
Navigating the Storm: Lessons From 2025 Crypto Attacks

2026/01/24 19:30
7 min read

2025 was a turbulent year for crypto security. According to blockchain analytics firm Chainalysis, over $3.4 billion was stolen through hacks and thefts, and about $17 billion was stolen in crypto scams and fraud in 2025 (with at least $14 billion identified onchain so far). PeckShield reported ~$4.04 billion in combined losses in 2025, split between ~$2.67 billion (up ~24.2% YoY) from hacks and ~$1.37 billion from scams and phishing. CertiK reported $3.35 billion lost in 2025 across hacks, scams, and exploits (about +37% vs. 2024), while stressing the theme of fewer but larger attacks.

According to Chainalysis, total value stolen from centralized services hit $2.5 billion across fewer incidents in 2025; the top three hacks accounted for 69% of all service losses. Personal wallet compromises rose, while DeFi hack losses stayed comparatively muted even as TVL recovered. PeckShield reported that attackers shifted from DeFi to CEXs and large organizations, using supply-chain attacks and private-key compromises, driving these targets’ share of total losses to 75%, up 46% from 2024.

In this blog post, we focus on software-related attacks, excluding phishing and scams. We rely on major reports for metrics such as total value stolen (TVS), incident counts, and year-over-year changes, and include hands-on technical examples from forensic investigations showing how vulnerabilities were exploited. One pattern stands out: while DeFi hack losses stayed comparatively muted even as TVL recovered, attackers shifted their attention to personal wallets and centralized services.

Source: PeckShield

Supply Chain and Software Distribution Compromises

CertiK called the supply chain (exploits of blockchain-based dependencies, CI/CD pipelines, and wallet integrations) “the most costly attack vector”, totaling $1.4 billion in losses across 2 incidents.

Technical Details and Attack Examples

Breaches of centralized platforms often blend social engineering with operational access. A common method is “embedded IT worker” infiltration and related recruiter impersonation, which can yield privileged access to systems, source code, and signing workflows. Once inside, attackers target private key infrastructure and bypass cold wallet controls, for example by tricking multisig signers into approving malicious transactions through altered interfaces.

  • Bybit / Safe{Wallet} UI Compromise (February 2025): Bybit suffered the largest cryptocurrency theft ever. Attackers induced signers to approve a malicious transaction during what appeared to be a routine cold-to-hot transfer, stealing ~401,000 ETH (~$1.5 billion). Post-incident analyses revealed that attackers injected malicious JavaScript code into the Safe{Wallet} UI from a compromised developer machine, altering the transaction display so that signers authorized the fund transfer without realizing it. Chainalysis reported that an experienced group of hackers was behind the attack.
  • Trust Wallet Extension Exploit (December 2025): Trust Wallet posted about a malicious Chrome Web Store browser extension (v2.68) published outside its normal release process. The malware could access sensitive wallet data, transmit recovery phrases to phishing domains like metrics-trustwallet.com and trigger unauthorized transactions. Trust Wallet reported 2,520 affected wallet addresses, with ~$8.5M in impacted assets tied to 17 attacker-controlled addresses.
  • AI-generated npm Drainer (Jul 2025): Malware showed up as “developer tooling,” like the AI-generated npm package @kodane/patch-manager, reported to have 1,500+ downloads before takedown and designed to drain Solana wallets.
  • BigONE Exchange Back-End Logic Tampering (Jul 2025): BigONE reported abnormal movements of some of the platform’s assets. Halborn explained that the attackers used their access to alter BigONE’s back-end account and risk-control logic so that withdrawals were auto-approved. This back-end logic tampering allowed them to submit unauthorized withdrawal requests and steal about $27 million in total across multiple chains.
  • SwissBorg / Kiln Endpoint Compromise (Sep 2025): SwissBorg reported a third-party endpoint compromise: a malicious transaction path that led to the loss of funds from SOL Earn. Blockchain investigator ZachXBT reported that SwissBorg lost approximately $40 million worth of SOL.
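The Bybit item above is a "what you see is not what you sign" failure: the interface showed one transaction and the signing device received another. The defensive control is for each signer to recompute the Safe transaction hash independently and compare it with the hash their hardware wallet displays, and to refuse transactions that break a simple policy. The Python script below is an added example written for this post; it is not code from the article, from Bybit, or from the Safe project. It carries its own pure-Python Keccak-256 so it runs offline, follows the EIP-712 layout of the Safe v1.3.0 contracts (domain separator over chain id and Safe address, `SafeTx` struct hash), and uses constructed placeholder addresses, amounts and a nonce of 42; the allowlist and the `review` policy are this example's own assumptions, not Safe features.

```python
# Added example (not code from the article or from Safe): a signer recomputes the
# Safe transaction hash offline and runs a simple policy check before approving.
# Keccak-256 is implemented in pure Python so the script needs no extra packages;
# the EIP-712 layout follows the Safe v1.3.0 contracts. Every address, amount
# and nonce below is a constructed placeholder, not a real deployment.

MASK64 = (1 << 64) - 1
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
CALL, DELEGATECALL = 0, 1
ZERO = "0x" + "00" * 20


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK64


def _keccak_f(a):
    """Keccak-f[1600] permutation on a 5x5 lane matrix a[x][y]."""
    for rc in RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], ROT[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y]) for y in range(5)]
             for x in range(5)]
        a[0][0] ^= rc
    return a


def keccak256(data: bytes) -> bytes:
    """Keccak-256 with the original 0x01 padding that Ethereum uses (rate 136 bytes)."""
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % 136)
    buf[-1] |= 0x80
    st = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), 136):
        for i in range(17):
            st[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i: off + 8 * i + 8], "little")
        st = _keccak_f(st)
    return b"".join(st[i % 5][i // 5].to_bytes(8, "little") for i in range(4))


def _word(v) -> bytes:
    """Encode an int, a 0x-address string or a 32-byte digest as one left-padded ABI word."""
    if isinstance(v, bytes):
        return v.rjust(32, b"\x00")
    return (int(v, 16) if isinstance(v, str) else v).to_bytes(32, "big")


DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
SAFE_TX_TYPEHASH = keccak256(b"SafeTx(address to,uint256 value,bytes data,uint8 operation,"
                             b"uint256 safeTxGas,uint256 baseGas,uint256 gasPrice,"
                             b"address gasToken,address refundReceiver,uint256 nonce)")


def safe_tx_hash(chain_id: int, safe: str, tx: dict) -> bytes:
    """EIP-712 digest that Safe v1.3.0 owners sign: keccak(0x19 0x01 || domain || struct)."""
    domain = keccak256(_word(DOMAIN_TYPEHASH) + _word(chain_id) + _word(safe))
    fields = (SAFE_TX_TYPEHASH, tx["to"], tx["value"], keccak256(tx["data"]), tx["operation"],
              tx["safeTxGas"], tx["baseGas"], tx["gasPrice"], tx["gasToken"],
              tx["refundReceiver"], tx["nonce"])
    return keccak256(b"\x19\x01" + domain + keccak256(b"".join(_word(f) for f in fields)))


def review(tx: dict, allowed_targets) -> list:
    """Signer-side policy (this example's assumption): findings that should block approval."""
    findings = []
    if tx["operation"] == DELEGATECALL:
        findings.append("DELEGATECALL: target code would run inside the Safe's own storage")
    if tx["to"].lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx['to']} is not on the signer allowlist")
    if tx["gasToken"] != ZERO or tx["refundReceiver"] != ZERO:
        findings.append("non-zero gas refund fields: the refund is part of what you sign")
    return findings


# Constructed placeholders: a Safe, an expected hot-wallet destination, a token contract.
SAFE, HOT_WALLET, TOKEN, UNKNOWN = ("0x" + d * 20 for d in ("11", "22", "33", "44"))
ALLOWED = {TOKEN, HOT_WALLET}
# What the UI displayed: an ERC-20 transfer(address,uint256) call (selector a9059cbb).
DISPLAYED_TX = {"to": TOKEN, "value": 0, "operation": CALL, "nonce": 42,
                "data": bytes.fromhex("a9059cbb") + _word(HOT_WALLET) + _word(10 ** 21),
                "safeTxGas": 0, "baseGas": 0, "gasPrice": 0, "gasToken": ZERO, "refundReceiver": ZERO}
# What reached the signing device: same nonce, but a DELEGATECALL to an unknown target.
SIGNED_TX = {**DISPLAYED_TX, "to": UNKNOWN, "operation": DELEGATECALL, "data": b"\x00" * 4}

if __name__ == "__main__":
    for label, tx in (("displayed", DISPLAYED_TX), ("signed", SIGNED_TX)):
        print(label, safe_tx_hash(1, SAFE, tx).hex(), review(tx, ALLOWED))
```

The point of the demonstration is that the two hashes differ even though the nonce, value and gas fields are identical: a signer who compares the digest on the hardware wallet screen against one computed from the transaction they believe they are approving would catch the substitution regardless of what the web UI rendered. The `review` policy adds a second, cheaper line of defence (no delegatecall, allowlisted targets only, no gas refund surprises) that the UI cannot override because it runs on the signer's side.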

Protocol Exploits

DeFi hacks declined relative to 2024, with losses suppressed despite growth in Total Value Locked (TVL). Chainalysis attributes this to improved security and “target substitution” toward wallets and centralized services. CertiK reported DeFi total value stolen of around $500–700 million across 344 incidents in 2025.

Technical Details and Attack Examples

Common DeFi smart contract flaws include: reentrancy (recursive calls draining funds), faulty input validation (34.6% of cases), oracle manipulation, access-control mistakes, and governance logic weaknesses. Flash loans, borrowing uncollateralized funds to manipulate markets, remain a frequent accelerator for attacks.

  • Cetus DEX Exploit (May 2025): Cetus, a leading DEX on the Sui blockchain, was exploited via a flaw in its math logic, allowing the attacker to drain liquidity across 46 liquidity pairs. Reported estimates put the stolen amount at ~$230 million.
  • Balancer v2 Pools Exploit (November 2025): About $128 million was drained from Balancer v2 Composable Stable Pools after attackers exploited the incorrect rounding behavior in the protocol. Using carefully crafted batchSwap sequences, the attackers manipulated pool balances and extracted value repeatedly across multiple chains. Some believe that the attack was vibe-coded.
Source: SlowMist
  • UPCX Malicious Smart Contract Upgrade (Apr 2025): According to Halborn’s analysis, the attackers compromised the private key of a privileged admin account, probably via social engineering or malware. They used this access to perform an unauthorized upgrade of the ProxyAdmin contract and steal 18.4 million UPC tokens (~$70 million) from multiple management accounts.
  • Shibarium Bridge Exploit (September 2025): Attackers combined a flash loan with compromised validator keys to steal $2.4–4.1 million in assets. They used the flash loan to acquire a large amount of BONE, then delegated it to gain over two-thirds of voting power and push a fake network update. With validator key access, they were able to sign the malicious update and execute unauthorized withdrawals from the bridge.
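The Balancer item above turns on rounding direction, and the "faulty input validation" category in the flaw list is often the same problem in a different guise: integer maths that leaks a remainder to the caller. The Python model below is an added example for this post, not the article's code and not Balancer's pool maths. It is a toy share-based pool in which `favour_pool=False` rounds minted shares up (the depositor's favour) and `favour_pool=True` rounds them down, with payouts always rounding down; `net_extraction` is the kind of invariant test an audit or fuzzing harness would run to prove that no deposit-and-redeem cycle can return more than it put in. All balances are constructed integers.

```python
# Added example (not the article's code and not Balancer's): a toy share-based
# pool showing how a rounding-direction error turns into repeatable extraction,
# beside the hardened form where every rounding remainder stays in the pool.
# Balances are constructed integers in base units.

def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


class ToyPool:
    def __init__(self, assets: int, shares: int, favour_pool: bool):
        self.assets, self.shares, self.favour_pool = assets, shares, favour_pool

    def deposit(self, amount: int) -> int:
        """Mint shares for `amount` of assets; returns the shares minted."""
        if self.favour_pool:
            minted = amount * self.shares // self.assets           # round down: never over-issue
        else:
            minted = ceil_div(amount * self.shares, self.assets)   # BUG: rounds up for the caller
        self.assets += amount
        self.shares += minted
        return minted

    def redeem(self, n: int) -> int:
        """Burn `n` shares for assets; payouts round down in both variants."""
        if n == 0:
            return 0
        out = n * self.assets // self.shares
        self.assets -= out
        self.shares -= n
        return out


def net_extraction(pool: ToyPool, amount: int, rounds: int) -> int:
    """Invariant test: deposit then immediately redeem, `rounds` times, and return the
    caller's net gain. A correctly rounded pool must never yield a positive result."""
    net = 0
    for _ in range(rounds):
        minted = pool.deposit(amount)
        net += pool.redeem(minted) - amount
    return net


if __name__ == "__main__":
    # A pool whose share price is far from 1:1 (1000 assets backing 3 shares) makes
    # the remainder large, which is exactly the regime where the bug pays out.
    for flag in (False, True):
        pool = ToyPool(assets=1000, shares=3, favour_pool=flag)
        print(f"favour_pool={flag}: net after 5 cycles = {net_extraction(pool, 1, 5)}")
```

With the buggy rounding, depositing a single base unit mints a whole share, and redeeming that share pays out a quarter of the pool; repeating the cycle keeps draining. With pool-favouring rounding the same deposit mints nothing, so the caller can only lose. The check to carry into real audits is the invariant, not the toy: for every state-changing function, state which party absorbs the remainder and assert it in a fuzz harness.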

Key and Signing Infrastructure Compromises

Key and signing infrastructure compromises happen when attackers gain or abuse the ability to sign transactions, rather than exploiting smart contract code. These incidents look like attackers stealing keys, extracting signing shares, or subverting approval workflows so legitimate-looking signatures authorize malicious withdrawals across one or many chains.

Technical Details and Attack Examples

These attacks target hot wallets, signing servers, MPC/HSM systems, validator keys, or approval workflows, so malicious withdrawals look legitimate onchain. Once signing authority is compromised, funds can be moved quickly across multiple networks with little chance of reversal.

  • Wemix Auth Keys Compromise (detected Feb 2025, disclosed later): Halborn’s analysis reports that attackers allegedly stole authentication keys used to access a service monitoring system (NILE). The keys may have been exposed via a shared repository. The attacker then executed withdrawals of 8.6 million WEMIX tokens, with the incident resulting in over $6 million in losses per Halborn, and disclosure lagged by weeks.
  • ModStealer (reported in Sep 2025): MetaMask’s security report described ModStealer as a cross-platform infostealer (Windows, Linux, macOS) that hunts for browser wallet extensions and credentials. The campaign was distributed through fake job postings aimed at developers, luring targets into running an installer. MetaMask warned that stolen private keys and seed phrases give direct access to funds.
  • Upbit Hot Wallet Breach (Nov 27, 2025): Upbit disclosed abnormal withdrawals from a Solana-based hot wallet, later revising its loss estimate to KRW 44.5 billion (~$33 million). Halborn’s analysis suggested that the incident was potentially related to weaknesses in Upbit’s digital signature algorithm.
  • Phemex Hot Wallet Hack (Jan 2025): Phemex disclosed that it had detected unusual activity in its hot wallet. About $73 million was stolen across 16 blockchains. Halborn frames the likely root cause as compromised private keys. The Block reported that the hack was likely perpetrated by an experienced group of hackers.
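Several of the incidents above (BigONE, Upbit, Phemex) were noticed as "abnormal withdrawals", and the section notes that once signing authority is compromised, funds move fast and across many chains. A detection rule that encodes those three traits is worth having in place before the keys are lost. The Python below is an added example written for this post, not the article's code or any exchange's monitoring; it runs three rules over a sliding window per hot wallet (payout velocity, first-seen destinations above a size, and fan-out across chains). The JSON log lines, wallet names, destination labels and thresholds are all constructed for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not from the article or any exchange's tooling): a small detector
# for the withdrawal pattern the incidents above share. Log lines, wallet names,
# destination labels and thresholds are constructed for this example.

KNOWN_DESTINATIONS = {"payout-A", "payout-B"}   # constructed: addresses with prior payout history

SAMPLE_LOG = """
{"ts": "2025-01-01T10:00:00", "wallet": "hot-1", "chain": "ethereum", "to": "payout-A", "amount_usd": 5000}
{"ts": "2025-01-01T10:03:00", "wallet": "hot-1", "chain": "ethereum", "to": "payout-B", "amount_usd": 12000}
{"ts": "2025-01-01T10:20:00", "wallet": "hot-1", "chain": "solana",   "to": "new-C", "amount_usd": 400000}
{"ts": "2025-01-01T10:21:00", "wallet": "hot-1", "chain": "tron",     "to": "new-D", "amount_usd": 350000}
{"ts": "2025-01-01T10:22:00", "wallet": "hot-1", "chain": "bitcoin",  "to": "new-E", "amount_usd": 300000}
{"ts": "2025-01-01T10:30:00", "wallet": "hot-2", "chain": "ethereum", "to": "payout-A", "amount_usd": 2000}
"""


def detect(lines, window=timedelta(minutes=10), velocity_cap_usd=1_000_000,
           new_dest_min_usd=100_000, chain_fanout=3, known_destinations=KNOWN_DESTINATIONS):
    """Run three rules per wallet over a sliding time window and return the alerts raised.
    Each event is a JSON object with ts (ISO 8601), wallet, chain, to and amount_usd."""
    seen = set(known_destinations)
    recent = defaultdict(deque)        # wallet -> deque of (ts, chain, amount_usd)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        dq = recent[ev["wallet"]]
        while dq and dq[0][0] < ts - window:   # drop events older than the window
            dq.popleft()
        dq.append((ts, ev["chain"], ev["amount_usd"]))

        def raise_alert(rule, detail):
            alerts.append({"rule": rule, "wallet": ev["wallet"], "ts": ev["ts"], "detail": detail})

        # Rule 1: a sizeable payout to a destination this wallet has never paid before.
        if ev["to"] not in seen and ev["amount_usd"] >= new_dest_min_usd:
            raise_alert("new_destination", f"{ev['amount_usd']} USD to first-seen {ev['to']}")
        seen.add(ev["to"])
        # Rule 2: total value leaving the wallet inside the window exceeds the cap.
        total = sum(amount for _, _, amount in dq)
        if total > velocity_cap_usd:
            raise_alert("velocity", f"{total} USD withdrawn within {window}")
        # Rule 3: withdrawals spread across several chains inside the window.
        chains = {chain for _, chain, _ in dq}
        if len(chains) >= chain_fanout:
            raise_alert("chain_fanout", f"{sorted(chains)} within {window}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts']} {alert['wallet']} {alert['rule']}: {alert['detail']}")
```

On the constructed log the first two payouts are quiet, the three rapid transfers to fresh destinations each trip the new-destination rule, and the third one also trips velocity and chain fan-out, while the unrelated `hot-2` wallet stays silent. In production the alert would feed a withdrawal hold or a second approval step rather than just a log line, which is the "transaction verification" control the conclusion calls for.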

Conclusion

2025 made one thing obvious: strong cryptography and audited contracts don’t stop losses when attackers compromise the software and workflows that sit around them. The biggest incidents weren’t “blockchain bugs” as much as failures in distribution and signing: tampered wallet interfaces, poisoned dependencies, back-end logic changes, and stolen credentials that turned invalid withdrawals into valid ones. DeFi exploits stayed comparatively muted even as TVL recovered, but centralized services and personal-wallet infrastructure became the easiest way to capture outsized value.

Going into 2026, the priority should be hardening the full signing path. We need better digital asset management tools, built on multi-factor authentication without introducing centralization risks, because attacks now target every link in the supply chain. We also need to tighten operational controls, secret handling, and transaction verification, since attackers increasingly target wallet infrastructure and signature flows.

Note: OKcontract is building Chainwall, a fully decentralized asset management suite for yield products.


Navigating the Storm: Lessons From 2025 Crypto Attacks was originally published in Coinmonks on Medium.
