Despite this drop, September still set a new record for million-dollar incidents. CertiK data showed a steep decline in code exploit losses, while hackers shifted toward mid-sized attacks targeting centralized exchanges and DeFi platforms. New ecosystems like Hyperliquid also faced exploits, and North Korean cyber units were still the biggest threat.
Hackers Steal Less in Q3
Losses from crypto hacks and exploits fell sharply in the third quarter of 2025, despite September being a record month for million-dollar incidents. According to data from blockchain security firm CertiK that was shared in a recent interview, total losses dropped from $803 million in Q2 to $509 million in Q3. This was a decline of nearly 37%. Compared to Q1, when hackers stole almost $1.7 billion, losses fell by more than 70%.
Incidents and the amount lost (Source: CertiK)
CertiK reported that code vulnerability-related losses plummeted from $272 million in Q2 to just $78 million in Q3, while phishing-related theft also declined despite a similar number of incidents. Analysts pointed out that no single hack in the quarter reached the $100 million mark, which means that attackers instead focused on mid-sized exploits.
September stood out as the most active month for high-value theft, and recorded 16 hacks that each surpassed $1 million. This set a new monthly record, topping the previous high of 14 in March of 2024. Even with this surge, the year-to-date average sits at about six million-dollar hacks per month, down from over eight per month in both 2023 and 2024.
Centralized exchanges were the biggest targets in Q3, and accounted for $182 million in stolen funds. Hackers also increasingly relied on phishing and social engineering tactics to compromise multisignature and hot wallets, according to security firm Hacken.
DeFi projects were also hit, and lost $86 million in the quarter, including a $40 million exploit of the GMX v1 decentralized exchange. That case ended with the hacker returning the funds after receiving a $5 million bounty.
New ecosystems also came under fire, with Hyperliquid suffering incidents like the HyperVault exploit and HyperDrive rug pull late in the quarter. Hacken warned users to exercise extreme caution when engaging with newer and emerging chains.
Hacken CEO Yevheniia Broshevan said North Korean cyber units are still the biggest threat, as they are responsible for around half of all the funds that were stolen in Q3. She added that their methods are becoming more sophisticated, and are evolving from basic phishing to layered operational compromises.
While the quarter saw a rise in million-dollar hacks, the overall decline in losses and a drop in code-based exploits suggest that the fight to harden protocols and codebases may actually be working.
