Fact Checked by Coinsbeat Editorial Team | Expert Reviewed by Themiya

The wallet gets drained, the post-mortems go up, Twitter loses its mind for 48 hours, and then the market moves on. That’s the story most people tell themselves about a crypto exploit. It’s also completely wrong.

Immunefi just dropped its “State of Onchain Security 2026” report, and the number that should be keeping every DeFi founder up at night isn’t the $4.67 billion stolen across 2024 and 2025. It’s this: 84% of hacked tokens never recovered to their pre-hack price within six months. Median decline over that window? 61%. Let that sink in.

The theft is the trigger. The slow bleed is the actual kill shot.

$4.67 Billion Stolen, But the Real Story Is in the Distribution

Immunefi tracked 191 hacks across 2024 and 2025. The raw headline number, $4.67 billion, sounds catastrophic. And it is. But the way that number is structured tells you something far more disturbing about where the risk actually lives.

The median hack was $2.2 million. Down from $4.5 million in the 2021-2023 cycle. On the surface, that looks like the industry got smarter. It didn’t. Look closer.

• The average hack still came in at roughly $24.5 million, more than 11 times the median.

• In the prior period, that gap was only 6.8 times. The distribution got more extreme, not less.

• The top five hacks accounted for 62% of all funds stolen. The top ten grabbed 73%.

• Bybit alone, a $1.5 billion exploit confirmed as a North Korean Lazarus Group operation, represented 44% of all funds stolen in 2025.

Here’s the thing about a distribution like this. It creates a false sense of security at the median level. Most projects look at the average hack size and think, “We can survive a $2 million exploit.” Maybe. But the tail risk? That’s where a single catastrophic event rewrites the entire year’s narrative in one afternoon.

The number of hacks per year barely moved. 94 in 2024, 97 in 2025, almost identical to 2023. The industry has essentially normalized this. Hacks are no longer a crisis to be solved. They’re a recurring line item.

Centralized Exchanges: The Biggest Chokepoint Nobody Wants to Talk About

Let’s be real about something the decentralization crowd tends to gloss over. Of the 191 hacks in Immunefi’s dataset, only 20 involved centralized exchanges. Twenty. That’s roughly 10% of all incidents.

Those 20 incidents produced $2.55 billion in losses, or 54.6% of all stolen funds.

Think about that ratio for a second. A tiny fraction of attack vectors is responsible for the majority of actual damage. The problem isn’t just buggy smart contracts or poorly audited DeFi protocols. It’s the places where trust, custody, and key management get concentrated into a single point of failure. Bybit proved this at scale.

Honestly, this is the part of the report that deserves more attention than it’s getting. The DeFi community loves to point at centralized venues as dinosaurs. But if CEXes are generating over half the losses from a tenth of the attacks, the conversation about systemic risk needs to start there, not with some obscure bridge protocol nobody’s heard of.

The Six-Month Cliff: Where Projects Actually Die

This is the section of Immunefi’s report that I think most analysts are underweighting. The price damage data.

Immunefi analyzed 82 hacked tokens. The immediate shock, the two-day median decline, was roughly 10%. Bad, but survivable. Then look at what happens next.

• Six-month median decline: 61%, worsening from 53% in the 2021-2023 study.

• 56.5% of hacked tokens were down more than 50% at the six-month mark.

• 14.5% were down more than 90%.

• Only 16% of projects were trading above their hack-day price six months later.

Why does this happen? Because in crypto, the token isn’t just a speculative asset. It’s the treasury. It’s the recruitment tool. It’s the partnership leverage. It’s the public sentiment barometer that counterparties and investors check before every deal. When it craters and stays down, everything downstream craters with it.

Teams lose security leadership within weeks. Three months get consumed by recovery work instead of shipping product. Partners who were in diligence quietly walk away. The company that was supposed to build something is now spending its energy fighting for basic credibility.

And this plays out in a market environment where information moves faster than any PR team can respond. Counterparties reprice their exposure before the internal cleanup is even finished. That’s a brutal structural disadvantage that most projects simply aren’t capitalized enough to survive.

The Interconnected DeFi Stack Is Making Contagion Worse

Look, DeFi composability is genuinely impressive. Bridges, liquid staking, restaking, lending markets, stablecoins all snapping together like financial Lego. The innovation is real. So is the fragility it creates.

Immunefi’s argument is that this interconnectedness creates longer vulnerability chains. A compromise doesn’t stay contained to the protocol where it originated. It travels. It hits dependent protocols. It drains liquidity from adjacent markets. It triggers collateral cascades.

This isn’t hypothetical. We’ve seen it. Every major DeFi exploit of the last three years has had second and third-order effects that weren’t visible until the dust settled. The more integrated the ecosystem becomes, the farther a single exploit can travel before anything stops it.

To be fair, Immunefi acknowledges it can’t always cleanly separate hack damage from pre-existing project weakness or broader market conditions. Some of these tokens were fragile long before anyone touched the code. Illiquid, overvalued, losing momentum. The hack was the match, but the kindling was already there.

Still. The pattern is hard to dismiss.

The Investor’s Lens: How to Read Hacked Projects Before You Touch Them

From a cold-blooded portfolio perspective, here’s what this data actually means for anyone allocating capital in this space.

• Post-hack dip buyers are almost always early, not smart. 84% of hacked tokens don’t recover in six months. The “buy the fear” trade looks a lot like catching a falling knife most of the time.

• Centralized exchange counterparty risk is real and still massively underpriced by retail participants. If one venue can absorb 44% of a year’s total losses in a single event, that’s not an edge case. That’s a structural problem.

• TVL concentration metrics matter more than most people admit. Before you allocate to any DeFi protocol, understand how many other protocols it’s load-bearing for. The more dependencies, the farther a compromise travels.

• Immunefi’s own bug bounty infrastructure is, predictably, positioned as part of the solution in this report. Worth keeping that commercial angle in mind when reading their conclusions.

Risk Factor: The Survival Window Is Narrower Than You Think

Here’s the real danger the report surfaces for anyone holding tokens in protocols that haven’t been tested yet. The projects most likely to get wiped out post-hack aren’t necessarily the ones with the worst code. They’re the ones that were already undercapitalized, already losing narrative momentum, and already operating with thin liquidity in their token markets.

A hack doesn’t create fragility. It reveals it.

If you’re holding a governance token in a protocol with low TVL, thin trading volume, and a small treasury relative to its market cap, you are already sitting on a recovery-impossible situation if anything goes wrong. The hack is just the event that makes it visible to everyone else.

The industry has 425 hacks and $11.9 billion in losses over five years to learn from. The market hasn’t gotten meaningfully safer. It’s just gotten better at absorbing the shock and moving on. Whether that’s resilience or denial probably depends on which side of the next exploit you end up on.

References & Sources:

• Immunefi State of Onchain Security 2026 Report via CryptoSlate
• FBI Confirms North Korea Lazarus Group Stole $1.5 Billion From Bybit via CryptoSlate

Frequently Asked Questions