Crypto security has had a genuinely rough stretch this year. Trackers following DeFi exploits put total losses well into the More than $100 million was lost across 20+ top crypto hacks, and the pattern behind them has shifted in an interesting way. Fewer attackers are digging through smart contract code looking for bugs. More of them are going after the people and infrastructure sitting around that code instead: compromised keys, manipulated price feeds, forged bridge messages, and old contracts nobody thought to check on anymore.

Source: defillama.com data
Here's a closer look at five of the largest incidents from this stretch, broken down by what actually happened, how much was lost, what the team behind each project said afterward, and whether anything was ever recovered in top crypto hacks

What happened: On April 18, attackers found a way into the infrastructure behind KelpDAO's cross-chain bridge. The bridge runs on a messaging system that lets tokens move between blockchains, and this system relies on a small set of verifier nodes to confirm that a transfer is genuine. KelpDAO's setup used just one verifier instead of several checking each other, so once attackers got into that single verifier's backend servers, they could push through fake confirmations that looked completely legitimate onchain.
How much was lost: Roughly 116,500 rsETH, worth about $292 million. That makes it the single largest loss on this entire list and one of the biggest DeFi hacks of the year overall.
What the team said: KelpDAO's emergency multisig froze the protocol's core contracts within about 46 minutes of the drain, fast enough to block two follow-up withdrawal attempts. In the weeks afterward, KelpDAO and the company behind the bridge infrastructure publicly disagreed over who was responsible for the risky single-verifier setup. The infrastructure provider eventually admitted it had allowed a configuration that wasn't appropriate for an asset holding this much value.
Was it recovered: No. As of the most recent reporting, the stolen funds have simply sat untouched rather than being moved, laundered, or returned. KelpDAO has since switched its bridge over to a different cross-chain messaging provider.

Source for verification: KelpDAO official X post
What happened: On July 15, someone got hold of a signer key tied to Ostium's price-feed system. Ostium runs perpetual futures on real-world assets like stocks and forex, and it needs live price data pushed onchain constantly to know whether trades are winning or losing. Using that compromised key, the attacker submitted fake, future-dated price reports that made losing trades look profitable, then simply cashed out the fabricated gains. The whole thing reportedly took about five minutes.
How much was lost: Estimates range between $18 million and nearly $24 million, depending on which security firm's tracing you go by.
What the team said: Ostium noticed the unusual activity almost right away and paused all trading within about an hour of the attack starting. Its founder confirmed the exact timing publicly and said the team was working alongside outside security firms and, separately, with law enforcement to dig into what happened.
Was it recovered? No, that's not been publicly confirmed. No reimbursement plan or fund recovery has been announced as of the latest updates.

Source for verification: Ostium exploit
What happened: On May 17, an attacker found a missing validation check on the Verus-Ethereum bridge and used it to drain a mix of wrapped Bitcoin, ETH, and USDC straight out of the bridge's reserves.
How much was lost: About $11.58 million total.
What the team said: Verus moved fast, shutting down its block-producing nodes to stop any further transfers and pushing out an emergency patch to close the gap. Then it did something a bit unusual: instead of only threatening legal action, the team publicly offered the attacker a deal. Return 75% of the stolen funds within 24 hours, and the remaining 25% would be treated as an accepted bounty rather than pursued as theft.
Was it recovered? Mostly, yes. The attacker took the deal and returned 4,052.4 ETH, worth roughly $8.5 million, a few days later, keeping about $2.8 million as the agreed bounty. This is easily the cleanest recovery story on this list. Verus did note publicly that accepting the deal didn't rule out further legal action down the line.


Source for verification: Verus recovery
What happened: On May 15, someone who had joined THORChain's network as a node operator just two days earlier exploited a weakness in the process nodes use to jointly sign off on transactions. That let them reconstruct enough key material to move funds out of one of THORChain's six vaults without proper authorization.
Source: Yt THORChain
How much was lost: About $10.7 million from that single vault.
What the team said: THORChain's automated monitoring caught the imbalance within minutes and triggered a network-wide halt on trading and signing, even while the underlying blockchain kept running normally. The network then stayed paused for roughly five weeks while the team investigated and coordinated a response with node operators.
Was it recovered? Not directly, but the protocol chose not to pass the cost onto RUNE holders either. Rather than creating new tokens to cover the gap, which would have diluted everyone's holdings, THORChain absorbed the loss using its own protocol-owned reserves. It's also worth knowing this wasn't a one-off for THORChain; the network has dealt with repeated security incidents over the years, including an earlier personal wallet compromise tied to its founder.

Source for verification: THORChain exploit
What happened: The real story here starts about 269 days before the actual theft. Ownership of an old DxSale liquidity-locking contract on BNB Chain quietly changed hands to a new wallet, with no announcement made to any of the projects or users whose funds were still sitting locked inside it. On May 29, the new owner used a newer BNB Chain transaction feature to drain the contract in one coordinated sequence, hitting roughly 1,400 separate locked positions, some dating back to 2021.
How much was lost: Around $7.3 million.
What the team said: DxSale's public statement pinned the blame mainly on that newer BNB Chain feature, without really addressing the earlier, undisclosed ownership change that actually gave the attacker control in the first place. The team did clarify that its newer locker contracts, which have been through third-party audits, were untouched and remain safe to use.
Was it recovered? No public compensation plan for the affected liquidity providers has been confirmed as of the latest coverage.

Source for verification: DxSale exploit
Line these five up together, and a pattern jumps out fast. The biggest loss on this list didn't come from a flaw in any smart contract; it came from infrastructure sitting just outside it, a bridge's verification system that only had one point of failure. Ostium's attack worked the same basic way, going after a price-feed signer key rather than the trading contracts themselves. Even the smaller losses fit the theme. THORChain's came down to a compromised signing process, and DxSale's traced back to an old, forgotten contract that changed hands quietly without anyone noticing.
The aftermath looked pretty different from project to project, too. Verus talked its way into recovering most of what was stolen within days. THORChain ate the loss itself instead of passing it on to token holders. KelpDAO and Ostium, the two biggest top crypto hacks here, are both still working through investigations with nothing recovered yet. DxSale's response drew some criticism for what it left out of its own explanation. Not one of these five required an attacker to actually break smart contract logic, and that says a lot about where crypto's weakest points really are right now.
This article is for educational and informational purposes only and should not be considered financial or investment advice. Figures cited reflect estimates reported by blockchain security firms and news outlets at the time of writing and may be revised as investigations continue. Always verify details through official project channels and do your own research before making any financial decisions.