PeckShield: Large-Scale Crypto Hacks in Q1 2025 — Largest Exploits and Record Losses in the Crypto Market Crypto Hacks in Q1 2025: Damages Exceed $1.6 Billion, 131% Growth, and Major Attacks on Bybit and DeFi Protocols

Cryptocurrency Hacks Reach $1.6 Billion in Q1 2025 — PeckShield Analytics

PeckShield, a company specializing in the security of blockchain protocols and cryptocurrency ecosystems, has published a new report in which it notes a significant increase in the damage from hacker attacks in the crypto industry. According to security data, the volume of crypto assets stolen as a result of hacks exceeded $1.63 billion in the first quarter of 2025. This was a record figure, especially considering that more than 92% of this amount was attributed to a single incident – the exploit of the Bybit cryptocurrency exchange.

Key facts for the quarter

Total damage: $1.63 billion in cryptocurrency was stolen in the first three months of 2025.
Biggest Loss: The Bybit exchange incident accounted for over 92% of the total losses.
January: losses amounted to about $87 million.
February: Losses spike to $1.53 billion due to the Bybit attack and other exploits.
March: losses down 97% from February – only $33 million.

Dynamics and causes of losses

In January 2025, losses from hacks were relatively small – about $87 million, which is a relatively stable level for the cryptocurrency market with its known dynamism. This is explained by a smaller number of high-profile incidents and, possibly, increased security measures in individual projects.

However, there was a sharp jump in February, with losses rising to $1.53 billion. The main reason for this was a cyberattack exploit on the Bybit cryptocurrency exchange. This attack became the largest recorded case of theft in the cryptocurrency industry to date.

PeckShield: Large-Scale Crypto Hacks in Q1 2025 — Biggest Exploits and Record Losses in the Crypto Market Crypto Hacks in Q1 2025: Damages Exceed $6.6 Billion, 131% Growth, and Major Attacks on Bybit and DeFi Protocols

Besides Bybit, there were other significant losses of funds in February:

$50M Infini Platform Exploit
zkLend protocol hack with damages of $9.5 million
Ionic attack causes $8.5 million in losses

In March, the situation changed for the better – losses decreased almost 30 times compared to February, to $33 million. Some lost crypto assets were partially returned to users and protocols, which helps to minimize the impact of the attack.

Increase in hacks and damage compared to 2024

PeckShield also noted that the number of hacks recorded in Q1 2025 exceeded 60, indicating high activity by attackers. Compared to Q1 2024, when losses amounted to $706 million, the increase in losses was an impressive 131%. This highlights the ongoing security challenges in the cryptocurrency sector and the need for increased security measures.

Major Incidents of March 2025

Abracadabra.Money Hack: On March 25, attackers withdrew around 6,260 ETH — worth around $13 million at the time — from the DeFi protocol. The attack was the largest incident of March.
Zoth Protocol Hack: On March 21, Cyvers detected a suspicious transaction in which scammers withdrew $8.4 million from the protocol’s wallets, converting the assets into stablecoins and transferring them to other addresses. The protocol operates with real-world assets (RWA), highlighting the growing threat in new areas of DeFi.

Positive trends: partial return of stolen funds

It is worth noting separately that a number of hacked assets were returned in March. Thus, the hacker who hacked the decentralized exchange 1inch and stole $5 million returned 90% of the funds – about $4.5 million. It is noteworthy that this return was conditioned by an agreement: the exchange offered the attacker a reward of 10% of the return amount ($500 thousand) in exchange for the return of the remaining assets. This case demonstrates the possibilities of negotiations and partial mitigation of damage by cooperating with hackers.

Record-breaking volumes of cryptocurrency thefts:

The first quarter of 2025 was a record-breaking year for cryptocurrency thefts, signaling continued risks for investors and platforms. Despite a decline in losses in March, the high growth in the number and scale of attacks highlights the importance of developing technical protection, auditing smart contracts, and implementing progressive incident response methods. Positive examples of partial refunds and flexible policies from affected platforms show new opportunities to reduce overall losses.

Overall, the security situation in the cryptocurrency sector remains one of the key issues. The increase in phishing, exploits, and attacks on DeFi projects requires a comprehensive approach from the entire industry — from developers to regulators and users.

Let’s look at a selection of articles similar in topic to cryptocurrency hack analysis in 2025, focusing on loss statistics, major thefts, and security trends in crypto ecosystems:

“Hackers stole $2 billion from crypto services in 2025. Who is behind the attacks” – the article says that since the beginning of 2025, more than $2.1 billion has been stolen as a result of about 75 hacks, noting an increase in strategic and geopolitically motivated attacks on blockchain services 1 .
“In 2025, hackers stole $2.17 billion in cryptocurrency” (Expert.ru) – details of the largest cryptocurrency thefts, including the $1.46 billion Bybit hack, as well as information that hackers are increasingly attacking personal wallets in the US, Germany and Russia 2 .
“Cryptocurrency hacks have caused record amounts of damage since the start of 2025,” says a report from TRM Labs, which focuses on the involvement of organized crime groups and politically motivated attacks, as well as the largest incident involving Bybit 3 .
“Cryptocrime in 2025: Record amounts, wallet hunting and wrench attacks” – an analysis of the types of attacks and their share in the total damage to the crypto industry, as well as security tips and current threats 4 .
“In 2025, hackers will steal cryptocurrency at a record pace” (Kommersant) – an analysis of the growth in theft volumes and potential consequences, including forecasts for the end of the year and the geography of victims 5 .
Hacken analysts report “Cryptocurrency hack losses exceed $3.1 billion in the first half of 2025” – data on attack types, vulnerabilities and security trends in the cryptocurrency market 6 .
“Coinbase Hack: How Hackers Stole Data of 70,000 Customers” is a case of a major hack of the American crypto exchange in May 2025, a description of the data leak and its consequences for users and the market 7 .

These publications will help to get a comprehensive understanding of the situation in the crypto market in 2025 in terms of security and the scale of damage from hacks. If you want, I can provide links to these articles or select other materials on specific aspects.

Hackers stole more than $2 billion from crypto services in the first half of 2025, and the scale of attacks is reaching record levels in both the amount of funds stolen and the number of incidents, highlighting the growing threat in the cryptocurrency and blockchain space.

Overall overview of damage and attack dynamics

According to various analytics companies, including TRM Labs, Chainalysis, and Hacken, in the first half of 2025, attackers stole more than $2.1-$2.17 billion from crypto services and wallets, which is about 10-17% more than in the same period of 2022 and exceeds the total amount stolen for all of 2024 1 2 3 4 5 6 . This is a massive increase, considering that in 2024, about $2.85 billion was stolen in total for the entire year.

The number of hacks recorded is around 75 incidents in the first six months, indicating high hacker activity 1 3 . A significant proportion of the attacks are carried out by organized crime groups with strong political and geopolitical motivations, which is a new qualitative level of threats 1 3 . Hackers from North Korea (DPRK) have been named as the main players in a number of major attacks, including the world-famous Bybit exchange hack 2 3 5 .

Major incidents and key targets

The Bybit hack in February 2025 was the largest cryptocurrency theft in history, with an estimated $1.46–$1.5 billion stolen . The FBI later blamed the attack on North Korean hackers, highlighting the geopolitical dimension of modern cybercrime 2 3 5 .
In addition to Bybit, there have been major losses amounting to tens of millions of dollars across various DeFi protocols, crypto exchanges, and platforms.
A significant portion of the attacks targeted personal cryptocurrency wallets , from which the attackers withdrew about 23.35% of the total amount of stolen funds. The main victims are located in the United States, Germany, and Russia 2 5 .
Attacks also include private key hacking and phishing, which are key tools that allow hackers to gain control over assets 3 6 .

Types of attacks and security features

Analysts note that:

Most of the vulnerabilities are related to the exploitation of access controls to wallets and smart contracts, which account for a significant portion of the losses – for example, 59% of all damages are related to access control vulnerabilities, and errors in smart contracts led to losses of about $263 million 6 .
There is a shift from typical technical hacks to human factor attacks – phishing, private key theft, blind signature attacks.
There has been an increase in politicized attacks, such as the hack of the Iranian crypto exchange Nobitex, which caused damages of over $90 million, for which an Israeli hacker group claimed responsibility, with a clear political message 3 .

Consequences and forecasts

The total amount of cryptocurrency thefts by the end of 2025, if the trend continues, could exceed $4 billion , which would be almost double the record-breaking 2024 2 5 .
The increase in the number of attacks and the volume of thefts seriously undermines trust in the crypto industry and requires increased security measures at both the technical and organizational levels.
Vulnerable areas include both centralized exchanges and DeFi projects, as well as personal crypto wallets, which requires a comprehensive approach to ensuring security.
Major data loss incidents, such as the Coinbase hack that affected 70,000 customer data, show that the threat extends beyond financial losses to impact user privacy 7 .

Conclusion

The first half of 2025 has been a testing period for the cryptocurrency space, with over 75 hacks resulting in losses of over $2 billion, with the main threat coming from sophisticated, politically motivated groups, especially from North Korea. The largest hack of Bybit, with around $1.5 billion lost, marked a new era of large-scale cyberattacks on the crypto market. The increase in attacks on personal wallets requires increased measures to protect users. At the same time, it is necessary to consider the geopolitical context of the threats and improve the comprehensive security system, including both technical and legal aspects.

What are the main reasons for the increase in cryptocurrency thefts in 2025?

The main reasons for the increase in cryptocurrency thefts in 2025 are the following factors:

Attacks on infrastructure and personal wallets are on the rise: More than 80% of losses are due to the theft of private keys, seed phrases, and hacking of user interfaces. Hackers are increasingly targeting individual cryptocurrency wallets of users, which accounted for 23.35% of the total amount of stolen funds. The main victims are located in the United States, Germany, and Russia 1 3 5 .
Use of new, more sophisticated cyberattack methods: Hacking has become more complex, with new methods including front-end vulnerabilities, fake websites and phishing attacks. Phishing emails and chats are now created using neural networks, creating more convincing fraudulent messages 7 .
Vulnerabilities in Smart Contracts and Access Control: Much of the damage is due to bugs and weaknesses in smart contracts and access control systems, allowing hackers to exploit these flaws to commit thefts 1 .
Increase in strategic, politically motivated attacks: The share of attacks motivated by geopolitical interests and national security has increased. For example, the large-scale hack of the Bybit exchange by hackers from North Korea became the largest theft of cryptocurrency in history. It is noted that as the role of digital assets in national security grows, so does the complexity of attacks 1 .
Increase in physical violence and attacks on users: The number of so-called “wrench attacks” – attacks using physical violence against cryptocurrency asset owners – has increased, indicating an increase in risk in the real world as well 2 .
Rising Value and Popularity of Cryptocurrencies: The rising value and popularity of cryptocurrencies is encouraging criminals to step up their attacks as the potential profit from thefts becomes greater than 2 .
Insufficient protection of users and infrastructure: Many users store private keys insecurely, for example in phone notes or cloud services, which makes it easier for attackers to access accounts 7 .

These factors together explain the sharp increase in the number of incidents and the amount of funds stolen in the cryptocurrency space in 2025, creating new challenges for the security of assets and users 1 2 3 5 7 .

What vulnerabilities allow hackers to hack personal wallets in 2025

The main vulnerabilities that allow hackers to break into personal cryptocurrency wallets in 2025 include the following factors:

Stealing private keys and seed phrases via malware and stealers: Hackers use advanced Trojans such as Lumma Stealer, Amadey, and SparkCat, distributed via phishing sites, malware apps, and fake CAPTCHA. These programs steal credentials, private keys, and even recovery phrases, which are often images recognized by OCR (text recognition) technologies 2 6 .
Phishing and social engineering: Attackers create fake websites, fake apps, and malicious ads to trick users into revealing their wallet credentials. They use automated neural network tools to create convincing messages and send them in bulk 2 5 .
Exploiting vulnerabilities in smart contracts and access control systems: Errors in smart contract programming and weak implementation of access control allow attackers to withdraw funds and bypass protocol protections 2 .
Browser Caching and Browsing Leaks: Hackers can gather information about which cryptocurrency platforms and wallets a victim uses by extracting data from the browser cache, making it easier to plan attacks 3 .
Data theft via fake or infected apps on mobile platforms: Malicious apps in Google Play and Apple App Store that contain embedded frameworks to steal data from wallets are active in 2025 6 .
Clipboard address manipulation: Some malware replaces cryptocurrency wallet addresses in the clipboard with the addresses of attackers, which leads to funds being inadvertently sent to someone else’s account 2 .
“Wrench attacks” and physical violence: Physical pressure and threats against crypto wallet owners to gain access to private keys are becoming an additional threat outside the digital space 5 .

Taken together, these vulnerabilities reflect both technical and human risk factors that are actively exploited by hackers in 2025, making personal wallets some of the most vulnerable targets in the crypto space.

What vulnerabilities in crypto wallets allow hackers to steal funds in 2025

The main vulnerabilities in cryptocurrency wallets that allow hackers to steal funds in 2025 include the following key points:

Demonic vulnerability (CVE-2022-32969): Google Chrome and Mozilla Firefox browsers cache data entered into text fields (not passwords) used by Metamask, Phantom, Brave wallets to disk to enter seed phrases. This allows attackers to gain access to secret recovery phrases and import the wallet to another device, stealing funds 1 .
Stealing private keys and seeds using malware and stealers: Trojans like Lumma Stealer, Amadey, SparkCat infect devices via phishing sites and malicious applications, steal credentials, keys and even recognize seeds using OCR technologies 3 .
Phishing and social engineering: Hackers create high-quality fake websites, fake apps, and use automated neural network tools to send convincing messages that trick users into revealing keys or confirming malicious transactions. For example, the attack on the Bybit exchange was carried out by compromising the working environment of developers and replacing the transaction signing interface 2 5 .
Smart contract bugs and poor access control implementation: Bugs in smart contract logic and weak validator and multi-signature access control allow attackers to withdraw funds. An example is a vulnerability in cross-chain bridges that leads to millions of dollars in losses 2 .
Browser Cache and Clipboard Manipulation: Hackers extract crypto wallet information from the browser cache and replace the wallet addresses in the clipboard with their own, forcing users to send cryptocurrency to the attackers 3 .
Infected or Fake Mobile Apps: Malicious crypto wallets and apps infiltrate official stores (Google Play, Apple App Store) and steal user data 3 .
Physical violence (“wrench attacks”): Used against crypto wallet owners to gain access to private keys outside the digital space 3 .
New methods of confirming malicious transactions: For example, using fake pop-up windows to confirm delegation in Ethereum (EIP-7702), through which users lose significant amounts of money 2 .

Taken together, these vulnerabilities reflect a combination of technical flaws in wallet software and human error that will be actively exploited by hackers in 2025 1 2 3 5 .

How Demonic Vulnerability Allows Hackers to Steal Cryptocurrency

The Demonic vulnerability (CVE-2022-32969) allows hackers to steal cryptocurrency funds by stealing crypto wallet seed phrases. The issue is related to how Google Chrome and Mozilla Firefox browsers cache the contents of text input fields (except passwords) to disk as part of the standard session recovery mechanism.

Many crypto wallets, such as MetaMask, Phantom, and Brave, use text fields to enter seed phrases that are not marked as a password, so the entered seed phrases are automatically cached on disk by the browser in plain text. If an attacker or malware gains access to the victim’s computer, they can extract these seeds from the cache, import the wallet to another device, and gain full control over the funds and NFTs stored in that wallet 1 .

The Demonic vulnerability thus exploits a technical flaw in the way browsers store text data, leading to the compromise of key information for accessing a crypto wallet and the theft of funds.

Why Outdated Security Systems Remain Part of the Problem

Legacy security systems remain part of the problem in 2025 for several key reasons:

Lack of updates and security patches: Outdated systems are often no longer supported by manufacturers and do not receive updates, making them vulnerable to new types of cyberattacks and exploits 1 2 4 .
Difficulties with integration and compatibility. Old systems do not fit well with modern technologies and infrastructure, which leads to a decrease in the overall effectiveness of protection and creates additional vulnerabilities at the junctions of systems 1 3 .
High costs and staff shortages. Support and maintenance of legacy systems require specific knowledge and resources, and finding specialists with such skills is becoming increasingly difficult, while support costs are rising 1 3 .
Limited scalability and functionality: Legacy technologies are often unable to effectively cope with growing workloads and functional requirements, which reduces the quality of protection and ease of use 1 .
Risk of non-compliance with modern regulations: Many legacy systems do not comply with new security standards and legal regulations, which can lead to fines and legal problems 1 .
The growing range and sophistication of cyber threats. Modern attacks use new techniques that legacy systems simply cannot adequately block or detect, increasing the likelihood of successful hacks 2 3 .

Thus, despite their critical role in business processes, legacy systems create a wide attack surface and difficulties in maintaining security. Their continued use without modernization or replacement significantly increases the risks associated with cyberattacks and data loss. An effective solution requires a systematic modernization and transition to modern, integrated and supported security systems 1 2 3 4 .

What measures help protect private keys and seed phrases in 2025

Key measures to help protect your cryptocurrency wallet private keys and seed phrases in 2025 include the following recommendations:

Store your seeds offline only: Do not store your seeds digitally on devices connected to the internet (computers, smartphones, cloud storage). The best way is to write the phrase down on paper or engrave it on a metal plate and store it in a safe place, such as a safe or specialized storage 1 2 3 7 8 .
Making multiple copies and splitting the phrase: Make multiple copies of the seed phrase and store them in different inaccessible places. You can also split the phrase into parts and store them in different locations (Shamir’s method) – this will prevent attackers from having full access if one copy is compromised 1 5 6 .
Encrypting digital copies: If you do need to store the phrase digitally, be sure to use strong encryption so that the data is inaccessible without a special key 1 6 .
Using hardware wallets: Hardware wallets store private keys in an isolated, secure device, reducing the risk of your phrase and keys being compromised via the internet or malware 2 9 .
Two-factor authentication and transaction verification: Enable two-factor authentication to access wallets and exchanges, and carefully check recipient addresses before confirming transactions to avoid address spoofing by attackers 2 9 10 .
Regular Backups and Monitoring: Make regular backups and check them, as well as monitor wallet activity with notifications and analyze transaction history 2 .
Phishing Education and Caution: Never enter your seed phrase online, use only official apps and sites. Be wary of emails, sites, and messages that ask you to enter your seed phrase – this could be phishing 3 6 .
Additional passphrase: Many wallets support adding an additional secret phrase to the seed phrase, which creates an additional layer of security and reduces the risk of theft if the main phrase is leaked 4 6 .
Using multi-signature wallets: These wallets require multiple signatures to conduct transactions, which increases security and prevents one-way debiting of funds if one part of the keys is compromised 5 6 .
Avoid taking photos or storing seed phrases as images in the cloud: Images can be accidentally uploaded to cloud services and stolen 1 .

Together, these measures form a reliable complex for protecting private keys and seed phrases, minimizing the risks of losing crypto assets due to digital and physical threats.

What Common Mistakes Increase the Risk of Seed Loss or Theft in 2025

Common mistakes that significantly increase the risk of losing or stealing crypto wallet seed phrases in 2025 include the following:

Entering the seed phrase on phishing sites or in fraudulent applications. Users often inadvertently reveal the seed phrase by entering it on fake web resources and applications that imitate official services. This allows attackers to gain full access to funds 1 .
Storing your seed phrase digitally on devices with internet access. Saving the phrase on computers, smartphones, cloud storage, or even in notes and photos puts your data at risk from malware, keyloggers, and browser cache vulnerabilities 1 2 5 .
Poor physical storage or loss of backups. Writing the seed phrase on fragile materials (paper), not having multiple copies, storing it in easily accessible or obvious places increases the risk of destruction, theft or accidental loss 1 5 .
Disclosing or sharing the phrase with third parties: Some users trust the seed phrase to scammers posing as support or share it with others, which leads to the wallet being compromised 1 .
Using unencrypted or public networks for wallet transactions. Public Wi-Fi and unsecured devices can be vulnerable to data interception if the seed phrase is entered or used in such conditions 1 .
Human errors when writing or working with the phrase. Incorrect copying, careless writing and lack of checks when saving the phrase can lead to the impossibility of restoring access to the wallet 1 .
Lack of awareness of modern attack methods. Ignoring current threats, such as malware with OCR technologies that replace addresses in the clipboard, or automated phishing mailings using neural networks, contributes to the success of attacks 1 10 .

Taken together, these errors create critical vulnerabilities that hackers will actively exploit in 2025 to compromise crypto assets. The main advice is to carefully store the seed phrase offline in several copies, not to disclose it online, and to use modern security measures when working with crypto wallets.

Final Conclusion on the State of Cryptocurrency Security in 2025

2025 has become a time of unprecedented security challenges for the crypto industry. The record increase in hacks and the scale of digital asset thefts — more than $2 billion in the first six months and more than 75 major incidents — clearly demonstrates that today’s crypto spaces remain extremely vulnerable to both technical and social attacks.

The main factors driving the growth of cybercrime are technical vulnerabilities in crypto wallet and smart contract software, as well as human factors, including phishing and user errors. The threat is exacerbated by the widespread use of malware and stealers, the development of automated social engineering methods using neural networks, and the significant involvement of strategically and politically motivated groups, which raises the issue of cryptocurrency security to the level of national and international security.

Of particular concern are vulnerabilities such as “Demonic” — browser seed caching — and common user errors, including storing private keys and seed phrases in digital files, unverified interactions with suspicious sites and applications. Despite technological progress, many security systems remain outdated and unable to withstand emerging threats, requiring urgent modernization.

However, there are also positive trends emerging, such as partial recovery of stolen funds after hacks, the introduction of multi-signature wallets, the use of hardware key storage, and increased user awareness of security issues. A combination of technical innovation, improved user education, and developed legislation can reduce the vulnerability of crypto assets.

Ultimately, successful protection of crypto assets requires a comprehensive and multi-layered approach: improving technical means of protection (hardware wallets, smart contract auditing, encryption), detailed user security procedures (secure storage of seed phrases, caution against phishing), and adapting the regulatory framework to combat cybercrime.

And only such systemic measures in the interaction of the industry, users and regulators will be able to ensure the sustainable development of the cryptocurrency market, minimizing the risks of losses and strengthening trust in the high-tech digital financial space of the future.

Sources: ibmm.ru 1 , Binance 2 , woolypooly.com 5 , ptsecurity.com 10 .

Sources: PRO32, vc.ru, ibmm.ru, CoinSutra, Woolypooly, crew-c.com, Ledger, RBC, Futureby.info, CryptoCloud.plus 1 2 3 4 5 6 7 8 9 10 .

https://www.itsec.ru/news/uyazvimost-demonic-pzvolayet-opustoshat-chuzhiye-kriptokoshelki

1 itsec.ru — Demonic vulnerability and browser cache with seed phrases
2 bithide.io — DeFi hacking methods, phishing, social engineering, Bybit and MetaMask examples
3 ptsecurity.com — malicious stealers, browser cache, phishing
5 vc.ru — social engineering and AI bots for phishing and interface substitution

Sources: Expert.ru 1 , Ptsecurity 2 , vc.ru 3 , SecurityLab 5 , Kaspersky Lab 6 , Kommersant 7 .

Sources: 1 RBC, 2 Expert.ru, 3 iXBT, 4 BCS Express, 5 Kommersant, 6 Hacken, 7 Block-Chain24 (data on the Coinbase hack).