What Happens When a Web3 Protocol Gets Hacked? Real Cases + Prevention Tips

0x59dA (CD Security)
Security
May 29, 2025

Over the past five years, billions in user funds have been lost to protocol hacks. Some projects bounced back. Others never fully recovered.

In this article, we outline the five most common post-hack outcomes, analyze 10 major exploits, and break down how each project responded. We also share the key steps every Web3 protocol should take to be prepared before a hack ever happens.

The 5 Post-Exploit Outcomes in Web3

1. The Hacker Is Silent and the Funds Are Lost

- No response or communication. Funds are typically laundered via mixers or cross-chain bridges.

2. The Hacker Takes a Bounty and Returns the Rest

- Negotiation occurs; the attacker receives 5–10% as a bounty. No legal action is pursued in return for cooperation.

3. The Hacker Returns Everything Without a Bounty

- Motivated by ethics or pressure. All funds are returned voluntarily.

4. The Protocol or Its Backers Cover the Losses

- The project absorbs the loss using its treasury or third-party support. Often seen with VC-backed or centralized platforms.

5. Protocol Relaunch or Fundraising

- Community funding, IOUs, or token-based recovery. May include protocol overhaul and governance reforms.


10 Major Web3 Hacks and How Protocols Responded

1. Bybit (2025, $1.4B) — Lazarus compromised a Safe{Wallet} developer machine and injected malicious JS to silently redirect a routine cold wallet transfer; Bybit restored reserves in 72 hours via emergency loans while the FBI issued industry-wide alerts. One year on: ~$54M frozen, ~$390M gone dark through mixers and P2P, and ~$960M still traceable on-chain but sitting in Lazarus-controlled wallets — no arrests, effectively no recovery.

2. Ronin Bridge (2022, $625M) — Sky Mavis paused the bridge, raised $150M to reimburse users, and cooperated with the FBI, who attributed the attack to Lazarus Group; the FBI and Chainalysis recovered ~$30M — roughly 5% of total losses — and in 2024 Ronin was exploited a second time for $12M, which white hats returned in full.

3. Poly Network (2021, $610M) — The hacker returned all funds in stages, claiming it was "for fun," and declined both the offered bounty and a security role; no identity was ever confirmed and no charges were filed.

4. Wormhole (2022, $320M) — Jump Trading replenished the stolen 120,000 wETH from its own capital overnight; the attacker was never identified and stayed silent, though the funds started moving again in January 2023 after lying dormant for nearly a year.

5. Cetus (2025, $223M) — An integer overflow bug in Sui's largest DEX drained 200+ pools in under 15 minutes; ~$162M was frozen by validators and recovered via governance vote, while the attacker bridged the remaining ~$60M to Ethereum and routed it through Tornado Cash. Cetus relaunched after 17 days with pools restored to 85–99%, backed by a $30M Sui Foundation loan — legal action and a $5M bounty are still active.

6. Euler Finance (2023, $197M) — The attacker returned all recoverable funds (~$240M, more than stolen due to ETH appreciation during the 3-week negotiation) and apologized on-chain; Lazarus Group also attempted to intercept funds mid-recovery before being outmaneuvered.

7. Nomad Bridge (2022, $190M) — A copycat "crowdsourced" exploit drained nearly all funds in hours; ~$37M was returned by white hats and Nomad offered a 10% bounty; in May 2024, Russian-Israeli national Alexander Gurevich was arrested at Ben Gurion Airport while fleeing on a new passport, and now faces US extradition on 8 federal charges including wire fraud and money laundering.

8. Wintermute (2022, $160M) — A Profanity vanity address private key was brute-forced, draining 90 assets across DeFi operations; Wintermute remained solvent, offered a white-hat bounty, and traced funds into Curve pools — but no assets were recovered and the attacker never responded.

9. Beanstalk (2022, $182M) — A flash loan governance attack gave the attacker 79% voting power to pass a malicious proposal; they pocketed ~$76M in profit, laundered it through Tornado Cash (and donated $250K to Ukraine), while Beanstalk relaunched after a Barn Raise that raised only $10M of its $77M target.

10. Bitmart (2021, $196M) — Hot wallet private keys were compromised across Ethereum and BSC chains; Bitmart confirmed the breach within hours, covered all user losses from its own funds, and gradually restored operations with no arrests made.


Prepare From the Start

The best defence starts long before anything goes wrong. Every protocol should have a well-defined, battle-tested incident response plan. This includes:

  • Engaging two key partners: a blockchain-savvy incident response firm and legal counsel familiar with your governance structure.
  • Creating a clear communication strategy for internal teams and external stakeholders.
  • Defining roles and responsibilities ahead of time to avoid chaos and confusion during critical moments.
  • Outlining pre-approved actions, such as emergency halts, multisig freezes, or fund quarantines.

Because every hack is different, a one-size-fits-all response won’t work. Instead, build a 'black swan' scenario plan with your key stakeholders and security partners, so when the unexpected happens, your team knows exactly what to do with speed and confidence.


Conclusion

In Web3, how you respond to a hack matters as much as how you prevent one. If your protocol gets hit, your actions in the next 72 hours could define your project's long-term fate. Be paranoid, be prepared, and above all — be transparent.
