*This report is jointly produced by Beosin and Footprint Analytics
1. Overview of Web3 Blockchain Security Situation in the First Half of 2025
According to Beosin Alert monitoring and early warning, the total loss in the Web3 sector due to hacker attacks, phishing scams, and project Rug Pulls in the first half of 2025 is approximately $2.138 billion. Among these, there were 90 major attack incidents, resulting in a total loss of about $2.093 billion; the total loss from Rug Pulls was approximately $3.2 million; and the total loss from phishing scams was about $41.38 million.
In terms of the types of attacked projects, exchanges have become the project type with the highest loss amount. Six attacks on exchange platforms caused losses exceeding $1.591 billion, accounting for 74.4% of all attack losses.
From the perspective of loss amounts across different chains, Ethereum remains the chain with the highest loss amount and the most attack incidents. 81 attack incidents on Ethereum resulted in losses of $1.739 billion, accounting for 81.3% of the total losses. Sui, due to the Cetus Protocol incident, suffered losses of approximately $224 million, ranking second.
In terms of attack methods, the most frequent attacks in the first half of the year involved contract vulnerabilities, with 63 incidents occurring, resulting in losses of $408 million. Bybit was hacked due to a wallet infrastructure flaw, resulting in a theft of $1.44 billion, which accounted for 67.4% of the total attack loss amount, making it the attack type with the highest loss proportion.
In terms of the flow of funds, only a small portion (approximately $238 million) of the stolen funds was frozen or recovered in the first half of the year, while about 71.2% of the stolen funds are still circulating in on-chain wallets and have not flowed into exchanges or mixers.
2. Overview of Attack Incidents in the First Half of 2025
90 Major Attack Incidents Resulting in Losses of $2.093 Billion
In the first half of 2025, Beosin Alert monitored a total of 90 major attack incidents in the Web3 sector, with a total loss amount reaching $2.093 billion. Among these, there were 2 security incidents with losses exceeding $100 million, 7 incidents with losses in the range of $10 million to $100 million, and 18 incidents with losses in the range of $1 million to $10 million.
Attack incidents with losses exceeding $10 million (sorted by amount):
●Bybit - $1.44 billion
Attack method: Safe wallet frontend tampering Chain platform: Ethereum
On February 21, cryptocurrency exchange Bybit was attacked, and approximately $1.44 billion in funds from its Safe multi-signature wallet was stolen. The hacker implanted malicious code by hacking into Safe's server, replacing normal transaction requests, causing signers to unknowingly sign the tampered transactions.
●Cetus Protocol - $224 million
Attack method: Contract vulnerability Chain platform: Sui
On May 22, the DEX Cetus Protocol on the Sui ecosystem was attacked, with the vulnerability stemming from an implementation error in the left shift operation in the open-source library code. Subsequently, with the cooperation of the Sui Foundation and other ecological projects, $162 million of the stolen funds on Sui has been successfully frozen.
●Nobitex - $90 million
Attack method: Not yet specified Chain platform: Multi-chain
On June 18, Iran's largest cryptocurrency exchange Nobitex announced that it had been hacked, with losses exceeding $90 million, involving various cryptocurrencies such as BTC, ETH, Doge, XRP, SOL, TRX, and TON. A pro-Israel organization named "Gonjeshke Darande" has claimed responsibility for the attack, characterizing it as a strike against Iran's cryptocurrency infrastructure.
●Phemex - $70 million
Attack method: Private key leak Chain platform: Multi-chain
On January 23, approximately $70 million in crypto assets was stolen from the hot wallet of Singapore-based cryptocurrency exchange Phemex, involving various crypto assets such as ETH, SOL, BTC, BNB, and USDT.
●UPCX - $70 million
Attack method: Access control vulnerability Chain platform: Ethereum
On April 1, UPCX lost approximately $70 million in tokens due to unauthorized access. The hacker upgraded UPCX's ProxyAdmin contract and then executed a function that allowed the administrator to withdraw funds, resulting in funds being transferred from three different management accounts.
●Infini - $49.5 million
Attack method: Permission management vulnerability Chain platform: Ethereum
On February 24, Infini was hacked for $49.5 million, with the cause being that an internal developer secretly retained contract management permissions by deceiving the team, allowing them to steal funds by upgrading the contract.
●Abracadabra Finance - $13 million
Attack method: Contract vulnerability Chain platform: Ethereum
On March 25, the decentralized lending protocol Abracadabra Finance was hacked for approximately 6,262 ETH, resulting in a loss of about $13 million.
●Cork Protocol - $12 million
Attack method: Contract vulnerability Chain platform: Ethereum
On May 28, the asset anchoring protocol Cork Protocol on the Ethereum chain was attacked, with the attacker profiting $12 million through a logical flaw in the project contract (unverified key parameters).
●BitoPro - $11.5 million
Attack method: Private key leak Chain platform: Multi-chain
On June 2, cryptocurrency exchange BitoPro announced that it had been attacked, stating that during a recent wallet system upgrade and crypto asset transfer, its hot wallet was attacked, resulting in an abnormal outflow of approximately $11.5 million from multiple on-chain hot wallets.
3. Types of Attacked Projects
CEX is the Project Type with the Highest Loss Amount
The project type with the highest losses in the first half of the year was centralized exchanges, with six attacks on centralized exchanges causing losses exceeding $1.591 billion, the largest loss being Bybit with approximately $1.44 billion. Other exchanges with significant losses include Nobitex (approximately $90 million) and Phemex (approximately $70 million), while Noones, BitoPro, and Coinbase also suffered attacks.
The second most attacked type was DeFi. Among them, Cetus Protocol was hacked for approximately $224 million, accounting for 69.1% of the stolen funds in DeFi. Other DeFi projects with significant losses include Abracadabra Finance ($13 million), Cork Protocol (approximately $12 million), Resupply (approximately $9.6 million), zkLend (approximately $9.5 million), Ionic (approximately $8.8 million), and Alex Protocol (approximately $8.37 million).
Additionally, two security incidents occurred in the cryptocurrency payment sector, resulting in losses of approximately $120 million, ranking third among all project types. Other attacked project types include: browsers, token contracts, cross-chain bridges, and Memecoin launchpads.
4. Loss Amounts Across Different Chains
Ethereum is the Chain with the Highest Loss Amount and Most Attack Incidents
As in previous years, Ethereum remains the public chain with the highest loss amount. 81 attack incidents on Ethereum resulted in losses of $1.739 billion, accounting for 81.3% of the total losses.
The second-ranked public chain in terms of attack incidents is BNB Chain, with 33 attack incidents causing losses of approximately $42.53 million. Although BNB Chain has a high number of on-chain attacks, the loss amount is relatively small, but compared to the same period last year, both the number of attacks and the loss amount have significantly increased, with the loss amount increasing by 357%.
Arbitrum and Base ranked third and fourth, with losses of $21.2 million and $13.05 million, respectively. Compared to the same period last year, the number of attacks on the Arbitrum chain has increased, but the loss amount has significantly decreased by 71.8%; the number of attacks and loss amount on the Base chain have both increased significantly, with the loss amount increasing by 294%.
5. Analysis of Attack Methods
70% of Attacks Come from Contract Vulnerabilities
In the first half of the year, there were a total of 63 attacks targeting contract vulnerabilities, resulting in losses of $408 million, making it the second-largest type of attack after the Bybit incident due to wallet infrastructure flaws. The losses from private key leak incidents have significantly decreased compared to the same period last year, but the total loss amount still exceeded $102 million.
In terms of specific contract vulnerabilities, the top three vulnerabilities causing losses were: business logic vulnerabilities ($356 million), algorithmic flaws ($2.137 million), and validation vulnerabilities ($1.270 million). The most frequently occurring contract vulnerabilities were business logic vulnerabilities (45 occurrences), access control vulnerabilities (7 occurrences), and algorithmic flaws (5 occurrences).
6. Analysis of the Flow of Stolen Funds
Only 11.1% of Stolen Assets Were Frozen and Recovered
According to analysis from Beosin's KYT anti-money laundering platform, in the first half of 2025, approximately $238 million of the stolen funds were frozen or recovered, accounting for about 11.1%.
Approximately $97.89 million of the stolen funds were transferred to various exchanges, accounting for about 4.6%. A total of $278 million (13.0%) was transferred to mixers: approximately $19.46 million went to Tornado Cash; $259 million went to other mixers. Compared to last year, the amount of stolen funds laundered through mixers has significantly increased in the first half of 2025.
7. Summary of Web3 Blockchain Security Situation in the First Half of 2025
Compared to the first half of 2024, the total losses due to hacker attacks, phishing scams, and project Rug Pulls have significantly increased this year, reaching $2.138 billion. The number of attacks and loss amounts in exchanges and mainstream public chain ecosystems are generally on the rise, and the security situation in the Web3 sector remains very severe.
The most damaging attack incident in the first half of the year was the Bybit theft incident, which accounted for approximately 67.4% of the total loss amount. In terms of project types, attack incidents were spread across various fields in Web3: exchanges, DeFi, personal wallets, infrastructure, token contracts, payment platforms, browsers, Memecoin launch platforms, etc. All Web3 project teams and individual users need to remain vigilant, store private keys offline, use multi-signatures, be cautious with third-party services, and conduct regular privilege updates and security training for privileged employees.
In the first half of the year, only a small portion of assets were frozen or recovered, indicating that global regulatory and anti-money laundering efforts still need to be strengthened. The proportion of stolen funds transferred to exchanges by hackers has significantly decreased, which is related to exchanges strengthening anti-money laundering measures, timely identifying hacker activities, and actively cooperating with law enforcement agencies and project teams to freeze funds and conduct investigations. Currently, the cooperation between exchanges, law enforcement agencies, project teams, and security teams has shown noticeable results, leading hackers to increasingly attempt to use various mixers for money laundering.
Among the 90 attack incidents in the first half of the year, 63 still came from exploiting contract vulnerabilities, suggesting that project teams should seek professional security companies for audits before launching. Beosin, as one of the earliest blockchain security companies engaged in formal verification globally, focuses on "security + compliance" full-ecology business, with branches established in more than 10 countries and regions worldwide. Its services cover "one-stop" blockchain compliance products and security services, including code security audits before project launch, security risk monitoring and blocking during project operation, recovery of stolen assets, anti-money laundering (AML) for virtual assets, and compliance assessments in accordance with local regulatory requirements.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
