Plenty has changed in the three years since Immunefi released its first State of On-Chain Security Report, and not necessarily for the good.
Should your protocol get hacked in 2026, the stats suggest the direct theft will be roughly $25 million. Your token will shed 61% of its value over six months. Approximately 84% of hacked tokens never recover. Plan for three months of lost productivity, roadmap delays and team disruption.
Immunefi found a markedly different hack distribution. While the number of hacks remain significant, the median theft has dropped. That’s good news unless you succomb to one of the larger hacks, which are mushrooming in size.
The original Immunefi study assessed 234 publicly-known hacks over three years. The aggregate stolen funds totalled $7.2 billion. In 2024 and 2025, another 191 hacks worth $4.67 billion. Together, 425 hacks were worth $11.9 billion
“The frequency of hacks has plateaued at a high level,” the report states. “In 2024, there were 94 known hacks, and in 2025, there were 97. For comparison, 2021 saw 71, 2022 saw 66, and 2023 saw 97. The industry is not seeing fewer exploits year over year. If anything, the number of incidents has settled into a steady, elevated baseline.
“The median hack has gotten smaller, but the tail risk has gotten worse. The median theft during 2024-2025 was $2,200,000, roughly half the $4,500,000 median from 2021-2023.”
Normally a smaller average hack would be welcome news, but not for some. The average theft in 2024-25 was $24.5 million, 11.1 times the median. It previously was 6.8 times. A few costly exploits account for more of the overall total: 2024-25’s top five hacks accounted for 62% of stolen funds; the top 10 73%. The Bybit hack on its own represented 44% of all funds stolen in 2025.
Centralized exchanges accounted for barely 10% of the 191 hacks from 2024-25 included in the Immunefi study, but were responsible for 54.6% of total funds swiped. DeFi protocols and other victims accounted for the remaining 89.5%. As DeFi composability increases, the potential impact of a single exploit also grows.