Crypto exchange hacks drained approximately $2.2 billion from platforms in 2024, and a single February 21, 2025, breach against Bybit alone added approximately $1.5 billion on top. The headline figures hide a structural shift: centralized service hacks surpassed DeFi protocol losses for the first time since 2020, and private key compromises accounted for 43.8% of total stolen cryptocurrency value in 2024.
The Bybit February 2025 breach exposed a new threat model in which attackers compromise the multisig signing interface rather than the keys themselves. The data here covers loss totals, attack vectors, named-exchange incidents, North Korea attribution, and the centralized versus self-custody trade-off.
Key Takeaways
- Stolen-fund activity reached approximately $2.2 billion across crypto platforms in 2024, an increase compared to the prior year.
- The Bybit cold-wallet theft on February 21, 2025, totaled approximately $1.46 billion in ETH and ETH-equivalent tokens from a single Ethereum cold wallet.
- Private key compromises accounted for 43.8% of total stolen cryptocurrency value in 2024, the single largest attack vector.
- North Korea-affiliated threat actors stole approximately $1.34 billion across 47 incidents in 2024, representing 61% of the total amounts stolen that year.
- The FBI’s Internet Crime Complaint Center received more than 140,000 complaints referencing cryptocurrency in 2024, with losses totaling more than $9.3 billion, a 66% rise from 2023.
- On-chain analysis indicates approximately 12% of the circulating Bitcoin supply is held in known exchange cluster addresses as of mid-2024, down from a peak above 17% in 2020.
- DefiLlama tracked approximately $474 million in DeFi protocol losses across more than 130 incidents in 2024, down from approximately $660 million in 2023.
Editor’s Choice
- Bybit lost approximately $1.46 billion in ETH and ETH-equivalent tokens on February 21, 2025, the largest single crypto theft on record.
- DMM Bitcoin reported the unauthorized outflow of 4,502.9 Bitcoin, worth approximately $305 million at the time, on May 31, 2024.
- WazirX lost approximately $235 million from a multi-signature wallet on July 18, 2024, via a signing-interface discrepancy.
- Coinbase disclosed it expects to incur expenses between approximately $180 million and $400 million relating to remediation and voluntary reimbursements from its May 2025 insider-extortion incident.
- TRM Labs estimates hackers stole approximately $2.2 billion across 250 hacks in 2024.
- Kaspersky researchers identified more than 5.84 million phishing attempts targeting cryptocurrency users in 2024, with approximately 342,000 users affected by wallet drainer attacks.
Recent Developments
- February 26, 2025: The FBI attributed the February 21, 2025, theft of approximately $1.5 billion from Bybit to North Korean cyber actors operating under the TraderTraitor umbrella.
- May 2025: Coinbase disclosed that criminals targeted customer-support agents overseas using cash offers to convince a small group of insiders to copy data for less than 1% of Coinbase’s monthly transacting users.
- March 2026: The FBI IC3 documented more than $9.3 billion in cryptocurrency-referenced losses for 2024, a 66% increase from 2023.
- 2024-2025 enforcement window: The DOJ and Treasury charged Bitzlato founder Anatoly Legkodymov with operating an unlicensed money-transmitting business that transported more than $700 million in funds tied to Hydra Market, part of a wider crackdown on non-compliant venues.
Aggregate Crypto Theft Losses
- Chainalysis recorded approximately $2.2 billion in stolen-fund activity across crypto platforms in 2024.
- TRM Labs independently estimates approximately $2.2 billion stolen across 250 hacks in 2024, aligning with Chainalysis at the aggregate level.
- DeFi protocol losses fell to approximately $474 million across more than 130 incidents in 2024, down from approximately $660 million in 2023.
- Centralized service hacks surpassed DeFi protocol losses for the first time since 2020, reflecting attacker focus on higher-value targets at custodial venues.
- Centralized exchanges and custodial services accounted for a larger share of total stolen value in 2024 than in any year since 2020, per TRM Labs.
- The 2024 total is heavily concentrated in a small number of large incidents at custodial venues, with the DMM Bitcoin theft of approximately $305 million on May 31, 2024, standing as the year’s largest single event prior to Bybit.
By the numbers: Chainalysis recorded approximately $2.2 billion stolen in 2024 across crypto platforms, TRM Labs tracked 250 hacks for the same period, and DefiLlama logged DeFi-only losses at approximately $474 million across 130 incidents. The aggregate-versus-DeFi gap signals the centralized-service inversion the BIS describes as a single-point custody concentration.
| Year | Aggregate stolen value | DeFi share | CEX/custodial share | Largest single incident |
|---|---|---|---|---|
| 2022 | approximately $3.8 billion | majority | minority | Ronin Bridge approximately $625 million |
| 2023 | approximately $1.7 billion | approximately $660 million | minority | Mixin Network approximately $200 million |
| 2024 | approximately $2.2 billion | approximately $474 million | majority | DMM Bitcoin approximately $305 million |
| 2025 H1 | approximately $1.5 billion+ in Feb alone | declining | rising | Bybit approximately $1.46 billion |
Source: Chainalysis Crypto Crime Mid-Year Update, TRM Labs Crypto Crime Report, DefiLlama hack database, Bybit incident disclosure
DeFi protocol exploits dominated the headlines for four consecutive years, then 2024 reversed the pattern. The takeaway for readers is that “stay off DeFi, stick to a regulated exchange” is no longer a useful security heuristic on its own. Where the money concentrates, attackers follow.
The Bybit Hack: Largest Crypto Theft on Record
- Bybit detected unauthorized activity involving one of its Ethereum cold wallets during a planned transfer process to a warm wallet on February 21, 2025.
- The attacker manipulated the signing interface, masking the signing message so signers believed they were authorizing a routine transfer.
- Total unauthorized activity reached approximately $1.46 billion in ETH and ETH-equivalent tokens from one Ethereum cold wallet.
- Bybit confirmed that user assets are 1:1 backed, and all withdrawals resumed normal processing within 12 hours of the incident.
- The FBI attributed the theft to North Korean cyber actors operating under the TraderTraitor umbrella on February 26, 2025.
- TraderTraitor actors have rapidly converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains, complicating recovery.
| Bybit incident metric | Value |
|---|---|
| Date detected | February 21, 2025 |
| Approximate value stolen | $1.46 billion |
| Asset type | ETH and ETH-equivalent tokens |
| Wallet category | Ethereum cold wallet |
| Attack mechanism | Signing interface manipulation |
| FBI attribution | North Korea TraderTraitor (Lazarus Group) |
| User reimbursement | 1:1 backed; withdrawals resumed within 12 hours |
| Time to public attribution | 5 days |
Source: Bybit incident updates, FBI San Francisco field-office statement on TraderTraitor
What was the Bybit hack, and how much was lost?
The Bybit hack was a February 21, 2025, breach of one Ethereum cold wallet during a planned transfer to a warm wallet, resulting in approximately $1.46 billion in stolen ETH and ETH-equivalent tokens. The FBI attributed the theft to North Korean TraderTraitor actors. Bybit covered customer balances 1:1, and the incident now stands as the largest single cryptocurrency theft on record, surpassing every prior exchange or protocol breach.
Attack Vectors: How Exchanges Get Breached
- Private key compromise accounted for 43.8% of total stolen cryptocurrency value in 2024, the single largest vector.
- TRM Labs lists compromised private keys and seed phrases as the most common method observed in 2024, followed by smart contract vulnerabilities and social engineering targeting employees.
- The BIS notes human-factor compromises, including phishing attacks against employees and social engineering against signers, accounted for a growing share of incidents in the 2020-2024 period.
- Kaspersky researchers identified more than 5.84 million phishing attempts targeting cryptocurrency users in 2024.
- Approximately 342,000 users were affected by wallet drainer attacks in 2024, according to Kaspersky telemetry, with losses estimated at approximately $494 million by Scam Sniffer.
- Operational security failures, rather than cryptographic weaknesses in blockchain protocols themselves, account for the majority of customer-fund losses at regulated and unregulated venues alike.
Signing-interface manipulation has graduated from a research curiosity to a top-five vector. The same pattern surfaced at WazirX and at Bybit: signers see one transaction on screen, and the chain receives another. Multisig as a security primitive is doing what it was designed to do; the failure mode sits one layer above.
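The defensive counterpart to "signers see one transaction on screen, and the chain receives another" is for each signer to decode the raw payload independently of the signing interface and compare it, and the digest the device is asked to sign, with the transfer that was approved out of band. The Python below is an added example, not code from Bybit, WazirX or any wallet vendor; the `TransferIntent` fields, the sorted-key JSON encoding, the SHA-256 digest and the addresses are constructed stand-ins for a chain's real signing format.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class TransferIntent:
    """Transfer approved out of band, e.g. in an operations ticket (constructed fields)."""
    to: str
    amount: int      # smallest unit of the asset
    data: str = ""   # hex call data; empty for a plain transfer


def canonical_bytes(intent: TransferIntent) -> bytes:
    # Constructed encoding (sorted-key JSON), a stand-in for the chain's real signing format.
    return json.dumps(asdict(intent), sort_keys=True, separators=(",", ":")).encode()


def digest(intent: TransferIntent) -> str:
    # SHA-256 is an assumption for this example; use the hash your wallet actually signs.
    return hashlib.sha256(canonical_bytes(intent)).hexdigest()


def decode_payload(raw: bytes) -> TransferIntent:
    # Decode what will really be signed, without trusting the interface's summary.
    obj = json.loads(raw)
    return TransferIntent(to=obj["to"].lower(), amount=int(obj["amount"]),
                          data=obj.get("data", "").lower())


def check_before_signing(approved, raw_payload, digest_to_sign, allowlist):
    """Return a list of findings; an empty list means the signer may proceed."""
    try:
        decoded = decode_payload(raw_payload)
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        return [f"payload does not decode: {exc!r}"]
    findings = []
    # 1. Every field of the payload must equal the approved transfer.
    for field in ("to", "amount", "data"):
        want, got = getattr(approved, field), getattr(decoded, field)
        if want != got:
            findings.append(f"{field}: approved {want!r}, payload carries {got!r}")
    # 2. The destination must be a wallet the venue already controls.
    if decoded.to not in allowlist:
        findings.append(f"destination {decoded.to} is not on the allowlist")
    # 3. The digest shown on the signing device must be the digest of the approved transfer.
    if not hmac.compare_digest(digest(approved), digest_to_sign):
        findings.append("digest presented for signing differs from the approved transfer")
    return findings


# Constructed sample data: placeholder addresses, not real wallets.
WARM_WALLET = "0x" + "aa" * 20
UNKNOWN_ADDRESS = "0x" + "bb" * 20
ALLOWLIST = {WARM_WALLET}
APPROVED = TransferIntent(to=WARM_WALLET, amount=10**18)
# What a manipulated interface would hand to the signer while displaying APPROVED.
SWAPPED = TransferIntent(to=UNKNOWN_ADDRESS, amount=10**18)

if __name__ == "__main__":
    cases = {
        "honest interface": (canonical_bytes(APPROVED), digest(APPROVED)),
        "payload swapped": (canonical_bytes(SWAPPED), digest(SWAPPED)),
        "digest swapped only": (canonical_bytes(APPROVED), digest(SWAPPED)),
    }
    for name, (payload, shown_digest) in cases.items():
        result = check_before_signing(APPROVED, payload, shown_digest, ALLOWLIST)
        print(name, "->", "OK" if not result else result)
```

The check only helps if it runs on a device and code path that the signing interface cannot influence; running it inside the same web front end reproduces the single point of failure.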
What are the most common security vulnerabilities in crypto exchanges?
The most common vulnerabilities are private-key and seed-phrase compromise, which accounted for 43.8% of total stolen cryptocurrency value in 2024, per Chainalysis. Smart-contract exploits, signing-interface manipulation at multisig wallets, phishing and wallet drainers, and insider threats round out the top five. The BIS notes that operational security failures, not cryptographic weaknesses, account for the majority of customer-fund losses.
Private Key Compromise Statistics
- Chainalysis classifies private key compromise as the single largest attack vector at 43.8% of total stolen value in 2024.
- TRM Labs ranks compromised private keys and seed phrases as the most common method of theft observed in 2024.
- The vector covers signer-side compromises at exchanges, custodian operational failures, and theft of individual self-custody seeds via malware or phishing.
- Many recent multisig incidents, including the WazirX approximately $235 million theft on July 18, 2024, and the Bybit February 2025 breach, were not pure key-compromise events. The keys did sign, but they signed under deception.
| Year | Private-key share of stolen value | Reported by |
|---|---|---|
| 2023 | approximately 30% | Chainalysis |
| 2024 | approximately 43.8% | Chainalysis |
| 2024 | “most common method” | TRM Labs |
| 2025 H1 | rising further | TRM Labs preliminary |
Source: Chainalysis Crypto Crime Mid-Year Update, TRM Labs Crypto Crime Report
What is a private key compromise attack?
A private key compromise attack is one where the attacker obtains the cryptographic key, seed phrase, or signing credentials that authorize movement of funds from a wallet, then uses those credentials to transfer assets to an address they control. Chainalysis classifies it as the single largest attack vector at 43.8% of the 2024 stolen value. In practice, this category includes both straightforward key theft and signer-side deception where keys sign a malicious transaction the signer believes is legitimate.
Smart Contract Exploits vs Exchange Hacks
- DeFi protocols lost approximately $474 million across more than 130 incidents in 2024, down from approximately $660 million in 2023.
- Cross-chain bridges accounted for approximately 14% of DeFi losses in 2024, down from above 30% in prior years.
- The decline in DeFi losses contrasts with a sharp rise in centralized service losses during the same period, with attackers shifting focus to higher-value targets concentrated at custodial venues.
- Smart-contract exploits remain meaningful but are no longer the dominant share of crypto theft; the larger story in 2024-2025 is the pivot back toward custodial breaches.
- Public blockchains and DeFi protocols continue to ship audits and bug bounties; the most expensive failures of 2024-2025 sit at the human-interface and operational-security layer, not at the protocol layer.
| Year | DeFi losses | DeFi incident count | Bridge share of DeFi losses |
|---|---|---|---|
| 2022 | approximately $3.1 billion | approximately 170 | approximately 50% |
| 2023 | approximately $660 million | approximately 150 | approximately 30% |
| 2024 | approximately $474 million | more than 130 | approximately 14% |
Source: DefiLlama hack database, Chainalysis Crypto Crime Mid-Year Update
North Korea-Linked Theft and Lazarus Group Activity
- North Korea-affiliated threat actors stole approximately $1.34 billion across 47 incidents in 2024, representing approximately 61% of the total amounts stolen that year.
- The Bybit incident alone added approximately $1.5 billion in stolen virtual assets in a single February 21, 2025, event, exceeding the entire 2024 DPRK total.
- The FBI refers to the North Korean cyber actors responsible for the Bybit theft as TraderTraitor, a designation linked to the Lazarus Group cluster.
- DPRK actors have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains.
- The FBI, the DoD Cyber Crime Center, and Japan’s NPA jointly attributed the DMM Bitcoin theft of approximately $305 million on May 31, 2024, to TraderTraitor, a threat actor linked to North Korea’s Reconnaissance General Bureau.
- The FBI requested that private sector entities, including RPC node operators, exchanges, bridges, blockchain analytics firms, DeFi services, and other virtual asset service providers, block transactions with or derived from addresses that TraderTraitor actors are using to launder the stolen assets.
The Bybit single-incident total dwarfs the entire 2024 DPRK haul. State-sponsored crypto crime is now the primary driver of named-exchange losses in our cybersecurity coverage.
How do North Korean hackers target crypto exchanges?
North Korean hackers, operating under the FBI’s TraderTraitor designation, target crypto exchanges through long-running social-engineering campaigns against employees and contractors, followed by manipulation of signing infrastructure or developer tooling. The Bybit incident involved the manipulation of the signing interface so that signers believed they were authorizing a routine transfer, not a direct key theft. The FBI attributed approximately $1.5 billion in stolen virtual assets to these actors from that single event.
Centralized vs Decentralized Exchange Security
- Chainalysis recorded centralized service hacks surpassing DeFi protocol losses for the first time since 2020 in 2024.
- DefiLlama tracked approximately $474 million in DeFi protocol losses across more than 130 incidents in 2024, a multi-year low.
- The BIS notes that centralized cryptocurrency exchanges remain a primary vector for theft because they aggregate large pools of customer funds at single points of operational control.
- DefiLlama attributes the 2024 inversion to attackers shifting focus to higher-value targets concentrated at custodial exchanges.
- DEX architectures expose smart-contract risk but distribute custodial risk across users; CEX architectures concentrate custody but reduce smart-contract exposure for the user. Neither model is uniformly safer.
| Venue type | 2024 loss total (approx.) | Risk concentration |
|---|---|---|
| Centralized exchange / custodial | majority of $2.2 billion | Funds aggregated at operator |
| DeFi protocol | approximately $474 million | Smart-contract code; bridge surface |
| Cross-chain bridge (subset of DeFi) | approximately $66 million | Cross-chain attack surface |
Source: Chainalysis Crypto Crime Mid-Year Update, DefiLlama hack database, BIS working paper
Are decentralized exchanges safer than centralized exchanges?
Decentralized exchanges are not uniformly safer. DeFi protocol losses fell to approximately $474 million in 2024, while centralized service losses rose to dominate the aggregate. The risk profiles differ rather than rank: DEX users carry smart-contract and signing risk on their own wallets, while CEX users delegate custody and inherit the operator’s operational-security posture. The BIS argues that operational security failures account for the majority of customer-fund losses at regulated and unregulated venues alike.
Major Exchange Incidents: Named Hacks
- Bybit (February 21, 2025): approximately $1.46 billion in ETH and ETH-equivalent tokens from one Ethereum cold wallet, FBI-attributed to TraderTraitor.
- DMM Bitcoin (May 31, 2024): 4,502.9 Bitcoin worth approximately $305 million at the time, FBI/DC3/JNPA TraderTraitor attribution.
- WazirX (July 18, 2024): approximately $235 million drained from one multi-signature wallet managed through the Liminal custody platform.
- Coinbase (May 2025): expected remediation expenses between approximately $180 million and $400 million from an insider-extortion attack, with the $20 million ransom demand refused.
- Many of these breaches share an interface or insider-side compromise, not pure key theft.
| Exchange | Date | Approximate value | Vector | Attribution |
|---|---|---|---|---|
| Bybit | February 21, 2025 | $1.46 billion | Signing-interface manipulation | DPRK / TraderTraitor |
| DMM Bitcoin | May 31, 2024 | $305 million | Hot wallet outflow | DPRK / TraderTraitor |
| WazirX | July 18, 2024 | $235 million | Multisig interface discrepancy | Lazarus-linked |
| Coinbase | May 2025 | $180-400 million remediation | Insider bribery + social engineering | Unattributed |
Source: Bybit and Coinbase incident disclosures; Elliptic on-chain analysis; FBI statements
How much was stolen from crypto exchanges?
The first quarter of the year alone exceeded the entire prior-year DeFi-loss total. The Bybit event of February 21, 2025, took approximately $1.5 billion. Coinbase disclosed expected remediation expenses between approximately $180 million and $400 million for its insider-extortion incident.
Insider Threats and Social Engineering
- Coinbase disclosed that criminals targeted customer-support agents overseas using cash offers to convince a small group of insiders to copy data in customer-support tools for less than 1% of Coinbase’s monthly transacting users.
- Coinbase refused to pay the $20 million ransom demanded by the attackers and established a $20 million reward fund for information leading to their arrest and conviction.
- Coinbase committed to reimbursing customers who were tricked into sending funds to the attackers as a result of social engineering.
- The BIS observes that human-factor compromises, including phishing attacks against employees and social engineering against signers, accounted for a growing share of incidents in the 2020-2024 period.
- The FBI separately flagged a notable increase in deepfake-enabled social engineering targeting both retail crypto users and the employees of cryptocurrency exchanges, with deepfake video calls used to impersonate executives.
SQ Magazine’s cybersecurity coverage repeatedly returns to one finding: budget gaps between attackers and defenders compound. Coinbase’s $180 million to $400 million remediation cost is more than half a percent of the firm’s recent annual revenue, paid out for what the company itself describes as a small-group insider bribery event. Even a US-licensed exchange with deep security investment is exposed at the human edge.
Phishing and Wallet Drainer Trends
- Kaspersky identified more than 5.84 million phishing attempts targeting cryptocurrency users in 2024.
- Approximately 342,000 users were affected by wallet drainer attacks in 2024, according to Kaspersky telemetry, with losses estimated at approximately $494 million across the year by Scam Sniffer.
- Wallet drainer kits, malware sold on underground forums that automates the theft of approved tokens from connected wallets, accounted for a growing share of crypto-targeted phishing.
- Drainer operators commonly rent kits to affiliates on a revenue-share basis, lowering the barrier to entry for crypto-targeted social engineering; the same affiliate-distribution pattern shows up in the broader phishing and wallet drainer incidents data.
- The FBI warned that criminals are using generative artificial intelligence, including deepfake audio and video, to enhance the believability of cryptocurrency investment scams and exchange-impersonation fraud.
| Phishing / drainer metric (2024) | Value |
|---|---|
| Crypto-targeted phishing attempts | more than 5.84 million |
| Wallet drainer victims | approximately 342,000 |
| Estimated drainer losses | approximately $494 million |
| Distribution model | Affiliate revenue share via underground forums |
Source: Kaspersky crypto phishing telemetry, Scam Sniffer loss tracking, FBI deepfake-fraud public advisory
Self-Custody vs Custodial Risk Trade-Offs
- On-chain analysis indicates approximately 12% of the circulating Bitcoin supply is held in known exchange cluster addresses as of mid-2024, down from a peak above 17% in 2020.
- Approximately 30% of circulating Bitcoin is estimated to be held in addresses associated with institutional custody, ETF holdings, and corporate treasuries combined.
- The BIS notes that centralized cryptocurrency exchanges remain a primary vector for theft because they aggregate large pools of customer funds at single points of operational control.
- Self-custody removes exchange-hack risk and replaces it with seed-loss, phishing, and drainer exposure; approximately 342,000 drainer victims in 2024 is the scaled cost of that exposure.
- The decline from above 17% to approximately 12% of BTC on identified exchange clusters reflects the same risk migration the BIS describes: away from retail custodial pools, toward institutional custody and self-custody.
| Bitcoin custody bucket | Approximate share of supply | Primary risk |
|---|---|---|
| Identified centralized exchange clusters | approximately 12% | Exchange hack, insolvency |
| Institutional custody / ETF / corporate treasury | approximately 30% | Custodian operational risk |
| Self-custody (retail) | majority of remainder | Seed loss, phishing, drainer |
| Lost / dormant addresses | meaningful share | Permanent loss |
Source: Glassnode on-chain supply distribution analysis, BIS working paper on crypto custody
Insurance, Recovery, and User Reimbursement
- Bybit secured emergency loans and bridge financing to cover the gap after the February 21, 2025, incident, with user assets backed 1:1 and withdrawals back online within 12 hours.
- Coinbase committed to reimbursing customers tricked into sending funds to the attackers as a result of social engineering from its May 2025 insider-extortion event, expecting $180 million to $400 million in remediation expenses.
- The BIS observes that insurance coverage for cold-storage losses remains limited, with most insurance products covering only hot-wallet operational risk up to capped amounts.
- DMM Bitcoin secured equivalent Bitcoin through a loan and group financing to fully cover affected user balances after the May 31, 2024, incident, worth approximately $305 million.
- Recovery rates for stolen funds remain low at the protocol level; TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains, per the FBI.
Key finding: The BIS reports that insurance coverage for cold-storage losses remains limited, with most products capping hot-wallet operational risk only. After the Bybit cold-wallet event, the exchange relied on emergency corporate loans rather than insurance, illustrating the structural gap between custodial scale and underwriting capacity in the crypto sector.
| Recovery / reimbursement mechanism | Coverage |
|---|---|
| Exchange insurance funds (hot wallet) | Common at major venues; capped amounts |
| Insurance for cold-storage losses | Limited per BIS analysis |
| Emergency corporate loans / bridge financing | Used at Bybit and DMM Bitcoin |
| Voluntary customer reimbursement | Used at Coinbase May 2025 |
| Asset clawback / law enforcement seizure | Low realized recovery rate |
Source: BIS working paper on crypto custody; Bybit, Coinbase, DMM Bitcoin company disclosures; FBI TraderTraitor statement
Are crypto exchanges insured against hacks?
Major exchanges typically maintain hot-wallet insurance funds with capped coverage. The BIS notes that insurance coverage for cold-storage losses remains limited, and most cold-wallet breaches are absorbed by the operator. After the Bybit cold-wallet event, the firm relied on emergency loans and bridge financing rather than insurance to cover the gap, while user assets remained 1:1 backed. Reimbursement model and quality vary widely by venue.
Regulatory Response to Exchange Hacks
- The DOJ resolution with Binance involved a guilty plea to violations of the Bank Secrecy Act and other federal laws, with more than $4.3 billion in penalties and a five-year monitorship.
- FinCEN designated Bitzlato as a primary money laundering concern in connection with Russian illicit finance, with the DOJ charging founder Anatoly Legkodymov in connection with more than $700 million in funds tied to Hydra Market.
- The FBI IC3 received more than 140,000 complaints referencing cryptocurrency in 2024, with losses totaling more than $9.3 billion, a 66% rise from 2023.
- The FTC reported that consumers lost more than $5.7 billion to investment scams in 2024, with cryptocurrency the most common payment method.
- Approximately 18% of all FTC-reported consumer-fraud loss dollars in 2024 involved cryptocurrency as the payment mechanism.
- The mix of enforcement actions and IC3/FTC totals signals that regulators are responding to exchange-adjacent crime far faster than they did during the 2020-2022 cycle, even as the largest single losses continue to occur at custodial venues.
| Regulatory action / data point | Year | Headline value |
|---|---|---|
| DOJ resolution with Binance | 2023 | $4.3 billion penalties; five-year monitorship |
| FinCEN designation of Bitzlato | 2023 | $700 million Hydra Market ties |
| FBI IC3 2024 crypto-fraud losses | 2024 | $9.3 billion (66% YoY rise) |
| FTC consumer investment-scam losses | 2024 | $5.7 billion; crypto top payment method |
Source: DOJ press release on Binance plea agreement; FinCEN press release on Bitzlato; FBI IC3 Annual Report; FTC Consumer Sentinel data
Stablecoin issuers and other crypto infrastructure providers face escalating compliance asks even before incidents occur. SQ Magazine’s analysis of stablecoin reserve transparency tracks the parallel regulatory pressure on payment-rail crypto venues.
Conclusion
Approximately $2.2 billion in aggregate stolen-fund activity hit crypto platforms in 2024, and a single February 21, 2025, incident at Bybit added approximately $1.46 billion more in one event. Centralized service hacks surpassed DeFi protocol losses for the first time since 2020; private key compromises and signing-interface manipulation drove the largest dollar share; and DPRK-linked actors took approximately $1.34 billion across 47 incidents in 2024 before adding the Bybit total.
The forward-looking shift is at the interface and insider layer. Signing-interface manipulation is now a recurring vector at multisig custodial venues, deepfake-enabled social engineering is rising against both retail users and exchange staff, and insurance remains thinly available for the cold-storage losses that dominate the headline figures. Readers weighing self-custody against custodial risk get clearer trade-offs from the on-chain data than from any single incident: approximately 12% of Bitcoin supply still sits on identified exchange clusters, down from above 17% in 2020, and the migration is unlikely to reverse.