Immunefi's latest "State of Onchain Security 2026" report paints a grim picture of the persistent and evolving threat of crypto exploits. The study, which analyzes 425 publicly known hacks over five years totaling $11.9 billion in losses, reveals a critical shift: while the median hack size has decreased, the largest exploits are growing more severe and their long-term impact on projects is catastrophic.
The report covers 191 hacks from 2024 and 2025, which resulted in $4.67 billion stolen. The frequency of incidents has plateaued at a high level, with 94 hacks in 2024 and 97 in 2025, nearly identical to the 97 recorded in 2023. This indicates the industry has not become safer year-over-year.
A dangerous concentration of risk is the core finding. The median theft in 2024-2025 was $2.2 million, roughly half the $4.5 million median from 2021-2023. However, the average theft was $24.5 million—more than 11 times the median, a gap that has widened from 6.8 times in the prior period. This disparity is driven by a handful of massive exploits. The top five hacks accounted for 62% of all funds stolen in 2024-25, and the top ten accounted for 73%.
The Bybit hack of 2025 is a stark example of this concentration. The $1.5 billion exploit alone represented 44% of all funds stolen that year. Centralized exchanges, while involved in only about 10% (20 out of 191) of the hacks in the 2024-25 period, were responsible for 54.6% ($2.55 billion) of the total funds stolen.
The most devastating revelation concerns the long-term fallout for hacked projects. Beyond the immediate theft, which averages about $25 million, projects face a prolonged collapse. Immunefi's analysis of 82 hacked tokens shows a median six-month price decline of 61%, worse than the 53% decline seen in the 2021-2023 period. Approximately 84% of hacked tokens never recover to their pre-hack price within six months. At that mark, 56.5% are down more than half, and 14.5% are down more than 90%.
The damage extends far beyond token price. Teams lose at least three months of productivity to recovery efforts and face roadmap delays, security leadership turnover, and partner attrition. The token's decline directly impacts treasury value, hiring plans, and overall company runway, creating a compounded crisis that is difficult to survive.
Immunefi warns that increasing DeFi composability and interconnectedness are amplifying systemic risk, allowing a single exploit to cascade through bridges, stablecoins, and lending markets. The report concludes that the crypto industry has entered a phase where a project's survival depends not on enduring the hack itself, but on surviving the six-month crisis of confidence and operational disruption that follows.