Crypto's $1.26 Billion Counting Problem: Why Security Firms Can't Agree on Hack Losses
The crypto industry can detect a $300 million exploit within minutes, yet cannot agree on whether it should be counted in this year's losses or last year's. Four of the most-cited security firms in digital assets published wildly different annual loss figures for 2025, with totals ranging from $2.78 billion to $4.04 billion. This $1.26 billion disagreement is not a data quality problem; it is a definitional crisis that exposes a fundamental governance gap in Web3.
Why Do Security Firms Report Such Different Numbers?
The variance is not random. Each firm made deliberate, documented choices about what to include in their totals. Chainalysis reported $3.4 billion, CertiK reported $3.35 billion, PeckShield reported $4.04 billion, and SlowMist reported $2.78 billion. The gap between the highest and lowest figures is larger than the annual cybersecurity budget of most mid-sized financial institutions.
The disagreement stems from four specific methodological choices that the industry has never standardized:
- Scam Inclusion: PeckShield counts social engineering attacks, phishing campaigns, and rug pulls alongside protocol-level exploits, while Chainalysis and CertiK treat scams as a separate loss category entirely.
- Recovery Treatment: Chainalysis nets out recovered funds from its totals, so a $40 million exploit with $38 million recovered counts as a $2 million loss. PeckShield counts the full $40 million, and CertiK's approach depends on whether the recovery was voluntary.
- Wallet Compromise Classification: SlowMist excludes most individual wallet compromises from its figures, while Chainalysis includes a sampled portion. In 2025, approximately 158,000 individual wallet compromise incidents resulted in around $713 million in losses, yet firms handle this population differently.
- Severity Taxonomy: CertiK uses a proprietary severity taxonomy that separates financial loss from protocol-level impact, producing different totals than firms that focus purely on monetary damage.
None of these choices is unreasonable on its own. Together, they produce four legitimate answers to four slightly different questions, all published as the answer to one question.
What Makes This a Governance Problem, Not a Data Problem?
Web3 operates on public blockchains where every transaction is recorded, timestamped, and traceable. In theory, this creates the most auditable financial environment ever built. The raw material for a consistent industry loss figure sits on public infrastructure, accessible to anyone with an internet connection. Yet traditional finance, which operates under opposite conditions with private bank ledgers and fragmented transaction data, has produced standardized, cross-institution loss reporting for decades.
The Basel Committee on Banking Supervision defines what counts as an operational loss event. The European Banking Authority publishes a taxonomy. National regulators enforce reporting standards that make numbers converge, not because underlying events are simple, but because the industry decided convergence was worth building for. Web3 has the better infrastructure and the worse accounting.
"The framework for reading it is not," noted Dedge Security in analyzing why Web3's transparent ledger lacks a transparent framework for loss classification.
Dedge Security, "The Industry that Cannot Count Its Own Losses"
The variance across trackers maps directly to the absence of a shared definitional framework. Someone has to decide what counts as a loss, what counts as a recovery, and which incidents belong in the annual total. In Web3, no one has made these decisions at an industry level.
How Do Recovery Rates Complicate the Picture?
Recovery rates in Web3 vary enormously by attack type. Smart contract exploits against opportunistic attackers sometimes produce high recovery rates through white-hat negotiations. Private key compromise incidents against state-affiliated actors produce almost none. A loss figure that does not distinguish between recoverable and unrecoverable losses is not telling you the same thing as one that does, even if both figures look identical.
In 2025, the average confirmed recovery rate across all verified incidents was 3.62 percent. That number is only meaningful if everyone is counting losses the same way before recovery. They are not.
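To make concrete how the four methodological choices listed earlier, together with the recovery-rate denominator problem described here, turn one set of events into several different "annual totals", the following is an added Python example written for this page. It is not code from Chainalysis, CertiK, PeckShield, SlowMist or Dedge Security. The incidents are constructed (the $40 million / $38 million case is the article's own illustration; the rest are invented), and the four policies are illustrative caricatures of the choices the article describes, not the firms' actual methodologies.

```python
"""Added example: aggregate the same incidents under different counting policies.

Shows why identical on-chain events yield different annual loss totals and
different recovery rates once scam inclusion, wallet-compromise inclusion and
recovery netting are chosen differently. All figures are in millions of USD
and are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Incident:
    name: str                       # constructed label, not a real incident
    category: str                   # "exploit", "scam" or "wallet"
    lost_usd: float                 # gross amount drained, in millions
    recovered_usd: float = 0.0      # amount later returned or frozen
    voluntary_recovery: bool = False  # True for a white-hat / negotiated return


@dataclass(frozen=True)
class Policy:
    name: str
    include_scams: bool     # count phishing / rug pulls alongside exploits?
    include_wallets: bool   # count individual wallet compromises?
    recovery: str           # "gross", "net" or "net_if_voluntary"


# Constructed sample: four incidents, one per category choice the article raises.
SAMPLE: List[Incident] = [
    Incident("exploit-A", "exploit", 40.0, 38.0, voluntary_recovery=True),   # article's example
    Incident("exploit-B", "exploit", 100.0, 10.0, voluntary_recovery=False),  # partial freeze
    Incident("scam-C", "scam", 25.0),
    Incident("wallet-D", "wallet", 12.0),
]

# Hypothetical policies, loosely modelled on the choices described in the article.
POLICIES: Dict[str, Policy] = {
    "gross_all":         Policy("gross_all", True, True, "gross"),
    "net_exploits_only": Policy("net_exploits_only", False, False, "net"),
    "voluntary_net":     Policy("voluntary_net", False, True, "net_if_voluntary"),
    "gross_no_wallets":  Policy("gross_no_wallets", True, False, "gross"),
}


def in_scope(inc: Incident, policy: Policy) -> bool:
    """Scope decision: does this policy count the incident at all?"""
    if inc.category == "scam" and not policy.include_scams:
        return False
    if inc.category == "wallet" and not policy.include_wallets:
        return False
    return True


def counted_loss(inc: Incident, policy: Policy) -> float:
    """Recovery decision: how much of an in-scope incident is booked as a loss."""
    if not in_scope(inc, policy):
        return 0.0
    if policy.recovery == "gross":
        return inc.lost_usd
    if policy.recovery == "net":
        return inc.lost_usd - inc.recovered_usd
    if policy.recovery == "net_if_voluntary":
        credited = inc.recovered_usd if inc.voluntary_recovery else 0.0
        return inc.lost_usd - credited
    raise ValueError(f"unknown recovery treatment: {policy.recovery}")


def annual_total(incidents: Iterable[Incident], policy: Policy) -> float:
    return sum(counted_loss(i, policy) for i in incidents)


def recovery_rate(incidents: Iterable[Incident], policy: Policy) -> float:
    """Recovered / gross over the incidents this policy includes.

    The numerator is the same events for everyone; the denominator moves with
    the scope choice, so the 'average recovery rate' is policy-dependent too.
    """
    scoped = [i for i in incidents if in_scope(i, policy)]
    gross = sum(i.lost_usd for i in scoped)
    recovered = sum(i.recovered_usd for i in scoped)
    return recovered / gross if gross else 0.0


def spread(incidents: List[Incident], policies: Iterable[Policy]) -> float:
    """Gap between the highest and lowest total: the page's 'counting problem'."""
    totals = [annual_total(incidents, p) for p in policies]
    return max(totals) - min(totals)


if __name__ == "__main__":
    for p in POLICIES.values():
        print(f"{p.name:18s} total={annual_total(SAMPLE, p):7.1f}M "
              f"recovery_rate={recovery_rate(SAMPLE, p):.1%}")
    print(f"spread between trackers: {spread(SAMPLE, POLICIES.values()):.1f}M")
```

The four policies report 177.0, 92.0, 114.0 and 165.0 for the same four events, an 85-million spread, and the recovery rate swings from about 27 percent under the all-inclusive scope to about 34 percent when scams and wallet compromises are excluded, even though nothing about the incidents changed. A practitioner comparing two trackers should therefore first align `include_scams`, `include_wallets` and `recovery` before comparing totals or year-over-year percentages.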
What Are the Real-World Consequences of This Disagreement?
When the loss figure is uncertain by more than a billion dollars, the metrics derived from it are also uncertain. Percentage changes year-over-year become meaningless. Claims about which chains are safest, which attack types are growing, and which sectors carry the most risk are all built on a foundation that shifts depending on which tracker you read first.
Meanwhile, 2026 has already seen significant losses. Crypto hack losses have exceeded $1.1 billion in the first half of the year, with unverified smart contracts accounting for $36.7 million in losses across several major exploits. KelpDAO reported one of the largest incidents, with losses estimated at approximately $292 million after attackers allegedly compromised infrastructure supporting its bridge system. Drift Protocol suffered losses exceeding $280 million in an attack that reportedly combined governance manipulation, oracle abuse, and social engineering techniques.
Additional protocols experienced significant losses during 2026:
- Truebit: Lost $26.2 million through an integer overflow vulnerability in an outdated Solidity version lacking modern overflow protections.
- Resolv Labs: Lost approximately $25 million due to a stablecoin minting flaw.
- Step Finance: Suffered a $27.3 million treasury theft linked to compromised private keys.
- Versus Bridge: Lost $11.58 million through a bridge validation vulnerability.
How Can Projects and Users Reduce Their Exposure to These Risks?
As attacks become more sophisticated, security experts continue to recommend stronger development and monitoring practices throughout the industry:
- Code Transparency: Verify smart contract source code publicly on blockchain explorers to enable community review and broader security research participation.
- Independent Audits: Conduct regular independent security audits and expand bug bounty programs to identify vulnerabilities before attackers do.
- Continuous Monitoring: Implement continuous transaction monitoring and review legacy contracts and outdated code for unpatched vulnerabilities.
- User Diligence: Research a protocol's security history, audit reports, and development practices before interacting with it.
- Token Approval Limits: Limit unnecessary token approvals and use trusted wallets to reduce exposure to common risks.
Unverified smart contracts, which do not publicly disclose their source code on blockchain explorers, miss several important security advantages including community review, broader security research participation, inclusion in bug bounty programs, and faster identification of vulnerabilities. While some teams believe private code improves security, experts increasingly argue that transparency provides stronger protection through continuous scrutiny.
The rise of artificial intelligence-powered vulnerability analysis may further increase pressure on projects to improve transparency, auditing, and monitoring practices. Modern decompilation software and large language models can analyze blockchain code more efficiently than ever before, allowing attackers to scan contracts at scale and identify weaknesses such as arithmetic errors, reentrancy flaws, and access control issues.
The $1.26 billion disagreement among security firms is ultimately a call to action. Web3 built its threat detection infrastructure before it built its risk accounting infrastructure. The tools for identifying when an attack has occurred are sophisticated and improving. The conceptual infrastructure for defining what an attack costs, to whom it costs, and under what category it should be classified has never been built. Until the industry settles on shared definitions, navigating crypto security will remain an exercise in reading instruments that have not been calibrated.
" }