Why crypto hacks don’t end and continue even when the money is gone
A crypto hack never ends when the wallet is drained. The theft lands first, fast and visible, and then a slower collapse starts to work through the rest of the project.
The token keeps sliding, the treasury shrinks with it, hiring plans get cut back, product deadlines move, partners pull away, and the company that was supposed to recover spends months fighting for credibility instead of building.
That’s the picture Immunefi’s new “State of Onchain Security 2026” report paints. Its argument is simple enough for any market, crypto or otherwise: the initial loss is only one part of the damage.
The much bigger problem comes from what the exploit does to a project’s future. Immunefi says the average direct theft in its sample came to about $25 million, while hacked tokens saw a median six-month decline of 61%. In that window, 84% failed to recover to their hack-day price, and teams lost at least three months of progress to recovery work.
But those numbers come with caveats. Token prices fall for many reasons, and hacked projects are often fragile before an exploit hits. Some are illiquid, overvalued, or already losing momentum.
Immunefi acknowledged that it can’t always fully separate hack damage from broader market weakness or project-specific troubles. Even so, the pattern it lays out deserves attention because it shows that hacks don’t behave like isolated thefts anymore, and they now look like long-tail corporate crises.
That’s what gives weight to the report: it shows how often the post-hack period keeps inflicting damage well after the headline fades.
The median hack might have gotten smaller, but the worst ones got more dangerous
Immunefi counted 191 hacks across 2024 and 2025, totaling $4.67 billion and bringing its five-year total to 425 hacks and $11.9 billion in losses.
The yearly count barely moved, with 94 known hacks in 2024 and 97 in 2025, almost identical to 2023. That tells us that the market didn’t do a very good job of becoming safer. Hacks are now just part of everyday life in crypto, while the giant ones go on to define the year.
The main contradiction laid out in the report is in the averages.
The median theft in 2024-2025 was $2.2 million, down from $4.5 million in 2021-2023. On the surface, that might look like progress. However, the average theft still came to roughly $24.5 million, more than 11 times the median. In the earlier period, that gap was 6.8 times. The top five hacks accounted for 62% of all funds stolen, and the top 10 made up 73%.
This is a very dangerous kind of distribution. It makes the market look and feel safe and stable until one giant event rips through it. So, the typical exploit might be smaller than it used to be, but the danger sits in the tail. That’s where a handful of huge failures absorb most of the damage and crash the market in a day.
Just look at Bybit. The exchange’s $1.5 billion exploit became the defining hack of 2025 and, in Immunefi’s accounting, represented 44% of all funds stolen that year.
It’s easy to treat that kind of event as a spectacle. But it reveals a much deeper concentration problem. One failure at one major venue can distort the industry’s annual loss profile and expose how much risk still sits in just a couple of critical chokepoints.
The longer decline is where projects start to break
While the report’s data on theft is certainly interesting, the most eye-opening part is its price damage section.
In Immunefi’s sample of 82 hacked tokens, the initial shock was essentially the same. The median two-day decline was about 10%, roughly in line with the earlier cycle. But the biggest effect was felt later, as the median six-month decline worsened to 61%, up from 53% in the 2021-2023 study.
At the six-month mark, 56.5% of hacked tokens were down more than half, and 14.5% were down more than 90%. Only about 16% traded above their hack-day price six months later.
To understand the full effect of a hack, we need to stop treating token prices as an isolated market feature. For most crypto companies, the token acts as a treasury, financing base, and often a public scorecard. A prolonged drawdown cuts directly into a company’s runway, recruiting power, dealmaking leverage, and internal morale.
The report noted that hacked projects often lose security leadership within weeks and spend at least three months in recovery mode. Even if those timelines vary by project, the consequences are plain to see. A company with a damaged token and a damaged brand has fewer ways to buy time.
Plenty of markets can absorb a theft, or a bad quarter, or even a reputational hit. But crypto often compresses all three into the same event. The exploit drains funds, the token reprices the business in public, and counterparties react before the internal cleanup is finished. That’s a hard environment in which to recover, especially for teams that were never overcapitalized in the first place.
Dependency risk makes it even worse. Immunefi argues that a more interconnected DeFi stack has created longer chains of vulnerability across bridges, stablecoins, liquid staking, restaking, and lending markets.
That point should be handled carefully, especially when the report uses case studies that deserve outside verification. Still, the broader direction is hard to dismiss. Crypto systems are more layered than they were a few years ago, and that means a hack can travel much farther than the protocol where it started.
Centralized venues still sit near the center of the blast zone.
The report says only 20 of the 191 hacks in 2024-2025 involved centralized exchanges, yet those incidents accounted for $2.55 billion, or 54.6% of all stolen funds.
That pushes the issue beyond just smart-contract bugs and back toward custody, key management, and infrastructure concentration. For a market that often sells decentralization as a cure for fragility, some of the largest losses still emerge from places where trust is concentrated.
But it doesn’t mean every hacked project is doomed. The industry has now entered a phase where survival doesn’t depend on whether a team can endure a hack, but whether it can endure the six months that come next.
The theft starts the crisis, but the slower damage decides whether the project still has a future once the market moves on.
Post Comment