DeFi lost about $2.8 billion to exploits in 2025 while traditional finance lost roughly $2.6 billion to cyber incidents, according to Chainalysis, TRM Labs, and IBM data cited in the analysis. The headline numbers look close. The rate per dollar moved is not. Against an estimated $46 trillion in total DeFi volume versus around $3.5 quadrillion for TradFi payment rails, FX, and Fed funds, losses work out to roughly 0.006% of volume in DeFi versus 0.00007% in TradFi — an 86-fold, or 8,500%, higher loss rate in DeFi.
That gap reframes the security record. DeFi's transparency advantage is real — a drained pool shows up in the same block it happens, while bank breaches can take 168 days to identify and another 51 to contain, per IBM's 2024 financial-industry breach study — but transparency also turns every incident into an immediate, brutal, legible event. Bank breaches move through legal, insurance, and disclosure systems that buffer the public reaction. DeFi breaches do not.
Why it matters
The original DeFi bargain promised to remove trust assumptions, not relocate them. Chainalysis data shows the security record that broke that pitch: $2.5 billion lost to DeFi hacks in 2021, $3.1 billion in 2022 (82.1% of the $3.8 billion stolen from crypto businesses that year), and $1.1 billion in 2023, with bridges accounting for 64% of the 2022 DeFi total. DeFi protocol-exploit losses have improved since the 2022 peak, but the broader crypto stack — wallets, signers, bridges, front-ends, governance channels — still looks brittle, and DeFi's user-sovereignty pitch depends on that stack holding.
The April 2026 rsETH incident on Aave illustrates the new failure mode. Aave's own contracts were not compromised; a forged LayerZero V2 packet from Kelp's bridge released 116,500 rsETH, and 89,567 of those ended up deposited on Aave, with modeled bad-debt scenarios ranging from $123.7M to $230.1M. Defensive actions included freezes on rsETH and wrsETH reserves, WETH freezes on several markets, and rate adjustments — a mature response system that is also an admission that mature DeFi requires circuit breakers, guardians, and coordinated emergency governance.
Market impact
The composition of theft is shifting. Chainalysis' 2024 review showed $2.2B stolen across 303 hacks, up about 21% year-over-year, with attacker focus moving toward private-key and centralized-service targets. The 2025 picture was dominated by the Bybit compromise at roughly $1.46B — about 51% of TRM's $2.87B total. The FBI's 2025 Internet Crime Report put cyber-enabled losses to Americans at nearly $21B, with more than $11B tied to crypto complaints. Capital is responding: institutions are adopting tokenization, digital cash, and settlement rails while leaving the permissionless political project behind — and the 8,500% loss-rate gap is exactly the credibility headwind that push is exploiting.
Frequently asked questions
-
How do DeFi hack losses compare to TradFi breaches per dollar moved?
Against an estimated $46T in DeFi volume and ~$3.5 quadrillion in TradFi payment rails, FX, and Fed funds, 2025 losses work out to roughly 0.006% of volume in DeFi versus 0.00007% in TradFi — an 86-fold, or 8,500%, higher loss rate in DeFi.
-
How much was stolen from DeFi in 2021 and 2022?
Chainalysis data puts DeFi hack losses at about $2.5B in 2021 and $3.1B in 2022, with DeFi accounting for 82.1% of the $3.8B stolen from crypto businesses that year. Cross-chain bridges made up 64% of the 2022 DeFi total.
-
What happened in the April 2026 Aave rsETH incident?
Aave's contracts were not compromised; a forged LayerZero V2 packet on Kelp's bridge released 116,500 rsETH, 89,567 of which were deposited on Aave. Modeled bad-debt scenarios ranged from $123.7M to $230.1M, and Aave froze rsETH, wrsETH, and WETH reserves across multiple markets in response.
-
Why are DeFi hacks more visible than TradFi cyber incidents?
Public ledgers make a drained pool visible in the same block it happens. TradFi breaches move through legal, insurance, and disclosure systems — IBM puts bank breach identification at 168 days and containment at 51 more days, with average costs around $6.08M per incident in 2024.
-
Why is institutional capital leaving the DeFi ethos while adopting DeFi-style rails?
Tokenization, digital cash, and on-chain settlement are being adopted by TradFi at scale, while the permissionless political project is being left behind. The 8,500% loss-rate gap is the credibility headwind that move is exploiting — transparency made the failures undeniable, and institutions are choosing the rail…
CryptoSlate