Overview of Web3 Security Incidents in H1 2025
The first half of 2025 witnessed significant financial losses in the Web3 ecosystem due to security breaches. According to comprehensive monitoring and alert systems, the total losses from hacker attacks, phishing scams, and Rug Pulls reached approximately $2.138 billion. Among these, 90 major attack incidents accounted for $2.093 billion in losses, while Rug Pulls and phishing scams resulted in losses of $3.2 million and $41.38 million, respectively.
Exchange platforms emerged as the most targeted category, suffering the highest financial damage. Six attacks on exchanges led to losses exceeding $1.591 billion, representing 74.4% of the total losses from attacks.
Ethereum remained the blockchain with the highest losses and the most frequent attacks. Eighty-one incidents on Ethereum resulted in $1.739 billion in losses, constituting 81.3% of the total. The Sui network experienced a significant breach with the Cetus Protocol incident, losing approximately $224 million and ranking second in terms of chain-specific losses.
Contract vulnerabilities were the most common attack vector, with 63 incidents causing $408 million in losses. Notably, the Bybit exchange suffered a $1.44 billion loss due to a wallet infrastructure flaw, accounting for 67.4% of the total attack losses and representing the most substantial single incident by financial impact.
Regarding fund movements, only a small portion of the stolen assets—approximately $238 million—was frozen or recovered. About 71.2% of the stolen funds remained in circulation within on-chain wallets, without being transferred to exchanges or mixing services.
Detailed Breakdown of Major Attacks
A total of 90 major attacks were recorded in the first half of 2025, culminating in $2.093 billion in losses. Among these, two incidents exceeded $100 million in losses, seven fell within the $10 million to $100 million range, and 18 were between $1 million and $10 million.
Significant attacks (ordered by loss magnitude):
- Bybit: $1.44 billion loss
Attack Method: Safe wallet front-end compromise
Blockchain: Ethereum
On February 21, the cryptocurrency exchange Bybit was attacked, with approximately $1.44 billion stolen from its Safe multisignature wallet. The hacker infiltrated Safe's servers, implanting malicious code that altered transaction requests, leading signers to unknowingly authorize tampered transactions. - Cetus Protocol: $224 million loss
Attack Method: Contract vulnerability
Blockchain: Sui
On May 22, the decentralized exchange Cetus Protocol on the Sui ecosystem was exploited due to an implementation error in a left-shift operation within an open-source library. Collaborative efforts with the Sui Foundation and other ecosystem projects successfully froze $162 million of the stolen funds on the Sui network. - Nobitex: $90 million loss
Attack Method: Unspecified
Blockchain: Multi-chain
On June 18, Iran's largest crypto exchange, Nobitex, announced a hacker attack resulting in over $90 million in losses across various cryptocurrencies, including BTC, ETH, Doge, XRP, SOL, TRX, and TON. A pro-Israeli group named "Gonjeshke Darande" claimed responsibility, characterizing the attack as a strike against Iran's crypto infrastructure. - Phemex: $70 million loss
Attack Method: Private key leak
Blockchain: Multi-chain
On January 23, Singapore-based cryptocurrency exchange Phemex lost approximately $70 million in crypto assets from its hot wallet, affecting ETH, SOL, BTC, BNB, USDT, and other assets. - UPCX: $70 million loss
Attack Method: Access control vulnerability
Blockchain: Ethereum
On April 1, UPCX lost tokens worth around $70 million due to unauthorized access. The hacker upgraded UPCX's ProxyAdmin contract and executed a function permitting administrators to withdraw funds, resulting in transfers from three different management accounts. - Infini: $49.5 million loss
Attack Method: Privilege management vulnerability
Blockchain: Ethereum
On February 24, Infini lost $49.5 million when an internal developer deceived the team by secretly retaining contract administrative privileges and upgrading the contract to steal funds. - Abracadabra Finance: $13 million loss
Attack Method: Contract vulnerability
Blockchain: Ethereum
On March 25, the decentralized lending protocol Abracadabra Finance was exploited due to a contract vulnerability, losing approximately 6,262 ETH, valued at around $13 million. - Cork Protocol: $12 million loss
Attack Method: Contract vulnerability
Blockchain: Ethereum
On May 28, the Ethereum-based pegged asset protocol Cork Protocol was attacked. The exploiter profited $12 million by leveraging a logic flaw in the project contract that failed to validate critical parameters. - BitoPro: $11.5 million loss
Attack Method: Private key leak
Blockchain: Multi-chain
On June 2, crypto exchange BitoPro confirmed an attack, stating that during a wallet system upgrade and asset transfer, its hot wallets were compromised, resulting in abnormal outflows of approximately $11.5 million across multiple chains.
Targeted Project Types
Centralized exchanges (CEXs) were the most severely impacted project type. Six attacks on CEXs led to over $1.591 billion in losses. Bybit incurred the largest loss at $1.44 billion, followed by Nobitex ($90 million) and Phemex ($70 million). Other exchanges, including Noones, BitoPro, and Coinbase, also experienced attacks.
Decentralized finance (DeFi) projects ranked second in terms of losses. Cetus Protocol's $224 million loss constituted 69.1% of the total DeFi losses. Other significantly affected DeFi projects included Abracadabra Finance ($13 million), Cork Protocol ($12 million), Resupply ($9.6 million), zkLend ($9.5 million), Ionic ($8.8 million), and Alex Protocol ($8.37 million).
Additionally, two security incidents occurred in the crypto payment sector, resulting in approximately $120 million in losses, ranking third among all project types. Other attacked categories included browsers, token contracts, cross-chain bridges, and Memecoin launchpads.
Loss Distribution Across Blockchains
Ethereum sustained the highest losses and the most attacks among all blockchains. Eighty-one incidents on Ethereum led to $1.739 billion in losses, accounting for 81.3% of the total.
BNB Chain experienced the second-highest number of attacks, with 33 incidents causing approximately $42.53 million in losses. While BNB Chain had numerous on-chain attacks, the individual loss amounts were relatively smaller. However, compared to the same period last year, both the number of attacks and the total losses increased significantly, with losses rising by 357%.
Arbitrum and Base ranked third and fourth, with losses of $21.2 million and $13.05 million, respectively. Compared to the previous year, Arbitrum saw an increase in attack frequency but a significant 71.8% decrease in loss magnitude. Base chain witnessed substantial increases in both attack numbers and loss amounts, with losses growing by 294%.
Analysis of Attack Methods
Contract vulnerabilities were the leading cause of attacks, with 63 incidents resulting in $408 million in losses. Excluding the Bybit incident stemming from wallet infrastructure defects, this was the attack method with the highest financial impact. Private key leaks caused over $102 million in losses, a significant decrease from the same period last year.
Breakdown of contract vulnerability types by loss amount:
- Business logic flaws: $356 million
- Algorithm defects: $21.37 million
- Validation vulnerabilities: $12.7 million
Breakdown by frequency of occurrence:
- Business logic flaws: 45 incidents
- Access control vulnerabilities: 7 incidents
- Algorithm defects: 5 incidents
Flow of Stolen Funds
Only 11.1% of the stolen assets from the first half of 2025, approximately $238 million, were frozen or recovered.
Around $97.89 million (4.6%) of the stolen funds were transferred to various exchanges. Approximately $278 million (13.0%) was directed to mixing services: $19.46 million to Tornado Cash and $259 million to other mixers. Compared to the previous year, the volume of stolen funds laundered through mixers increased substantially in the first half of 2025.
Conclusion and Key Takeaways
The total losses from hacker attacks, phishing scams, and Rug Pulls in the first half of 2025 surged to $2.138 billion, marking a significant increase compared to the same period in 2024. The frequency and severity of attacks on exchanges and major public chain ecosystems have overall risen, indicating a persistently严峻 (severe) landscape in Web3 security.
The Bybit incident was the most damaging attack, accounting for approximately 67.4% of the total losses. Attacks spanned various Web3 sectors, including exchanges, DeFi, personal wallets, infrastructure, token contracts, payment platforms, browsers, and Memecoin launchpads. This underscores the critical need for all Web3 projects and individual users to enhance security measures. These include offline private key storage, using multi-signature wallets, exercising caution with third-party services, and conducting regular permission updates and security training for privileged employees.
The limited recovery of stolen assets—only a small fraction was frozen or retrieved—highlights the ongoing need for stronger global regulatory and anti-money laundering efforts. The decreased proportion of stolen funds flowing into exchanges suggests improved anti-money laundering practices, timely identification of malicious activities, and better collaboration with law enforcement and projects to freeze funds and conduct investigations. The cooperation between exchanges, law enforcement, projects, and security teams has yielded noticeable results, prompting hackers to increasingly turn to various mixing services for laundering.
With 63 out of the 90 attacks originating from contract vulnerabilities, it is strongly recommended that projects seek professional security audits before launch. 👉 Explore advanced security audit services to mitigate risks. Comprehensive security services encompass pre-launch code audits, runtime risk monitoring and blocking, stolen fund recovery, virtual asset anti-money laundering (AML), and compliance assessments tailored to various regulatory requirements.
Frequently Asked Questions
What was the total financial loss in Web3 during the first half of 2025?
The total loss from security incidents, including hacker attacks, phishing scams, and Rug Pulls, was approximately $2.138 billion. The majority stemmed from 90 major attacks causing around $2.093 billion in damages.
Which type of project was most targeted by attackers?
Centralized exchanges (CEXs) suffered the highest financial losses, with six attacks resulting in over $1.591 billion lost. This represented nearly three-quarters of all attack-related losses during the period.
Which blockchain experienced the most significant losses?
Ethereum remained the blockchain with the highest losses, enduring 81 attacks that led to $1.739 billion in losses. This accounted for over 81% of the total financial damage across all recorded incidents.
What was the most common method used in these attacks?
Exploiting contract vulnerabilities was the most frequent attack method, occurring 63 times and causing $408 million in losses. Business logic flaws within contracts were particularly prevalent and damaging.
Were any of the stolen funds recovered?
Only a small portion, about 11.1% or $238 million, of the stolen assets were successfully frozen or recovered. The majority of the funds remained in circulation within on-chain wallets or were laundered through mixing services.
How can projects and users improve their security posture?
Key measures include conducting professional security audits before launch, using offline cold storage for private keys, implementing multi-signature wallets, carefully vetting third-party services, and providing regular security training for team members with elevated access privileges. 👉 Get strategies for enhancing blockchain security to protect digital assets effectively.