
The Industry that Cannot Count Its Own Losses
Dedge Security Research | June 2026
Why $1.26 billion in disagreement is not a data problem
Every year, four of the most-cited security firms in the digital assets industry publish annual loss figures. Every year, those figures disagree by a margin that would trigger a regulatory inquiry in any other financial sector.
In 2025, the published totals were:
Chainalysis, $3.4 billion.
CertiK, $3.35 billion.
PeckShield, $4.04 billion.
SlowMist, $2.78 billion.
The gap between the highest and lowest figures is $1.26 billion. It is larger than the annual cybersecurity budget of most mid-sized financial institutions. And it has been present, in some form, in every annual report these firms have published for the last four years.
The natural response is to ask which figure is correct. That is the wrong question. All four figures are defensible. Each firm made deliberate, documented choices about what to include.
PeckShield counts scams alongside exploits.
Chainalysis nets out recovered funds.
SlowMist applies its own incident classification at the wallet level.
CertiK uses a proprietary severity taxonomy that separates financial loss from protocol-level impact.
None of these choices is unreasonable. Together, they produce four legitimate answers to four slightly different questions, all of which are being published as the answer to one question.
For a full cross-source reconciliation of the four publishers' methodology differences, see: Arafat Afzalzada, "Crypto Hacking Statistics 2026: DeFi, Bridges, and Exchange Losses," Stingrai, April 25, 2026. https://www.stingrai.io/blog/crypto-hacking-statistics-2026
The right question is: why has no one settled what that question should be?
The Paradox of the Transparent Ledger
Web3 is built on public blockchains. Every transaction is recorded. Every exploit is timestamped and traceable. The data is not locked in proprietary systems or hidden behind access agreements. In theory, this is the most auditable financial environment ever created. The raw material for a consistent industry loss figure is sitting on public infrastructure, accessible to anyone with an internet connection.
Traditional finance operates under the opposite conditions. Bank ledgers are private. Transaction data is fragmented across institutions. Reconciliation requires coordination between dozens of parties, each with its own systems and incentives.
And yet traditional finance has produced standardised, cross-institution loss reporting for decades. The Basel Committee on Banking Supervision defines what counts as an operational loss event. The European Banking Authority publishes a taxonomy. National regulators enforce reporting standards that make the numbers converge, not because the underlying events are simple, but because the industry decided convergence was worth building for.
Web3 has the better infrastructure and the worse accounting. The ledger is transparent. The framework for reading it is not.
This is the paradox at the centre of the $1.26 billion disagreement. It is not a data quality problem. The data is fine. It is a definitional problem, and definitional problems are always, underneath them, governance problems. Someone has to decide what counts. In Web3, no one has.
What Each Firm is Actually Counting
The variance across the four major trackers is not random. It maps directly to four specific definitional choices that the industry has never standardised.
The Scam Boundary
PeckShield includes social engineering attacks, phishing campaigns, and rug pulls in its annual totals alongside protocol-level exploits. Its $4.04 billion figure for 2025 is the highest of the four, largely due to this inclusion. Chainalysis and CertiK treat scams as a separate loss category and report them independently. SlowMist applies a case-by-case classification that sits somewhere between the two.
None of these positions is wrong. But they reflect fundamentally different answers to the question of what the industry is trying to protect against. If you include scams, you are measuring the total cost of being in the Web3 ecosystem. If you exclude them, you are measuring the infrastructure's technical failure rate. Both figures are useful. They are useful for different purposes and different audiences. Publishing them under the same headline without that distinction is what produces the confusion.
The Recovery Question
When $40 million is stolen from a protocol and $38 million is returned three days later via a white-hat negotiation, what was lost? Chainalysis says $2 million. PeckShield says $40 million. CertiK says it depends on whether the return was voluntary.
This is not a trivial distinction. Recovery rates in Web3 vary enormously by attack type. Smart contract exploits against opportunistic attackers sometimes produce high recovery rates. Private key compromise incidents against state-affiliated actors produce almost none. A loss figure that does not distinguish between recoverable and unrecoverable losses is not telling you the same thing as one that does, even if both figures look like they are measuring the same event.
In 2025, the average confirmed recovery rate across all verified incidents was 3.62 percent. That number is only meaningful if everyone is counting losses the same way before recovery. They are not.
The Wallet Problem
Should individual wallet compromises be included in industry loss totals? In 2025, there were approximately 158,000 incidents of individual wallet compromise. The total value lost in those incidents was around $713 million.
Chainalysis includes a sampled portion of this in its broader figure.
SlowMist excludes most of it.
CertiK focuses primarily on protocol-level incidents.
PeckShield aggregates differently depending on whether a wallet compromise is linked to a broader campaign.
The practical effect is that the four annual figures do not measure the same population of events. Three of them could, in theory, be simultaneously correct without any of them contradicting the others, because they are not answering the same question.
Why This is Not a Methodology Debate
The temptation, when confronted with this kind of variance, is to call for better research. Cleaner data. More rigorous methodology. Peer review. A working group. This response misses the actual problem.
The firms producing these figures are doing serious work. Their researchers are skilled. Their on-chain forensics are, in many cases, state-of-the-art. The disagreement is not produced by poor analysis. It is produced by the absence of a shared framework that would tell each firm what to analyse.
That absence is structural, and it has a specific cause. The Web3 security industry built its threat detection infrastructure before it built its risk accounting infrastructure. The tools for identifying when an attack has occurred are sophisticated and improving. The conceptual infrastructure for defining what an attack costs, to whom it costs, and under what category it should be classified has never been built.
This sequence is the reverse of how the traditional financial system approached operational risk. Basel II, published in 2004, defined operational loss categories before most banks had the data systems to populate them reliably. The framework came first. The data followed. Web3 has done the opposite, and the result is an industry that can detect a $300 million exploit within minutes of it happening and then spend the next 12 months arguing over whether it should be counted in this year's total or last year's.
[Figure: Web3 versus traditional finance. Web3: every transaction traceable; $1.26B variance in 2025. Traditional finance: multi-party coordination required; regulated, auditable, convergent.]
There is a second consequence that receives less attention. When the loss figure is uncertain by more than a billion dollars, the metrics derived from it are also uncertain. Percentage changes year-over-year become meaningless. Claims about which chains are safest, which attack types are growing, which sectors carry the most risk: all of these are built on a foundation that shifts depending on which tracker you read first. The industry is navigating by instruments that have not been calibrated against each other.
What the Institutional Reader Sees
There is a specific reader who encounters the $1.26 billion variance and does not think about methodology. They think about institutional readiness.
That reader is the Chief Risk Officer at a bank that has been building out digital asset exposure for the last two years. They have spent their career in an environment where operational loss definitions are regulated, standardised, and auditable. They have sat through Basel III implementation projects. They know what a loss event taxonomy looks like because they have built one.
When they read four different annual figures from four credible sources, their reaction is not curiosity about which one is correct. It is a quiet, firm conclusion that the industry they are entering lacks a risk accounting infrastructure. And they are correct.
This matters beyond the optics of the annual report season. Institutional adoption of digital assets is accelerating. The regulated financial entities entering this space are not doing so because they have decided Web3 security is good enough. They are doing so despite it, on the calculation that the regulatory and commercial upside justifies the risk. The $1.26 billion variance is one of the data points they are using to calibrate exactly how much risk that is. When the figure is this uncertain, the calibration cannot be precise.
The firms that will win the institutional relationship are not necessarily the ones with the best detection tools. They are the ones who can speak the language of institutional risk. That means producing numbers that are legible to a risk committee, not just to a fellow security researcher. It means having a loss classification framework that a CRO can reference without having to read footnotes to understand what is included. It means closing the gap between what the blockchain records and what an institution can put in a regulatory filing.
What a Standard Would Actually Require
The good news is that the problem is solvable. The bad news is that solving it requires the industry to do something it has historically been reluctant to do: agree on definitions that constrain individual methodologies.
A functional loss taxonomy for Web3 would need to resolve four questions that are currently answered differently by every firm publishing data.
What is the Loss Event Boundary?
A loss event should be defined as any incident in which value is transferred from a protocol, exchange, or individual without authorisation. This definition includes smart contract exploits, key compromises, bridge failures, and governance attacks. It excludes scams and phishing unless those attacks produce an unauthorised on-chain transaction from a protocol or exchange address. Individual wallet compromises should be tracked separately and reported separately, not blended into the protocol-level total.
When does a Loss Occur?
Loss should be measured at the time of the unauthorised transaction, not at the time of discovery or public disclosure. The value should be denominated in the asset's price at the time of the transaction. Post-event recovery should be tracked separately and reported as a recovery rate, not subtracted from the gross loss figure. This preserves the integrity of the headline number while still capturing the outcome.
How Should Multi-Incident Campaigns be Counted?
When a single attacker or group executes multiple exploits across different protocols as part of a coordinated campaign, each protocol-level incident should be counted separately. The campaign should be identified and attributed separately. This is the approach taken in traditional financial crime reporting, and it produces more useful data than either collapsing a campaign into a single event or treating each sub-incident in isolation.
What is the Attribution Standard?
Attribution to specific threat actors, including state-affiliated groups, should be reported with explicit confidence levels.
High confidence means multiple independent forensic sources agree.
Moderate confidence means a single reputable source with documented methodology.
Low confidence means circumstantial on-chain evidence only.
Publishing attribution without confidence levels produces misinformation on an industrial scale.
None of these standards is technically difficult to implement. The challenge is getting competing firms to adopt them, which requires either regulatory pressure or a coordinated industry commitment that has yet to materialise.
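The following Python model is an added illustration, not Dedge's code and not any tracker's actual methodology. It makes the definitional choices discussed above (scams in or out, recoveries netted or gross, individual wallets in or out, valuation at the transaction or at disclosure) explicit parameters of a Policy, so that one constructed incident list yields a different headline total per policy, which is the mechanism behind the spread described under "What Each Firm is Actually Counting". The STANDARD policy and standard_report implement the four rules proposed in this section: gross loss at the time of the unauthorised transaction, recovery as a separate rate, wallet compromises reported separately, each protocol-level incident counted on its own but linked by a campaign id, and attribution carrying an explicit confidence level. All incident names, amounts, prices, actor labels and policy labels are constructed placeholders.

```python
# Added example (not Dedge's code and not any tracker's real methodology): loss accounting
# as an explicit policy. Every incident, amount, price, actor name and label is constructed.
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Kind(Enum):
    EXPLOIT = "smart_contract_exploit"
    KEY_COMPROMISE = "key_compromise"
    SCAM = "scam"                 # social engineering, phishing, rug pull
    WALLET = "wallet_compromise"  # individual wallet, not a protocol or exchange

class Confidence(Enum):
    HIGH = "high"          # multiple independent forensic sources agree
    MODERATE = "moderate"  # single reputable source with documented methodology
    LOW = "low"            # circumstantial on-chain evidence only

@dataclass(frozen=True)
class Incident:
    name: str
    kind: Kind
    tokens: float                       # units of the drained asset
    price_at_tx: float                  # asset price when the unauthorised tx landed
    price_at_disclosure: float          # asset price when the incident became public
    recovered_usd: float = 0.0          # returned afterwards (white-hat deal, freeze)
    from_protocol_address: bool = True  # for scams: did it drain a protocol/exchange address?
    campaign: Optional[str] = None      # shared id when part of a coordinated campaign
    attribution: Optional[tuple] = None # (actor, Confidence)

@dataclass(frozen=True)
class Policy:  # the definitional choices the article says were never standardised
    include_scams: bool
    net_recoveries: bool
    include_wallets: bool
    value_at_disclosure: bool = False   # price at disclosure instead of at the tx

def gross_usd(i: Incident, policy: Policy) -> float:
    return i.tokens * (i.price_at_disclosure if policy.value_at_disclosure else i.price_at_tx)

def in_scope(i: Incident, policy: Policy) -> bool:
    if i.kind is Kind.WALLET:
        return policy.include_wallets
    if i.kind is Kind.SCAM:  # proposed boundary: a scam counts only if it produced an
        return policy.include_scams or i.from_protocol_address  # unauthorised tx from a protocol/exchange address
    return True

def headline_total(incidents: list, policy: Policy) -> float:
    total = 0.0  # the single number a tracker publishes, under its own policy
    for i in incidents:
        if in_scope(i, policy):
            loss = gross_usd(i, policy)
            if policy.net_recoveries:
                loss -= min(i.recovered_usd, loss)
            total += loss
    return round(total, 2)

# The standard proposed in the article: gross loss at time of tx, scams and individual
# wallets outside the headline, recoveries reported as a separate rate.
STANDARD = Policy(include_scams=False, net_recoveries=False, include_wallets=False)

def standard_report(incidents: list) -> dict:
    protocol = [i for i in incidents if in_scope(i, STANDARD)]
    wallets = [i for i in incidents if i.kind is Kind.WALLET]
    gross = sum(gross_usd(i, STANDARD) for i in protocol)
    recovered = sum(min(i.recovered_usd, gross_usd(i, STANDARD)) for i in protocol)
    campaigns: dict = {}  # each protocol incident stays separate; the campaign id links them
    for i in protocol:
        if i.campaign:
            campaigns.setdefault(i.campaign, []).append(i.name)
    return {
        "gross_loss_usd": round(gross, 2),
        "recovery_rate": round(recovered / gross, 4) if gross else 0.0,
        "incident_count": len(protocol),
        "wallet_compromises": {"count": len(wallets), "gross_loss_usd": sum(gross_usd(i, STANDARD) for i in wallets)},
        "campaigns": campaigns,
        "attribution": {i.name: (i.attribution[0], i.attribution[1].value) for i in protocol if i.attribution},
    }

# Constructed sample, including the article's "$40M stolen, $38M returned" case.
SAMPLE = [
    Incident("lending-pool-drain", Kind.EXPLOIT, 20_000, 2000.0, 1900.0,
             recovered_usd=38_000_000, campaign="camp-1", attribution=("GroupX", Confidence.HIGH)),
    Incident("bridge-signer-compromise", Kind.KEY_COMPROMISE, 5_000_000, 1.0, 1.0,
             campaign="camp-1", attribution=("GroupX", Confidence.MODERATE)),
    Incident("fake-airdrop-phish", Kind.SCAM, 1_000, 500.0, 480.0, from_protocol_address=False),
    Incident("exchange-hot-wallet-phish", Kind.SCAM, 300, 1000.0, 1000.0),
    Incident("user-wallet-1", Kind.WALLET, 10, 3000.0, 3000.0),
]

# Illustrative policies (constructed labels, not any named firm's actual rules).
POLICIES = {
    "scams in, gross, wallets in": Policy(True, False, True),
    "scams out, net of recoveries, wallets out": Policy(False, True, False),
    "proposed standard, but priced at disclosure": Policy(False, False, False, True),
    "proposed standard": STANDARD,
}

def divergence(incidents: list) -> dict:
    """Same incident set, one headline total per policy."""
    return {label: headline_total(incidents, p) for label, p in POLICIES.items()}
```

Calling divergence(SAMPLE) on this single list returns headline totals ranging from $7.3M (scams out, recoveries netted, wallets out) to $45.83M (scams in, gross, wallets in), with nothing about the underlying events changing; only the policy does. standard_report(SAMPLE) returns the gross $45.3M figure with the recovery rate, the wallet population, the campaign linkage and the per-incident attribution confidence carried alongside the headline instead of folded into it, which is what would let two firms applying the same rules arrive at the same number.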
The Regulatory Forcing Function
The conversation about standardisation may not need to be voluntary for much longer.
DORA, in force across the EU since January 2025, requires regulated financial entities to report major ICT-related incidents to competent authorities within four hours of classification. It requires a register of critical third-party ICT providers. It requires documented incident response procedures. All of these obligations presuppose a loss classification framework that is consistent, auditable, and defensible to a regulator.
MiCA's reserve monitoring requirements for stablecoin issuers create similar pressure. The GENIUS Act, which cleared the Senate Banking Committee in April 2026, mandates monthly attestations and code-level audit obligations for stablecoin issuers operating in the United States. These attestations will require a definition of what constitutes a security incident and what constitutes a loss.
[Figure: summary of the four proposed standards. Loss event boundary: unauthorised value transfer, including bridge failures and governance attacks; wallets tracked separately. Timing: loss measured at the unauthorised tx; recoveries tracked as a separate rate. Campaigns: each protocol-level incident counted separately, matching the fin-crime standard. Attribution: confidence levels required; multi-source verification for state-affiliated actors.]
The regulators are not going to accept four different answers to that question. They will define it themselves if the industry does not. And a definition produced by a regulator who does not understand on-chain mechanics will be worse for everyone than one produced by people who do.
The firms that participate in building the standard will have more influence over what it looks like. The firms that wait will inherit whatever they are given.
The Measurement Problem is the Security Problem
There is a version of this argument that ends with a call for a working group, a standards body, or a consortium. That version is probably right about the destination but wrong about what makes it urgent.
The $1.26 billion disagreement is not primarily a communications problem. It is not even primarily a research problem. It is a signal about the maturity of the industry's relationship with its own risk.
An industry that cannot agree on what it lost last year has not yet decided what it is trying to protect. That decision shapes everything downstream: what controls are built, what is monitored, what is reported to regulators, and what institutional buyers are told when they ask how much it costs to be in this market.
The firms publishing annual loss figures are doing useful work. The researchers behind those reports are tracking real incidents with real forensic rigour. The problem is not the work. The problem is that the work is being done without a framework that would make it comparable, cumulative, and institutionally legible.
That framework is the prerequisite for the industry's next stage. Not because regulators will eventually require it, though they will. Because without it, the industry's security conversation is happening inside a room where everyone is measuring the walls with different rulers and then arguing about which wall is longest.
The blockchain recorded every loss. The industry just never agreed on how to read the receipts.
Dedge Security S.L. | dedgesecurity.com | Madrid
This article is an independent research publication. It does not constitute legal, financial, or security advice.