DeFi Rekt Report October 2025: $38.6 Million Lost Across 9 Exploits
October 2025 saw a total of $38.63 million lost across nine distinct security incidents in both centralized and decentralized platforms.

Q1 2025 marked one of the worst quarters in blockchain exploit history, with total recorded losses topping $2,052,584,700 across 37 incidents. This figure is five times higher than the $414,875,820 lost in Q1 2024, and it surpassed even the darkest quarters of 2022 and 2023. Recovery efforts saw $44.5 million reclaimed—modest in contrast to the magnitude of losses.
The surge in exploits this quarter was primarily driven by a small number of massive access control breaches and exit scams targeting both centralized and decentralized platforms. Among the biggest incidents were the high-profile Bybit exploit ($1.4 billion) and two Solana-based rug pulls—LIBRA ($286 million) and MELANIA ($200 million). The Ethereum network continued to be the most targeted chain, while the dominance of centralized platforms in single-event losses signals an ongoing systemic weakness in custodial asset management.

January 2025 began with $262.9 million in losses, led by attacks on Ethereum-based DeFi protocols and a mix of reentrancy and phishing-style exploits. Recovery efforts were limited, with just under $1.5 million reclaimed.
February 2025 was the bloodbath: $1.76 billion was lost, making up 85% of Q1’s total losses, due almost entirely to the Bybit incident, where $1.4 billion vanished in an access control breach. Other sizable losses included LIBRA ($286M) and MELANIA ($200M), two large-scale exit scams on Solana. $43 million was recovered this month, largely due to white-hat coordination with minor exploiters.
March 2025 saw a significant drop-off in total damage, with $27.6 million lost across a handful of incidents—mostly smart contract bugs and oracle misuses. This relatively calm month offered a brief reprieve but did little to reverse the record-setting quarter.
Funds Lost by Chain — Q1 2025 Breakdown

The Ethereum network once again led all blockchains by a wide margin in terms of losses, with a staggering $1.53 billion drained across 17 recorded incidents. This figure was largely inflated by the $1.4 billion Bybit exploit, which alone accounted for over two-thirds of Ethereum’s quarterly losses. Other notable Ethereum-based exploits, such as those involving Infini and zkLend, further solidified Ethereum’s position as the most targeted chain. This outcome is not surprising given Ethereum’s centrality in DeFi, with the highest concentration of smart contracts, tokens, and developer activity across the Web3 ecosystem.
In a similar vein, Solana, another significant ecosystem, saw the second-largest losses, totaling $486.5 million across just three incidents, a figure primarily driven by the LIBRA ($286M) and MELANIA ($200M) exit scams.
Binance Smart Chain (BSC) recorded $59.2 million in losses across 11 cases, consistent with past quarters where BSC has seen frequent but mid-sized exploits targeting low-cap tokens, farming contracts, and gaming/metaverse platforms. These often involved vulnerable liquidity pools or poorly written contract logic.
Meanwhile, chains like Arbitrum, TRON, Base, Bitcoin, and Mode contributed smaller but still notable losses. While their individual exploit values were lower, their inclusion in this quarter’s data highlights the increasing surface area of attack vectors due to cross-chain activity. Protocols operating across multiple blockchains—especially those utilizing bridges, wrappers, and multi-chain liquidity routing—are becoming attractive targets for attackers looking to exploit inconsistencies in security standards between networks.
Analysis by Type of Exploit

Access control vulnerabilities were by far the most damaging category in Q1 2025, responsible for an overwhelming $1.46 billion in losses across just 8 incidents—representing over 70% of all funds lost this quarter. The single most severe case was the Bybit exploit, which alone accounted for $1.4 billion due to a breakdown in centralized key management and wallet controls. Other notable access control failures included Infini and Zoth, where attackers circumvented or manipulated multi-signature wallet logic, highlighting ongoing structural weaknesses in permission management, especially in protocols relying on centralized infrastructure or poorly implemented multisig governance.
Exit scams, while fewer in number, caused $486 million in damage through just two cases—LIBRA and MELANIA, both operating on Solana. These cases featured team-led asset drains that were positioned as “organic shutdowns” but were ultimately uncovered to be coordinated exits.
The remaining $100 million+ in losses came from a range of lower-scale exploits affecting 26 projects. These included logic bugs in smart contracts, oracle misconfigurations, and reentrancy flaws, as well as phishing attacks, which still accounted for $6.2 million, mostly occurring on Ethereum. Despite being a “simpler” form of attack, phishing remains effective, especially against individual users and smaller DAOs with inadequate wallet hygiene.

The CeFi category accounted for the majority of the losses in Q1 2025, thanks to two gigantic events: the Bybit breach, which resulted in $1.4 billion lost, and the Phemex exploit, which added another $37 million. Together, these centralized failures accounted for over 70% of the money lost in the quarter. Both incidents highlight the risks of centralized custody designs, particularly when security depends on internal access controls and closed-source systems that lack the transparency and composability of decentralized protocols.
Meanwhile, token-based projects were the most frequently targeted, with 11 cases that cost nearly $487 million in losses. Most of them involved liquidity pool exploits, unauthorized minting, or backdoor access into token supply contracts, indicating persistent weaknesses in how token economics are designed and secured. While individually less ruinous than the CeFi heists, such attacks were numerous and impacted a wide segment of small- to mid-cap projects, the majority of which operated without in-depth audits or formal security mechanisms.
Gaming and Metaverse platforms, as well as NFT-focused protocols, also continued to suffer chronic, albeit lower-value, losses of approximately $21 million and $430,000, respectively. Such protocols most often combine staking logic with the multi-token complexity typical of in-game rewards or NFT-gated asset staking, leaving them vulnerable to reentrancy attacks, logic bugs, or improper contract upgrades.
Other categories, including yield aggregators, borrowing/lending protocols, and stablecoin-related systems, lost less but were likewise attractive targets. Yield aggregators lost $863,000 from three attacks, most frequently from malfunctioning integrations with third-party protocols, while borrowing/lending platforms lost approximately $9.8 million, primarily from collateral mismanagement or liquidation bugs.

Bybit Exchange Breach – $1.5bn
In February 2025, Bybit, a Dubai-based cryptocurrency exchange, suffered a monumental security breach resulting in the loss of approximately $1.5 billion in Ethereum. The attackers exploited vulnerabilities during a routine transfer between the exchange’s cold and warm wallets, manipulating the transaction approval process to divert funds to an unknown address. Despite the significant loss, Bybit assured customers of its solvency and commitment to reimbursing affected users.
LIBRA Token Exit Scam – $286m
The LIBRA token scandal unfolded in February 2025 when Argentinian President Javier Milei endorsed the meme coin, leading to a surge in its value. Shortly after, approximately $286 million was withdrawn from the token’s liquidity pool by wallets linked to its creators. Investigations revealed that the withdrawals were orchestrated by individuals closely associated with the token’s development, raising concerns about political figures’ involvement in cryptocurrency promotions.
MELANIA Coin Exit Scam – $200m
The MELANIA coin, associated with former U.S. First Lady Melania Trump, faced scrutiny after allegations of being part of multiple crypto scams emerged. Investigations suggested that the team behind MELANIA was involved in deceptive practices, leading to significant financial losses for investors and tarnishing the project’s credibility.
Infini Platform Exploit – $57m
In February 2025, Infini, a decentralized finance platform, fell victim to a $50 million exploit. A former developer leveraged inadequate access controls to drain funds from the platform. This incident underscored the critical importance of stringent internal security measures and robust access management protocols within DeFi projects.
Phemex Exchange Hack – $37m
January 2025 saw Phemex, a Singapore-based centralized exchange, suffer a security breach resulting in the theft of approximately $73 million across sixteen blockchains. Attackers gained unauthorized access to the exchange’s hot wallets, highlighting vulnerabilities in hot wallet management and the need for enhanced security protocols.
FortuneWheel Smart Contract Exploit – $21m
On January 10, 2025, the FortuneWheel project on Binance Smart Chain was exploited due to a critical flaw in its swap functionality. The attacker manipulated the contract’s logic to siphon off nearly $21m. This incident emphasized the necessity for thorough smart contract audits to identify and rectify vulnerabilities before deployment.
Abracadabra.Money Breach – $13m
In March 2025, Abracadabra.Money, a DeFi lending platform, experienced a security breach leading to the loss of approximately $13 million. The exploit targeted the platform’s “cauldrons,” isolated lending markets, revealing vulnerabilities in the platform’s codebase and raising concerns about the security of complex DeFi protocols.
Ionic Money Platform Attack – $12.3m
February 2025 witnessed a $12.3 million hack on the Ionic Money platform, formerly known as Midas. Attackers employed social engineering tactics to exploit verification process weaknesses, draining the project’s vaults. This breach highlighted the persistent threat of social engineering in the crypto space and the need for comprehensive security awareness training.
zkLend Protocol Exploit – $9.5m
On February 12, 2025, zkLend, a lending platform on Starknet, was attacked, resulting in nearly $10 million in asset losses. The exploit was linked to vulnerabilities previously identified in similar platforms, underscoring the importance of addressing known security issues across DeFi projects.
Zoth Protocol Breach – $8.3m
In March 2025, the Zoth protocol, a restaking layer for real-world assets, suffered an exploit leading to a loss of approximately $8.3m. The attacker exploited a logic flaw in the Loan-To-Value validation within the mintWithStable() function, allowing them to mint tokens without depositing sufficient collateral. This incident highlighted the need for rigorous validation mechanisms in DeFi protocols.
© De.Fi. All rights reserved.