In December 2025, there were only five DeFi hacks that incurred losses that exceeded $1 million. In total, these incidents resulted in approximately $20 million being stolen from the protocols.
This represents a decrease in both attack numbers and impacts when compared to the previous month. November saw six major DeFi hacks to December’s five, and its $175 million in total losses dwarfs December’s totals.
Biggest DeFi Hacks of December 2025
In December 2025, five DeFi hacks involved losses in excess of $1 million. These include the following:
USPD: USPD suffered a CPIMP attack, in which an attacker inserted a malicious proxy between the platform’s upgradeable proxy and implementation code via a frontrunning attack. Later, the attacker took advantage of their malicious access to mint about 98 million USPD and steal about 232 stETH from the project, resulting in about $1 million in losses.
Aevo: An update to Aevo’s oracle code introduced a precision mismatch and access control vulnerabilities. The attacker created malicious options products designed to expire and provide excessive rewards, allowing them to steal approximately $2.7 million from the project.
Trust Wallet: A supply chain attack targeting version 2.68 of Trust Wallet’s browser extension introduced malicious functionality into the code. The attacker stole an estimated $8.5 million from users who installed and used the malicious version of the code.
Flow: In a December hack, vulnerabilities in Flow’s execution layer were targeted by an attacker. An estimated $3.9 million was stolen and moved off-network before the attack was halted by the network validators.
Unleash Protocol: Unleash Protocol, a project hosted on Story Protocol, suffered a $3.9 million hack. The attackers manipulated the governance protocols for the project’s multi-sig wallet to perform a malicious upgrade and transfer assets from the protocol.
Lessons Learned from the Attacks
The major DeFi hacks of December 2025 are unusual for this year in that they largely involved code exploits rather than the increasingly common off-chain attack. USPD, Aevo, and Flow were all exploited via vulnerabilities in their on-chain code, while Trust Wallet’s browser extension was compromised by an attacker and modified to include malicious functionality within the legitimate codebase. In contrast, many of the biggest hacks of 2025 to date involved compromised private keys or sophisticated social engineering attacks targeting multi-sig validators or other off-chain infrastructure, like the Unleash Protocol hack.
These December 2025 hacks demonstrate that comprehensive security audits are still an essential component of a DeFi security strategy. All code, whether on-chain or off-chain, should be reviewed before deployment, and deployment processes should be carefully designed and implemented to avoid threats like the frontrunning attack that targeted USPD. To learn more about securing your project against exploitable code vulnerabilities with Halborn, get in touch.