TL;DR
- As decentralized finance (DeFi) hacks grow in volume and complexity, the crypto industry is moving toward proactive defense.
- Chainalysis Hexagate is playing a key role in this shift, using pattern recognition and machine learning to flag high-risk and suspicious DeFi activity in real time.
- Nearly 6.2 million new smart contracts were created in Q1 2025, surpassing the total amount created in 2024.
- In Q1 2025, Chainalysis Hexagate’s machine learning model flagged more than $402.1 million in risky assets tied to malicious DeFi activity.
In the early years of blockchain, responses to hacks and exploits were primarily reactive, often occurring only after significant damage had been done. However, with advancements in technology and analytics, the industry is now shifting toward a proactive approach, emphasizing prevention through real-time monitoring and intelligent threat detection. Chainalysis Hexagate brings this shift to life, using pattern recognition and machine learning (ML) to detect decentralized finance (DeFi) hack activity before it occurs.
Keep reading to learn more about evolving trends in DeFi hacks and several risky events thus far in 2025 that Chainalysis Hexagate identified before exploits occurred.
Ethereum smart contract events: How many appear malicious?
Every year, more than five million smart contracts are created on the Ethereum blockchain, approximately 20% (one million) of which are actively used on an annual basis. In Q1 2025 alone, nearly 6.2 million new smart contracts were created, surpassing the total amount created in 2024. This number reflects the network’s expanding use across DeFi, gaming, and beyond.
Between January and March 2025, there were 261,000 unique events emitted on Ethereum, with approximately 20% actively used on an annual basis (52,200). On Ethereum, emitting an event refers to a smart contract logging a specific action on the blockchain. Events are commonly used to record important steps in a transaction, such as a token being transferred or a swap taking place. Overall, the lack of active events emitted suggests a massive surface area of potentially obscure or risky activity, as legitimate smart contracts are typically deployed more regularly.
As we see in the below chart, the most frequently emitted event on Ethereum thus far in 2025 has been Transfer, which occurs when ERC-20 tokens are transferred between addresses. This event is the basic building block for any token-based activity, including payments, rewards, and user interactions.
Other frequently observed events come from DeFi contracts and include:
- Swap: Triggered when a user exchanges one token for another on a decentralized exchange (DEX).
- Approval: Occurs when a user gives permission to a contract to spend their tokens.
- Sync: Used by liquidity pools to update price or reserve ratios.
- Deposit: Indicates that a user has added funds to a contract, often in the context of staking or providing liquidity.
According to Chainalysis Hexagate data, risky events on Ethereum represent only 0.2% of total events emitted in 2025. Risky events include Initialized, RoleGranted, and RemovedOwner, which Chainalysis Hexagate has identified as high-risk signatures.
The “Initialized” event is typically emitted when a smart contract becomes operational and signals that the contract has been assigned its initial configuration. The “RoleGranted” event indicates that a specific address has been assigned a defined role within a smart contract’s access control structure. And the “RemoveOwner” event is triggered when an address with ownership or administrative rights is removed from a contract’s list of authorized controllers.
Although rare, these events typically lead to major losses and therefore require close monitoring to ensure that legitimate users are not put at risk. Chainalysis Hexagate utilizes real-time monitoring of these events and machine learning models to proactively identify and mitigate potential threats.
Chainalysis Hexagate can detect threats before they occur
In the first quarter of 2025, Chainalysis Hexagate’s machine learning model flagged more than $402.1 million in risky assets tied to malicious activity, with amounts surging 60.71% between February and March. This type of activity includes assets stolen from DeFi, centralized exchanges (CEXs), and token smart contracts.
Given the rise in phishing attacks, it’s crucial to dig deeper into the above topline figures to understand just how much of the malicious activity can be traced back to phishing schemes specifically. Between January and March 2025, approximately 18,000 phishing tokens were created. Each month, phishing tokens impact more than 50 million wallets; in March 2025 alone, 400,000 services were affected.
A growing threat surface in 2025: DPRK-linked attacks and volume of on-chain exploits
Crypto’s expanding footprint in 2025 has been met with a surge in sophisticated exploit attempts across the ecosystem. Evidence of this growing threat includes the scale of DPRK-linked thefts and the significance of the top 10 attacks identified by Chainalysis Hexagate.
As we reported in our 2025 Crypto Crime Report, North Korea-linked hackers stole more from crypto platforms than ever before in 2024. Unfortunately, stolen funds linked to the DPRK are continuing to grow — 2025 numbers are already trending higher than those of 2024 and have surpassed $1 billion.
Additionally, the volume and complexity of on-chain exploits are increasing monthly — Chainalysis Hexagate’s detection volume doubled from January to March 2025. In the chart below, we see the top 10 hacks in Q1 2025, all of which were detected by Chainalysis Hexagate as potentially risky before the exploits occurred. Although many of these events were not disrupted in real-time, they provide an important reminder for Hexagate users to increase their defenses against malicious attacks.
Staying ahead of evolving crypto-related threats
Malicious on-chain activity is becoming more frequent and more complex. From phishing schemes to social engineering exploits, threat actors in 2025 are adapting quickly — and so must the defenses. As these tactics evolve, the need for proactive, real-time protection has never been more urgent. Chainalysis Hexagate helps fill that gap, using machine learning and on-chain intelligence to stop exploits before they escalate.
Book a demo of Chainalysis Hexagate’s security solution here.
This website contains links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.
This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.
The post Preventing DeFi Hack Events with Chainalysis Hexagate Using Pattern Recognition and Machine Learning appeared first on Chainalysis.
