Crystal Intelligence has published its 2025 Crypto Hacks and Scams Report, delivering a comprehensive overview of digital asset crime trends over the last 14 years.
Drawing from proprietary data and investigations, the report analyzes more than 1,000 confirmed incidents involving hacks, fraud, and DeFi breaches — together accounting for over $22.7 billion in stolen funds.
The report, which spans from June 2011 through April 2025, provides one of the most detailed views of cryptocurrency-related crime available today. It is designed to support compliance teams at Virtual Asset Service Providers (VASPs), law enforcement agencies, and regulators seeking a clearer understanding of the evolving crypto risk landscape.
Fewer incidents, higher losses
A key takeaway from the latest 12-month period (April 1, 2024, to March 31, 2025) is the paradox of declining incident volume alongside rising financial losses.
During this time, 184 incidents were recorded — a 44% drop from the previous year — but the total value stolen increased by 33% to reach $3.6 billion.
This shift was driven in large part by a handful of high-value thefts, most notably the $1.5 billion Bybit exploit in February 2025. That single incident, the largest crypto theft ever recorded, underscores a growing trend toward targeted, sophisticated attacks that cause outsized damage in a short timeframe.
Breakdown by attack type
The report categorizes all 2024/25 incidents into three major types:
- Security breaches accounted for 56 cases, resulting in $2.5 billion in losses — nearly 70% of the annual total. While these incidents made up just 30% of all attacks, they were disproportionately costly.
- DeFi breaches saw a decline in both frequency and value. There were 75 incidents totaling $372.8 million — a significant drop from $577.5 million the year prior.
- Fraud incidents, including investment scams and address manipulation schemes, dropped sharply to 53 cases. However, total fraud losses still reached $716 million, making it the second most expensive attack type.
Case studies: Bybit, Milei, WazirX
Among the 1,002 incidents detailed in the report, Crystal provides several in-depth case studies illustrating how today’s most sophisticated actors operate — and where vulnerabilities persist.
- The Bybit Heist: In February 2025, attackers exploited a JavaScript poisoning vulnerability within Bybit’s Safe interface, hijacking the multisignature approval process and extracting over 400,000 ETH. The report details how Crystal’s response team worked in real time to trace the funds, revealing more than 1,000 connected addresses and a complex laundering process involving mixers, cross-chain swaps, and high-risk exchanges.
- Milei Memecoin Rug Pull: This politically charged fraud unfolded in Argentina, where a meme coin allegedly connected to President Javier Milei launched in February 2025 and quickly rose to a $4 billion valuation. Within days, insiders cashed out, causing $250 million in losses. The event revealed gaps in Solana’s token vetting and X’s verification policies, which enabled the scam to build legitimacy before the pull.
- WazirX Hot Wallet Attack: In July 2024, Indian exchange WazirX suffered a $230 million loss after a complex compromise of its multisig wallet infrastructure. Attackers laundered the ETH proceeds through Tornado Cash and THORChain, leaving a trail that Crystal’s team was able to track. Despite the scale, WazirX’s fast response — freezing withdrawals and publishing risk updates — limited further exposure.
Ethereum remains the primary target
Ethereum continued to be the most targeted asset in 2024/25, involved in 98 incidents totaling $2 billion in losses. It was central to the largest thefts, most frauds, and nearly all mixer-based laundering activity. While Bitcoin and Solana also appeared frequently, ETH’s deep integration across DeFi and infrastructure layers makes it a recurring focus for attackers.
Implications for compliance and regulation
The report concludes with a set of recommendations for financial crime investigators and compliance professionals.
Among them:
- Enhanced wallet behavior monitoring to flag laundering through mixers or cross-chain bridges
- Increased awareness of interface-level manipulation tactics like address poisoning and frontend script attacks
- Greater industry collaboration in real-time response to large-scale incidents
