What an Onchain Hack Actually Costs: 2024-2025 Update

An Immunefi research report on what a crypto exploit actually does to a protocol, beyond the stolen funds, based on five years of onchain incident data.


Summary

Back in 2023, Immunefi published the industry's first comprehensive look at what onchain hacks actually cost a project, covering the 2021 through 2023 period. That work introduced Amador's Hack Impact Estimate, a framework for measuring exploit damage well beyond the headline theft figure. Two years later, with another full cycle of data in hand, several key parts of that picture have changed.

Updated hack impact estimate for 2024-2025: A protocol hacked today should expect to lose roughly $25,000,000 USD in direct theft, see its token shed 61% of its value over the next six months, and face sustained price depression that 84% of hacked tokens never recover from within that window. The organizational toll is unchanged: at least 3 months of lost productivity, roadmap delays, and team disruption.

The headline numbers describe an industry that is maturing but still deeply vulnerable. Hack frequency has stayed high. The median theft per incident has fallen. But the largest exploits have grown larger, and the market penalty for getting hacked has become harsher rather than gentler.


What changed since 2021-2023

The earlier Immunefi study examined 234 publicly documented hacks over three years, with a combined $7.2 billion in losses. The new 2024-2025 dataset adds 191 hacks and $4.67 billion in additional losses. Pooled together, the result is 425 hacks and $11.9 billion in damages across a five-year window of onchain security incidents.

Several high-level shifts stand out.

Hack frequency has plateaued at an elevated baseline. 2024 produced 94 known hacks and 2025 produced 97. For context: 2021 had 71, 2022 had 66, and 2023 had 97. Year over year, the industry isn't seeing fewer exploits. The incident count has settled into a steady high.

The median hack is smaller, but tail risk is worse. The median theft during 2024-2025 was $2,200,000, roughly half the $4,500,000 median from 2021-2023. That sounds like progress, but it's misleading. Average theft in 2024-2025 was $24,500,000, a multiple of 11.1x the median. In the earlier period the ratio was 6.8x. The widening gap reflects a power law distribution that has become even more extreme. A small handful of catastrophic exploits now drive a disproportionate share of total damage.

Concentration at the top is staggering. The five largest hacks of 2024-2025 accounted for 62% of all funds stolen. The ten largest accounted for 73%. At the very peak, the Bybit exploit alone, at $1.5 billion, represented 44% of all funds stolen in 2025 and 32% of the entire two-year total.

Funds stolen

Across 2024-2025, the 191 publicly known hacks moved a combined $4,670,000,000 USD in stolen value. By year: $1.27 billion in 2024 across 94 incidents, and $3.4 billion in 2025 across 97 incidents.

The year-over-year increase in 2025 is substantially driven by a handful of massive exploits. Excluding the Bybit hack, 2025's total falls to roughly $1.9 billion, still a significant figure that highlights how broad the problem is even outside the single largest incident.

The average hack in 2024-2025 resulted in $24,450,550 USD stolen. The median hack resulted in $2,200,000 USD stolen.

Versus 2021-2023, average theft has fallen from $30.8 million to $24.5 million, and median theft from $4.5 million to $2.2 million. Both shifts indicate that the typical exploit is extracting less value than before. That's cold comfort when a single Bybit-scale event can wipe out in an afternoon what two dozen smaller hacks would take months to produce.

The power law distribution identified in the original analysis has only intensified. Plenty of hacks are small. But the catastrophic ones are now larger than anything 2021-2023 produced.

Where the losses concentrated

Centralized exchanges accounted for just 20 of the 191 hacks in 2024-2025, yet those 20 incidents drove $2.55 billion, or 54.6% of total stolen funds. DeFi protocols and other targets made up the remaining 171 hacks, accounting for 45.4% of dollar volume. The Bybit, DMM Bitcoin, WazirX, and BtcTurk exploits make clear that centralized custodial risk remains one of the most consequential attack surfaces in crypto.

Market impact

The original 2021-2023 study tracked 176 hacks with token price data and found a median six-month decline of 53%. For this update, Immunefi tracked 82 hacked tokens across 2024-2025 and measured their price performance at five intervals following the exploit.

Median token price decline after a hack

Time after hack | 2021-2023 median decline | 2024-2025 median decline
2 days          | ~10%                     | ~10%
1 month         | (rising)                 | (rising)
3 months        | (rising)                 | (rising)
6 months        | 53%                      | 61%

Note: 2 days, 1 month, 3 months, and 6 months represent the five tracked intervals; the table summarizes the headline endpoints. Full per-interval comparison reported in the source data.

The early shock is comparable to the prior period. By day two, the median hacked token is down roughly 10%, mirroring the 2021-2023 pattern. From there, though, the new dataset diverges in a worse direction. The six-month median decline has widened from 53% to 61%. That's a non-trivial shift, and it points to a market that's become less forgiving of security failures, not more.

At the harsher end of the distribution, the picture is equally bleak:

  • Three months out: 47.3% of tokens had lost more than half their value, and 8.1% had lost over 90%.
  • Six months out: 56.5% were down more than 50%, and 14.5% were down more than 90%.

Possibly the most consequential figure in the dataset: 83.9% of hacked tokens were still in sustained price suppression six months after the exploit, up from 77.8% in 2021-2023. Roughly 16% of hacked tokens managed to trade above their hack-day price at the six-month mark.

The earlier analysis predicted that exploit damage would likely keep deepening past the six-month boundary. The 2024-2025 numbers bear that out. The decline curve doesn't level off at six months. It accelerates. Whatever credibility a token held going into the hack, the market exacts a durable penalty that keeps compounding.

The same caveat from the original report still holds: hack-specific damage can't be cleanly separated from broader market conditions. A token that fell 61% over six months may also have been pulled down by sector-wide drawdowns, governance issues, or other independent factors. But the consistency of the pattern across 82 different tokens, spanning both bull and bear regimes, points strongly to exploit-driven damage as the primary driver.

Why this matters in operational terms. Most token projects use their liquid tokens as treasury reserves and growth capital. A 61% median drop in token value translates almost one-for-one into reduced runway, reduced hiring capacity, less development funding, and weaker negotiating position in partnerships. A hack's market impact isn't an abstract price-chart concern. It becomes an operational crisis layered on top of the direct theft.

Dependency and organizational impact

The original analysis described dependency impact (second-order effects on interconnected protocols) and talent and organizational impact (lost time, personnel turnover, and roadmap disruption). Both remain hard to quantify with precision, but the 2024-2025 period offers fresh evidence of how severe they can be.

Looking at dependencies, deepening DeFi composability has expanded the blast radius of single-protocol exploits. Cross-chain bridges remain a concentrated source of systemic risk. Liquid staking tokens, restaking derivatives, and composable lending markets have layered in new dependency chains that simply didn't exist during 2021-2023. When a protocol at the bottom of one of these stacks gets compromised, the resulting cascade can extend well past the initial loss event.

The November 2025 implosion of Elixir's deUSD stablecoin illustrates the dynamic in painfully concrete terms. After Stream Finance disclosed a $93 million loss tied to an external fund manager, the fallout didn't stay contained. Elixir had placed roughly 65% of deUSD's collateral with Stream. Once Stream's own stablecoin xUSD dropped 77%, the backing behind deUSD effectively evaporated. The result was a textbook collateral cascade: Stream halted withdrawals, deUSD redemptions seized up, panic selling slammed into Curve pools, and holders dumped over $30 million worth onchain trying to get out. deUSD ultimately shed more than 97% of its value, and Elixir wound down the stablecoin entirely, coordinating with Euler, Morpho, Compound, and other protocols to manage the unwind. A single loss at one protocol propagated through collateral dependencies, destroyed a stablecoin, and disrupted multiple lending markets along the way.

On the organizational side, the pattern documented in 2023 has remained stable. Hacked teams routinely lose their security lead within weeks of an incident. Recovery occupies at least three months of focused attention. Roadmap velocity stalls. Recruiting gets harder, because the hack signals weakness to candidates evaluating the project.

The estimate stands: a hacked project should expect to lose at least 3 months of forward progress to remedial security work, leadership turnover, and organizational recovery.

Updated estimate: the total cost of a hack in 2024-2025

Pulled together, the updated picture looks like this:

  • The average hack steals $24,500,000 USD at the moment of exploit. The median is $2,200,000, but the distribution is heavily skewed toward rare, massive events.
  • The median hacked token loses 61% of its value within six months, up from 53% in the 2021-2023 period. 84% of hacked tokens show sustained price depression six months post-hack, up from 78%.
  • Dependency risks have grown as DeFi composability has deepened, expanding the potential blast radius of any single exploit.
  • The organizational cost remains roughly 3 months of lost time and effort, consuming team attention, delaying the roadmap, and often costing the project its security leader.

Updated Amador's Hack Impact Estimate

A protocol hacked today should expect to:

  • Lose approximately $25,000,000 USD in direct theft.
  • See token price decline by 61% over six months.
  • Face an 84% probability that the token price never recovers within that window.
  • Burn at least 3 months of organizational effort on response and remediation.

What the data says about the state of onchain security

The five-year comparison delivers a mixed verdict. On the positive side, median theft per hack has come down, which may reflect the slow maturation of smart contract security practices, more widespread adoption of audits, and the expanding reach of bug bounty programs. On the negative side, market punishment for getting hacked has gotten more severe, the concentration of total damage at the very top of the distribution has intensified, and the raw incident count has refused to drop.

The security problem hasn't gone away. It has reshaped itself. Smaller exploits are somewhat less destructive than they were three years ago. But the largest exploits have ballooned, and the market is no longer inclined to extend the benefit of the doubt to a hacked project.

That carries a clear implication for security budgeting at the protocol level. The relevant question isn't whether a protocol can survive a typical hack. It's whether the protocol can survive landing in the tail of the distribution, because that's where the catastrophic damage actually concentrates.

Closing thoughts

The initial theft is where exploit damage begins, not where it ends. Sitting behind every headline number is a longer, quieter aftermath: token prices that keep sliding, treasuries that lose buying power, team members who leave, and roadmap items that never ship. The 2024-2025 data makes that more evident than the 2021-2023 data did.

The only durable defense is sustained security investment across every layer of the stack: rigorous code review, comprehensive auditing, well-funded bug bounty programs, and continued progress on automated detection and prevention tooling. A new onchain security stack is taking shape, and it does work, but only for the protocols that actually adopt it.

That's what Immunefi is building toward: effective security across the full onchain stack, with the goal of turning hacks from a near-inevitability into a rarity.


For questions about this study or Immunefi itself, reach out at press@immunefi.com

About Immunefi

Immunefi is the leading security platform for crypto, protecting more than $180 billion in user funds, and securing protocols across the full development lifecycle, from pre-deployment through production.