*This report is jointly produced by Beosin and Footprint Analytics
1. Overview of Web3 blockchain security situation in the first half of 2025
According to Beosin Alert monitoring and early warning, the total loss of Web3 due to hacker attacks, phishing scams and project party Rug Pull in the first half of 2025 was about 2.138 billion US dollars. Among them, there were 90 major attacks, with a total loss of about 2.093 billion US dollars; the total loss of Rug Pull was about 3.2 million US dollars; the total loss of phishing scams was about 41.38 million US dollars.
In terms of the types of projects attacked, exchanges have become the type of projects with the highest amount of losses. Six attacks on exchange platforms have caused a total loss of more than 1.591 billion US dollars, accounting for 74.4% of all attack losses.
In terms of the amount of losses on each chain, Ethereum is still the chain with the highest amount of losses and the most attacks. 81 attacks on Ethereum caused a loss of $1.739 billion, accounting for 81.3% of the total losses. Sui lost about $224 million due to the Cetus Protocol incident, ranking second.
In terms of attack methods, the most frequent attacks in the first half of the year were those that exploited contract vulnerabilities, which occurred 63 times in total and caused losses of $408 million. Bybit was stolen $1.44 billion due to defects in its wallet infrastructure, accounting for 67.4% of the total attack losses, making it the attack type with the highest proportion of losses.
In terms of capital flow, only a small portion (about US$238 million) of the stolen funds were frozen or recovered in the first half of the year, and about 71.2% of the stolen funds are still circulating in on-chain wallets and have not flowed into exchanges or mixers.
2. Overview of attacks in the first half of 2025
90 major attacks cost a total of $2.093 billion
In the first half of 2025, Beosin Alert monitored 90 major attacks in the Web3 field, with a total loss of US$2.093 billion. Among them, there were 2 security incidents with losses exceeding US$100 million, 7 incidents with losses between US$10 million and US$100 million, and 18 incidents with losses between US$1 million and US$10 million.
Attacks with losses exceeding 10 million USD (sorted by amount):
● Bybit - $1.44 billion
Attack method: Safe wallet front end was tampered with Chain platform: Ethereum
On February 21, the cryptocurrency exchange Bybit was attacked and about $1.44 billion of funds were stolen from its Safe multi-signature wallet. The hacker implanted malicious code by hacking into Safes server, replacing normal transaction requests, causing the signer to sign the tampered transaction without knowing it.
● Cetus Protocol – $224 million
Attack method: Contract vulnerability Chain platform: Sui
On May 22, the DEX Cetus Protocol on the Sui ecosystem was attacked . The vulnerability was caused by an implementation error of the left shift operation in the open source library code. Subsequently, with the cooperation of the Sui Foundation and other ecological projects, the stolen funds of $162 million on Sui have been successfully frozen.
● Nobitex – $90 million
Attack method: not yet clear Chain platform: multi-chain
On June 18, Irans largest crypto exchange Nobitex announced that it had suffered a hacker attack , with losses exceeding $90 million, involving multiple cryptocurrencies such as BTC, ETH, Doge, XRP, SOL, TRX and TON. A pro-Israel organization called Gonjeshke Darande has claimed responsibility for the attack and characterized it as a strike against Irans crypto infrastructure.
● Phemex – $70 million
Attack method: private key leakage Chain platform: multi-chain
On January 23, about $70 million worth of crypto assets were stolen from the hot wallet of Phemex, a Singapore-based cryptocurrency exchange, involving a variety of crypto assets such as ETH, SOL, BTC, BNB, USDT, etc.
● UPCX – $70 million
Attack method: Access control vulnerability Chain platform: Ethereum
On April 1, UPCX lost approximately $70 million worth of tokens due to unauthorized access. The hacker upgraded UPCX’s ProxyAdmin contract and subsequently executed a function that allowed administrators to withdraw funds, resulting in funds being transferred from three different administrative accounts.
● Infini - $49.5 million
Attack method: Permission management vulnerability Chain platform: Ethereum
On February 24, Infini was stolen $49.5 million because an internal developer secretly retained contract management authority by deceiving the team and stole funds by upgrading the contract.
● Abracadabra Finance – $13 million
Attack method: Contract vulnerability Chain platform: Ethereum
On March 25, the decentralized lending protocol Abracadabra Finance suffered a theft of approximately 6,262 ETH due to a contract vulnerability, resulting in a loss of approximately US$13 million.
● Cork Protocol – $12 million
Attack method: Contract vulnerability Chain platform: Ethereum
On May 28, the Cork Protocol, an anchored asset protocol on the Ethereum chain, was attacked . The attacker made a profit of $12 million through a logical vulnerability in the project contract (key parameters were not verified).
● BitoPro – $11.5 million
Attack method: private key leakage Chain platform: multi-chain
On June 2, the cryptocurrency exchange BitoPro issued an announcement confirming that it had been attacked , stating that during the recent wallet system upgrade and cryptocurrency transfer, its hot wallet was attacked by hackers, and approximately US$11.5 million of funds had abnormally outflowed from multiple on-chain hot wallets.
3. Types of Attacked Projects
CEX is the project type with the highest loss amount
The project type with the highest losses in the first half of the year was centralized exchanges. Six attacks on centralized exchanges caused a total loss of more than $1.591 billion. The exchange with the largest loss was Bybit, which lost about $1.44 billion. Other exchanges with large losses included Nobitex (lost about $90 million) and Phemex (lost about $70 million). Noones, BitoPro and Coinbase were also attacked.
The second most attacked type is DeFi. Among them, Cetus Protocol was stolen about 224 million US dollars, accounting for 69.1% of the stolen funds in DeFi. Other DeFi projects with large losses include Abracadabra Finance (13 million US dollars), Cork Protocol (about 12 million US dollars), Resupply (about 9.6 million US dollars), zkLend (about 9.5 million US dollars), Ionic (about 8.8 million US dollars), and Alex Protocol (about 8.37 million US dollars).
In addition, two security incidents occurred in the field of encrypted payments, with a loss of approximately $120 million, ranking third among all project types. Other attacked project types include: browsers, token contracts, cross-chain bridges, Memecoin launch pads, etc.
4. Amount of losses in each chain
Ethereum is the chain with the highest amount of losses and the most attacks
As in previous years, Ethereum is still the public chain with the highest amount of losses. 81 attacks on Ethereum caused losses of $1.739 billion, accounting for 81.3% of the total losses.
The second most attacked public chain is BNB Chain, with 33 attacks causing a total loss of about $42.53 million. BNB Chain has a large number of on-chain attacks, but the amount of losses is relatively small. However, compared with the same period last year, the number of attacks and the amount of losses have increased significantly, with the amount of losses increasing by 357%.
Arbitrum and Base ranked third and fourth, with losses of $21.2 million and $13.05 million respectively. Compared with the same period last year, the number of attacks on the Arbitrum chain increased, but the amount of losses dropped significantly by 71.8%; the number of attacks and the amount of losses on the Base chain increased significantly, with the amount of losses increasing by 294%.
5. Analysis of attack methods
70% of attacks come from contract vulnerabilities
In the first half of the year, there were 63 attacks targeting contract vulnerabilities, causing losses of $408 million, which was the largest type of attack method with the exception of the theft of Bybit due to a flaw in the wallet infrastructure. The losses caused by private key leaks in the first half of this year were significantly reduced compared to the same period last year, but the total loss amount still exceeded $102 million.
According to the breakdown of contract vulnerabilities, the top three vulnerabilities causing losses are: business logic vulnerabilities (US$356 million), algorithm defects (US$21.37 million), and verification vulnerabilities (US$12.7 million). The top three contract vulnerabilities in terms of frequency are business logic vulnerabilities (45 times), access control vulnerabilities (7 times), and algorithm defects (5 times).
6. Analysis of the flow of stolen funds
Only 11.1% of stolen assets were frozen and recovered
According to the analysis of the Beosin KYT anti-money laundering platform, of the stolen funds in the first half of 2025, approximately US$238 million of the stolen funds were frozen or recovered, accounting for approximately 11.1%.
About $97.89 million of stolen funds were transferred to various exchanges, accounting for about 4.6%. A total of $278 million (13.0%) was transferred to mixers: about $19.46 million was transferred to Tornado Cash; $259 million was transferred to other mixers. Compared with last year, the amount of stolen funds cleaned through mixing in the first half of 2025 increased significantly.
7. Summary of Web3 blockchain security situation in the first half of 2025
Compared with the first half of 2024, the total losses caused by hacker attacks, phishing scams, and project party Rug Pulls in the first half of this year have increased significantly, reaching US$2.138 billion. The number of attacks and the amount of losses on exchanges and mainstream public chain ecosystems are increasing overall, and the situation in the Web3 security field is still very serious.
The most damaging attack in the first half of the year was the Bybit theft, which accounted for about 67.4% of the losses. From the perspective of project types, attacks occurred in all areas of Web3: exchanges, DeFi, personal wallets, infrastructure, token contracts, payment platforms, browsers, Memecoin launch platforms, etc. All Web3 project owners/individual users need to be vigilant, store private keys offline, use multi-signatures, use third-party services with caution, and conduct regular permission updates and security training for privileged employees.
Only a small portion of assets were frozen or recovered in the first half of the year, indicating that global supervision and anti-money laundering efforts still need to be strengthened. The proportion of stolen funds transferred by hackers to exchanges in the first half of the year dropped significantly, which is related to the exchanges strengthening of anti-money laundering, timely identification of hacker behavior, and active cooperation with law enforcement agencies and project parties to freeze funds and conduct evidence collection. At present, the cooperation between exchanges and law enforcement agencies, project parties, and security teams has achieved relatively obvious results, so hackers are more likely to try to choose a variety of mixers to clean funds.
Of the 90 attacks in the first half of the year, 63 were still from contract vulnerability exploitation. It is recommended that project owners seek audits from professional security companies before going online. As one of the earliest blockchain security companies in the world engaged in formal verification, Beosin focuses on the security + compliance full-ecological business and has established branches in more than 10 countries and regions around the world. Its business covers code security audits before project launch, security risk monitoring and blocking during project operation, stolen recovery, virtual asset anti-money laundering (AML), and compliance assessments that meet local regulatory requirements, and other one-stop blockchain compliance products + security services.
