Overview
In May 2025, the total loss from Web3 security incidents was approximately $266 million. According to the SlowMist Blockchain Hacked Archive (https://hacked.slowmist.io), there were 15 hacking incidents, resulting in losses of about $257 million, with $162 million frozen or returned. The causes of these incidents involved contract vulnerabilities, oracle attacks, and account breaches. Additionally, according to the Web3 anti-fraud platform Scam Sniffer, there were 7,164 phishing victims this month, with losses amounting to $9.63 million.
Major Security Events
Cetus Protocol
On May 22, 2025, Cetus Protocol, a liquidity provider in the Sui ecosystem, was attacked. The depth of its liquidity pools dropped significantly and multiple token trading pairs declined, resulting in a loss of approximately $230 million.
After the incident, the SlowMist security team immediately stepped in. Its analysis found that the core of the attack was that the attacker carefully constructed parameters so that an overflow occurred while bypassing detection, ultimately exchanging a tiny amount of tokens for massive liquidity assets. For detailed analysis, see SlowMist: Analysis of the $230 Million Theft from Cetus.
(Attack Sequence Diagram)
Fortunately, according to Cetus, it has worked with the Sui Foundation and other ecosystem members to freeze $162 million of the stolen funds on Sui.
(https://x.com/CetusProtocol/status/1925567348586815622)
Cork Protocol
On May 28, 2025, SlowMist detected potential suspicious activity related to Cork Protocol. According to the SlowMist security team's analysis, the root cause of the attack was that Cork allowed users to create redemption assets (RA) with arbitrary assets through the CorkConfig contract, enabling attackers to use DS as RA. Additionally, any user could call the beforeSwap function of the CorkHook contract without authorization and pass custom hook data for CorkCall operations, allowing attackers to manipulate and deposit DS from a legitimate market into another market as RA, obtaining corresponding DS and CT tokens.
(https://x.com/SlowMist_Team/status/1927705256915333359)
According to the on-chain anti-money laundering and tracking tool MistTrack, the attacker's address 0xea6f30e360192bae715599e15e2f765b49e4da98 profited 3,761.878 wstETH, valued at over $12 million. As of now, 4,530.5955 ETH remains in the attacker's address, and we will continue to monitor the funds.
BitoPro
According to on-chain detective ZachXBT, the Taiwanese cryptocurrency exchange BitoPro was allegedly attacked on May 8, 2025, with losses of approximately $11.5 million. Abnormal fund outflows occurred from hot wallets on multiple chains, including TRON, Ethereum, Solana, and Polygon. The stolen assets were quickly sold on decentralized exchanges. The proceeds were then transferred to Tornado Cash or moved cross-chain to the Bitcoin network via THORChain, and further deposited into Wasabi Wallet for laundering.
(https://x.com/zachxbt/status/1929417001296146868)
Demex
On May 16, 2025, Demex's lending market Nitron was attacked, with losses of about $950,000. According to Demex's incident analysis report, the root cause was a donation-based oracle manipulation attack on the abandoned dGLP vault.
(https://blog.dem.exchange/nitron-post-mortem/)
On May 19, Demex posted an update on the incident, stating that with the support of partners it had successfully recovered $78,000.
Zunami Protocol
On May 15, 2025, Zunami Protocol announced via tweet that it was attacked, with collateral assets of zunUSD and zunETH stolen, resulting in a loss of about $500,000. The attacker has transferred the stolen funds to Tornado Cash.
(https://x.com/ZunamiProtocol/status/1922993510925435267)
On May 30, Zunami Protocol founder @kirill_zunami tweeted that they are investigating the attack and simultaneously considering two possible scenarios: stolen deployer keys or malicious behavior by key holders.
(https://x.com/kirill_zunami/status/1928131508117651725)
Characteristic Analysis and Security Recommendations
Contract vulnerabilities remain the primary cause of losses in this month's blockchain security incidents. Six incidents related to contract vulnerabilities caused approximately $244 million in losses, accounting for 95% of this month's losses from hacking incidents. The SlowMist security team recommends that project teams stay highly vigilant, conduct comprehensive security audits regularly, find and fix potential vulnerabilities promptly, and follow the latest attack methods and security trends in order to protect assets and users.
Account breaches have again drawn widespread attention this month, with 6 incidents occurring. Besides Web3 project official accounts, media institutions and other high-profile accounts have also become attack targets. For example, on May 12, the X account of the English football club @SheffieldUnited was hacked, with attackers using it to publish false token addresses. Attackers also used Cointelegraph's X account to send targeted phishing links via private messages. For guidance on securing X platform accounts, refer to the previously published SlowMist: X Account Security Inspection and Reinforcement Guide.
It is worth noting that the North Korean hacker group Lazarus Group has recently begun shifting attack targets from institutions to individual investors. On May 24, the group stole over $5.2 million from a merchant through malware, which may signify a significant change in their attack strategy. Therefore, ordinary users should also actively enhance their security awareness and can refer to the 'Blockchain Dark Forest Self-Rescue Handbook' to improve their protection capabilities. (https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook)
This month, there has been new progress in the investigation of frequent social engineering attacks on Coinbase users. According to information disclosed by Coinbase, attackers utilized internal employee permissions to obtain sensitive user data and launched precise social engineering attacks based on this information. This discovery reveals the massive potential risks of internal collusion in security systems and again reminds various platforms to strengthen internal permission management. For more event details, see "Customer Service" in the Dark Forest: Social Engineering Scams Target Coinbase Users.
Finally, the events included in this article are the main security events of the month. More blockchain security incidents can be found in the SlowMist Blockchain Hacked Archive (https://hacked.slowmist.io/).


