Crypto hack losses fell sharply in the third quarter of 2025, signaling progress in curbing large-scale exploits. Still, September offered a stark reminder of ongoing risks, logging a record number of million-dollar hacks. While attackers stole less overall, their tactics continued to evolve, with wallets and centralized platforms increasingly targeted over smart contracts.
Losses from hacks and exploits decreased significantly in Q3, despite September setting a new high for million-dollar incidents. According to blockchain security firm CertiK, hackers stole $509 million during the quarter — a 37% decline from $803 million in Q2. Compared with Q1’s nearly $1.7 billion, losses have plunged by more than 70%.
A decrease in large-scale code exploits primarily drove the downturn. CertiK reported that losses from smart contract vulnerabilities sank from $272 million in Q2 to just $78 million in Q3. Phishing-related losses also decreased, although the number of phishing incidents remained stable.
Analysts suggest this shift shows hackers are moving away from direct contract exploits toward wallet compromises and operational breaches.
Despite the broader decline, September proved an outlier. The month saw 16 hacks worth over $1 million each — the highest ever for a single month — surpassing the previous record of 14 in March 2024. This surge pushed the 2025 year-to-date average to nearly six million-dollar hacks per month.
While still below the eight-plus monthly average seen in 2023 and 2024, September’s spike raised fresh concerns about attackers’ tactics.
Notable incidents included the compromise of widely used NPM packages with over a billion downloads, which introduced malware targeting major cryptocurrency wallets. Another major hit came from the SwissBorg exchange, where hackers stole 193,000 SOL, valued at approximately $41 million.
Q3 also saw a shift in attack patterns adopted by malicious actors preying on decentralized assets. No “mega-hacks” of $100 million or more were reported, with criminals instead focusing on mid-sized crypto exploits.
Centralized exchanges were hardest hit, losing $182 million, followed by DeFi platforms with $86 million stolen. One of the largest cases was the $40 million GMX v1 exploit, though the hacker later returned funds after accepting a $5 million bounty.
A CertiK spokesperson stated that exchanges and DeFi projects remain prime targets, noting that state-sponsored groups, in particular, view them as attractive.
Blockchain security firm Hacken echoed that view, citing phishing and social engineering campaigns against centralized exchanges to access multisig and hot wallets. Hacken also warned of new threats on the Hyperliquid chain, including the HyperVault exploit and HyperDrive rug pull.
Hacken CEO Yevheniia Broshevan stressed that North Korean hacking units remain the single biggest threat to the crypto ecosystem. She estimated that about half of all Q3 losses could be traced back to North Korean groups, which now deploy multi-layered approaches beyond traditional phishing.
Broshevan warned that both centralized crypto exchanges and emerging ecosystems like Hyperliquid must strengthen operational security.
This is a wake-up call. Centralized platforms and users exploring emerging chains like Hyperliquid must double down on operational security and due diligence, or they will remain the easiest entry points for attackers.
While September’s record-setting crypto hacks raised alarms, the broader decline in total losses — especially the steep drop in code-related exploits — gave some cause for optimism. CertiK suggested industry efforts to harden codebases may be paying off, even as attackers adapt. The ongoing challenge, analysts say, will be keeping pace with the evolving strategies of well-resourced hacking groups.
