Crypto hacks cost affected companies an average of $25 million per incident, according to Immunefi’s 2026 State of Onchain Security report published today. The report, which analyzed 425 publicly known hacks between 2021 and 2025, found that total losses reached $11.9 billion, with the damage increasingly concentrated among a small number of catastrophic breaches.
Inside the $25M Average: Five Mega-Hacks Drove 62% of All Losses
The $25 million per-incident average spans financial losses across DeFi protocols, centralized exchanges, and wallet infrastructure. Immunefi’s dataset covers a five-year window from 2021 through 2025, capturing 425 incidents totaling $11.9 billion in stolen funds.
The losses are not evenly distributed. Just five incidents accounted for 62% of total losses across the full period, underscoring how a handful of mega-breaches inflate the industry-wide average.
The pace of attacks has accelerated. In 2024 and 2025 alone, 191 hacks drained $4.67 billion, representing nearly 40% of the five-year total in just two years.
Centralized exchanges bore the heaviest losses. Twenty exchange hacks accounted for $2.55 billion, or 55% of the 2024-2025 total. That concentration mirrors a pattern visible in recent exchange-related incidents, including Binance’s recent decision to delist eight tokens, which highlighted ongoing platform risk management challenges.
Hacked Tokens Lose 61% and Rarely Recover
Beyond the immediate financial theft, the report quantified a second layer of damage: token price destruction. Hacked tokens experienced a median 61% price decline within six months of a breach.
Recovery is the exception, not the rule. The report found that 83.9% of hacked tokens remained below their hack-day price after six months, suggesting that security breaches inflict lasting reputational and treasury damage.
Immunefi CEO Mitchell Amador framed the findings in stark terms:
“The market has become less forgiving because expectations have changed. Breaches signal deeper issues in engineering and governance, causing sustained token price suppression, reduced treasury capacity, leadership disruption, lost development time, and erosion of user trust.”
That treasury destruction creates a vicious cycle. When a token drops 61%, the project’s development runway shrinks accordingly, making it harder to fund the security improvements needed to prevent future attacks. In a market where the broader crypto environment already faces macro headwinds, hacked projects face compounding pressure.
90% of Projects Still Carry Critical Vulnerabilities
Perhaps the most alarming finding: over 90% of crypto projects still contain critical, exploitable vulnerabilities, according to Amador.
That figure suggests the $25 million average is not a historical artifact but an ongoing systemic risk. The concentration of losses in centralized exchanges, which accounted for more than half of recent damage from just 20 incidents, continues to fuel regulatory calls for mandatory security audits and reserve proof requirements.
The report arrives during a period of heightened market anxiety. The Crypto Fear & Greed Index sits at 23, firmly in “Extreme Fear” territory. Security concerns have become a dominant theme in early 2026, with community sentiment reflecting fatigue over recurring breaches.
On-chain activity has drawn increased scrutiny as well. Recent incidents such as on-chain forensic analysis revealing pre-listing token purchases illustrate how blockchain transparency is being applied to both security investigations and market conduct oversight.
The industry’s security deficit is structural, not incidental. 2025 was the worst year on record for crypto hacks by some estimates, and the Immunefi data confirms that the problem is accelerating rather than stabilizing. With 191 hacks in the last two years alone and the vast majority of projects still carrying known vulnerabilities, the $25 million average cost per incident functions less as a headline statistic and more as a baseline expectation for what comes next.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.