State of the market; The end of DeFi?

  • Writer: Precious Elisha
  • Apr 24
  • 11 min read



With everything happening in DeFi now, is it safe to say this is the end of DeFi?


Well, how did it all begin?


The concept of decentralized finance was born in 2009 when Bitcoin launched, became more practical when Ethereum came on board in 2015, and went mainstream in 2020 during DeFi Summer.


Now it looks like the end is here.


Unless things become more stable and we study previous key events.


This year has been a tough one not just for DeFi and companies operating under the idea; it has also spread to daily users, who sought financial protection in the decentralized system.


The market hasn't been kind to some companies either, with companies shutting down every week.


I'll recap most of these key events, not as news headlines but as a case study of what could be expected. This leads us to the question:


Is this the end of DeFi?

Not such a tough question, btw; we just need to refresh our memory a little and see things from a new perspective before we can draw a conclusion.



The beginning of DeFi

The launch of Bitcoin is significant, primarily because of its decentralized nature. It offered no centralized control, censorship resistance, and more, in contrast to the system that this idea of decentralization opposes.


By and by, the idea became more accepted as people discovered how powerful and useful decentralized finance is, and how systems can be built on it.


Early institutions started to get on board privately, liquidity started piling up, and of course, bad actors started noticing. Attention gradually shifted to this new way of finance.


Early builders on Bitcoin tried their hands at token creation, and Tether.io also launched a stablecoin in 2014.



Expansion Phase

Ethereum's launch in 2015 marked a new phase as it enabled programmable smart contracts for dApps. This was indeed a game changer.


This new phase allowed users a variety of onchain actions including being able to collateralize ETH. Users were exploring new dApps and builders were building more.


Gradually, users got comfortable with these apps while protocols tried to navigate the new waters. Security was not at its best, but hey, the market was booming.



Time to hack

The first major DeFi hack came as a surprise in 2016: 3.6 million ETH (~$60M at the time) was drained from The DAO when attackers exploited a re-entrancy bug in its smart contract.


Well, the Ethereum network hard-forked to restore those funds, which allowed investors to be reimbursed.

What came over the subsequent years defined the environment for the hacks we are witnessing now.


In July 2017, the Parity multisig library was exploited and the hacker stole $30M in ETH. A white hat group then used the same vulnerable code to secure $166M in total before the hacker could access it, and returned 100% of the funds to the owners.


Then something crazy happened in November 2017.


A GitHub user (devops199) accidentally triggered a vulnerability in the Parity multisig library contract that allowed them to become the owner of that library. In a panic, they called the selfdestruct function, which deleted the code of the library contract.


This resulted in loss of access to all Parity multi-signature wallets created after July 20, 2017. Their owners were unable to transfer their funds, which were essentially frozen.


This was one of the biggest losses due to an accident, a $300M loss.


Amid all of this, China banned ICOs in September 2017, and its regulators closed down about 170 exchanges (note that China had accounted for ~90% of global Bitcoin trading).


Things were not looking great for DeFi/Crypto growth, but hey, the market was booming gradually.



Flash-loans and more hacks

A lot more hacks started to surface in 2020.

  • Lendf.me was drained for $24M. The attacker partially redistributed funds back to victims later.

  • Harvest Finance lost $34M from its stablecoin pools through a flash-loan exploit.

  • Pickle Finance's design flaw allowed an attacker to steal $20M in DAI via a jar swap exploit.

  • There were other attacks on several DeFi projects, including bZx.


The total DeFi exploit losses for 2020 are estimated to be at least $100M.


US regulators also moved towards stricter AML/FinCEN rules, proposing a rule that would require exchanges to collect user info for self-hosted wallets, which was later withdrawn.


China then reinstated bans on crypto trading, which prohibited miners and financial firms from crypto activities in 2021.



The breakout year

From ~$100M lost to DeFi hacks in 2020 to $2B lost in 2021, the jump was crazy.


This period is generally known as the DeFi Summer, and products tied to yield farming exploded. Products like Uniswap Labs, Compound, Aave Labs saw massive adoption and their TVL also surged. This period proved onchain finance could rival CeFi in scale.


The major exploits were cross-chain (Poly Network lost $613M, almost all of which the hacker returned) and flash loans (Cream Finance for $130M, PancakeBunny for $45M).

  • Paid Network lost $127M when token pricing was manipulated.

  • Badger DAO lost $120M due to an API key compromise that allowed injection of malicious code.

  • Compound Finance lost $147M due to a misused self-liquidation.


Security firm Halborn reported ~$2.0 billion stolen in DeFi hacks in 2021.


China continued its crackdown, banned banks and payment companies from crypto services, and also maintained its ban on exchanges, which led to a full shutdown in mid-2021.


The SEC and CFTC increased enforcement against crypto, with the SEC hinting that it would start treating DeFi tokens as securities.



The norm

Hacks became "expected". Firms were tightening their security, investigators were on their toes, and experts were helping wherever they could, but bad actors were getting more sophisticated.


In Q1 2022 alone, $1.3B was lost in DeFi hacks (with the major hacks being Ronin Bridge for $625M, Wormhole Bridge for $320M, and Euler Finance for $197M).


A total of ~$2B was lost in 2022.


The US sanctioned Tornado Cash over alleged North Korean laundering, global regulators became stricter after the collapse of FTX and Terra, and China continued its bans.


2023 saw a reduction in DeFi hacks, with roughly $1B lost. Bonq DAO ($120M), Euler Finance ($197M), Atomic Wallet ($100M), Multichain Bridge ($126M), Mixin Network ($200M), and Poloniex ($126M) were hit hardest.


EU's MiCA framework entered into force in June 2023, and a few countries (US, UK, EU) started examining how DeFi fits into security and commodities laws.


The figure doubled in 2024, with $1.8B to $2.2B lost. Interestingly, private key compromises accounted for 43% of the stolen funds. On the other hand, stablecoin adoption went parabolic, with payments companies and fintechs integrating fast.


In Q1 2025, Bybit suffered the largest crypto heist in history, losing $1.5B from a compromised cold wallet.


In 2025, banks and fintechs began integrating stablecoins seriously. The US moved toward a clearer regulatory structure through the Clarity Act, ID and KYC requirements became more intense, and stablecoin regulation became necessary as stablecoins dominate ~85% of the DeFi supply.


The losses were still around $2B.



2026, where everything seems uncertain

Most people were expecting the market to soar.


There were stablecoins as a payment rail, companies confidently adopting AI in their workflows and reducing costs, AI agents becoming a huge landscape, RWA discussions, and regulators and regulations becoming normal and needed for structure.


However, the attacks intensified.


An investor lost $284M to a social engineering scam after he revealed his seed phrase to a fake Trezor support contact.


This is one of the highest amounts lost so far by an individual in DeFi hacks.


This was just the beginning:


January

  • Truebit's smart contract was exploited, resulting in a $26M loss.

  • Step Finance's treasury private key was compromised, $30M lost.

  • SwapNet was exploited through an arbitrary call, with $13.4M lost.


February

  • YieldBlox's oracle was manipulated in a $10M hack, but $7M was quickly frozen.


March

  • An influencer, Sillytuna, lost $24M to an address-poisoning scam.

  • Resolv's off-chain key was compromised, resulting in a $23M loss.


April (worst hacks of 2026 so far)

  • Drift Protocol lost $285M through social engineering, multisig, and fake collateral.

  • KelpDAO faced a bridge exploit with a $292M loss; Arbitrum froze ~$70M.


Active efforts are being made to retrieve funds from these hacks, especially the last two.


There have been at least 30 major hacks in 2026. Here is something interesting I've noticed over the years.


DeFi didn't fail because of these hacks; it actually evolved

We are seeing a lot of action: a lot of companies increasing their security, as well as the broader crypto community coming together to help out.


Even though the US OFAC continues to sanction North Korean hackers, direct enforcement on DeFi protocols is still limited.



Blackhat, Whitehat, Multi-Colored Hat

Lazarus Group


This highly organized group is allegedly state-backed and has been tied to major hacks like Bybit's $1.5B hack and Ronin's $625M hack.


Studies show that they run long-term social engineering, compromise the supply chain, extract private keys, and operate sophisticated laundering pipelines.


In the latest news, they've allegedly released a native macOS malware kit called Mach-O Man, and their targets are fintech, crypto, and high-value executives.


It works like this: someone you thought you knew (who might have been compromised as well) announces a last-minute change of plan and asks you to visit a Zoom/Teams/Google Meet link that looks legit. The "legit" website then asks you to copy and paste a simple command into your Mac's Terminal to fix an issue. Two minutes later, you are hacked.


We've got other major hackers too, and they are more patient and structured than you think.



North Korean (DPRK) actors


Drift Protocol's hack is allegedly linked to North Korean (DPRK) actors who, through individuals posing as a trading firm, approached Drift's team at a major crypto conference.


What followed was months of discussions over Telegram, working sessions, meetups at global events, and they even deposited $1M to paint the idea of genuine interest.


This led to them participating in product discussions and detailed strategy, building trust with multiple contributors over time, and ultimately gaining enough proximity and access to Drift's systems to infiltrate them.


Through social engineering, they got Drift's Security Council members to unknowingly sign transactions that pre-approved the attack one week earlier. That's how detailed hackers are.



Other blackhats


Hackers spend time to plan their attacks down to the laundering details.


They are also getting more innovative by the day, exploring options beyond wallet address poisoning and social engineering.


Bybit just exposed a malware campaign targeting macOS users searching for Claude Code. It uses SEO poisoning to redirect users to fake installation pages that steal crypto wallet details and gain remote access.


Also see recent scams in which scammers hide behind deepfakes that use the profiles of major crypto companies' executives.


Never download something just because someone tells you to, and definitely don't run commands even if they tell you to.

ZachXBT


Zach has been one of the best-known and most helpful scam investigators. He has had a large impact on the Crypto/DeFi space through his on-chain analyses and quick response to scam incidents.


His work has directly contributed to recovering at least $300M for crypto scam victims.


He has researched and gathered evidence against scams, revealed pump and dump schemes, and assisted with major theft and social engineering hacks involving loss of crypto, as well as helping to recover funds from extortion. He also uncovered funds linked to Lazarus Group.


Investigators like Zach really help to reduce impact and to locate stolen funds with deep onchain forensics.



Whitehats

Generally, whitehats are the opposite of blackhats: they find vulnerabilities and report them to the team, or sometimes quickly exploit them to secure the funds first and then return them.


A good example was when "Mr. Whitehat" hacked Poly Network for $613M, started to return the funds within days, and returned everything in 2 weeks. He claimed he did it for fun and to expose the vulnerability.


He was offered a $500k bounty, as well as a Chief Security Advisor role, but declined.


Another example is the case where pwning.eth, an ethical hacker, discovered a critical vulnerability on Aurora that could have led to a loss of ~$200M through the minting of unbacked ETH.


The hacker was paid a $6 million bounty by Immunefi, a good outcome.


Now, one issue with most DeFi companies is their negligence towards security. Simply put, if a company is not interested in paying bounties, it should be willing to hire a top-tier security team that is always proactive and up to date.


Recently, there have been stories of protocols that pay unbefitting bounties (a few thousand dollars) after whitehats share critical bugs.


Which is why, in my opinion, many are exploring what I call the...



Multi-Colored Hat

Hackers spend a lot of time and effort to uncover bugs and vulnerabilities that could directly lead to the loss of millions of dollars of users' funds, and it is fair that they get compensated accordingly.


With the rise of unfair compensation structures, hackers are now considering exploring the vulnerabilities, pulling out funds and negotiating with the protocol, because this way they get more leverage.


They usually don't prevent hacks; they often just decide how much to keep.


An example is the GMX hack: $42M was stolen and the funds were bridged to ETH and DAI. GMX then offered the hacker 10%. The result? The hacker sent the funds back and kept approximately $5 million in ETH as their reward.


Another example is Euler Finance, where $197M was stolen and the team offered a $20M bounty; the hacker returned ~90% of the funds and kept the $20M.


Protocols are not the only focus; we also have the Wrapped Bitcoin (wBTC) phishing case, with $72M lost to wallet poisoning in 2024. The owner later proposed a return of 90% ($64.8M) of the funds to the victim after being advised that "$7 million is enough to live very comfortably, but $70 million will keep you up at night". He agreed.


These hackers hack like blackhats, then act like whitehats; that's why I named them the Multi-Colored Hat.


Bounties

Protocols should consider having a top-tier security team and offering a good bounty structure to encourage more white-hat actors.


Always create an environment (a good compensation structure) where hackers side with you.


Artificial intelligence is also making the work of hackers, whether ethical or non-ethical, easier. Security teams should always be monitoring and ready to iterate fast, because you can assume bad actors are on the sidelines waiting for an opportunity.



AI to the rescue

Sophisticated tools are becoming more available by the day.


We've got tools that help you build systems from scratch, AI agents, and I think the growth is going to be exponential.


As much as we'll see a lot of progress from using AI tools, whether for onchain forensics, for building systems, or for DeFi security, bad actors are also going to exploit certain features dangerously.


We need to be prepared and be able to counter it as we grow.


We also need to understand that securing systems is a continuous effort, and not a one-time effort.



Unhack yourself

I want you to understand that no one is above being hacked. Sometimes it sounds unbelievable how easily someone can be hacked until you experience it.


Just try this experiment: send a few thousand dollars in USDT from a CEX like Coinbase or Binance to a newly created wallet address, created on MetaMask or Trust Wallet.


Give it a few hours, then check your transactions and you'll likely find a new fake transaction that carries the first and last four characters of your wallet address and copies the pattern of your previous transaction.


After multiple deposits, you get used to the first and last four characters of your wallet address. Then the next time you want to deposit, you just copy the address from the fake transaction.


Now you know your wallet is 0xde...34fb, but what you may not immediately know is that yours is 0xde5d...df34fb and the one you've copied is 0xde11...4d34fb. Because the full wallet address has been shortened to the first and last four characters, you don't notice that your funds are on the way to the hacker.


That's wallet address poisoning, as simple as that.
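The check this scenario calls for, as an added example that is not part of the original post: compare the full address against ones you saved yourself, and flag history entries that match only in their shortened form. The addresses, history rows and function names below are constructed for illustration.

```python
import re

ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")

def normalize(addr):
    """Lower-case a 20-byte hex address; reject anything malformed."""
    if not ADDR_RE.fullmatch(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()

def short(addr, n=4):
    """Shortened form shown in many wallet UIs: first and last n hex chars."""
    body = normalize(addr)[2:]
    return f"0x{body[:n]}...{body[-n:]}"

def classify(dest, trusted, n=4):
    """Return (verdict, imitated_address) for a destination about to be used."""
    dest = normalize(dest)
    known = [normalize(t) for t in trusted]
    if dest in known:                      # exact, full-length match only
        return "trusted", dest
    for t in known:
        if short(dest, n) == short(t, n):  # same ends, different middle
            return "lookalike", t
    return "unknown", None

def poisoned_entries(history, trusted, n=4):
    """History rows whose counterparty imitates a trusted address."""
    flagged = []
    for row in history:
        verdict, target = classify(row["counterparty"], trusted, n)
        if verdict == "lookalike":
            flagged.append({**row, "imitates": target})
    return flagged

# Constructed sample data (not real addresses or transactions).
MY_WALLET = "0xab12" + "3" * 32 + "cd34"
LOOKALIKE = "0xab12" + "9" * 32 + "cd34"   # same first/last four characters
EXCHANGE = "0x" + "7" * 40
HISTORY = [
    {"tx": "constructed-1", "counterparty": MY_WALLET, "usdt": 2000},
    {"tx": "constructed-2", "counterparty": LOOKALIKE, "usdt": 2000},
    {"tx": "constructed-3", "counterparty": EXCHANGE, "usdt": 150},
]

if __name__ == "__main__":
    for hit in poisoned_entries(HISTORY, [MY_WALLET]):
        print(hit["tx"], short(hit["counterparty"]), "imitates", hit["imitates"])
```

Both constructed addresses shorten to the same string, so only the full-length comparison tells them apart.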


Now you may know, but let's paint another scenario.


A lawyer who wants to travel around the world and enjoy his freedom after retirement chooses to convert his USD to stablecoins, USDC for instance.


On the beach, he wants to send USDC to his MetaMask. He checks just the first and last four characters, pastes the address, approves, and the money is gone.


It happens to the best of us.


Always educate yourself about the latest security trends.


The end of DeFi; the beginning of a new system?


I do think that DeFi will keep evolving, and for the past few years I have seen signs that point to environments being set up for traditional institutions, banks, fintechs, and traditional finance generally to collaborate with decentralized finance.


So, you'll get to see DeFi in play for a very long time - stablecoin as a payment rail adopted by institutions, new systems being created, and cycles defining what the framework will look like.


If you are an institution or fintech moving stables across, you should consider having a solution like Coinbax that provides a built-in fraud review window for high-value payments.

 
 
 
