The Annual Report
Chainalysis released its 2025 cryptocurrency theft figures in January 2026: $3.4 billion in total losses across the year. Q1 2025 established an all-time single-quarter record at $1.64 billion. Three incidents accounted for 69% of the annual total.
The absolute number is significant. The concentration is more significant.
When three incidents generate $2.35 billion of a $3.4 billion annual loss figure, the distribution of losses is not reflecting a broad, diffuse threat across a large population of small vulnerabilities. It is reflecting a small number of protocols with attack surfaces large enough to sustain losses at nine-figure scale — targets whose architecture made losses of that magnitude possible.
The $3.4 billion is not the cost of a threat that is too sophisticated to defend against. It is the cost of infrastructure that was not designed to bound how much could be lost from a single point of failure.
What Concentration of Losses Tells Us
The 69% figure inverts the intuitive threat model that most protocol teams apply when assessing security risk. The common framing is probabilistic: what is the likelihood that this specific protocol is exploited? The Chainalysis data suggests a different framing is more accurate: what is the maximum extractable value from this protocol if it is exploited?
Three incidents generating 69% of annual losses means that a small number of protocols created attack surfaces worth, to an attacker, hundreds of millions of dollars each. The economics of sophisticated attack are a function of expected return. A protocol with $500 million in accessible value justifies a level of attack investment — time, capital, technical expertise — that a protocol with $5 million does not. The losses concentrate because the targets concentrate value.
This is not an argument that small protocols are safe and large ones are not. It is an argument that the relationship between accessible value and attack investment is direct — and that infrastructure design choices which reduce accessible value reduce the economic case for the most sophisticated and damaging attack categories.
The Q1 2025 all-time quarterly record at $1.64 billion is a specific data point in this analysis. A single quarter generating nearly half the annual total means that the three incidents responsible for 69% of losses were likely concentrated in the first half of the year — a period in which multiple high-value targets were exploited in rapid succession. That clustering is consistent with the behavior of sophisticated, well-resourced attack operations that target the highest-value available surfaces in sequence.
The Infrastructure Decisions That Create Nine-Figure Attack Surfaces
A protocol that sustains a $500 million exploit has, by definition, made infrastructure decisions that allowed $500 million to be accessible to an attacker. That accessibility is not accidental. It is the cumulative result of specific architectural choices:
Treasury accumulation. Protocols that collect fees, hold reserves, or manage pooled assets create concentrated value stores. The larger the treasury, the larger the expected return from a successful exploit of whatever mechanism controls access to it. Pass-through architectures that hold no protocol-controlled funds contribute zero to this category of attack surface regardless of the volume they process.
Upgradeable contracts with high-value control. A proxy contract that can be redirected to a new implementation, or a parameter that can be modified by an admin wallet, governing a protocol with hundreds of millions in TVL, represents an attack surface whose value scales with the TVL it controls. The upgrade mechanism does not need to be technically sophisticated to be catastrophically exploitable — it needs to be reachable.
Governance over large asset pools. Governance systems that can authorize withdrawals, redirections, or parameter changes affecting large concentrations of user assets are high-value governance attack targets. The $2.9 billion in 2025 DeFi losses recorded by SlowMist, the $953.2 million in access control losses in 2024, and the Chainalysis $3.4 billion annual figure all overlap significantly in this category.
Cross-chain concentration without isolation. Protocols operating across multiple chains with shared contract architecture and shared control mechanisms create correlated attack surfaces. A vulnerability in the shared codebase is exploitable simultaneously across all deployments — multiplying the loss potential of a single discovered flaw by the number of chains on which it is present.
Each of these is a design choice with a quantifiable security cost. The Chainalysis data prices that cost at the aggregate level. The concentration of losses in three incidents prices it at the individual protocol level.
Flat Fee. Zero Keys. Why the Fee Model Is a Security Property.
The fee structure of a protocol is not conventionally discussed as a security variable. The Chainalysis loss data is an argument for why it should be.
A protocol that charges a percentage of deposited value — a common model for liquidity lockers and token vesting services — creates a direct financial relationship between its fee revenue and the total value it processes. That relationship has two effects. First, it creates an economic incentive for the protocol itself to accumulate value, since fee revenue scales with TVL. Second, it creates a predictable, publicly visible measure of the value concentration the protocol controls — and therefore of the attack surface it represents.
A flat-fee protocol that charges a fixed amount per transaction, regardless of the value being processed, has a different economic profile. Its fee revenue does not scale with TVL. Its treasury accumulation is bounded by transaction volume, not asset value. The economic case for attacking it does not scale with the value it locks.
The zero-key property compounds this. A protocol that charges a flat fee and holds no admin keys has no mechanism through which an attacker who compromises the fee collection address can reach the locked assets. The fee revenue and the locked value are structurally separated — the former is collectible through normal transaction mechanics, the latter is inaccessible to any party until the lock conditions are met.
These are not separate security properties. They are components of a single design posture: minimize the value accessible to any single point of compromise, and the expected loss from any single exploit is bounded accordingly.
The Systemic Risk Argument
The concentration of 2025 crypto theft in three incidents is not only an observation about those three protocols. It is an observation about systemic risk in DeFi infrastructure.
When a small number of high-value targets account for the majority of ecosystem-wide losses, the security posture of those targets is a systemic concern, not only a protocol-specific one. The $2.35 billion extracted from three incidents did not disappear. It recirculated — some portion through mixing services, some through cross-chain bridges, some into the liquidity pools and exchanges that form the operating infrastructure of the ecosystem. The losses from large exploits impose costs that are not fully captured in the victim protocol’s loss figure.
The systemic implication is that the infrastructure decisions that create nine-figure attack surfaces are not neutral choices from the perspective of the ecosystem. They are externalities — concentrations of accessible value that, when exploited, produce losses that ripple beyond the immediate victims.
Infrastructure that does not accumulate accessible value, does not hold admin keys over pooled assets, and does not create high-value governance targets does not contribute to the pool of systemic risk that the Chainalysis figure measures. That is a property of the design, not of the protocol’s size or the sophistication of its security team.
Reading the 2026 Trajectory
The Chainalysis 2025 data is a retrospective. The forward-looking question is whether the structural conditions that produced $3.4 billion in annual theft are changing.
The evidence from the opening weeks of 2026 — $27.5 million in losses in the first two weeks, root causes of legacy code and governance gaps — does not suggest the structural conditions have changed. The protocols entering 2026 with large treasury positions, admin keys over high-value assets, and governance mechanisms controlling significant liquidity are the same category of target that produced the 2025 record. The threat environment is the same. The targets are the same. The loss trajectory is consistent.
The protocols not on that list are the ones that were designed, from deployment, to not be on it. Minimal accessible value. No admin keys. No governance over pooled assets. Immutable contracts with no upgrade surface. The architectural properties that remove a protocol from the target category are not implemented in response to the Chainalysis report. They are implemented at deployment, before any loss data exists, because the security model demands them.
The $3.4 billion figure is the cost of not implementing them.
Conclusion
Three incidents. $2.35 billion. 69% of annual crypto theft concentrated in a small number of targets whose architecture made losses at that scale possible.
The Chainalysis 2025 data is not evidence that the threat is too sophisticated to defend against. It is evidence that the attack class most responsible for nine-figure losses targets specific, identifiable architectural properties — and that protocols which eliminate those properties are not represented in the loss data at equivalent scale.
Flat fee. Zero keys. Pass-through architecture. Immutable contracts. These are not marketing differentiators. They are the design decisions whose security value the Chainalysis annual report prices in aggregate.
The report will be published again in January 2027. The protocols that appear in it, and the protocols that do not, will be largely determined by architectural decisions being made now.
0xKeep operates on an immutable, zero-admin-key architecture. No wallet — including those controlled by the 0xKeep team — can pause, modify, or interact with deployed contracts. Time is the only admin.
Deploy on Base, Arbitrum, or Optimism at 0x-keep.xyz Follow protocol updates: @0xKeep_official