
Year in Review: The Biggest DeFi Hacks of 2025

POSTED BY: Rob Behnke

01.07.2026

In 2025, only six hacks exceeded $50 million in losses, compared to the eight that met this threshold in 2024. However, the presence of the Bybit hack on this list with its $1.4 billion in losses means that the total for 2025 far exceeds that of the previous year.

Top DeFi Hacks in 2025

In 2025, there were several DeFi hacks with price tags in the millions. However, a much smaller number resulted in losses of over $50 million.

  1. Bybit ($1.4B)

The February 2025 hack of Bybit was the most expensive DeFi hack in history, with an estimated $1.4 billion in losses. The attackers performed a supply chain attack on the project’s signing infrastructure, tricking signers into approving malicious transactions that transferred control over the wallet to the attacker and enabled them to drain funds from the exchange.

  2. Cetus ($223M)

In May 2025, the Cetus Protocol was exploited via a mathematical error in the project’s liquidity calculations. The attacker took advantage of a flawed overflow check to perform an integer overflow and steal an estimated $223 million from the project.

  3. Balancer v2 ($120M)

In November 2025, Balancer v2 pools were exploited via a flaw in the smart contract’s access control code, which allowed the attacker to masquerade as the owner of any account within the pool, and a rounding error that permitted invariant manipulation. Due to the composability of these pools, multiple projects were affected, resulting in about $120 million in losses.

  4. Nobitex ($90M)

In June 2025, Nobitex, Iran’s largest crypto exchange, was the target of a politically-motivated attack by Gonjeshke Darande, a hacking group also known as Predatory Sparrow. The group stole an estimated $90 million from the exchange — likely via compromised private keys — before sending the stolen crypto to unreachable addresses and publicly releasing the platform’s source code.

  5. Phemex ($73M)

In the January 2025 Phemex hack, attackers drained the exchange’s hot wallets across sixteen different blockchains, stealing a total of $73 million. The root cause of the incident is believed to be compromised private keys, a common root cause of CEX incidents.

  6. UPCX ($70M)

In April 2025, UPCX, a crypto payment platform, suffered a malicious update to its smart contract. This incident, attributed to a compromised private key, resulted in an estimated $70 million in losses for the platform.

Lessons Learned from the Attacks

In 2025, many of the biggest hacks involved off-chain attacks, such as compromised private keys. When the scope is narrowed to the top six, this trend continues, with Bybit, Nobitex, Phemex, and UPCX suffering incidents involving compromised private keys or, in Bybit’s case, compromised off-chain infrastructure.

At the same time, on-chain security also played a role in the biggest hacks of the year. Cetus and Balancer v2 suffered hacks due to smart contract vulnerabilities, and the UPCX hack involved a malicious update to the smart contract code.
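The flawed overflow check described in the Cetus entry belongs to a class of bug that can be shown in miniature: a guard with the wrong bound in front of a fixed-width left shift. The following is an added example, not Cetus's code and not part of the original post; it shows such a guard beside a corrected one and how the truncated result understates an amount owed. The 128-bit width, the 64-bit shift, the function names and the inputs are all assumptions constructed for illustration.

```rust
// Constructed illustration; names, widths and inputs are assumptions.
const SHIFT: u32 = 64;

/// Flawed guard: the bound is far too high, so inputs whose upper
/// bits will be shifted out are still accepted.
fn shl64_flawed(n: u128) -> Option<u128> {
    let bound: u128 = (u64::MAX as u128) << SHIFT; // wrong threshold
    if n > bound {
        None
    } else {
        Some(n << SHIFT) // upper 64 bits of n are silently discarded
    }
}

/// Corrected guard: reject if any set bit would leave the 128-bit word.
fn shl64_checked(n: u128) -> Option<u128> {
    if n >> (128 - SHIFT) != 0 {
        None
    } else {
        Some(n << SHIFT)
    }
}

/// Hypothetical pricing step: ceil(((liquidity * delta) << 64) / denom).
fn tokens_owed(
    liquidity: u128,
    delta: u128,
    denom: u128,
    shl: fn(u128) -> Option<u128>,
) -> Option<u128> {
    if denom == 0 {
        return None;
    }
    let numerator = shl(liquidity.checked_mul(delta)?)?;
    Some(numerator / denom + u128::from(numerator % denom != 0))
}

fn main() {
    let denom = 1u128 << 64;
    let huge = (1u128 << 64) + 1; // just past the safe range
    // Ordinary input: both guards agree.
    println!("{:?}", tokens_owed(1000, 3, denom, shl64_flawed));
    println!("{:?}", tokens_owed(1000, 3, denom, shl64_checked));
    // Oversized input: the flawed guard prices it at almost nothing.
    println!("{:?}", tokens_owed(huge, 1, denom, shl64_flawed));
    println!("{:?}", tokens_owed(huge, 1, denom, shl64_checked));
}
```

In Rust the `<<` operator only checks the shift amount, never the bits that fall off the top, so the guard is the only thing standing between an oversized input and a truncated result.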

This variety of attack vectors underscores the importance of a comprehensive Web3 security strategy that considers both on-chain and off-chain vulnerabilities and attack vectors. Halborn offers a range of security advisory and smart contract auditing services that draw upon its extensive experience in the Web2 and Web3 spaces. Get in touch to find out more.

Disclaimer

The information in this blog is for general educational and informational purposes only and does not constitute legal, financial, or professional advice. Halborn makes no representations as to the accuracy or completeness of the content, which may be updated or changed without notice.