Immunefi: Average Crypto Hack Now Costs $25 Million Per Incident

The average financial damage from a single crypto protocol exploit has reached approximately $24.5 million, according to cybersecurity platform Immunefi. This figure does not account for the subsequent decline in native token prices that typically follows an attack, The Block reports.

The Scale: $4.67 Billion Lost in Two Years

Attack frequency across the crypto industry shows no signs of abating. In 2024, researchers documented 94 incidents; in 2025, the number climbed to 97. Across the two-year span, cybercriminals executed 191 successful exploits totaling $4.67 billion in damages. Over a five-year horizon, the tally reaches 425 attacks and $11.9 billion in cumulative losses.

The risk profile, however, is shifting. Median hack losses dropped from $4.5 million to $2.2 million — a sign that defenses against routine exploits are improving. Yet the arithmetic mean remains elevated due to rare but catastrophic breaches that skew the statistics dramatically.

Loss concentration is extreme: the five largest attacks of 2024–2025 accounted for 62% of all stolen funds, while the top ten represented 73%. The Bybit exchange hack alone, at $1.5 billion, comprised 44% of all 2025 industry losses and 32% of the two-year total.

Centralized Exchanges: The Weakest Link

Centralized exchanges were involved in just 20 of the 191 recorded incidents, yet they accounted for more than half of total damages — $2.55 billion. Immunefi analysts stress that custodial risks remain the primary driver behind the industry's most devastating security failures.

Why This Matters

The fallout from exploits extends well beyond the immediate theft. Tokens of compromised protocols lose roughly 10% of their value within the first two days. Six months later, median losses reach 61% — up from 53% in the prior reporting period. Only 16% of affected assets manage to recover and surpass their pre-hack price levels.

For projects that hold native tokens in their treasuries, a 61% drawdown translates directly into slashed operational budgets. This constrains developer hiring and limits funding for protocol upgrades, creating a vicious cycle of decline.

Deep interconnections between protocols amplify fragility across the ecosystem. Immunefi cited the 2025 collapse of the deUSD stablecoin as a case study: losses cascaded through withdrawal freezes, forced liquidations, and TVL crashes across multiple platforms simultaneously.

Internal Chaos After a Breach

The internal operations of affected teams suffer severe disruption. Security departments typically undergo restructuring within weeks of an incident. Product development grinds to a halt as engineering resources are redirected toward damage control. Immunefi estimates that restoring normal operations requires a minimum of three months of concentrated effort.

Immunefi CEO Mitchell Amador previously described a major hack as a "death sentence" for 80% of protocols. He identified the root cause of collapse not as the direct loss of funds, but rather the ensuing management chaos and erosion of user and investor trust.