
Crypto Hacks Damage Study 2021–2023: It's Not Just About Thefts—30% of Projects See Token Prices Drop 50% Within Six Months Afterward
Besides investing in on-chain security and progressively enhancing the security of our entire industry, there is no other solution to address these issues.
Author: Mitchell Amador
Translation: TechFlow

Summary
- To date, no one has accurately estimated the expected losses from on-chain hacks—an unfortunate gap. However, we can derive an estimate through statistical analysis of past years’ attacks! I analyzed hacks from 2021 to 2023 to produce a representative estimation of the real cost of on-chain breaches. Let’s call it Amador’s Hacking Impact Estimate.
- Amador’s Hacking Impact Estimate: If your protocol is hacked, expect to lose approximately $16 million, your token price will drop by 52% in market cap, suppressed prices will likely persist for at least six months (and possibly longer), and recovery will consume three months of time and effort.
- If your product is a platform (whether an L1/L2 blockchain or financial primitive protocol), expect your protocol and its dependencies to be destroyed—just as we’ve seen with precedents like Terra-Luna.
- We’ve compiled these findings here. Check it out! We’ll add more statistics and data points there as they become available.
How High Are the Real Losses from On-Chain Hacks?
So far, nobody truly knows. But predictive estimates can be derived by analyzing historical hacks. In this article, we review historical data from recent years to estimate the typical future impact of hacks across impact categories—not just stolen funds. From this, we’ll create a heuristic method to estimate the typical cost of a hack on your favorite protocol, which I call Amador’s Hacking Impact Estimate.
Shockingly, despite hundreds of hacks hitting the crypto industry over the past three years, we still lack good estimates of hacking impact today. This must be attributed to the difficulty of measuring the true impact of hacks.
In reality, net theft value (the widely used standard metric) severely underestimates the damage caused. It ignores all other ways a hack causes harm, many of which result in financial losses exceeding the hack itself—even though these are harder to quantify. The most underappreciated contributors to total hack damage among non-security practitioners include:
- Market Impact: Market impact refers to the damage inflicted on publicly traded tokens (or hypothetical equity) prices due to a hack, which can last a long time. This effect is far less known than immediate theft value, and most security practitioners still underestimate its significance.
- Dependency Impact: Dependency impact refers to secondary effects originating from the initial hack that damage other assets. There are three major types: platform dependency, financial dependency, and reputational impact. A blockchain being hacked so badly that all assets/contracts built on it are damaged is an example of platform dependency. The collapse of Luna’s price destroying the value of the Terra stablecoin is a strong example of financial dependency (though not a typical DeFi hack). Lack of platform security (e.g., BNB Chain) leading to reduced user growth and adoption is an example of reputational impact.
- Talent and Organizational Impact: Damage here is hard to quantify and often manifests as loss of time, money, and talent due to post-hack response and recovery. Given that a single hack and its aftermath could consume months of work for a small startup team, organizational impact is always costly—and sometimes fatal. Virtually every organization except the most proactively secure must contend with this after a breach.
In short, the damage from a typical hack goes far beyond what stolen funds alone suggest!
The remainder of this article describes estimates for assessing each type of impact in a typical hack scenario, using historical medians or, where data is unavailable, my firsthand experience.
Impact of Stolen Funds
Data shows 107 hacks occurred in 2021, 134 in 2022, and 247 in 2023, totaling 488 publicly known hacks (2021–2023).

x-axis: Year, y-axis: Number of hacks
These hacks impacted $2,334,863,067 in 2021, $3,773,906,837 in 2022, and $1,699,632,321 in 2023, totaling $7,808,402,225 in affected funds from 2021 to 2023.

x-axis: Year, y-axis: Amount stolen (USD)
To clarify, “affected funds” refer to funds attacked, stolen, or otherwise lost—not including funds returned or recovered by white hats and investigators.
Simple math on the 2021–2023 dataset yields the following insights:
- The average hack resulted in $16,000,824 stolen.
- The median hack resulted in $1,000,000 stolen.
- Hacks follow a power-law distribution: many are small, but when large ones occur, their losses are over 100 times greater than the median.

Market Impact
Estimating market impact has historically been challenging. Immunefi produced the first such report, reviewing 2022 hacks and their impact on a sample of 63 incidents. The sample showed an average 13% drop in underlying token price two days post-hack, rising to 19.5% after five days.
To enrich our analysis, we decided to update this dataset with as much data as possible from 2021, 2022, and 2023. We use median price changes as our reference. Given potential extreme outliers, the expanded dataset makes the median a more predictable estimate.
The new dataset covers 176 hacks. The results are quite striking:

Median token price declines from the day of the hack to two days and six months afterward:
The data indicates significant and sustained median price depreciation and long-term suppression:
- 10% decline two days post-hack,
- 19% decline five days post-hack,
- 27% decline one month post-hack,
- 43% decline three months post-hack,
- 53% decline six months post-hack.
Beyond the median, the worst cases are even more alarming. Three months post-hack, 32% of projects saw price drops exceeding 50%, and 11% dropped over 90%. Six months post-hack, 35% of compromised projects continued experiencing over 50% price suppression, and 16% fell more than 90%.

Distribution of price changes six months post-hack. Historical data shows strong, persistent downward pressure on token prices after hacks.
This illustrates the power-law nature of hacking impact, indicating that a single severe breach can be fatal. Moreover, it shows that impact worsens over time, exerting continuous market pressure for at least six months.
Market impact may continue worsening at the one-year mark, but since our dataset only covers three years of hacks, we must wait until 2024 data is fully aggregated to verify this hypothesis.
Note: We cannot be 100% certain this impact is solely caused by the hack. Many factors may exert downward pressure on token prices, including some we may not have accounted for. The most obvious confounding factor is correlation between token prices and macro market conditions. Nevertheless, the severity and significance of this data strongly suggest the primary driver is the hack itself, so we take that position.
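The horizon medians and tail shares described above can be computed as in the following added example, which is not the author's code or dataset. It goes one step beyond the article by optionally subtracting a market benchmark, to address the macro confounder named in the note; the price paths, token names, benchmark and the 30/90/180-day mapping of months are all constructed assumptions.

```python
from statistics import median

# Horizons from the article; mapping months to 30/90/180 days is an assumption.
HORIZONS = {"2d": 2, "5d": 5, "1m": 30, "3m": 90, "6m": 180}

def linear(end_change, days=180):
    """Constructed daily price path: starts at 100, would reach end_change at day 180."""
    return [100.0 * (1 + end_change * d / 180) for d in range(days + 1)]

# Constructed sample incidents (index 0 = day of the hack), not real tokens.
INCIDENTS = {
    "token_a": linear(-0.60),
    "token_b": linear(-0.95),
    "token_c": linear(+0.20),
    "token_d": linear(-0.60, days=100),  # no price data after day 100
}
# Constructed benchmark per incident: a broad market down 20% over six months.
BENCHMARKS = {name: linear(-0.20) for name in INCIDENTS}

def pct_change(prices, day):
    """Percent change from hack day to `day`, or None if the series is too short."""
    if day >= len(prices) or prices[0] <= 0:
        return None
    return (prices[day] / prices[0] - 1.0) * 100.0

def impact_table(incidents, benchmarks=None):
    """Median change and tail shares per horizon; subtracts the benchmark move if given."""
    table = {}
    for label, day in HORIZONS.items():
        changes = []
        for name, prices in incidents.items():
            change = pct_change(prices, day)
            market = pct_change(benchmarks[name], day) if benchmarks else 0.0
            if change is None or market is None:
                continue  # no price at this horizon: excluded from n
            changes.append(change - market)
        if changes:
            n = len(changes)
            table[label] = {"n": n, "median": median(changes),
                            "drop_gt_50": sum(c < -50 for c in changes) / n,
                            "drop_gt_90": sum(c < -90 for c in changes) / n}
    return table

if __name__ == "__main__":
    for title, bench in (("raw", None), ("market-adjusted", BENCHMARKS)):
        for label, row in impact_table(INCIDENTS, bench).items():
            print(title, label, row)
```

Tokens that stop trading fall out of the later horizons, so `n` shrinks and the reported median can understate losses when those tokens effectively went to zero.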
Combining all data, we expect a typical hack to cause a median market impact of about -19% in the first five days, worsening to -53% over the next six months (potentially indefinitely), with a 16% chance this damage exceeds 90% of the project’s market cap.

The distribution of price changes six months post-hack shows 77.8% of attacked projects experienced ongoing price suppression after six months.
Clearly, market impact can be devastating!
Once you realize most token projects use their liquid tokens as treasury and growth fuel, you understand why security practitioners place such high importance on market impact. Even if a hack doesn’t directly drain funds, excessive market impact can be equally fatal.
Dependency Impact (or Secondary Impact)
There is a major underappreciated hacking impact we call dependency impact, or occasionally secondary impact. It describes cascading damage triggered by an initial hack. Examples include:
- Platform dependency impact refers to damage caused when the base platform goes down (e.g., a denial-of-service attack on a blockchain affecting currency or perpetual markets running on it), potentially disrupting all applications built on that platform. While common (given countless platforms in crypto), limited interconnectivity between on-chain and off-chain economies has so far constrained the frequency of such impacts, and blockchain technology itself has proven notably resilient. As on-chain and off-chain economies become more interconnected, we should expect this impact to grow in frequency and severity.
- Financial dependency impact refers to secondary damage to dependent assets caused by a hack. Assets at risk include stablecoins (e.g., MakerDAO, CDP liquidations), liquid staking tokens (e.g., Lido, Rocket Pool), derivatives protocols (e.g., Pendle), and virtually any token paired in liquidity pools. Financial dependency impact is one of the hardest categories to assess because it’s easily overlooked; almost any token-theft hack will directly or indirectly trigger dependencies across other tokens.
A classic example is the Terra-Luna collapse. A financial attack on the stablecoin protocol’s equity token led to depegging, creating an irreversible downward spiral. The collapse destroyed not only $40 billion in Luna equity but also $1 billion in outstanding UST Terra stablecoin, plus all DeFi value tied to Terra-Luna, such as Anchor Protocol’s $1.5 billion equity value and countless other Terra-based protocols. The damage to the Terra ecosystem was nearly total; today, its value is down 99%, effectively extinct.
My colleagues and I are actively researching to better understand how dependency impact truly unfolds. Since this research is ongoing, we won’t draw premature conclusions by incorporating typical dependency impact into our hacking impact rule. Once complete, we’ll share our findings and update this article. Preliminary indications suggest dependency impact is far more severe than commonly understood.
Talent and Organizational Impact
Talent and organizational impact typically takes two forms: talent attrition and unexpected operational or procedural changes.
Talent impact involves personnel loss after a hack, possibly due to perceived fault or incompetence, increased demand for new security talent, or low morale following the incident. Regardless, it’s not uncommon for hacked projects to lose prior security leadership.
The problem is further complicated by the fact that a hack makes recruiting new security leaders harder, as it signals organizational weakness.
The second form is unexpected operational or procedural investments (almost always security-related) necessitated by the hack. While these investments are positive, they divert critical attention and slow progress on core products.
Quantifying this impact is challenging, but I do have firsthand experience collaborating with multiple projects in war rooms, which I’ll use for estimation.
From my experience, previous security leaders are usually lost after a hack—this could be the CISO, a security engineer, or even an engineering lead performing security duties. Their departure may be mutual, as enduring a hack under one’s responsibility is deeply frustrating, or they may be dismissed. I believe they’re also often prematurely fired, leaving organizations needing 1.5 to 4 months to hire an effective replacement—a clear time loss for the compromised project.
Hacks often leave teams in a state of shock extending well beyond the event itself. Organizations typically spend at least two weeks on damage assessment and containment, followed by two to three months of remediation security work (which suddenly becomes everyone’s top priority), resulting in deprioritization of the core product roadmap.
The figures above represent relatively optimistic outcomes. Talent impact can be worse, affecting a project’s financial runway—as shown by KyberSwap: in November 2023, KyberSwap suffered a $49 million exploit. Understandably, they wanted to compensate users, but doing so required cutting 50% of staff to stay afloat, pausing plans for its liquidity protocol and KyberAI project. The 10% bounty offered to the hacker ultimately didn’t help.
Reducing these impacts into a simple formula isn’t feasible, so we summarize them as-is: if hacked, expect to spend three months on remediation security work, lose three months of core roadmap progress, lose current security leadership, and take three months to replace them. That’s like three months of effort vanishing into thin air. This is substantial damage for any startup—though usually not fatal.
So, What Is the True Cost of a Hack?
Now that we’ve compiled everything, we have the data needed for estimation. Let’s summarize by quantified damage and severity:
- An average hack impacts around $16 million when exploited.
- The median hack causes a 52% plunge in the underlying token’s market cap within six months. 79% of attacked projects continue to experience price suppression after six months, and the final duration of hack-induced market impact is unknown—it may be indefinite.
- The median hack does not cause financial or platform-level dependency impact, but when it does occur, it’s often absolutely catastrophic, risking total destruction of assets dependent on the base platform. In severe reports involving dependency impact, the typical potential damage can reach the full sum of extractable value on the platform!
- Though harder to estimate, the median hack should result in roughly three months of lost time and effort—including remediation security work, lost roadmap time, team attrition and replacement, loss of current security leadership, and immense anxiety over ensuring it never happens again.
We now have all the information needed to create a simple rule for estimating the true cost of an on-chain hack. If your protocol is hacked:
- Expect approximately $16,000,824 in stolen value.
- Expect your token’s market cap to fall by 52%, with this price suppression lasting at least six months and possibly never recovering (77.8% of attacked tokens show ongoing suppression after six months).
- Expect to lose three months of time and effort during recovery and rebuilding.
A real-world example matching these estimates is the Indexed Finance hack, which lost $16 million on October 14, 2021. At the time, the token’s market cap was $11 million, falling to $3.8 million six months later, showing persistent post-hack price suppression. The team never fully recovered, and by mid-2022, Indexed Finance was essentially gone. Thus, our hacking impact estimate appears to effectively predict actual hack consequences.
If your product is a platform (whether an L1/L2 blockchain or financial primitive protocol) and you’re hacked, the typical severity profile becomes absolutely fatal: your protocol and its dependents face near-total annihilation.
This is terrifying.
Final Thoughts
Being hacked is the start of damage, not the end. Losing millions to a hack means facing even larger losses from market and dependency impacts, plus months spent rebuilding an emotionally battered team and operations. It’s not fun.
Beyond investing in on-chain security and gradually raising the baseline security of our entire industry, there is no solution to these problems.
Among these measures, bug bounties are the most effective, proven to prevent hacks and their impacts at scale. I’ve done a quick retrospective on how bug bounties have prevented tens of billions in hacks—you can read more in my “Immunefi Retrospective”.
But going further, we need more and better code reviews from more skilled hackers, better security standards, and development of more advanced automated security technologies. Only through hardening across the entire tech stack can we effectively prevent hacks.