$1.5 billion. Gone in one afternoon. That was Bybit, February 2025. North Korea's Lazarus Group did not bother trying to crack Ethereum's cryptography. They went after the people instead — injected malicious JavaScript into the wallet interface Bybit's team used, hijacked an AWS session token, slipped past multi-factor auth, and walked out with 401,347 ETH. The FBI confirmed the attribution within weeks.
Here is what makes that number hard to sit with: it was more money than every DeFi exploit in 2025 combined. One operational mistake at one exchange, and $1.5 billion disappeared. Chainalysis counted $3.4 billion in total blockchain theft for 2025, up 55% from $2.2 billion the year before. The blockchain itself was fine. The humans running things on top of it were not.
## How blockchain keeps your transactions secure
A blockchain is a distributed ledger — a database copied across thousands of computers worldwide. When you send Bitcoin or interact with a smart contract on Ethereum, that transaction gets validated by the network before it becomes permanent. Three things make this process hard to tamper with.
Cryptographic hashing ties every block to the one before it. Each block contains a hash — a mathematical fingerprint — of the previous block's data. To alter one transaction, you would need to recalculate every hash in the chain after it. On Bitcoin, with millions of miners running SHA-256 calculations, that requires more computing power than exists in most countries.
Decentralization spreads the ledger across thousands of nodes. A traditional bank database lives on servers in one location. Hack those servers, and you own the data. A blockchain network has no single point of failure. The ledger exists everywhere at once. Compromising it means compromising the majority of those nodes at the same time, across different countries, networks, and operators.
Consensus mechanisms force the network to agree before anything gets recorded. Bitcoin miners burn electricity solving cryptographic puzzles to earn the right to validate transactions. Ethereum validators stake their own ETH as collateral — if they approve a fraudulent transaction, they lose their stake. Both approaches make cheating expensive. Attacking Bitcoin's Proof of Work consensus would cost billions in hardware and electricity. Attacking Ethereum's Proof of Stake would mean buying and risking billions in ETH.
Those three layers working together are why no one has ever hacked the Bitcoin or Ethereum blockchain itself. But the infrastructure people build on top of it? That is a different story.
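As an added illustration of the hash-chaining and proof-of-work argument above (example code written for this page, not from the original article or any real client), here is a toy chain in Python: each block commits to the previous block's hash, mining searches for a nonce that meets a difficulty target, and changing one old transaction breaks every link after it. The block structure, the single SHA-256 over JSON, and the hex-zero difficulty rule are simplifications chosen for the example; real Bitcoin hashes an 80-byte header with double SHA-256.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Dict, List

# Constructed toy chain for illustration. Real Bitcoin blocks hash an 80-byte header
# (version, previous hash, Merkle root of the transactions, timestamp, target, nonce)
# with double SHA-256; the chaining principle shown here is the same.

GENESIS_PREV = "0" * 64


@dataclass
class Block:
    index: int
    prev_hash: str                      # hash of the previous block: the link in the chain
    transactions: List[Dict[str, Any]]
    nonce: int = 0                      # varied by mining until the hash meets the target

    def hash(self) -> str:
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash,
             "transactions": self.transactions, "nonce": self.nonce},
            sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(payload).hexdigest()


def mine(block: Block, difficulty: int) -> Block:
    """Toy proof of work: find a nonce whose hash has `difficulty` leading hex zeros."""
    target = "0" * difficulty
    while not block.hash().startswith(target):
        block.nonce += 1
    return block


def build_chain(batches, difficulty: int = 2) -> List[Block]:
    """Mine one block per batch of transactions, each linked to the previous hash."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = mine(Block(i, prev, [dict(t) for t in txs]), difficulty)
        chain.append(block)
        prev = block.hash()
    return chain


def validate(chain: List[Block], difficulty: int = 2) -> int:
    """Return -1 if every link and proof of work checks out, else the first bad block's index."""
    prev = GENESIS_PREV
    for block in chain:
        h = block.hash()
        if block.prev_hash != prev or not h.startswith("0" * difficulty):
            return block.index
        prev = h
    return -1


def repair_from(chain: List[Block], start: int, difficulty: int = 2) -> int:
    """Re-mine block `start` and every block after it so the chain validates again.
    Returns how many blocks had to be re-mined: the work needed to rewrite one old entry."""
    prev = chain[start - 1].hash() if start > 0 else GENESIS_PREV
    for block in chain[start:]:
        block.prev_hash, block.nonce = prev, 0
        prev = mine(block, difficulty).hash()
    return len(chain) - start


if __name__ == "__main__":
    chain = build_chain([[{"from": "a", "to": "b", "amount": 5}],
                         [{"from": "b", "to": "c", "amount": 2}],
                         [{"from": "c", "to": "a", "amount": 1}]])
    print("intact? first bad block =", validate(chain))
    chain[1].transactions[0]["amount"] = 200   # rewrite history inside block 1
    print("after tampering, first bad block =", validate(chain))
    print("blocks re-mined to hide the change =", repair_from(chain, 1))
```

The cost that `repair_from` counts is what decentralization multiplies: on a live network the rewritten blocks would also have to outpace every honest miner extending the original chain, which is where the "more computing power than most countries" figure comes from.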
## Different types of blockchain have different security trade-offs
People say "blockchain" like it is one thing. It is not. There are different types of blockchain with very different security assumptions.
| Type | Who joins | Who validates | Security depends on | Used by |
|---|---|---|---|---|
| Public | Anyone | All nodes | Economic cost of attack | Bitcoin, Ethereum |
| Private | Invited only | Selected nodes | Access controls, trust | Hyperledger Fabric |
| Permissioned | Approved members | Designated validators | Governance + identity | Ripple, Corda |
| Hybrid | Both public and private | Varies | Combined approach | Dragonchain |
Public blockchain networks have thousands of validators checking each other. To pull off an attack on Bitcoin, you would need to outspend the entire mining industry. Nobody has done it. The trade-off is that all that distributed validation is slow.
JPMorgan runs a private blockchain because they need to control who participates. Makes sense for a bank. But an enterprise blockchain with 20 validators is a completely different animal from one with 20,000. Compromise a handful of nodes and you own the network. That is the deal you make when you choose private over public.
Hybrid blockchains try to grab the upside of both. In practice, they also grab the attack surface of both.

## The biggest blockchain attacks and what actually went wrong
Look at the numbers and you will notice something. Almost none of these were attacks on the blockchain protocol itself. They were operational failures. Someone reused a password. Someone left a private key on a server. Someone deployed a smart contract without checking it properly.
| Attack | Amount | Year | Root cause |
|---|---|---|---|
| Bybit | $1.5B | 2025 | Malicious JS in wallet UI, hijacked AWS tokens |
| DMM Bitcoin | $305M | 2024 | Private key compromise at Japanese exchange |
| PlayDapp | $290M | 2024 | Private key vulnerability, gaming platform |
| WazirX | $230M | 2024 | Multi-sig wallet exploit via custody interface |
| Cetus DEX | $223M | 2025 | Missed overflow check in exchange code |
| Balancer | $128M | 2025 | Rounding direction bug |
| Orbit Chain | $80M | 2024 | Cross-chain bridge drained |
Wallet compromises and private key theft were behind 69% of all stolen value in the first half of 2025. Compromised employee accounts caused 55.6% of all incidents in 2024. Nobody cracked any encryption. People clicked the wrong link, reused passwords, or left keys where they should not have left them. Boring, preventable mistakes worth hundreds of millions each.
## Common blockchain vulnerabilities you should know about
Fifteen years in, nobody has cracked the core blockchain ledger. What keeps getting cracked is everything attached to it.
Smart contracts sit at the top of the vulnerability list. They are bits of code that execute automatically on chain, and once deployed, you cannot patch them like a regular app update. One bug in a smart contract and anyone in the world can exploit it. The DAO learned this in 2016 when a reentrancy bug cost $60 million. Nine years later, the problem has not gone away. Chainalysis counted 8.5% of all 2024 theft coming from smart contract vulnerabilities. Halborn dug into the top 100 DeFi hacks and found faulty input verification caused 34.6% of them.
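To make the reentrancy class concrete, here is an added example (written for this page, not code from the article, from The DAO, or from any real contract): a Python model of a vault whose `withdraw_vulnerable` makes the external call before updating the caller's balance, beside a `withdraw_safe` that applies checks-effects-interactions plus a mutex in the style of OpenZeppelin's ReentrancyGuard. The `ReentrantReceiver` plays the part an auditor's test fixture plays: a contract whose receive hook calls back into the vault. All names, amounts and the Python stand-in for Solidity's fallback are assumptions of the example.

```python
from typing import Dict


class Vault:
    """Toy ledger contract. 'Sending' value means calling the recipient's on_receive
    hook, the Python analogue of Solidity handing control to a receiving contract."""

    def __init__(self) -> None:
        self.balances: Dict[object, int] = {}
        self.pool = 0            # value the contract actually holds
        self._locked = False     # reentrancy mutex used by withdraw_safe

    def deposit(self, who, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def _send(self, who, amount: int) -> None:
        if amount > self.pool:
            raise RuntimeError("contract has insufficient funds")
        self.pool -= amount
        hook = getattr(who, "on_receive", None)
        if hook:
            hook(self, amount)   # control passes to the recipient here

    def withdraw_vulnerable(self, who) -> None:
        """Interaction before effect: the balance is still unchanged when the
        recipient re-enters, so it can be withdrawn again and again."""
        amount = self.balances.get(who, 0)
        if amount <= 0:
            return
        self._send(who, amount)      # external call first ...
        self.balances[who] = 0       # ... state update last

    def withdraw_safe(self, who) -> None:
        """Checks, then effects, then interactions, guarded by a mutex."""
        if self._locked:
            raise RuntimeError("reentrant call rejected")
        self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount <= 0:
                return
            self.balances[who] = 0   # effect before the external call
            self._send(who, amount)
        finally:
            self._locked = False


class ReentrantReceiver:
    """Test fixture: a recipient whose receive hook calls the vault again while
    the first withdrawal is still in progress."""

    def __init__(self, entry: str, max_depth: int = 16) -> None:
        self.entry = entry           # name of the vault method to call back into
        self.max_depth = max_depth
        self.depth = 0
        self.received = 0

    def on_receive(self, vault: Vault, amount: int) -> None:
        self.received += amount
        if self.depth < self.max_depth and vault.pool >= amount:
            self.depth += 1
            try:
                getattr(vault, self.entry)(self)
            except RuntimeError:
                pass                 # the inner call reverted; the outer call continues


def run_scenario(entry: str) -> Dict[str, int]:
    """Two honest depositors (constructed amounts), one reentrant recipient with 1 unit."""
    vault = Vault()
    vault.deposit("alice", 2)
    vault.deposit("bob", 1)
    probe = ReentrantReceiver(entry)
    vault.deposit(probe, 1)
    getattr(vault, entry)(probe)
    return {"received": probe.received,
            "pool_left": vault.pool,
            "honest_claims": vault.balances["alice"] + vault.balances["bob"]}


if __name__ == "__main__":
    print("vulnerable:", run_scenario("withdraw_vulnerable"))  # pool drained to 0
    print("safe:      ", run_scenario("withdraw_safe"))        # only its own 1 unit
```

The point the model makes is the one audits look for: in the vulnerable path the honest depositors still have 3 units of claims on a pool holding nothing, while ordering the state update before the call (or the mutex alone) limits the recipient to exactly what it deposited.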
| Vulnerability | What happens | Scale of damage |
|---|---|---|
| 51% attack | One entity takes majority control of network validation | Ethereum Classic hit multiple times in 2020 |
| Sybil attack | Fake nodes flood the network to disrupt consensus | Common on smaller blockchains with few validators |
| Phishing | Users tricked into signing malicious transactions or revealing keys | $410M lost in H1 2025 across 132 incidents |
| Flash loan exploit | Borrowed funds manipulate token prices within a single transaction | Euler Finance — $197M, largest ever |
| Bridge hack | Cross-chain bridge vulnerabilities allow minting unbacked tokens | Losses dropped from $338M (2023) to $114M (2024) |
| Rug pull | Developers hype a token then drain all liquidity | 1.9% of total losses in 2024 |
Halborn dropped a stat in their report that I keep coming back to. Of the protocols that got hacked in major DeFi incidents, only 19% had multi-signature wallets. 2.4% used cold storage. A mid-size bank would get shut down by regulators for operating like that. But in crypto, most projects shipped without either one and just hoped for the best.

## Blockchain security best practices that actually prevent hacks
So what separates the projects that survive from the ones that show up on the "biggest hacks" list? A few things, none of them glamorous.
Smart contract audits come first. You pay an independent security firm to tear your code apart before you deploy it. They look for the reentrancy bugs, the overflow errors, the access control gaps that turn into $200 million headlines. Yes, it costs money.
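Two of the defect classes named here, and two of the root causes in the attack table above (a missed overflow check and a rounding-direction bug), can be shown in a few lines. This is an added example written for this page, not code from the article or from any of the protocols it names: uint256 arithmetic that reverts instead of wrapping, and vault share accounting that rounds against the caller, with a round-trip check showing what happens when the rounding goes the other way. The vault ratios and amounts are constructed.

```python
UINT256_MAX = 2**256 - 1


def checked_add(a: int, b: int) -> int:
    """Behaviour of Solidity 0.8+ by default: revert rather than wrap."""
    r = a + b
    if r > UINT256_MAX:
        raise OverflowError("uint256 addition overflow")
    return r


def checked_mul(a: int, b: int) -> int:
    r = a * b
    if r > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return r


def wrapping_mul(a: int, b: int) -> int:
    """What a missed check produces: the high bits are silently discarded."""
    return (a * b) & UINT256_MAX


def overflows(fn, a: int, b: int) -> bool:
    """True if the checked operation rejects the inputs."""
    try:
        fn(a, b)
        return False
    except OverflowError:
        return True


def mul_div(a: int, b: int, d: int, round_up: bool) -> int:
    """a * b / d with an explicit rounding direction. Python ints never overflow, so the
    product is exact; in Solidity the same expression needs a full-width mulDiv
    because a * b can overflow before the division."""
    if d == 0:
        raise ZeroDivisionError("division by zero")
    q, rem = divmod(a * b, d)
    return q + 1 if (round_up and rem) else q


# Share accounting for a pooled vault. Every conversion rounds against the caller so
# that rounding dust accumulates in the pool instead of leaking out of it.
def shares_for_deposit(assets: int, total_assets: int, total_shares: int) -> int:
    return mul_div(assets, total_shares, total_assets, round_up=False)   # mint fewer


def shares_to_burn(assets: int, total_assets: int, total_shares: int,
                   round_up: bool = True) -> int:
    return mul_div(assets, total_shares, total_assets, round_up=round_up)  # burn more


def round_trip(deposit: int, withdraw: int, total_assets: int, total_shares: int,
               round_up_burn: bool = True) -> bool:
    """Deposit into the vault, then try to withdraw `withdraw` assets with the shares
    received. Returns True if the vault would accept the withdrawal."""
    shares = shares_for_deposit(deposit, total_assets, total_shares)
    total_assets += deposit
    total_shares += shares
    needed = shares_to_burn(withdraw, total_assets, total_shares, round_up_burn)
    return needed <= shares


if __name__ == "__main__":
    print("wrapped product:", wrapping_mul(2**200, 2**60))          # 0, not 2**260
    print("checked product overflows:", overflows(checked_mul, 2**200, 2**60))
    # Vault holding 1000 assets against 300 shares (constructed): deposit 10, then
    # ask for 13 back. Rounding the burn down lets it through; rounding up rejects it.
    print("13 out for 10 in, burn rounded down:", round_trip(10, 13, 1000, 300, False))
    print("13 out for 10 in, burn rounded up:  ", round_trip(10, 13, 1000, 300, True))
```

The rounding case is the subtle one: the arithmetic is "correct" in both directions, and only the choice of who absorbs the fractional share decides whether value drains from the pool. That is the sort of defect an auditor checks conversion by conversion rather than finding through testing alone.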
| Project type | Audit cost |
|---|---|
| Basic token or NFT | $5,000 - $15,000 |
| Staking or governance protocol | $15,000 - $40,000 |
| Full DeFi protocol (DEX, lending) | $40,000 - $100,000 |
| Enterprise multi-chain system | $100,000 - $200,000+ |
CertiK, Hacken, OpenZeppelin, Trail of Bits — those are some of the firms doing this work. Worth noting: audited contracts have still been exploited. But the rate at which unaudited ones blow up is on another level entirely.
Multi-sig wallets should be a given for anything holding serious money. Two or three keys required to sign means one compromised key does not wipe you out. Bybit had multi-sig and still got hit because the attackers went after the signing interface instead of the keys. So multi-sig is one layer, not the whole wall.
Cold storage is the single best defense for funds you are not moving right now. If a wallet has never been connected to the internet, it cannot be hacked over the internet. Simple as that. Every exchange that made it through 2024 and 2025 intact kept the majority of customer funds offline.
Real-time monitoring is where things get interesting. Venus Protocol had their monitoring system flag suspicious contract calls a full 18 hours before an attack landed. They paused everything. Saved every dollar. The attacker actually lost money on gas fees. Chainalysis Hexagate, Forta Network, OpenZeppelin Defender — these tools watch on-chain activity around the clock and catch patterns that humans would miss.
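What such monitoring does, reduced to its core, is run rules over a stream of decoded contract calls and escalate when enough of them fire. The block below is an added example written for this page; it is not code from Hexagate, Forta, Defender or Venus, and their actual rules are not public knowledge here. The call stream, the addresses, the pool size and the four rules (oversized withdrawal, sensitive call from a brand-new address, repeated calls in one block, admin function called from outside the allowlist) are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Call:
    block: int
    tx: str
    caller: str
    function: str
    amount: float            # value moved by the call, in the pool's token units
    caller_age_blocks: int   # blocks since the caller address first appeared on chain


# Constructed sample stream: two ordinary users, then a fresh address that takes a
# flash loan and pulls a quarter of the pool in one block, then an admin call from
# an address that is not on the allowlist.
SAMPLE_CALLS = [
    Call(100, "0xa1", "0xalice", "deposit", 50, 5000),
    Call(100, "0xa2", "0xbob", "withdraw", 40, 3000),
    Call(101, "0xb1", "0xc0ffee", "flashLoan", 0, 2),
    Call(101, "0xb2", "0xc0ffee", "withdraw", 2500, 2),
    Call(101, "0xb3", "0xc0ffee", "withdraw", 2500, 2),
    Call(101, "0xb4", "0xc0ffee", "withdraw", 2500, 2),
    Call(102, "0xc1", "0xdave", "setOracle", 0, 8000),
]

VALUE_MOVING = {"withdraw", "borrow"}
SENSITIVE = {"withdraw", "borrow", "flashLoan"}
ADMIN = {"setOracle", "upgradeTo", "pause"}


def scan(calls, pool_size: float, admins: Set[str] = frozenset(),
         large_share: float = 0.10, max_calls_per_block: int = 3,
         min_age_blocks: int = 100) -> List[Tuple[str, str]]:
    """Apply the four rules to the stream; returns (tx, rule) pairs in firing order."""
    alerts: List[Tuple[str, str]] = []
    per_block: Dict[Tuple[int, str, str], int] = defaultdict(int)
    for c in calls:
        if c.function in VALUE_MOVING and c.amount >= pool_size * large_share:
            alerts.append((c.tx, "large_withdrawal"))
        if c.function in SENSITIVE and c.caller_age_blocks < min_age_blocks:
            alerts.append((c.tx, "new_address_sensitive_call"))
        key = (c.block, c.caller, c.function)
        per_block[key] += 1
        if per_block[key] == max_calls_per_block:   # fire once, on the Nth call
            alerts.append((c.tx, "repeated_calls_same_block"))
        if c.function in ADMIN and c.caller not in admins:
            alerts.append((c.tx, "admin_call_from_unknown_address"))
    return alerts


def should_pause(alerts) -> bool:
    """Escalate to a circuit breaker when one transaction trips two or more rules."""
    rules_by_tx: Dict[str, Set[str]] = defaultdict(set)
    for tx, rule in alerts:
        rules_by_tx[tx].add(rule)
    return any(len(rules) >= 2 for rules in rules_by_tx.values())


if __name__ == "__main__":
    found = scan(SAMPLE_CALLS, pool_size=10_000, admins={"0xadmin"})
    for tx, rule in found:
        print(f"{tx}: {rule}")
    print("pause?", should_pause(found))
```

Thresholds like `large_share` and `min_age_blocks` are where the tuning lives; set them too loose and the Venus-style 18-hour head start never appears, too tight and the on-call engineer learns to ignore the pager.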
And then there is the boring stuff that still matters: hardware security modules for private keys, role-based access so one person cannot authorize a big transfer alone, rotating credentials regularly, having an incident response plan written down before anything goes wrong.
## DeFi is getting more secure, but CeFi is getting worse
I find the DeFi vs CeFi breakdown from 2024 genuinely surprising.
| Sector | 2024 losses | Incidents | Year-over-year |
|---|---|---|---|
| DeFi | $769M | 221 | Down 44.8% |
| CeFi | $726M | 11 | Up 77.5% |
Read that again. CeFi had eleven incidents. Eleven. And they lost nearly as much as DeFi did across 221. One bad afternoon at a centralized exchange does more damage than months of DeFi exploits combined.
DeFi is actually getting its act together. Bridge losses went down. More projects audit before they launch. Immunefi's bug bounty programs are paying white-hat hackers to find problems first, and it is working.
CeFi, on the other hand, keeps getting worse. Exchanges hold enormous amounts of customer crypto behind a small number of employee accounts. One phishing email that one developer falls for, and suddenly you are reading about another nine-figure loss. Bybit had to replace $1.5 billion in customer reserves in three days after their February 2025 breach. They managed it, barely. Not everyone would.
## The blockchain security market is exploding
Fortune Business Insights valued the blockchain security market at about $5 billion in 2025 and projected it to hit $8.4 billion by 2026. Coherent Market Insights sees it reaching $128 billion by 2032, growing at a 57% compound annual rate.
Two things are driving that. First, there is simply more money on chain every year, which means more money worth protecting. Second, regulators stopped being optional. The EU's MiCA framework demands specific security standards from any crypto business operating in Europe. The US CFTC launched a Digital Assets Pilot Program that accepts tokenized collateral but only from firms with serious security controls in place. If you want institutional money, you need institutional-grade security. That used to be a marketing bullet point. Now it is a legal requirement.
The technology is moving too. Anthropic ran a red-team exercise and found $4.6 million in smart contract bugs using AI analysis — the kind of vulnerabilities that would have taken human auditors weeks to catch. Zero-knowledge proofs let blockchain transactions stay private without giving up the ability to verify them. Multi-party computation is showing up in enterprise blockchain key management as a replacement for traditional multi-sig setups.
## What this means for you
If you hold crypto, the basics go a long way: hardware wallet, seed phrase written on paper and stored somewhere safe, two-factor auth with an app (not SMS), and a healthy suspicion of any link claiming to be from your exchange. Most individuals who lose crypto lose it to phishing or bad key storage, not to protocol-level exploits.
If you are building on chain, the playbook is more involved but not mysterious: audit before you ship, multi-sig on your treasury, real-time monitoring on your contracts, and an incident response plan you wrote before 3 AM on a Saturday when things go wrong. The distributed ledger technology underneath is sound. Fifteen years of Bitcoin have proven that. But the smart contracts, bridges, wallets, and operational security built on top of it are only as good as the people running them. And right now, $3.4 billion a year says we are not running them well enough.