Immunefi’s 2024 report finds $1.5b lost across 232 incidents, with CeFi key compromises driving a handful of mega-hacks while early 2025 losses already race past last year.
Summary
- Web3 lost $1,495,487,055 across 232 incidents in 2024, with hacks responsible for 98.1% of losses and fraud, scams and rugs just 1.9%.
- Two CeFi private key breaches — DMM Bitcoin’s $305m hack and WazirX’s $235m exploit — accounted for about 36% of losses as CeFi losses surged 77.5% to $726.2m, while DeFi losses fell 44.8% to $769.3m.
- Q2 2024 was the worst quarter at $572.7m, Ethereum and BNB Chain stayed top targets, and Q1 2025 losses have already hit $1.64b, led by the $1.4b Bybit hack, with Immunefi warning that most hacked projects never recover.
The blockchain security industry is sounding the alarm after another year of devastating losses. According to Immunefi’s annual “Crypto Losses in 2024” report, the Web3 ecosystem suffered $1,495,487,055 in total losses across 232 specific incidents — underscoring a persistent, systemic vulnerability that continues to erode confidence in decentralized finance.
Hacks dominated the breakdown, accounting for 98.1% of all losses, with fraud, scams, and rug pulls making up just 1.9%. While the headline figure represents a roughly 17% decline compared to 2023 — when losses surpassed $1.8 billion — analysts warn the improvement is misleading, given that a small number of catastrophic incidents continue to skew the totals.
Two attacks alone accounted for approximately 36% of all 2024 losses: the $305 million hack of Japanese exchange DMM Bitcoin in May, and the $235 million breach of Indian exchange WazirX in July. Both incidents involved compromised private keys targeting centralized finance (CeFi) infrastructure — a trend that marked a significant shift from previous years, when decentralized protocols bore the brunt of attacker activity.
CeFi losses surged 77.5% year-over-year to $726.2 million across just 11 incidents in 2024, while DeFi losses fell 44.8% to $769.3 million across 221 incidents. The numbers reveal a troubling paradox: centralized platforms, despite being fewer in number, are increasingly proving to be the highest-value targets.
Q2 2024 was the most damaging quarter, recording $572.7 million in losses across 72 incidents — a 115.7% increase compared to Q2 2023. May alone accounted for $358.5 million of those losses, driven primarily by the DMM Bitcoin attack.
Ethereum and BNB Chain remained the most targeted networks throughout the year, a pattern consistent with previous annual reports from Immunefi.
Meanwhile, Immunefi’s more recent data signals that 2025 could surpass 2024 significantly. Year-to-date losses through Q1 2025 already reached $1.64 billion — largely due to the $1.4 billion Bybit hack — exceeding the entirety of 2024’s losses within just three months.
Immunefi CEO Mitchell Amador has warned that the structural vulnerabilities extend beyond stolen funds. According to Amador, nearly 80% of crypto projects that suffer major hacks never fully recover, with operational paralysis and reputational collapse compounding the initial financial damage.
Immunefi currently protects over $190 billion in user funds and has facilitated more than $25 billion in prevented hacks through its bug bounty programs, which have paid out record-setting bounties including $10 million for a Wormhole vulnerability.
The data makes one thing clear: as crypto markets grow, so does the appetite — and sophistication — of those looking to exploit them.
