Overview
- Year‑end tallies from Chainalysis, Beosin/Footprint and others place total losses near $3.3–$3.4 billion across roughly 300 major incidents, with fewer events causing outsized damage.
- The Bybit breach in February was the largest at about $1.5 billion and was attributed by U.S. authorities to North Korea’s Lazarus Group, with related activity tied on‑chain to the earlier Phemex hot‑wallet hack.
- Operational exposures outweighed code flaws, with Hacken estimating $2.12 billion lost to access‑control failures and about $951 million to phishing and social‑engineering schemes targeting employees and users.
- DeFi vulnerabilities still proved costly at roughly $512 million, including Cetus on Sui (~$220 million, with around $160 million frozen or recovered) and Balancer (~$116 million), where the funds were heavily traced with a view to potential freezes.
- Losses were concentrated in Q1 and declined through the year, while investigators also flagged emerging AI‑native security failures as a new attack surface requiring updated defenses.