Whenever crypto projects get hacked, the entire industry is buzzing about the incident. However, most of the time, discussions about it die down as weeks go by.
Sometimes, the size of the theft or the project’s inability to recover the stolen loot leads to its ultimate downfall. Still, there are those who weather the storm and continue their business.
This article spotlights five top DeFi protocols that came back to the limelight after losing millions of dollars. We’d discussed what caused the hack, their recovery process, and how they are faring today.
Rise in DeFi Hacks
The DeFi sector is undoubtedly the only sector in the crypto industry to have seen the most crypto hacks. The sector is easy prey for hackers because DeFi protocols run on smart contracts, which can be exploited if vulnerabilities exist. By exploiting these loopholes, hackers can execute flash loan attacks, price oracle manipulations, cross-bridge attacks, and more.
Most of the time, blockchain security firms and other reputable sources point fingers at bad actors like the Lazarus Group. This infamous hacking group linked to North Korea has been blamed for stealing billions of dollars’ worth in crypto. Aside from Lazarus, there are various illicit players who have hacked DeFi projects and stolen crypto assets.
Some DeFi hacks may have a happy ending, with the bad actor caught and the stolen funds returned. In rare cases, the hacker may voluntarily return the stolen money. On the other hand, the hackers may go uncaught and even use the stolen loot to trade on-chain.
Whichever the case, projects affected by DeFi hacks usually struggle to find their footing in the crypto market. Some even outrightly halt operations. On the bright side, some actually survive and keep pushing new products into the crypto market.
5 DeFi Projects That Recovered
Here is a list of five DeFi projects that recovered from losing large sums:
Wormhole Bridge
Year Hacked: 2022
Amount Stolen: $320 million+
Wormhole, a cross-chain protocol that connects the Solana blockchain to other networks like Ethereum, fell victim to a security breach on February 2, 2022. Before transactions are executed, Wormhole’s Guardians usually verify and sign them. However, the hacker capitalized on a vulnerability that allowed them to bypass this security verification process. As a result, they executed an unauthorized mint of 120,000 wrapped ETH (wETH) on Solana.
To recover the stolen funds, Wormhole offered a $10 million bug bounty reward if the hacker returned the assets. A day after failure to surrender the loot, Wormhole’s parent firm, Jump Trading, declared that it would reimburse Wormhole the entire stolen amount.
Fast-forward to the present, and the Wormhole hacker continues to hold some of the stolen funds in their custody.
Hacker’s ETH address: 0x629e7Da20197a5429d30da36E77d06CdF796b71A
Hacker’s SOL address: CxegPrfn2ge5dNiQberUrQJkHCcimeR4VXkeawcFBBka
Per Wormhole’s business, it continues to operate just fine. According to on-chain data from DefiLlama, its total value locked (TVL) sits above $2 billion. In fact, the protocol’s bridge once saw $5.42 billion in TVL in December 2024. As of August 2025, the DeFi protocol reported processing over $54 billion in volume via its bridge (Portal) for over a million users.
Already, various crypto projects have tapped Wormhole’s infrastructure to bolster their services. Even tokenization platforms like Securitize have partnered with Wormhole to launch trading of tokenized equities, moves that show its healthy financial condition.
Post-Hack Details
Current TVL: $2 billion+
Active Users: 1 million+
Cetus Protocol
Year Hacked: 2025
Amount Stolen: $220 million+
Cetus, a Sui-based decentralized exchange (DEX) and liquidity protocol, suffered a security breach that targeted its smart contracts. The bad actor exploited the protocol’s Concentrated Liquidity Market Maker (CLMM) pools. For context, CLMM enables liquidity providers on a decentralized exchange to specify price ranges for their capital, thereby reducing slippage.
Starting with a flash loan, the hacker executed a series of transactions that removed over $220 million from the Cetus ecosystem. The entire exploit occurred in less than 15 minutes. Luckily, Sui validators stepped in to freeze $162 million, and 90.9% of validators agreed to return the frozen amount to Cetus.
The Cetus team offered the hacker $6 million in exchange for the return of the entire $220 million+ in loot. However, this recovery effort failed. On-chain data confirms that the remaining $58 million+ in stolen crypto is still in the hacker’s custody. The hacker held a slew of assets, such as ETH, HYPE, LBTC, and BNB at the time of writing.
Hacker’s ETH address: 0x89012a55cD6b88e407C9d4ae9B3425F55924919b
Nonetheless, Cetus reimbursed users affected by the exploit.
Having recovered a large chunk of the stolen funds, Cetus continues to operate on-chain. According to DefiLlama, its TVL exceeds $33 million. Admittedly, this figure is significantly lower than the previous range of $150 million to $200 million. Still, it points to the project’s survival despite the cataclysmic security breach. In March 2026, Cetus announced that it had attained a total trading volume of $100 billion from its inception. It has also launched several products, including the Cetus Margin.
The CETUS token currently trades at $0.03445, alongside a $32 million market capitalization.
Post-Hack Details
Current TVL: $33.5 million+
Active Users: 70,600+
Euler Finance
Year Hacked: 2023
Amount Stolen: $197 million+
Euler Finance, a DeFi lending protocol built on Ethereum, suffered a flash loan attack, losing over $197 million. The hack occurred despite Euler confirming that it had security audits on the affected contracts a year earlier.
The hacker quickly converted the stolen assets into ETH and DAI. Initially, efforts to retrieve the funds were futile. Interestingly, nearly three weeks later, the hacker, known as Jacob from Argentina, returned the entire stolen loot. He also apologized through an on-chain note sent to the Euler team. According to the word on the street, Jacob hacked Euler to prove to himself that he was capable of exploiting a DeFi protocol.
Hacker’s ETH address: 0xB2698C2D99aD2c302a95A8DB26B08D17a77cedd4
Hacker’s DAI address: 0xb66cd966670d962C227B3EABA30a872DbFb995db
Euler Finance’s hack story ended on a good note. Ever since the incident, the DeFi lender has recorded massive on-chain growth. Its TVL currently sits at $408 million+. It has also delved into sectors such as real-world assets (RWAs) by partnering with firms including Securitize and Ondo Finance. Euler has even stepped in to assist other DeFi protocols that were recently hacked.
The project’s native token, EUL, has also gained recognition in the crypto industry, securing a listing on reputable exchanges. At the time of writing, EUL traded at $1.43.
Post-Hack Details
Current TVL: $408 million+
Active Users: 144,500+
KyberSwap
Year Hacked: 2023
Amount Stolen: $48 million
KyberSwap, a DEX aggregator originally built on Ethereum, got hacked on November 22, 2023, losing roughly $48 million. Targeting KyberSwap’s smart contract, the hacker exploited one of the protocol’s key services — KyberSwap Elastic. This is an automated market maker (AMM) service that enables liquidity providers to focus their capital in a specific price range. The bad actor was able to drain funds from several liquidity pools across several supported blockchain networks. The attack affected over 2,300 liquidity providers.
The hacker moved the funds to wallet addresses in their custody. Notably, the account to which the stolen loot was moved had already been flagged as the attacker behind a 2021 DeFi hack involving Indexed Finance. This brought the total stolen assets to $65 million at the time.
Investigations by various countries pointed to the Canadian mathematics graduate, Andean Medjedovic, as the bad actor behind both exploits. In February 2025, he was indicted in a federal court in New York. Still, the charges did not lead to a court case as there was no substantial evidence.
As of this writing, KyberSwap has yet to recover the stolen funds. In fact, the hacker laundered the stolen funds through crypto mixers such as Tornado Cash in April 2026.
Hacker’s ETH address: 0x50275E0B7261559cE1644014d4b78D4AA63BE836
Although KyberSwap did not recover the stolen funds, it continued its operations. According to on-chain data from Arkham, Kyber Network boasts digital assets worth over $42 million. While KyberSwap’s TVL dropped to $1.22 million, its overall DEX aggregator business is thriving. Its cumulative fees and revenue are currently at $43.35 million and $32.5 million, respectively. Its market cap is also at $27.2 million.
The DEX aggregator has also partnered with various crypto projects to grow its ecosystem.
Post-Hack Details
Current TVL: $1.22 million
Active Users: 15,200+
Harvest Finance
Year Hacked: 2020
Amount Stolen: $24 million
Harvest Finance, an automated yield-farming aggregator, fell victim to a security attack targeting its USDC and USDT vaults. The project’s team explained in a post-mortem report that assets within these vaults are subject to market effects, such as arbitrage and impermanent loss. Capitalizing on these market effects, the attacker tricked the system into giving them more funds than they were meant to receive. Within minutes, about $24 million was stolen.
Surprisingly, the hacker returned over $2.8 million in stablecoins to Harvest just hours after the exploit, without stating a reason for the move. The project’s team proceeded to distribute the returned funds to affected users. As expected, the hack sent Harvest’s TVL dropping from $1 billion to $290 million within three days. To date, the Harvest Finance hacker has failed to return the rest of the stolen funds.
Hacker’s ETH address: 0xF224ab004461540778a914ea397c589b677E27bb
Despite being unable to recover most of the stolen funds, Harvest Finance has not stopped its on-chain operations. Presently, it holds over $2.5 million worth of crypto in its portfolio. Already, the project has expanded its tentacles across various blockchains, including Base, Arbitrum, and Polygon. Its native token, FARM, traded at $12 at the time of writing, with a market cap and 24-hour traded volume of $8.34 million and $1.54 million, respectively.
Post-Hack Details
Current TVL: $12.55 million
Active Users: 3,900+
Conclusion
The DeFi sector continues to suffer in the hands of black hat hackers. These attacks have become so frequent that many in the crypto industry now see them as the new normal.
Looking closely at most of the five DeFi projects discussed, we notice a pattern – other crypto projects replenish the lost funds, or the hacker returns some or all of the stolen loot. Whichever is the case, the exploited platform received adequate funds to recover and continue its operations.
The best part? The survival of these projects is a testament to the fact that experiencing a hack is not the end of a project. So long they recover the stolen funds or gain access to external cash, they can continue their operations and retain investors’ trust.
So, next time you hear about a DeFi hack, be on the lookout to see whether the project recovers from its exploit and bounces back into action.
Jonathan Agozie | December 9, 2025
Faith | November 19, 2025
