SlowMist | 2025 Mid-year Blockchain Security and AML Report
Due to space constraints, this article only outlines the key findings from the full analysis report. The complete report can be downloaded from the link below: https://www.slowmist.com/report/SlowMist-first-half-of-the-2025-report(EN).pdf
I. Introduction
In the first half of 2025, the blockchain industry continued its rapid development while facing increasingly complex security threats and compliance challenges. On one hand, hacker attacks remained frequent, with APT groups adopting increasingly modular and systematic techniques, while phishing and social engineering scams became rampant — resulting in significant financial losses and a growing crisis of user trust. On the other hand, global regulatory frameworks continued to evolve rapidly. Governments and international organizations issued new rules covering anti-money laundering (AML), sanctions enforcement, and investor protection.
Of particular note, stablecoins are emerging as a foundational bridge between traditional finance and on-chain finance. Major financial institutions and leading crypto platforms are accelerating their stablecoin strategies. Meanwhile, underground financial flows are evolving, and blockchain-based tracking technologies and intelligence collaboration mechanisms are also advancing. Regulatory agencies and major platforms are working more closely together, leading to a significant increase in asset freezing and recovery cases, posing a stronger deterrent to on-chain crime and illicit funds.
As a pioneer in blockchain security, SlowMist continues to focus on threat intelligence, attack monitoring, on-chain tracing, and compliance support. Against this backdrop, this report focuses on major security incidents, global regulatory developments, and emerging AML trends in the first half of 2025. We hope this report provides timely, systematic, and insightful reference for industry professionals, security researchers, and compliance officers — enhancing their ability to identify, respond to, and anticipate risks.
II. Blockchain Security Landscape
Security Incident Review
In the first half of 2025, the blockchain sector remained under serious security pressure. According to incomplete statistics from the SlowMist Hacked database, there were 121 reported security incidents, resulting in an estimated $2.373 billion in losses. Compared to H1 2024 (223 incidents, ~$1.43 billion in losses), the number of incidents declined, but total losses increased by ~65.94%.
Note: Loss figures are based on token prices at the time of the incidents. Due to market fluctuations, undisclosed incidents, and the exclusion of general user losses, the actual total may be higher.
1. By Ecosystem
- Ethereum remains the hardest-hit ecosystem, with ~$38.59 million in losses.
- Solana followed with ~$5.8 million, then BSC with ~$5.49 million.
2. By Project Type
- DeFi was the most frequently targeted category, with 92 incidents (76.03% of the total) and ~$470 million in losses. Compared to H1 2024 (158 incidents, ~$659 million), losses dropped by 28.67%.
- Exchanges saw 11 incidents with ~$1.883 billion in losses. The Bybit hack alone accounted for ~$1.46 billion.
3. By Loss Size
- Two incidents exceeded $100 million in losses. The top 10 hacks together caused ~$2.018 billion in losses.
4. By Attack Vector
- Account compromise was the most common cause (42 cases), followed by smart contract vulnerabilities (35 cases).
Fraud Tactics
In addition to direct attacks on projects and protocols, scams targeting ordinary users evolved rapidly. This section highlights several typical or emerging fraud tactics that stood out in the first half of 2025.
1. EIP-7702 Phishing Attacks
These attacks abuse the delegation mechanism introduced by EIP-7702 (live on Ethereum mainnet since the Pectra upgrade in May 2025). An externally owned account (EOA) signs an authorization that points its account code at a contract; from then on the EOA executes that contract's code and gains contract-wallet features such as batched transfers, bulk approvals and sponsored (gasless) transactions. The risk cuts two ways: a user who signs an authorization for a malicious delegate contract hands the attacker control of the account and everything it holds, and a phishing site can also drive a legitimate delegate contract to push a batch of approvals or transfers under a single signature. Many anti-phishing tools still do not decode these batched authorizations, so the user sees one innocuous-looking transaction, which gives phishing groups more room to operate.
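The two checks a wallet or anti-phishing tool should run on an EIP-7702 transaction, as an added Python example (not SlowMist's code, nor any wallet's): decode the delegation designator that `eth_getCode` returns for a delegated EOA, and walk the batched calls looking for approvals to unknown spenders or unlimited approvals. It assumes the caller has already fetched the account code and extracted the batch as (target, calldata) pairs; the addresses, the batch and the allowlists are constructed for the demo.

```python
# Added example (not SlowMist's code): decode an EIP-7702 delegation
# designator and screen a batched call list for dangerous approvals.
# Addresses and the batch below are constructed for the demo.

DELEGATION_PREFIX = bytes.fromhex("ef0100")        # EIP-7702: code = 0xef0100 || address
APPROVE = bytes.fromhex("095ea7b3")                # approve(address,uint256)
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")   # setApprovalForAll(address,bool)
UINT256_MAX = 2**256 - 1


def parse_delegation(code: bytes):
    """Return the delegate address if `code` (from eth_getCode on an EOA) is an
    EIP-7702 delegation designator, otherwise None (plain EOA or real contract)."""
    if len(code) == 23 and code[:3] == DELEGATION_PREFIX:
        return "0x" + code[3:].hex()
    return None


def _arg(data: bytes, i: int) -> bytes:
    """i-th 32-byte ABI word after the 4-byte selector."""
    return data[4 + 32 * i: 4 + 32 * (i + 1)]


def _addr(word: bytes) -> str:
    """Address arguments are right-aligned in their 32-byte word."""
    return "0x" + word[-20:].hex()


def screen_batch(calls, trusted_spenders, trusted_delegates, delegate=None):
    """calls: list of (target, calldata) tuples a delegate contract would execute.
    Returns a list of findings; an empty list means nothing looked dangerous."""
    findings = []
    if delegate is not None and delegate.lower() not in {d.lower() for d in trusted_delegates}:
        findings.append(("untrusted_delegate", delegate))
    trusted = {s.lower() for s in trusted_spenders}
    for target, data in calls:
        selector, body = data[:4], data[4:]
        if selector == APPROVE and len(body) >= 64:
            spender = _addr(_arg(data, 0))
            amount = int.from_bytes(_arg(data, 1), "big")
            if spender.lower() not in trusted:
                findings.append(("approve_untrusted_spender", target, spender))
            if amount == UINT256_MAX:
                findings.append(("unlimited_approval", target, spender))
        elif selector == SET_APPROVAL_FOR_ALL and len(body) >= 64:
            operator = _addr(_arg(data, 0))
            approved = int.from_bytes(_arg(data, 1), "big") != 0
            if approved and operator.lower() not in trusted:
                findings.append(("set_approval_for_all_untrusted", target, operator))
    return findings


def encode_approve(spender: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount) the way a batch entry would carry it."""
    return APPROVE + bytes.fromhex(spender[2:]).rjust(32, b"\x00") + amount.to_bytes(32, "big")


# Constructed sample (hypothetical addresses; not real contracts).
ATTACKER = "0x" + "ab" * 20
TOKEN = "0x" + "01" * 20
KNOWN_ROUTER = "0x" + "02" * 20
SAMPLE_CODE = DELEGATION_PREFIX + bytes.fromhex(ATTACKER[2:])   # what eth_getCode would return
SAMPLE_BATCH = [
    (TOKEN, encode_approve(ATTACKER, UINT256_MAX)),   # unlimited approval to a stranger
    (TOKEN, encode_approve(KNOWN_ROUTER, 1_000)),     # bounded approval to a known router
]


def demo():
    """Run the screen on the sample; returns three findings, all about ATTACKER."""
    delegate = parse_delegation(SAMPLE_CODE)
    return screen_batch(SAMPLE_BATCH, trusted_spenders=[KNOWN_ROUTER],
                        trusted_delegates=[], delegate=delegate)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The designator layout (`0xef0100` followed by the 20-byte delegate address) and the `approve` and `setApprovalForAll` selectors are standard; the trust lists are policy the tool owner has to supply. The screen flags an unlimited approval even when the spender is trusted, because a single unlimited approval inside a batch is exactly what a drainer needs, and a user who cannot see inside the batch has no other warning.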
2. Deepfake Scams
As generative AI technology advances rapidly, scams leveraging deepfake techniques for “trust-based fraud” are surging. Attackers use AI-generated video and audio to impersonate well-known project founders, exchange executives, or influencers (KOLs), tricking victims into investments or transfers. Some attackers even use deepfake animations generated from victim photos to bypass KYC systems on exchanges and wallet platforms — gaining account control and stealing funds. These deepfakes are often so realistic that most users cannot distinguish them from genuine content.
3. Fake Safeguard Scams on Telegram
In early 2025, many users on Telegram fell victim to scams impersonating safeguard tools, leading to asset theft or device infections. These scams often involved clipboard malware, distributed under the guise of token airdrops or fake influencer posts. Even experienced users were caught off guard due to FOMO or the appearance of “official verification.”
4. Malicious Browser Extensions
A long-standing scam method in crypto, malicious browser extensions often disguise themselves as “Web3 security tools” or abuse the plugin auto-update mechanism to steal data and hijack permissions — sometimes even tricking users into executing sensitive operations. Their stealth and deceptive appearance make them highly dangerous.
5. LinkedIn Recruitment Phishing
Since 2025, there has been a rise in scams disguised as job offers containing malicious code, particularly on professional networking sites like LinkedIn. These attacks use a combination of polished presentation and precise targeting, posing a new threat to the developer community.
6. Social Engineering Attacks
Social engineering attacks remained prevalent in the crypto space during H1 2025, becoming more subtle and refined. A standout case involved Coinbase users: since early 2025, many reported receiving phone calls from fake “official support” agents, who then tricked them into transferring assets to a so-called “secure wallet.” On May 15, Coinbase confirmed a possible insider data leak and stated it was cooperating with the U.S. Department of Justice (DOJ). The investigation revealed that hackers had bribed overseas customer support staff to gain system access and steal KYC data — including names, addresses, and emails. Although no passwords, private keys, or balances were leaked, the attackers were able to orchestrate highly realistic scams and even demanded a $20 million ransom from Coinbase.
7. Backdoored AI Tools via Cheap APIs
Scammers lured developers via short video platforms by advertising the “cheapest AI tool APIs”, leading them to install malicious npm packages such as sw-cur, aiide-cur, and sw-cur1. Once executed, these packages tampered with local Cursor applications, implanted backdoors, and remotely hijacked code environments, stealing credentials and turning infected devices into botnet nodes. Over 4,200 developers were affected, most of them macOS users.
8. Unrestricted Large Language Models (LLMs)
“Unrestricted LLMs” refer to models that have been deliberately modified or jailbroken to bypass standard safety and ethical controls. While mainstream providers invest heavily in preventing misuse — like generating hate speech, malware, or illegal content — malicious actors create or abuse these less-restricted models for cybercrime. In the crypto space, they significantly lower the technical barrier for fraud. Attackers can fine-tune open-source models using malicious datasets to build custom fraud tools that generate phishing emails, malicious code, and scam scripts — usable even by non-coders.
III. Anti-Money Laundering Landscape
This section includes global regulatory trends, asset freezing and recovery data, organizational activity, and mixer usage.
AML & Regulatory Developments
In H1 2025, global digital asset regulation showed clear signs of maturity and institutionalization. From crypto licensing regimes and stablecoin regulatory frameworks to AML enforcement and privacy coin/P2P restrictions, a more intricate crypto financial governance system is emerging.
Frozen & Recovered Funds
- In H1 2025, Tether froze USDT-ERC20 assets on 209 ETH addresses. (https://dune.com/phabc/usdt---banned-addresses)
- Circle froze USDC-ERC20 assets on 44 ETH addresses. (https://dune.com/phabc/usdc-banned-addresses)
- Nine incidents in H1 2025 resulted in successful asset freezes or recoveries. Those incidents accounted for ~$1.73 billion stolen, of which ~$270 million was frozen or returned (~11.38% of the ~$2.373 billion lost across all H1 incidents). These outcomes reflect improved collaboration and on-chain tracing capabilities.
- Supported by the InMist Lab threat intelligence network, SlowMist helped clients and partners recover/freeze ~$14.56 million.
A notable case:
On April 15, decentralized perpetuals exchange KiloEx was hacked, losing ~$8.44 million. SlowMist immediately organized a security task force to trace the attack path and fund flows. Using its MistTrack AML analysis platform (https://misttrack.io/) and the InMist intelligence network, SlowMist profiled the attackers and facilitated multiple negotiation rounds. Within just 3.5 days, all stolen assets were recovered, and a 10% white-hat bounty agreement was reached with the attacker.
Organizational Activity
1. Lazarus Group
This subsection covers the tactics of North Korean APT group Lazarus, highlights several major incidents in H1 2025, and analyzes its laundering techniques using the Bybit hack as a case study.
2. Drainers
This subsection was written by our partner Scam Sniffer (https://www.scamsniffer.io/). We extend our thanks.
In H1 2025, the Web3 ecosystem faced significant phishing threats, leading to ~$39.73 million in losses across 43,628 victim addresses. The section outlines major trends and high-value cases, providing security insights for users and industry professionals.
3. HuionePay
As global crackdowns on cyber scams, underground payment networks, and cross-border laundering intensified, the HuionePay platform came under increasing scrutiny. Allegedly used for receiving, moving, and off-ramping illicit funds — especially via TRON-based USDT transactions — HuionePay has been actively analyzed by SlowMist. Using MistTrack and on-chain public data, SlowMist built a Dune analytics dashboard and conducted an in-depth investigation into the platform’s on-chain activity. The data covers January 1, 2024 to June 23, 2025.
Mixers
1. Tornado Cash
In H1 2025, users deposited a total of 254,094 ETH ($605.27 million) and withdrew 248,922 ETH ($585 million) from Tornado Cash. Deposit/withdrawal activity spiked in May and June.
2. eXch
Users deposited 28,756 ETH ($82.19 million) and 73,482,393 ERC20 tokens ($73.48 million) into eXch in H1 2025. Activity peaked in early March and ceased on April 30 due to enforcement actions.
IV. Conclusion
In H1 2025, the blockchain industry continued to center around compliance, stability, and security. While hot wallet compromises and phishing attacks remained prevalent, blockchain tracing and fund-freezing capabilities also advanced. Globally, regulatory efforts accelerated, with jurisdictions like Hong Kong, the U.S., and the EU rolling out detailed rules. “Compliance as a prerequisite” is becoming the norm. Overall, the industry is transitioning from its early-stage, chaotic growth toward a more regulated, secure, and resilient ecosystem — where long-term success hinges on surviving within regulatory frameworks.
V. Disclaimer
This report is based on SlowMist’s understanding of the blockchain ecosystem, as well as data from SlowMist Hacked and MistTrack. Due to the anonymous nature of blockchain, we cannot guarantee the absolute accuracy of the data. SlowMist is not liable for any omissions, errors, or consequences arising from use of this report. This report does not constitute investment advice. Feedback and corrections are welcome.
About SlowMist
SlowMist is a blockchain security firm established in January 2018. It was founded by a team with more than ten years of network security experience and has grown into a global firm. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consulting, and other security-related services. We also offer AML (anti-money laundering) software, MistEye (security monitoring), SlowMist Hacked (crypto hack archives), FireWall.x (smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.