Blockchain security firm CertiK’s H1 2025 Hack3d Report finds hackers stole nearly $2.5 billion in 2025’s first six months, up drastically from the same period one year ago.
The latest report revealed that in the first half of 2025, hackers stole more than $2.47 billion, already exceeding last year’s total losses of $2.42 billion. The average loss per incident was $7,188,307, and the median was $88,000. When excluding funds that were frozen or returned by whitehat hackers, net losses so far in 2025 stand at $2.29 billion, already surpassing the $1.98 billion in net losses recorded for all of 2024.
While the figures point to a deteriorating security landscape, $1.78 billion or 72% of this year’s losses are attributable to two major incidents, the Bybit breach and Cetus protocol incident. Without these singular events, the total losses for 2025 would sit at $690 million.
Wallet compromise was the top attack vector in H1, with $1,706,937,700 stolen across 31 incidents, followed by phishing with $410,747,038 from 132 incidents and code vulnerability with $283,052,978 stolen across 114.
Ethereum suffered the greatest losses with $1,589,182,498 stolen across 164 incidents, followed by Bitcoin with $373,690,387 stolen across 10 incidents.
“While the overall figures are alarming, it is important to point out that the majority of the funds lost in H1 were attributable to two concentrated, high-impact events,” said CertiK co-founder Ronghui Gu. “But regardless, the results serve as another reminder to the industry that there is still much work to be done. When it comes to security, a multi-layered approach encompassing robust code audits, formal verification, real-time monitoring, incident response plans, vulnerability assessments, and employee awareness training should be treated as the norm, not the exception.”
The report found that $801 million was lost in Q2 alone, a 52.1% decrease from Q1’s $1.67 billion. Phishing was the top attack vector for Q2, with $395,063,695 stolen across 52 incidents. The average loss per incident was $4,209,024, and the median loss per incident was $103,996.
By type
Phishing: $395,063,695 stolen, 52 incidents
Code vulnerability: $235,783,844 stolen, 47 incidents
Access control: $36,186,876 stolen, 14 incidents
Price manipulation: $17,427,207 stolen, 13 incidents
Wallet compromise: $112,043,147 stolen, 9 incidents
Exit scam: $358,235 stolen, 4 incidents
By chain
BTC: $373,637,857 stolen, 9 incidents
Multiple chains: $111,459,872 stolen, 6 incidents
Ethereum: $65,370,264 stolen, 70 incidents
Stacks: $16,173,227 stolen, 1 incident
BSC: $6,926,835 stolen, 38 incidents
Solana: $5,889,911 stolen, 1 incident
zkSync: $5,552,819 stolen, 1 incident
Arbitrum: $3,619,271 stolen, 4 incidents
Base: $1,987,249 stolen, 12 incidents
Linea: $282,806 stolen, 1 incident
Polygon: $12,510 stolen, 1 incident
Q2 Top 10 incidents (not including phishing attacks)
Cetus: $225,680,719.90 stolen
Nobitex: $89,142,954.89
ALEX Lab: $16,173,227.13 stolen
Cork Protocol: $11,961,229.86 stolen
Bitopro: $11,171,840.00 stolen
Resupply: $9,641,413.15 stolen
KiloEx: $7,424,606.00 stolen
Loopscale: $5,889,910.87 stolen
zkSync: $5,552,818.96 stolen
MagickBase: $3,662,019.62 stolen
The total value of funds returned was $180,950,613, leading to adjusted total losses of $620,365,056 for the quarter.
The average loss per incident was $4,209,024, and the median loss per incident was $103,996.
H1 2025
By type
Wallet compromise: $1,706,937,700 stolen, 34 incidents
Phishing: $410,747,038 stolen, 132 incidents
Code vulnerability: $283,169,496 stolen, 114 incidents
Access control: $42,431,651 stolen, 25 incidents
Price manipulation: $18,691,418 stolen, 22 incidents
Exit scam: $1,671,428 stolen, 11 incidents
By chain
Ethereum: $1,589,182,498 stolen, 164 incidents
BTC: $373,690,387 stolen, 10 incidents
Multiple chains: $196,726,030 stolen, 14 incidents
Stacks: $16,173,227 stolen, 1 incident
BSC: $13,278,498 stolen, 91 incidents
Solana: $8,337,157 stolen, 7 incidents
Arbitrum: $8,272,377 stolen, 13 incidents
zkSync: $6,268,819 stolen, 2 incidents
Base: $3,946,800 stolen, 27 incidents
Tron: $3,188,021 stolen, 1 incident
Polygon: $1,146,903 stolen, 3 incidents
Linea: $282,806 stolen, 1 incident
H1 Top 10 incidents (not including phishing attacks)
Bybit: $1,447,063,421.00 stolen
Cetus: $225,680,719.90 stolen
Nobitex: $89,142,954.89
Phemex: $71,714,297.40
0xInfini: $49,514,632.79
ALEX Lab: $16,173,227.13 stolen
MIM Spell: $12,906,772.04
Cork Protocol: $11,961,229.86
Bitopro: $11,171,840.00
Resupply: $9,641,413.15 stolen
The total value of funds returned was $187,341,310, leading to adjusted total losses of $2,285,436,308 for H1 2025.
The average loss per incident was $7,129,980, and the median loss per incident was $89,026.