biggest incident of the year unfolded at the Dubai-based crypto exchange Bybit, which became the largest confirmed theft ever linked to North Korea’s state-backed Lazarus Group.
Attackers spent months building trust with a developer at Safe{Wallet}, a leading multisig infrastructure provider, before they managed to introduce a malicious Docker project that quietly established a persistent backdoor.
Once inside, the attackers injected malicious JavaScript into the frontend code of the Safe wallet interface used by Bybit’s internal signing team.
As Bybit executives logged in to sign what appeared to be routine internal transactions, the user interface displayed correct wallet addresses and amounts.
At the code level, however, the destination address was silently swapped for attacker-controlled wallets.
Approximately $1.46 billion to $1.5 billion in ETH was drained, impacting a large number of users who were left exposed to one of the most severe security failures the industry has seen.
The incident exposed a critical industry weak point around UI trust, reinforcing that hardware wallets and multisig thresholds offer little protection if the software layer presenting the transaction details has been compromised.
Og Bitcoin whale: $330 million
Back in April, a Satoshi-era Bitcoin whale who had been holding their coins untouched for over a decade became the victim of a devastating social engineering attack that resulted in the loss of 3,520 BTC, worth approximately $330.7 million at the time.
The incident became etched in history as the largest individual theft in the history of the industry, as was framed by on-chain sleuth ZachXBT.
Unlike attacks that target code, this one weaponised AI-powered deepfakes and voice cloning to bypass the victim’s psychological defences over a period of several months.
The perpetrators, suspected to be an organised syndicate operating out of a sophisticated call centre in Camden, UK, using aliases like “Nina” and “Mo”, built a false sense of security with the elderly victim by impersonating trusted legal and technical advisors.
Eventually, the attackers directed the victim to a fake “security verification” portal that mimicked a well-known wallet provider’s official support site, where the victim was manipulated into entering their private credentials or signing a specific transaction on their hardware device under the guise of an “account upgrade.” The funds were instantly moved.
Funds were quickly laundered through “peel chains” and converted into the privacy coin Monero (XMR), causing a 50% price spike in Monero due to the sudden, massive demand.
The incident ultimately exposed the extreme vulnerability of high-net-worth individuals who lack institutional-grade custody services, showing that no amount of encryption can protect assets if the human layer is effectively manipulated.
Cetus Protocol exploit: $223 million
Cetus Protocol, which is the largest decentralised exchange on the Sui network, was exploited in May due to a technical failure in its smart contract logic.
The exploiter identified a critical arithmetic flaw in a shared open-source math library used for liquidity calculations, which allowed them to drain roughly $223 million in liquidity assets.
Specifically, the function was designed to safely scale fixed-point numbers by shifting them left by 64 bits.
However, it contained a logic error in its overflow check. The comparison used a mask that was too large, which permitted bitwise shifts that should have been rejected.
By using a flash loan to create a liquidity provider position with an extremely narrow tick range, the attacker triggered an arithmetic overflow, more precisely a bitwise truncation, which caused the contract to calculate a required deposit of just 1 unit of a token while still crediting the attacker with massive liquidity.
The attacker then simply removed the liquidity, claiming the pool’s real reserves based on the falsely inflated accounting.
While Sui validators managed to coordinate an emergency freeze on $162 million of the assets before they could be bridged out, the net loss still remained one of the largest in 2025.
It proved to the decentralised finance ecosystem that modern, safety-oriented languages like Move are not inherently immune to math bugs, and reinforced that mathematical rigor remains a non-negotiable requirement in protocol design.
Balancer V2: $128 million
Balancer suffered a sophisticated economic engineering exploit across multiple chains (Ethereum, Arbitrum, and Base) in November, as an attacker managed to weaponise a tiny discrepancy in how the protocol handled precision rounding during internal swaps.
Balancer’s Composable Stable Pools utilised different rounding directions for upscaling and downscaling token amounts to protect the protocol’s Invariant, which serves as the mathematical anchor for the StableSwap algorithm, ensuring the pool maintains a constant total value and equilibrium during asset exchanges.
The attacker discovered that by pushing pool balances into a specific 8 to 9 Wei range, they could cause the integer division to drop up to 10% of value through rounding-down errors.
Subsequently, using an automated contract, the attacker initiated a single transaction containing over 65 micro-swaps.
Each swap repeatedly shaved off a few Wei of value, compounding the precision loss until the pool’s internal accounting was completely distorted.
As a result, they were able to take advantage of the compounded precision loss until the pool’s internal accounting was completely distorted, after which they could mint LP tokens at a suppressed price and redeem them for their full value instantly, extracting millions without triggering any of the protocol’s safety checks.
The post Top crypto hacks of 2025: incidents that exposed the industry’s weak points appeared first on Invezz
