Crypto industry set for worst quarter for hacks in history with $1.6 billion in losses: Immunefi

The crypto industry is set to conclude the worst quarter for hacks in its history, registering $1.64 billion in losses across 40 incidents so far, according to the latest report from web3 bug bounty and security services platform Immunefi.

The losses represent a 4.7x increase compared to the first quarter of 2024, when hackers stole around $348.3 million, though the number of attacks decreased by 36% from 63. The majority of losses came from Bybit's record $1.46 billion hack in February, with exploits outside of that confined to around $176 million — down nearly 50% year-over-year.

The Bybit hack is believed to have been carried out by the notorious North Korean Lazarus Group, which is also suspected of being behind the $69.1 million exploit of another centralized crypto exchange, Phemex.

"The Q1 2025 breaches mark a historic moment in crypto security, with CeFi accounting for 94% of total losses, all caused by North Korean hackers," Immunefi founder and CEO Mitchell Amador said. "The sheer scale of the Bybit and Phemex attacks, totaling $1.5 billion, shows how state-backed actors are arguably the most pressing threat to our industry. Their success in breaching renowned, battle-tested platforms is a reminder of the need for security measures that protect the entire stack and help projects prevent catastrophic attacks before they happen."

With over $180 billion of total value locked in web3 protocols, according to DeFiLlama data, decentralized finance also remains a key target for hackers, accounting for 38 of the 40 incidents identified by Immunefi in the first quarter, including hacks on Infini , MIM Spell and zkLend . However, they accounted for just $106.8 million, or 6%, of the losses — down 69% year-over-year.

In total, $6.5 million of the stolen funds were recovered from two of the exploits: 1inch ($5 million) and Moby Trade ($1.5 million), making up 0.4% of the total losses this quarter — significantly down compared to the 21.2% recovered in the same period last year.

No cases of fraud were reported this quarter, representing a significant decrease compared to Q1 2024, when losses caused by frauds, scams and rug pulls totaled $14.7 million.

BNB Chain surpasses Ethereum to become most targeted in Q1

BNB Chain surpassed Ethereum to become the most targeted network in the quarter, accounting for 19 and 15 of the individual attacks, respectively. Base followed with three incidents, Optimism and Arbitrum both suffered two attacks and Abstract, Wemix and Mode each witnessed a single attack.

Immunefi claims to have paid out more than $112 million in ethical hacker and researcher bounties to date. The payouts span three years and result from over 3,000 bug bounty reports, the largest of which was a $10 million award for a vulnerability discovered in Wormhole’s cross-chain protocol.

Immunefi claims to operate the largest blockchain security community with more than 45,000 researchers, saving over $25 billion in user funds across protocols like Polygon, Optimism, Chainlink, The Graph, Synthetix and Sky from being stolen.