The Crypto Market Has Suffered $22.7 Billion in Losses From Hacks and Scams

The Price Of Trust In A Decentralized World

The Big, Uncomfortable Number

Since Bitcoin’s early days, crypto’s great promise—self-custody, permissionless access, programmable money—has come paired with a hard truth: if you hold the keys, you also hold the risk. That risk has been tallied in a new way this year. A comprehensive longitudinal study by Crystal Intelligence estimates that, from 2011 through mid-2025, the crypto industry has suffered $22.7 billion in losses to hacks and scams across 785 incidents. The researchers found that Ethereum-based platforms were the most targeted, followed by multi-chain and Bitcoin-based systems.

That headline number sits alongside annual snapshots from other analytics firms that track the ebb and flow of illicit activity. Chainalysis calculates that hackers stole ~$2.2 billion in 2024 alone (up about 21% from 2023), with private-key compromise against centralized platforms playing an outsized role—think of the 2024 breaches at Japan’s DMM Bitcoin (~$305 million) and India’s WazirX (~$235 million).

In 2025, the trend intensified due to a single catastrophic event: Bybit’s February exploit, which drained roughly $1.4–$1.5 billion in ether from a wallet—widely reported as the largest crypto theft on record and attributed by law-enforcement and multiple analysts to North Korean actors. The incident instantly reshaped the year’s totals and, frankly, the security conversation.

The point isn’t to litigate whose methodology is “best.” Crystal’s multi-year compilation, Chainalysis’ rolling annual tallies, and incident-driven coverage from Reuters, Bloomberg, the Journal and CoinDesk triangulate a simple reality: billions have been lost, and losses cluster in patterns that are no longer random.

How We Got Here: A Brief Timeline

2011–2016: Exchanges as Single Points of Failure

Crypto’s first mass-market lesson in counterparty risk came with Mt. Gox, which at its peak handled the majority of Bitcoin trading. A series of breaches and mismanagement ended in a 2014 bankruptcy and an oft-cited loss tally around $500 million in BTC at contemporaneous prices. The reputational shock still echoes in the market’s reflexive fear of centralized honeypots.

Two years later, Bitfinex lost ~120,000 BTC (about $72 million then) in one of the most consequential exchange hacks ever. In a remarkable twist underscoring blockchain’s forensic traceability, U.S. authorities seized ~94,000 BTC tied to the heist—~$3.6 billion at the time of seizure—years later, after unraveling the laundering trails.

2017–2020: ICO Boom, Ponzi Schemes, and Mega-Heists

As ICOs boomed, outright fraud surged. The most infamous example is OneCoin, a multi-billion-dollar pyramid scheme posing as a cryptocurrency; U.S. prosecutors say victims invested over $4 billion. Subsequent convictions and sentences for key operators underscore the expanding prosecutorial reach over crypto fraud.

Meanwhile, traditional exchange vulnerabilities persisted. In 2018, Coincheck suffered a $530 million NEM theft, prompting Japanese regulators to tighten oversight.

2021–2022: The DeFi Bridge Era

Programmable finance unlocked remarkable utility—and new attack surfaces. Cross-chain bridges and DeFi composability became favorite targets. In 2021, Poly Network saw ~$610 million drained (most of it later returned). In 2022, the Ronin/Axie Infinity bridge exploit hit ~$620 million, while Wormhole lost ~$320 million before backer Jump stepped in to recapitalize. These incidents crystallized an uncomfortable truth: bridging value between chains adds enormous complexity, often with privileged signer sets or brittle assumptions.

2023–2024: Fewer Mega-Hacks, More Professionalized Scams

Chainalysis reported that overall funds stolen fell >50% in 2023, even as incident counts rose—suggesting better security on the largest targets, but a steady drumbeat of smaller thefts. In 2024, hacks rebounded to ~$2.2 billion, with key compromises at centralized platforms back in the headlines. Alongside, “pig-butchering” romance-investment scams and wallet-drainer phishing kits industrialized consumer-level theft. Researchers estimate drainers siphoned ~$295–$300 million from ~320,000 wallets in 2023 alone, and Chainalysis says scam revenue likely hit record levels in 2024, boosted by AI-assisted social engineering.

2025: The Super-Hack and State Actors

This year’s Bybit theft, paired with a surge in state-linked activity, frames a sobering reality. Elliptic assesses that North-Korean-linked groups have already stolen over $2 billion in 2025, helped by the Bybit incident, taking DPRK’s cumulative crypto haul to well over $6 billion. Chainalysis’ mid-year update likewise shows >$2.17 billion stolen across services by July, outpacing 2024.

What the $22.7 Billion Is Actually Made Of

Crystal’s long-horizon view and incident catalogs from Chainalysis, TRM, and media reporting point to five dominant buckets of loss. Let’s unpack each—how they work, why they succeed, and which cases defined them.

1) Exchange Hacks: Keys, Cold Wallets, and Operational Debt

How they work: Attackers compromise private keys, exploit MPC/threshold-signing misconfigurations, abuse withdrawal whitelists, or leverage insider access. Because centralized exchanges aggregate liquidity, one key failure can be existential.

Case studies:

  • Mt. Gox (2011–2014): A mix of theft and mismanagement culminated in roughly $500 million in BTC losses (at the time) and a decade-long bankruptcy proceeding.

  • Bitfinex (2016): ~120,000 BTC stolen, later partially recovered through record DOJ seizures, a milestone for crypto forensics.

  • Coincheck (2018): $530 million in NEM stolen, catalyzing tighter oversight in Japan.

  • DMM Bitcoin (2024): ~$305 million loss, highlighting that large, regulated markets remain targets.

  • Bybit (2025): $1.4–$1.5 billion ether theft—the largest ever—and a case study in cold-to-warm transfer risk and operational controls.

Why they succeed: Centralization concentrates risk. Even with multi-sig and hardware security modules, any gap in key ceremony, infrastructure privilege boundaries, or withdrawal controls can yield catastrophic single-point failures. The 2024 Chainalysis review emphasized the resurgence of key compromise at centralized services.

2) DeFi Exploits: Composability’s Double-Edged Sword

How they work: Logic bugs in smart contracts, oracle manipulation, flash-loan-amplified attacks, and bridge validator compromises. Cross-chain bridges are especially fraught due to complex trust assumptions and large TVL.

Case studies:

  • Poly Network (2021): $610 million exfiltrated via cross-chain message vulnerabilities; most funds returned.

  • Ronin/Axie (2022): ~$620 million via validator key compromise; later linked to DPRK with partial recoveries.

  • Wormhole (2022): ~$320 million, later made whole by backer Jump Trading—proof that deep pockets can plug technical holes, but not systemic exposure.

  • Nomad, Euler, Mixin (2022–2023): A reminder that even well-regarded projects can harbor latent assumptions or operational risks.

Why they succeed: DeFi’s strength—composability—means any bug in a core building block can cascade. Audits help but do not eliminate unknown unknowns; economic design, oracle integrity, and formal verification matter as much as code linting. Chainalysis’ multi-year analyses frame bridges as repeat offenders.

3) Rug Pulls and Developer Exit Scams

How they work: Creators whitelist themselves to mint or withdraw funds, or they hype tokens and pull liquidity once retail capital floods in. In 2021, Chainalysis flagged rug pulls as a major share of scam revenue, a trend that evolved but did not vanish.

Representative pattern: Anonymous teams launch tokens with buzzy narratives, promise staking yields and roadmaps, then disappear or exercise backdoors. Many never reach mainstream headlines, but collectively they add up.

4) Phishing, Drainers, and “Ice-Phishing”

How they work: Social engineering meets wallet UX. “Drainer” kits trick users into signing malicious approvals; address-poisoning and Create2 tricks exploit interface assumptions; fake support, fake mints, and seeded search ads close the trap.

The toll: ScamSniffer tracked roughly $295–$300 million drained across ~320,000 wallets in 2023; CoinDesk chronicled a single Ethereum drainer with $60 million in six months. Chainalysis warns that measuring drainers is hard, but the vector is growing.
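A wallet can run a pre-signature check against the malicious-approval pattern described above: decode the calldata the user is asked to sign and flag broad grants to unrecognized spenders. The sketch below is an added example, not code from ScamSniffer or any wallet; the risk labels, the `known_spenders` allow-list and the sample addresses are assumptions.

```python
MAX_UINT256 = 2**256 - 1
# Standard 4-byte selectors for the ERC-20 / ERC-721 approval functions.
SELECTORS = {
    "095ea7b3": "approve",
    "39509351": "increaseAllowance",
    "a22cb465": "setApprovalForAll",
}

def classify(calldata_hex, known_spenders=frozenset()):
    """Return a warning dict for approval calls, or None for anything else."""
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    name = SELECTORS.get(data[:8])
    if name is None or len(data) != 8 + 64 * 2:    # selector + two ABI words
        return None
    try:
        padding, value = int(data[8:32], 16), int(data[72:136], 16)
        int(data[32:72], 16)                       # address must be valid hex
    except ValueError:
        return None
    if padding != 0:                               # address is left-padded with zeros
        return None
    spender = "0x" + data[32:72]
    trusted = spender in known_spenders
    if value == 0:
        return {"call": name, "spender": spender, "risk": "info",
                "why": "revokes or leaves the grant unchanged"}
    if name == "setApprovalForAll":
        broad = True
        why = "operator may move every token in the collection"
    else:
        broad = value >= MAX_UINT256 // 2          # treat huge values as unlimited
        why = "unlimited allowance" if broad else "allowance of %d base units" % value
    if broad:
        risk = "medium" if trusted else "high"
    else:
        risk = "low" if trusted else "medium"
    return {"call": name, "spender": spender, "risk": risk, "why": why}

def encode(selector, spender, value):
    """Build constructed sample calldata: selector + padded address + uint256."""
    return "0x" + selector + spender[2:].rjust(64, "0") + "%064x" % value

# Constructed addresses for the demo, not real contracts.
UNKNOWN = "0x" + "ab" * 20
ROUTER = "0x" + "cd" * 20

if __name__ == "__main__":
    print(classify(encode("095ea7b3", UNKNOWN, MAX_UINT256)))
    print(classify(encode("095ea7b3", ROUTER, 1000), {ROUTER}))
    print(classify(encode("a22cb465", UNKNOWN, 1)))
```

A real wallet would also need to cover signed off-chain permits, which never appear as transaction calldata and so bypass a check of this shape.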

5) Ponzi Schemes and Off-Chain Fraud

How they work: Old wine, new bottles. Multi-level marketing pitches and sham “exchanges” solicit fiat and crypto, report fake returns, then implode. The blockchain is incidental; the psychology is classic.

Case studies:

  • OneCoin: A $4+ billion global fraud, with co-founder Karl Sebastian Greenwood sentenced to 20 years in 2023 and other executives convicted thereafter; the “Cryptoqueen” Ruja Ignatova remains a fugitive.

  • PlusToken: A China-centered high-yield scheme that at its height controlled billions in crypto, later unwound by authorities (widely covered in prior reporting).

The State Actor Factor

No modern review is complete without North Korea. Chainalysis and Elliptic have tracked a multi-year campaign of high-stakes intrusions tied to DPRK-linked groups, funding sanctions-strained state programs. In 2024, trilateral statements from the U.S., Japan, and South Korea cited ~$650 million attributed to DPRK-linked hacks; in 2025, Elliptic says DPRK-linked crews have already exceeded $2 billion, driven by Bybit, pushing cumulative regime-linked steals past $6 billion.

Seizure and disruption are real, though not automatic. In 2022, U.S. authorities clawed back ~$3.6 billion in BTC tied to the 2016 Bitfinex hack—an unprecedented recovery that showcased years of blockchain tracing and interagency work. In 2022, investigators even seized >$30 million from funds traced to the Ronin/Axie hack. These successes don’t neutralize the threat, but they do demonstrate that public ledgers cut both ways.

Annual Patterns: What the Totals Tell Us

  • 2018, 2021–2024 stand out as billion-dollar hack years. Chainalysis tallied >$1B stolen in each of those years, with 2022 peaking above $3B due to DeFi/bridge super-heists. 2023 saw a marked dip, then 2024 rebounded to about $2.2B—and 2025 is tracking higher again because of Bybit.

  • Scams professionalized: Chainalysis estimates at least $9.9B in 2024 scam inflows, likely revised upward as new addresses are linked. WSJ reporting has mapped the global “pig-butchering” infrastructure, from Cambodian safe-havens to money service intermediaries.

  • Concentration risk persists: A handful of mega-incidents still drive yearly totals, indicating that operational security at centralized custodians and validator key management at bridges remain systemic weak points.

Platforms Most Affected

Crystal’s 2011–2025 dataset points to Ethereum-based platforms as the most frequently targeted, followed by multi-chain protocols and then Bitcoin. That aligns with common sense: Ethereum’s DeFi density and composability multiply attack surfaces, while multi-chain bridges and wrappers stretch trust models. Bitcoin’s simpler scripting surface reduces smart-contract risk, though exchange custody remains a perennial issue.

How Defenders Are Adapting

Regulation: From Proof-of-Reserves to Qualified Custody

Post-FTX, exchanges rushed to publish proof-of-reserves (PoR) attestations, while auditors and regulators cautioned that PoR without liabilities disclosure is incomplete. At the same time, U.S. regulators have pressed on custody rules for investment advisers, debating whether crypto venues qualify as “qualified custodians” and what safeguards are necessary for institutions to participate at scale. Europe’s MiCA regime, entering into force in phases since late 2024, gives the EU a baseline framework on market abuse and consumer protections for crypto assets.

The regulatory arc is uneven, but the direction is clear: segregated client assets, surprise examinations, capital requirements, and operational risk mandates are moving closer to the crypto stack. Even the FATF “Travel Rule”—KYC information accompanying transfers between VASPs—has seen broader adoption, with ~99 jurisdictions implementing or moving to implement guidance as of mid-2025, aiming to curb laundering pipelines.

Cybersecurity: Key Management, Segmentation, and Kill-Switch Playbooks

On the technical front, centralized custodians are re-architecting wallet infrastructure—MPC/threshold schemes, air-gapped key ceremonies, withdrawal velocity limits, and just-in-time signing. DeFi protocols have leaned into formal verification, battle-tested libraries, timelocks and circuit breakers, and oracle hardening. The Bybit episode has further elevated interest in transaction-level risk controls and out-of-band consensus before funds move from cold to warm wallets.
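The layered withdrawal controls named above (approval quorum, time delay, velocity limit, kill-switch) can be sketched as a gate in front of the signer. This is an added illustration, not any exchange's code; the class names, thresholds and approver roster are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    amount: float                   # value leaving cold storage, in ETH
    created_at: float               # unix seconds when the request was filed
    approvers: set = field(default_factory=set)

@dataclass
class WithdrawalPolicy:
    authorized: frozenset           # people allowed to approve (assumed roster)
    quorum: int = 2                 # distinct authorized approvers required
    delay_s: int = 3600             # cooling-off period before signing
    window_s: int = 86400           # rolling window for the velocity cap
    cap: float = 500.0              # max total outflow per window, in ETH
    halted: bool = False            # kill-switch state
    history: list = field(default_factory=list)   # (time, amount) released

    def release(self, req, now):
        """Return (allowed, reason); each control is checked independently."""
        if self.halted:
            return False, "kill-switch engaged"
        if len(req.approvers & self.authorized) < self.quorum:
            return False, "quorum not met"
        if now - req.created_at < self.delay_s:
            return False, "time delay not elapsed"
        recent = sum(a for t, a in self.history if now - t < self.window_s)
        if recent + req.amount > self.cap:
            return False, "velocity cap exceeded"
        self.history.append((now, req.amount))
        return True, "ok"

def demo():
    """Constructed scenario: each control blocks a different failure."""
    p = WithdrawalPolicy(authorized=frozenset({"alice", "bob", "carol"}))
    out = []
    r1 = Request(100.0, created_at=0, approvers={"alice", "mallory"})
    out.append(p.release(r1, now=4000)[1])    # mallory is not on the roster
    r1.approvers.add("bob")
    out.append(p.release(r1, now=10)[1])      # approved, but filed 10 s ago
    out.append(p.release(r1, now=4000)[1])    # all controls pass
    r2 = Request(450.0, created_at=4000, approvers={"alice", "carol"})
    out.append(p.release(r2, now=8000)[1])    # 100 + 450 exceeds the 500 cap
    p.halted = True                           # operator pulls the kill-switch
    r3 = Request(1.0, created_at=0, approvers={"alice", "bob"})
    out.append(p.release(r3, now=9000)[1])
    return out

if __name__ == "__main__":
    print(demo())
```

The gate only limits blast radius if it runs outside the trust boundary of the signing key, so that compromising the signer does not also compromise the policy.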

Forensics and Seizures: The “Public Ledger Effect”

Even when thieves vanish into mixers, the trail persists. The Bitfinex recoveries and subsequent guilty pleas illustrated how blockchain analytics, exchange compliance, and court orders can converge years later. In Asia, recent multi-stakeholder actions froze tens of millions linked to pig-butchering—again, a testament to collaboration between exchanges, stablecoin issuers, analytics firms, and law enforcement.

Sanctions and Mixers

The policy response to mixers has evolved. Governments have sanctioned mixing services over money-laundering concerns, then revisited measures as courts and policy makers debate software speech, decentralization, and due-process. Regardless of the legal back-and-forth, the message to bad actors is clearer: laundering at scale is harder than it used to be.

Why This Matters: Trust, Institutions, and Stability

Investor Trust

The repeated cycle—breach, panic, withdrawals, autopsy—erodes retail confidence and can dissuade new entrants. Each mega-hack spawns copycats and fuels a cottage industry of drainer kits and scam farms. The 2023–2025 wave of AI-assisted phishing raises the baseline skill of scammers, widening the pool of potential victims. That’s one reason law-enforcement and media have focused on the human-trafficking-linked scam compounds behind a share of the pig-butchering economy.

Institutional Adoption

Institutions care about governance and guardrails. After FTX, large funds demanded segregated custody, insurance, and clear legal claims on assets in bankruptcy. U.S. regulators’ scrutiny of adviser custody, plus MiCA’s risk regime in Europe, are gating functions for broad adoption. In this sense, high-profile failures paradoxically accelerate maturation, pushing the industry toward SOC-audited processes, redundant custody, and board-level risk oversight.

Market Stability

Liquidity concentrates on a handful of custodians, venues, and bridges. When one fails spectacularly, systemic tremors follow—spreads widen, funding costs rise, and risk assets sell off. Research and market coverage around Mt. Gox repayments in 2024 show how legacy shocks can still ripple a decade later. Concentration risk is the quiet macro story underneath the headline hacks.

Practical Lessons the Industry Can’t Ignore

  1. Design for Key Compromise
    Assume a signing key will eventually leak. Architect defense-in-depth—velocity caps, multi-person approval, anomaly detection, time-delayed withdrawals, and kill-switches. The largest losses in 2024–2025 were, at root, key-control failures.

  2. Bridges Need Institutional-Grade Governance
    Validator sets, attestation logic, and upgrade processes must be as robust as bank-grade settlement systems. The biggest DeFi losses came from trust-assumption failures in bridging.

  3. DeFi Needs Economic Security, Not Just Code Audits
    Oracle manipulation and incentive misalignments can be just as deadly as re-entrancy bugs. Projects are embracing formal verification, but game-theory-aware design and battle-tested primitives matter just as much.

  4. Fight Scams Like a Supply Chain
    Pig-butchering and drainers operate as professionalized ecosystems. The counter must be ecosystemic too—exchange blacklists and freezes, wallet warnings, SEO takedowns of fake sites, and rapid-response takedowns of drainer infrastructure. The $295–$300 million drained from wallets in 2023 should be treated as a preventable layer-7 failure.

  5. Prove Solvency With Rigor, Not Optics
    PoR without liabilities is a half-measure. The industry needs attestations that tie assets to obligations, subject to rigorous auditing and regulatory review, or it will keep relearning the same painful lessons.

Will Things Get Better?

Yes—and no.

Yes, because the toolbox is richer. Public ledgers give defenders an enormous asymmetric advantage once they have cooperation across exchanges, stablecoin issuers, analytics firms, and police. The Bitfinex recovery and recent multi-jurisdictional freezes of scam proceeds demonstrate that recoveries at scale are possible, even years later. MiCA, FATF Travel Rule uptake, and tighter custody regimes harden the legal-operational perimeter.

No, because incentives still favor attackers. The prize pool grows with adoption and prices; composability and cross-chain interoperability add complexity faster than auditors can certify it; and AI-augmented social engineering lowers the cost of high-quality deception. As long as compromised keys and naive approvals can drain nine or ten figures in a few transactions, the offense will keep trying.

The Bottom Line

The $22.7 billion figure is more than a grim statistic. It is a decade-long ledger of what breaks under pressure: key management, bridge governance, incentive design, user interfaces, and basic human psychology. The fix is not a single patch or new buzzword. It is the unglamorous convergence of secure engineering, institutional risk controls, and boring, repeatable processes—wrapped in a regulatory framework that clarifies responsibilities and consequences.

Crypto will never be risk-free. Neither is the internet, banking, or email. But the market can become risk-literate. If the last ten years taught us how attackers think, the next ten must codify how defenders operate—by default, not after the fact.

And if there is a single durable lesson from all of this, it’s the same one every security veteran knows: assume breach, minimize blast radius, and plan the recovery before you need it.