SlowMist Monthly Security Report: May Estimated Losses at $266 Million
Overview
In May 2025, Web3 security incidents resulted in total losses of approximately $266 million. According to the SlowMist Hacked Archive, a total of 15 hacking incidents occurred, leading to $257 million in losses, with $162 million successfully frozen or recovered. The incidents involved causes such as smart contract vulnerabilities, oracle manipulation, and account compromises.
In addition, according to the Web3 anti-scam platform Scam Sniffer, 7,164 victims were affected by phishing attacks this month, with total losses reaching approximately $9.63 million.
Major Security Incidents
Cetus Protocol
On May 22, 2025, liquidity protocol Cetus on SUI suffered an attack, resulting in a significant reduction in liquidity pool depth. Several trading pairs experienced sharp price drops, with losses reaching approximately $230 million.
The SlowMist Security Team quickly launched an in-depth investigation and determined that the attacker manipulated specific parameters to bypass checks and cause an arithmetic overflow, allowing them to swap a small amount of tokens for a large share of liquidity assets. For the full analysis, see SlowMist: Analysis of the $230 Million Cetus Hack.
Fortunately, according to Cetus, with the support of the SUI Foundation and ecosystem partners, $162 million worth of stolen assets on SUI were successfully frozen.
Cork Protocol
On May 28, 2025, SlowMist detected suspicious activity related to the Cork Protocol. According to the SlowMist Security Team, the root cause lies in the following two aspects:
- Users are allowed to create redemption assets (RA) in the CorkConfig contract using arbitrary tokens, which enabled attackers to set DS as RA.
- Any user could call the beforeSwap function in the CorkHook contract without authentication and pass in crafted hook data for CorkCall, allowing attackers to inject DS from one valid market into another as RA, thus gaining DS and CT tokens.
According to on-chain tracking tool MistTrack, the attacker address 0xea6f...da98 profited 3,761.878 wstETH, worth over $12 million. The address still holds 4,530.5955 ETH and is being monitored.
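The two root causes listed above, as a simplified Python model added here for illustration (it is not Cork's contract code or SlowMist's analysis code). The class, method bodies, token labels and caller names are hypothetical; the hardened flag turns on one check per root cause so the same constructed call sequence can be replayed with and without them.

```python
class Rejected(Exception):
    """Raised when a check refuses a call."""


class MarketModel:
    """Hypothetical, simplified stand-in for the config and hook logic."""

    def __init__(self, pool_manager, hardened):
        self.pool_manager = pool_manager  # the only legitimate hook caller
        self.hardened = hardened
        self.ra_of = {}                   # market id -> redemption asset (RA)
        self.issued = set()               # DS/CT tokens issued by any market
        self.minted = []                  # (recipient, token, amount)

    def create_market(self, market_id, ra_token):
        # Root cause 1: without this check any token, including DS, can be an RA.
        if self.hardened and ra_token in self.issued:
            raise Rejected(f"{ra_token} is a derivative token and cannot be an RA")
        self.ra_of[market_id] = ra_token
        ds, ct = f"DS:{market_id}", f"CT:{market_id}"
        self.issued.update((ds, ct))
        return ds, ct

    def before_swap(self, caller, hook_data):
        # Root cause 2: without this check the hook trusts any caller's data.
        if self.hardened and caller != self.pool_manager:
            raise Rejected("before_swap may only be called by the pool manager")
        market = hook_data["market_id"]
        if hook_data["deposit_token"] != self.ra_of[market]:
            raise Rejected("deposit token is not this market's RA")
        # Depositing RA issues the market's DS and CT to the named recipient.
        for token in (f"DS:{market}", f"CT:{market}"):
            self.minted.append((hook_data["recipient"], token, hook_data["amount"]))


def replay(hardened):
    """Replay a constructed call sequence; return the messages of checks that fired."""
    model, fired = MarketModel("pool-manager", hardened), []
    ds_a, _ = model.create_market("A", "RA-TOKEN")
    crafted = {"market_id": "A", "deposit_token": "RA-TOKEN",
               "recipient": "untrusted-caller", "amount": 1}
    steps = (
        lambda: model.create_market("B", ds_a),                 # DS of A offered as RA
        lambda: model.before_swap("untrusted-caller", crafted), # direct hook call
    )
    for step in steps:
        try:
            step()
        except Rejected as exc:
            fired.append(str(exc))
    return fired
```

With the checks off, both constructed calls go through silently; with them on, each call is refused by the check that matches its root cause.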
BitoPro
According to blockchain investigator ZachXBT, the Taiwan-based crypto exchange BitoPro may have suffered a hack on May 8, 2025, with an estimated loss of around $11.5 million. Abnormal outflows occurred from hot wallets across Tron, Ethereum, Solana, and Polygon, and the stolen funds were quickly dumped via DEXs.
The assets were subsequently laundered using Tornado Cash, or bridged to Bitcoin via Thorchain and further mixed with Wasabi Wallet.
Demex
On May 16, 2025, Demex’s lending market Nitron was exploited, resulting in a loss of approximately $950,000. According to Demex’s official post-mortem, the attack was due to a donation-based oracle manipulation targeting a deprecated dGLP vault.
Demex later stated in a May 19 update that $78,000 had been recovered with the help of its partners.
Zunami Protocol
On May 15, 2025, Zunami Protocol tweeted that it had been attacked. The collateral for zunUSD and zunETH was drained, with losses totaling around $500,000. The funds were sent to Tornado Cash.
On May 30, Zunami founder @kirill_zunami stated that the team suspects either the deployer key was compromised or a key-holding member carried out a malicious act.
Attack Patterns and Security Recommendations
This month, smart contract vulnerabilities remained the leading cause of losses. Six incidents involving contract flaws led to $244 million in losses, accounting for 95% of all hacking-related losses this month.
The SlowMist Security Team strongly recommends that Web3 project teams maintain high vigilance, conduct thorough and regular audits, patch any known vulnerabilities in a timely manner, and stay informed of the latest exploit techniques and security practices to safeguard user and asset safety.
This month also saw an uptick in account compromises, with six incidents reported. Attackers not only targeted official project accounts, but also media outlets and prominent individuals:
- On May 12, the official X account of the UK football club @SheffieldUnited was hijacked to post fake token links.
- Attackers also leveraged Cointelegraph’s official account to send phishing DMs to specific users.
For detailed tips on enhancing your X account security, refer to: SlowMist: Security Guide for Securing X Accounts.
Alarmingly, the North Korean hacker group Lazarus appears to be shifting its focus from institutional targets to individual investors. On May 24, the group allegedly deployed malware to steal over $5.2 million from a merchant. This may indicate a strategic pivot.
Retail users should stay alert and enhance their security awareness. For practical protection tips, refer to the Blockchain Dark Forest Selfguard Handbook.
Finally, further revelations have emerged around the Coinbase social engineering incident. According to official updates from Coinbase, attackers abused internal employee privileges to obtain sensitive user information and carry out targeted phishing attacks. This underscores the severe risk of insider threats and the importance of internal permission controls. More details: “Customer Support” in the Dark Forest: Social Engineering Scams Target Coinbase Users.
In conclusion, the events covered in this article represent the major security incidents of the month. For more blockchain security incidents, please visit the SlowMist Hacked database (https://hacked.slowmist.io).
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.