2025 was a turbulent year for crypto security. According to blockchain analytics firm Chainalysis, over $3.4 billion<\/strong><\/a> <\/strong>was stolen through hacks and thefts<\/strong>, and about $17 billion<\/strong> was stolen in crypto scams and fraud<\/strong> in 2025 (with at least $14 billion identified onchain so far). PeckShield reported<\/a> ~$4.04 billion <\/strong>in combined losses in 2025, split between ~$2.67 billion<\/strong> (up ~24.2% YoY) from hacks and ~$1.37 billion<\/strong> from scams and phishing. CertiK reported<\/a> $3.35 billion <\/strong>lost in 2025 across hacks, scams, and exploits (about +37% vs. 2024), while stressing the theme of fewer but larger\u00a0attacks<\/strong>.<\/p>\n According to Chainalysis<\/a>, total value stolen from centralized services<\/strong> hit $2.5 billion<\/strong> across fewer incidents in 2025: the top three hacks<\/strong> accounted for 69% of all service losses<\/strong>. The number of personal wallet compromises<\/strong> is rising and DeFi hack losses stayed comparatively muted even as TVL recovered. PeckShield<\/a> reported that attackers shifted from DeFi to CEXs and large organizations, using supply-chain attacks<\/strong> and private-key compromises<\/strong>, driving these targets\u2019 share of total losses to 75%, up 46%<\/strong> from\u00a02024.<\/p>\n In this blog post, we focus on software-related attacks, excluding phishing and scam. We rely on major reports for metrics like total value stolen (TVS), incident counts, and year-over-year changes, and include hands-on technical examples from forensic investigations showing how vulnerabilities were exploited. One pattern stands out: While DeFi hack losses<\/strong> stayed comparatively muted<\/strong> even as TVL recovered, attackers shifted attention to<\/strong> personal wallets<\/strong> and centralized services<\/strong>.<\/p>\n Source: Peckshield<\/a><\/p>\n Certik called the Supply Chain (exploits of blockchain-based dependencies, CI\/CD, and wallet integrations) \u201cthe most costly attack vector\u201d, totaling $1.4 billion<\/strong> losses across 2<\/strong> incidents.<\/p>\n Centralized platforms breaches often blend social engineering<\/strong> with operational access<\/strong>. A common method involves \u201cembedded IT worker\u201d infiltration and related recruiter impersonation, which can yield privileged access to systems, source code, and signing workflows. Once inside, attackers exploit private key infrastructure by bypassing cold wallet controls\u200a\u2014\u200ae.g., tricking multisig signers into approving malicious transactions via altered interfaces.<\/p>\n Bybit \/ Safe{Wallet} UI Compromise<\/strong><\/a> (February 2025)<\/strong>: Bybit suffered the largest cryptocurrency theft ever. Attackers induced signer to sign a malicious transaction during what appeared to be a routine cold-to-hot transfer, stealing ~401,000 ETH<\/strong> (~$1.5 billion<\/strong>). Post-incident analyses<\/a> revealed that attackers injected malicious JavaScript code into the Safe{Wallet} UI on a compromised developer machine, altering transaction displays to deceive signers into authorizing fund transfers. Chainalysis reported<\/a> that an experienced group of hackers was behind the\u00a0attack.Trust Wallet Extension Exploit <\/strong><\/a>(December 2025)<\/strong>: Trust Wallet posted<\/a> about a malicious Chrome Web Store browser extension (v2.68) <\/strong>published outside its normal release process. The malware could access sensitive wallet data, transmit recovery phrases to phishing domains like metrics-trustwallet.com and trigger unauthorized transactions. Trust Wallet reported 2,520<\/strong> affected wallet addresses<\/strong>, with ~$8.5M<\/strong> in impacted assets tied to 17<\/strong> attacker-controlled addresses.AI-generated npm Drainer<\/strong><\/a> (Jul 2025): <\/strong>Malware showed up as \u201cdeveloper tooling,\u201d like the AI-generated npm package @kodane\/patch-manager<\/strong>, reported to have 1,500+ downloads<\/strong> before takedown and designed to drain Solana\u00a0wallets.BigONE Exchange Back-End Logic Tampering<\/strong><\/a> (Jul 2025)<\/strong>: BigONE reported<\/a> abnormal movements of some platform\u2019s assets. Halborn explained<\/a> that the attackers exploited their access to alter BigONE\u2019s backend account<\/strong> and risk-control logic to auto-approve withdrawals. A back-end logic tampering <\/strong>allowed them to submit unauthorized withdrawal requests to steal about $27 million<\/strong> in total across multiple\u00a0chains.SwissBorg \/ Kiln Endpoint Compromise (Sep 2025): <\/strong>Swissborg reported<\/a> a third-party endpoint compromise, a malicious transaction path leading the loss of funds from SOL Earn. Blockchain investigator ZachXBT reported that Swissborg lost approximately $40 million worth of\u00a0SOL.<\/p>\n DeFi hacks declined relatively to 2024, with losses suppressed despite Total Value Locked (TVL) growth. Chainalysis<\/a> attributes this to improved security and \u201ctarget substitution\u201d toward wallets and centralized services. CertiK reported<\/a> DeFi total value stolen around $500\u2013700 million<\/strong> across 344<\/strong> incidents in\u00a02025.<\/p>\n Common DeFi smart contract flaws include: reentrancy (recursive calls draining funds), faulty input validation (34.6% of cases), oracle manipulation, access-control mistakes, and governance logic weaknesses. Flash loans, <\/strong>borrowing uncollateralized funds to manipulate markets, remain a frequent accelerator for\u00a0attacks.<\/p>\n Cetus DEX Exploit<\/strong><\/a> (May 2025)<\/strong>: Cetus, a leading DEX on the Sui blockchain, was exploited<\/a> via a flaw in its math<\/strong> logic, allowing the attacker to drain liquidity across 46 liquidity pairs. Reported estimates put the stolen amount at ~$230\u00a0million.Balancer v2 Pools Exploit<\/strong><\/a> (November 2025)<\/strong>: About $128 million<\/a> was drained from Balancer v2 Composable Stable Pools after attackers exploited the incorrect rounding behavior<\/strong> in the protocol. Using carefully crafted batchSwap sequences, the attackers manipulated pool balances and extracted value repeatedly across multiple chains. Some believe that the attack was vibe-coded<\/a>.Source: Slowmist<\/a>UPCX Malicious Smart Contract Upgrade<\/strong><\/a> (Apr 2025): <\/strong>The attackers, according to Halborn\u2019s analysis<\/a>, compromised private key of a privileged admin account, probably via social engineering or malware. They exploited this access to perform an unauthorized upgrade of the ProxyAdmin contract to steal 18.4 million UPC tokens<\/strong> (~$70 million<\/strong>) from multiple management accounts.Shibarium Bridge Exploit<\/strong><\/a> (September 2025)<\/strong>: Attackers combined a flash loan<\/strong> with compromised validator keys <\/strong>to steal $2.4\u200a\u2014\u200a4.1<\/strong> million in assets. They used the flash loan to acquire a large amount of BONE, then delegated it to gain over two-thirds of voting power and push a fake network update<\/strong>. With validator key access, they were able to sign the malicious update and execute unauthorized withdrawals<\/strong> from the\u00a0bridge.<\/p>\n Key and signing infrastructure compromises happen when attackers gain or abuse the ability to sign transactions<\/strong>, rather than exploiting smart contract code. These incidents look like attackers stealing keys, extracting signing shares, or subverting approval workflows so legitimate-looking signatures authorize malicious withdrawals across one or many\u00a0chains.<\/p>\n These attacks target hot wallets, signing servers, MPC\/HSM systems, validator keys, or approval workflows, so malicious withdrawals look legitimate onchain. Once signing authority is compromised, funds can be moved quickly across multiple networks with little chance of reversal.<\/p>\n Wemix Auth Keys Compromise<\/strong><\/a> (detected Feb 2025, disclosed later):<\/strong> Halborn\u2019s analysis reports that attackers allegedly stole authentication<\/strong> keys<\/strong> used to access a service monitoring system<\/strong> (NILE). The keys may have been exposed via a shared repository. The attacker then executed withdrawals of 8.6 million<\/strong> WEMIX tokens, with the incident resulting in over $6 million<\/strong> in losses per Halborn<\/a>, and disclosure lagged by\u00a0weeks.ModStealer (reported in Sep 2025):<\/strong> MetaMask\u2019s security report<\/a> described ModStealer as cross-platform infostealer<\/strong> (Windows, Linux, macOS) that hunts for browser wallet extensions and credentials. <\/strong>Campaigns were distributed through fake job postings<\/strong> aimed at developers, trying to lure targets into running an installer. MetaMask warned that stolen private keys and seed phrases<\/strong> can provide direct access to\u00a0funds.Upbit Hot Wallet Breach <\/strong><\/a>(Nov 27, 2025): <\/strong>Upbit exchange disclosed abnormal withdrawals from a Solana-based hot wallet<\/strong>, revising loss estimate to KRW 44.5 billion (~$33 million)<\/strong>. Halborn\u2019s analysis supposed<\/a> that the incident was potentially related to weaknesses in Upbit\u2019s digital signature algorithm.<\/strong>Phemex Hot Wallet Hack<\/strong><\/a> (Jan 2025)<\/strong>: Phemex exchange disclosed<\/a> that they detected unusual activity in their hot wallet. About $73 million <\/strong>were <\/strong>stolen across 16 blockchains. Halborn<\/a> frames the likely root cause as compromised private keys<\/strong>. TheBlock reported<\/a> that the hack was likely perpetrated by an experienced group of\u00a0hackers.<\/p>\n 2025 made one thing obvious: strong cryptography and audited contracts don\u2019t stop losses when attackers compromise the software and workflows that sit around them. The biggest incidents weren\u2019t \u201cblockchain bugs\u201d as much as failures in distribution and signing: tampered wallet interfaces, poisoned dependencies, back-end logic changes, and stolen credentials that turned invalid withdrawals into valid ones. DeFi exploits stayed comparatively muted even as TVL recovered, but centralized services and personal-wallet infrastructure became the easiest way to capture outsized\u00a0value.<\/p>\n Going into 2026, the priority should be hardening the full signing path: We need better digital asset management tools, which are built on multi-factor authentication but without introducing centralization risks, as we notice that attacks target every bit of supply chain. We need to tighten operational controls, secret handling, and transaction verification, because attackers are increasingly targeting wallet infrastructure and signature flow.<\/p>\n Note: OKcontract is building <\/em>Chainwall<\/em><\/a>, a fully decentralized asset management suite for yield products.<\/em><\/p>\n Navigating the Storm: Lessons From 2025 Crypto Attacks in<\/a> was originally published in Coinmonks<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":" Navigating the Storm: Lessons From 2025 Crypto\u00a0Attacks 2025 was a turbulent year for crypto security. According to blockchain analytics firm Chainalysis, over $3.4 billion was stolen through hacks and thefts, and about $17 billion was stolen in crypto scams and fraud in 2025 (with at least $14 billion identified onchain so far). PeckShield reported ~$4.04 […]<\/p>\n","protected":false},"author":0,"featured_media":129627,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-129626","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-interesting"],"_links":{"self":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/129626"}],"collection":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=129626"}],"version-history":[{"count":0,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/129626\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/media\/129627"}],"wp:attachment":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=129626"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=129626"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=129626"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Supply Chain and Software Distribution Compromises<\/h3>\n
Technical Details and Attack\u00a0Examples<\/h4>\n
Protocol Exploits<\/h3>\n
Technical Details and Attack\u00a0Examples<\/h4>\n
Key and Signing Infrastructure Compromises<\/h3>\n
Technical Details and Attack\u00a0Examples<\/h4>\n
Conclusion<\/h3>\n