SlowMist Monthly Security Report: January Estimated Losses at $98.19 Million
Overview
In January 2025, the total loss from Web3 security incidents was approximately $98.19 million. According to the SlowMist Hacked Database, there were 40 hacking incidents, resulting in a loss of about $87.94 million, with $1.47 million recovered. The causes of these incidents included contract vulnerabilities, account compromises, and private key leaks. Additionally, according to the Web3 anti-scam platform Scam Sniffer, 9,220 victims fell prey to phishing attacks this month, with losses totaling $10.25 million.
Major Security Incidents
Phemex
On January 23, 2025, the Singapore-based cryptocurrency exchange Phemex suffered a hot wallet attack, resulting in a loss of approximately $70 million. Phemex CEO Federico Variola stated on X:
“Hello everyone, as we look into a report on one of our hot wallets rest assured our cold wallets remain safe and can be checked by everyone here, will post more updates shortly.”
NoOnes
On January 1, 2025, the P2P trading platform NoOnes was attacked, with its hot wallets on Ethereum, Tron, Solana, and BSC experiencing hundreds of suspicious outbound transactions, leading to a loss of approximately $7.2 million. CEO Ray Youssef explained that the incident was caused by an exploit of its Solana bridge.
AdsPower
On January 24, 2025, the AdsPower security team discovered an intrusion incident where hackers spread malicious code, leading to the compromise of some third-party browser extensions, resulting in the theft of over $4.7 million. The SlowMist security team has stepped in to analyze the situation.
Users who installed or manually updated an extension wallet in AdsPower between January 21, 18:00, and January 24, 18:00 (UTC+8) may be running a backdoored version of that extension, which poses a risk of mnemonic/private key theft. It is advised to transfer assets from affected wallets as soon as possible.
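A triage sketch for the exposure window above, added here as an example and not taken from SlowMist or AdsPower: it flags extension folders whose files were modified inside the window, converting from UTC+8 correctly. The extension root directory is an assumption and must be supplied by the user; the function and field names are hypothetical.

```python
"""Flag extension folders whose files changed inside the advisory window."""
import json
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

UTC8 = timezone(timedelta(hours=8))
# Window from the advisory: January 21, 18:00 to January 24, 18:00 (UTC+8), 2025.
WINDOW_START = datetime(2025, 1, 21, 18, 0, tzinfo=UTC8)
WINDOW_END = datetime(2025, 1, 24, 18, 0, tzinfo=UTC8)


def in_window(ts: float) -> bool:
    """True if a POSIX timestamp falls inside the advisory window."""
    moment = datetime.fromtimestamp(ts, tz=timezone.utc)
    return WINDOW_START <= moment <= WINDOW_END


def extension_name(ext_dir: Path) -> str:
    """Read the display name from manifest.json, falling back to the folder name."""
    try:
        manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
        return str(manifest.get("name", ext_dir.name))
    except (OSError, ValueError, AttributeError):
        return ext_dir.name


def flag_extensions(root: Path) -> list[dict]:
    """One record per extension folder under root with files modified in the window."""
    flagged = []
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        stamps = [f.stat().st_mtime for f in ext_dir.rglob("*") if f.is_file()]
        hits = [ts for ts in stamps if in_window(ts)]
        if hits:
            flagged.append({
                "dir": ext_dir.name,
                "name": extension_name(ext_dir),
                "files_in_window": len(hits),
                "latest_change_utc8": datetime.fromtimestamp(max(hits), tz=UTC8).isoformat(),
            })
    return flagged


if __name__ == "__main__":
    # Usage: python check_window.py <extension-root-directory>
    for record in flag_extensions(Path(sys.argv[1])):
        print(record)
```

File modification times are only a heuristic: copies and restores can change them, so an empty result does not show that a wallet extension is clean.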
Moby
On January 8, 2025, an attacker took control of the private key used to authorize upgrades to Moby’s core contracts, leading to protocol compromise. This attack put 3.77 wBTC, 207.76 wETH, and 1,500,351.5 USDC in the sOLP and mOLP liquidity pools at risk. With the assistance of the Seal911 team, Moby has successfully recovered approximately 1.47 million USDC.
Orange Finance
On January 8, 2025, the Arbitrum-based liquidity management project Orange Finance was exploited due to a multisig configuration error, leading to the theft of approximately $830,000 in assets. The attacker gained ownership of each vault, modified their implementations, and extracted deposited assets as well as excessively authorized funds.
Of the total losses, around 94% ($780,000) came from deposited assets, while the remaining 6% ($47,000) resulted from excessive approvals.
Analysis and Recommendations
There has been a recent surge in account compromise incidents. According to the SlowMist Hacked Database, 21 account breaches occurred in January, accounting for about half of all recorded incidents. Notably, accounts related to political figures or political content were particularly targeted.
Hackers and malicious actors have been using social media to promote meme coins, exploiting users’ FOMO to attract funds before making a swift exit. For example, the X account @TrumpDailyPosts posted four tweets promoting a meme coin, only to delete them within minutes, walking away with approximately $1.25 million.
Users are advised to remain vigilant, verify information sources before purchasing tokens, and be wary of sudden announcements on social media — especially those related to meme coins involving political figures, well-known institutions, or celebrities — to avoid falling for scams.
Additionally, the SlowMist security team has noticed a growing number of victim reports related to the “Fake Safeguard” scam on Telegram. Details on this scam method and countermeasures can be found in “New Scam Technique | Fake Safeguard Scam on Telegram”.
Lastly, this article covers the major security incidents of the month. For more blockchain security incidents, visit the SlowMist Hacked Database.
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.