The Bybit and Phemex hacks caused the crypto industry's biggest-ever losses in the first quarter of 2025, highlighting the risks of state-backed threat actors.
In the quarter that’s about to end, the industry has already suffered $1.636 billion in losses due to hacks, according to data from the crypto industry's bug bounty platform, Immunefi.
However, 89% of the sum was lost during the Bybit exchange hack in February, while another crypto exchange, Phemex, accounted for 4% of total losses. Overall, losses were 4.7 times higher than in the first quarter of 2024. Without these two major hacks, total losses would have been approximately 69% lower.
Meanwhile, the number of attacks decreased by 36%, to 40.
"Q1 2025 breaches mark a historic moment in crypto security, with CeFi accounting for 94% of total losses, all caused by North Korean hackers. The sheer scale of the Bybit and Phemex attacks, totaling $1.5 billion, shows how state-backed actors are arguably the most pressing threat to our industry," commented Mitchell Amador, Founder and CEO of Immunefi.
According to him, the success of Lazarus, the North Korean state-sponsored hacking group, is a reminder that the crypto industry needs to step up its efforts to protect itself and its customers from "catastrophic attacks before they happen."
The bug bounty platform also emphasized that even a small breach of a large crypto exchange can result in hundreds of millions in losses, making these platforms prime targets for malicious actors.
"In contrast, vulnerabilities in smart contracts may only allow partial or conditional access to funds," they stressed.
Moreover, the supersized losses in Q1 were also the reason why only 0.4% of the stolen funds have been recovered, compared to 21% a year ago.
According to LazarusBounty.com data, Bybit has announced $140 million in bounties, while $2.3 million has already been awarded.
However, the company has so far frozen only almost 4% of the stolen funds and is still waiting for a response regarding another nearly 7%. The rest – around $1.25 billion – is still being tracked, as Lazarus is said to have completed converting the stolen funds.
Your email address will not be published. Required fields are markedmarked