SlowMist Monthly Security Report: February Estimated Losses at $1.681 Billion

SlowMist

Overview

In February 2025, Web3 security incidents resulted in an estimated total loss of $1.681 billion. According to the SlowMist Blockchain Hacked Archives (https://hacked.slowmist.io), 15 hacking incidents were recorded, leading to approximately $1.676 billion in losses, with $52.45 million frozen or recovered. The causes of these incidents included smart contract vulnerabilities, social engineering, account compromises, and private key leaks.

Additionally, according to the Web3 anti-scam platform Scam Sniffer, there were 7,442 victims of phishing attacks this month, with total losses amounting to $5.32 million.

https://dune.com/scam-sniffer/february-2025-scam-sniffer-scam-report

Major Security Incidents

Bybit

On February 21, 2025, on-chain investigator ZachXBT reported a large-scale fund outflow from the Bybit platform. According to statistics, the incident resulted in nearly $1.5 billion in losses. Following the incident, the SlowMist security team promptly issued a security alert, tracked the stolen assets, and analyzed the attack methods. Additionally, discussions were held on strengthening the protection of multi-signature wallets using Safe’s enhanced security mechanisms.

On the evening of February 26, both Bybit and Safe released security investigation reports regarding the theft of nearly $1.5 billion worth of cryptocurrency from Bybit. Safe stated that forensic analysis of the targeted attack on Bybit by the Lazarus Group revealed that the attackers compromised a Safe{Wallet} developer’s machine, allowing them to submit a disguised malicious transaction proposal. They then tricked the Owner of Bybit’s Safe wallet into signing the malicious transaction, ultimately enabling the attack on Bybit’s Safe wallet.

The following diagram illustrates the overall attack process, as compiled by the SlowMist security team:

Based on currently available information, the fund tracing and freezing efforts for the Bybit theft incident are still ongoing. As of March 3, through coordinated efforts from multiple parties, Bybit has successfully frozen approximately $43.65 million of the stolen funds.

https://x.com/Bybit_Official/status/1893687749229563958

LIBRA

On February 15, 2025, Argentine President Javier Milei promoted a cryptocurrency called LIBRA on social media, claiming it would help revive Argentina’s economy and sharing the contract address. Following the announcement, many memecoin enthusiasts rushed to participate, causing LIBRA’s price to skyrocket, with its market capitalization briefly approaching $5 billion. However, just hours after the token launch, the project team withdrew liquidity, leading to a sharp market collapse. For a detailed analysis, see Risk Alert | A Look at the “Politicized” Cryptocurrency Scams Through LIBRA.

Infini

On February 24, 2025, the emerging stablecoin bank Infini was attacked. The attacker gained access to a wallet with admin privileges, stealing nearly $50 million. Infini’s founder, Christian, stated on Twitter that the founder’s private key was not compromised but acknowledged an oversight during the transfer of admin permissions. Christian also assured users that liquidity remains stable and that full compensation is possible while investigations continue.

According to an analysis by MistTrack, the on-chain tracking and anti-money laundering tool under SlowMist AML, the stolen funds have been converted into ETH and are currently held at address 0xfcc8ad911976d752890f2140d9f4edd2c64a6e49. We will continue to monitor the movement of these funds.

zkLend

On February 12, 2025, zkLend, a leading lending platform on the Starknet chain, was attacked, resulting in a loss of approximately $9.6 million.

According to an analysis by the SlowMist security team, the root cause of the incident was a rounding vulnerability in the safeMath library used in zkLend’s market contract. The library performed direct division operations, which led to an incorrect calculation of the number of zTokens to be burned during withdrawal transactions. The attacker exploited this flaw for profit.
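
The rounding class described above, as an added illustration that is not zkLend's code or SlowMist's: a constructed share-accounting model in Python that compares a truncating burn calculation with one rounded up, and checks a solvency invariant. The names `Pool`, `burn_floor`, `burn_ceil`, the 10**18 scale and the 2.5 index are assumptions chosen for the example.

```python
SCALE = 10**18  # fixed-point scale of the accumulator (assumed value)

def burn_floor(amount, index):
    # Direct, truncating division: the number of shares to burn is rounded DOWN.
    return amount * SCALE // index

def burn_ceil(amount, index):
    # Hardened form: round the burn UP so a withdrawal is never under-charged.
    return (amount * SCALE + index - 1) // index

def underburn_cases(burn_fn, index, amounts):
    """Amounts for which the burned shares are worth less than the assets paid out."""
    return [a for a in amounts if burn_fn(a, index) * index < a * SCALE]

class Pool:
    """Constructed model: share balances redeemable at `index` (not zkLend's contract)."""
    def __init__(self, index, burn_fn):
        self.index, self.burn_fn = index, burn_fn
        self.shares, self.underlying = {}, 0

    def deposit(self, user, amount):
        minted = amount * SCALE // self.index  # minting rounds down, against the depositor
        self.shares[user] = self.shares.get(user, 0) + minted
        self.underlying += amount

    def withdraw(self, user, amount):
        burn = self.burn_fn(amount, self.index)
        if burn > self.shares.get(user, 0) or amount > self.underlying:
            raise ValueError("insufficient balance")
        self.shares[user] -= burn
        self.underlying -= amount

    def solvent(self):
        # Invariant to monitor: assets held must cover every outstanding share.
        owed = sum(self.shares.values()) * self.index // SCALE
        return self.underlying >= owed

def simulate(burn_fn, index=5 * SCALE // 2, attempts=5):
    """Two equal depositors; one requests small withdrawals. Returns (paid_out, solvent)."""
    pool = Pool(index, burn_fn)
    pool.deposit("a", 10)
    pool.deposit("b", 10)
    paid = 0
    for _ in range(attempts):
        try:
            pool.withdraw("a", 2)
            paid += 2
        except ValueError:
            break
    return paid, pool.solvent()
```

With truncation the model pays out 10 units without burning any shares and ends insolvent; with the burn rounded up, the same requests stop at 8 units and the invariant holds.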

Using MistTrack to trace and analyze the attacker’s addresses, we discovered links between the zkLend attacker and the perpetrator behind the EraLend attack, which resulted in a loss of approximately $3.4 million. This suggests that both attacks were carried out by the same individual.

ionic

According to the incident analysis report released by ionic, on February 4, 2025, the ionic protocol suffered a social engineering attack, allowing the attacker to use a forged Lombard Bitcoin Token (LBTC) as collateral. This asset was deployed on the Mode network.

The attacker deployed the fake LBTC on January 9, 2025, but ionic’s records show that the attacker had begun interacting with the platform around December 12, 2024. After several weeks of business development (BD) discussions, the ionic team approved the fraudulent asset as collateral, setting up a Balancer liquidity pool (with $400,000 in liquidity) and integrating API3 oracle price feeds. Eventually, the ionic Mode main market accepted the fake LBTC as collateral, with a total supply of 250 LBTC. The attacker minted 250 LBTC in their own wallet, deposited them into ionic, and exploited this setup to steal $12.3 million in supplied assets.

Due to the swift response and coordination between the ionic team and the Mode team, the attacker’s wallet address was successfully frozen at the Mode network level, including holdings in Layerbank and Ironclad. Currently, the frozen Mode wallet holds $8.8 million in stolen assets, limiting the attacker’s successfully bridged-out funds to $3.5 million.

https://postmortem.s3.us-east-1.amazonaws.com/postmortem.pdf

Analysis and Recommendations

As more politicians venture into the cryptocurrency space, issuing tokens under the guise of “economic revival” or “technological innovation”, investors must remain cautious about the underlying risks. These tokens often leverage celebrity influence for market hype, leading to short-term price surges. However, once the bubble bursts, retail investors frequently bear the heaviest losses. We strongly advise investors to stay rational, refrain from blindly trusting sudden announcements on social media, and assess projects from multiple angles to verify their authenticity and security. Avoiding herd mentality investments is crucial in minimizing potential risks and safeguarding assets.

This month’s security incidents once again highlight the importance of implementing additional defense measures beyond traditional security audits. Previously, the SlowMist security team published an analysis exposing Lazarus Group’s infiltration tactics. Through extensive investigation and accumulated intelligence, we have identified this as a state-sponsored Advanced Persistent Threat (APT) attack targeting cryptocurrency exchanges. APT attacks are highly covert, persistent, and strategically targeted, making them extremely difficult to defend against. Their complex infiltration techniques often bypass conventional security measures. In response, the SlowMist security team has proposed eight key defense strategies, detailed in our report: “Cryptocurrency APT Intelligence: Unveiling Lazarus Group’s Intrusion Techniques.”

Additionally, this month’s total security losses reached $1.681 billion, marking a significant increase compared to previous months, with the Bybit breach accounting for the majority of losses. Both the scale of attacks and the magnitude of financial impact serve as a stark reminder that the blockchain ecosystem operates within a “dark forest” where risks are ever-present. However, there is still light in the darkness — this month, $52.45 million of stolen funds were successfully frozen or recovered. The industry’s coordinated response demonstrates ongoing efforts to mitigate losses and combat cyber threats. Despite the frequent occurrence of attacks, the sector’s security resilience, collaboration mechanisms, and incident response capabilities continue to improve.

Finally, this report covers key security incidents from this month. For a more comprehensive list of blockchain security breaches, please visit the SlowMist Hacked Archive at https://hacked.slowmist.io/.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was founded by a team with over ten years of network security experience, with the aim of becoming a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
