SlowMist Produced | Blockchain Security and Anti-Money Laundering Report for the First Half of 2025

Bitpush
07-02

Due to space limitations, this article lists only the key content of the report. The full report can be downloaded from the following links.

Chinese : https://www.slowmist.com/report/SlowMist-first-half-of-the-2025-report(CN).pdf

English: https://www.slowmist.com/report/SlowMist-first-half-of-the-2025-report(EN).pdf


1. Introduction


In the first half of 2025, the blockchain industry kept growing rapidly while facing increasingly complex security threats and compliance pressure. On one side, hacker attacks remained active: APT groups' tradecraft became more modular and systematic, and phishing and social engineering were rampant, causing major asset losses and crises of user trust. On the other side, global regulation accelerated, with governments and international organizations frequently issuing new rules on anti-money laundering, sanctions and investor protection. Notably, stablecoins are evolving into key infrastructure linking traditional finance with on-chain finance, and major global financial institutions and leading crypto platforms are accelerating their stablecoin strategies. Meanwhile, the flow of illicit funds keeps changing form, on-chain tracing technology and intelligence-sharing mechanisms keep improving, regulators and leading platforms cooperate more closely, and cases of funds being frozen and recovered have increased markedly, forming a stronger deterrent to on-chain crime and illicit funds.


As a pioneer in blockchain security, SlowMist continues to deepen its work in threat intelligence, attack monitoring, tracing and compliance support. Against this backdrop, this report focuses on major security incidents, global regulatory developments and on-chain anti-money laundering trends in the first half of 2025. We hope it gives industry practitioners, security researchers and compliance managers a timely, systematic and insightful security and compliance reference, and strengthens their ability to identify, respond to and anticipate risks.


2. Blockchain Security Situation


Security incident review


In the first half of 2025, the blockchain field still faced severe security challenges. According to incomplete statistics from SlowMist Hacked, the SlowMist archive of blockchain hacking incidents, there were 121 security incidents in the first half of the year, causing losses of approximately US$2.373 billion. Compared with the first half of 2024 (223 incidents, losses of approximately US$1.43 billion), the number of incidents fell, but total losses rose by approximately 65.94% year-on-year.


Note: The figures in this report are based on token prices at the time each incident occurred. Because of price fluctuations, undisclosed incidents, and the exclusion of ordinary users' losses from the statistics, actual losses are likely higher than the figures reported here.


Image: https://hacked.slowmist.io/


1. From the ecological perspective


Ethereum remained the hardest-hit chain, with losses of about $38.59 million, followed by Solana (about $5.8 million) and BSC (about $5.49 million).


2. From the perspective of project type


DeFi was the most frequently attacked project type. In the first half of 2025 there were 92 DeFi security incidents, 76.03% of the 121 incidents in total, with losses as high as US$470 million. Compared with the first half of 2024 (158 incidents, losses of approximately US$659 million), losses fell 28.67% year-on-year. Exchange platforms accounted for the second-largest number of incidents, 11 in total, but for losses as high as US$1.883 billion; Bybit was hit hardest, with a single incident causing a loss of approximately US$1.46 billion.


3. From the perspective of the scale of losses


In the first half of the year, two incidents each caused losses of more than $100 million, and the top ten attacks together caused losses of $2.018 billion.


4. From the cause of the attack


Account compromise caused the largest number of security incidents (42), followed by contract vulnerabilities (35).


Fraudulent tactics


Beyond direct attacks on projects and protocols, scams targeting ordinary users are also evolving rapidly. This section highlights several typical or new fraud techniques from the first half of 2025 that deserve particular attention.


1. Phishing using EIP-7702


This type of phishing exploits the delegation mechanism introduced by EIP-7702: a user's EOA can be delegated to a contract so that the EOA takes on that contract's capabilities (batch transfers, batch approvals, gas sponsorship and so on). If the user delegates to a malicious contract, the account is at risk; if the user delegates to a legitimate contract whose features are then abused by a phishing site, the account is also at risk. In addition, some anti-phishing tools cannot accurately flag batch-approval operations, which leaves an opening for phishing gangs.
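One defensive check a wallet or monitoring tool can run against this risk is to read an EOA's on-chain code and see whether it carries an EIP-7702 delegation, and if so, whether the delegate is a known, audited contract. The following is an added example, not code from the SlowMist report; the delegation designator format (0xef0100 followed by the 20-byte delegate address) is taken from the EIP-7702 specification, while the allowlist addresses and sample code values are constructed for illustration.

```javascript
// Added example (not from the SlowMist report): inspect an EOA's code, as
// returned by eth_getCode, for an EIP-7702 delegation designator and compare
// the delegate against an operator-maintained allowlist.
//
// Per EIP-7702, a delegated EOA's code is exactly 23 bytes:
// 0xef0100 followed by the 20-byte address of the delegate contract.
const DELEGATION_PREFIX = "ef0100";
const DESIGNATOR_HEX_LEN = 46; // 3 prefix bytes + 20 address bytes, in hex chars

// Hypothetical allowlist of audited delegate contracts (constructed addresses).
const KNOWN_DELEGATES = new Set([
  "0x1111111111111111111111111111111111111111",
]);

// Parse the account code. Returns the delegate address when the code is a
// valid 7702 designator, and flags plain EOAs and ordinary contracts otherwise.
function parseDelegation(codeHex) {
  const hex = codeHex.toLowerCase().replace(/^0x/, "");
  if (hex.length === 0) {
    return { delegated: false, target: null, kind: "plain-eoa" };
  }
  if (hex.length !== DESIGNATOR_HEX_LEN || !hex.startsWith(DELEGATION_PREFIX)) {
    // Code is present but is not a designator: a normal contract account.
    return { delegated: false, target: null, kind: "contract" };
  }
  return { delegated: true, target: "0x" + hex.slice(DELEGATION_PREFIX.length), kind: "delegated-eoa" };
}

// Classify the delegation for a user-facing warning.
function assessDelegation(codeHex) {
  const d = parseDelegation(codeHex);
  if (!d.delegated) return "no-delegation";
  return KNOWN_DELEGATES.has(d.target) ? "known-delegate" : "UNKNOWN-DELEGATE";
}

// Constructed sample inputs standing in for eth_getCode results.
const samples = {
  plainEoa: "0x",
  trustedDelegate: "0xef01001111111111111111111111111111111111111111",
  unknownDelegate: "0xef0100deadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
  ordinaryContract: "0x6080604052",
};

for (const [name, code] of Object.entries(samples)) {
  console.log(name, "->", assessDelegation(code));
}
```

An UNKNOWN-DELEGATE result means the EOA will execute whatever the delegate contract allows, including batch approvals, so the user should verify the delegate or revoke the delegation before signing anything further.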


2. Using Deepfakes to Scam


With the rapid development of generative AI, "trust fraud" based on deepfake technology has surged. In essence, attackers use AI synthesis tools to forge audio and video of well-known project founders, exchange executives or community KOLs to steer the public into investing in projects; they pose as security experts whose "instructions" lead victims to grant further approvals and transfer funds; worse still, they combine deepfake technology with photos of victims to generate animated likenesses in an attempt to bypass the KYC checks of exchanges or wallet platforms, then take over accounts and steal assets. These forgeries are often highly realistic and hard for ordinary users to tell from the real thing.


3. Telegram fake Safeguard scam


In early 2025, large numbers of Telegram users ran into fake Safeguard scams that ended in asset theft or device compromise. This scam centres on tricking users into executing malicious code placed in their clipboard, and casts a wide net through high-frequency scenarios such as token airdrops and fake KOL posts, with serious consequences. Even experienced users can fall for it under FOMO and the illusion of "official verification."


4. Malicious browser extensions


Malicious browser extensions have long been a common fraud vector in the crypto space. Attackers disguise extensions as "Web3 security tools" or abuse the plug-in auto-update mechanism to steal data and manipulate permissions on users' devices, and even trick users into performing sensitive operations, which makes these attacks harder to detect and more deceptive.


5. LinkedIn Recruitment Phishing


Since 2025, fraud cases that use recruitment as a pretext to inject malicious code have been on the rise, especially on professional networking platforms such as LinkedIn, and have become a new threat to the engineering community. These attacks typically combine "professional packaging" with precisely targeted attacks and are highly disguised.


6. Social Engineering Attacks


In the first half of 2025, social engineering attacks continued to occur frequently in the crypto industry and grew more sophisticated and covert; cases that combined the abuse of internal platform permissions with external, precisely targeted fraud drew particular attention. The social engineering attacks against Coinbase users are a typical example. Since the start of the year, many Coinbase users have reported receiving calls from "official customer service" that induced them to transfer funds to a so-called "safe wallet". On May 15, Coinbase issued an announcement confirming that "internal personnel are suspected of leaking customer information" and stated that it is cooperating with the US Department of Justice (DOJ) on the investigation. The investigation found that hackers had bribed overseas customer-service staff to obtain system access and steal KYC information including names, addresses and email addresses. Although no user passwords, private keys or account balances were involved, this was enough to run a highly convincing fraud. The scammers even demanded a ransom of $20 million from Coinbase.


7. Backdoor poisoning of cheap AI tools


Attackers used the lure of "the cheapest AI tool API on the internet" to draw traffic on short-video platforms and induce developers to install malicious npm packages named sw-cur, aiide-cur, sw-cur1 and others. Once executed, these dependencies deeply tamper with the local Cursor application, implant a backdoor and remotely take over the coding environment, not only stealing credentials but also turning the device into a "zombie" under the attacker's long-term control. According to statistics, more than 4,200 developers are known to be affected, mostly macOS users.


8. Unrestricted Large Language Model (LLM)


An "unrestricted LLM" is a model that has been deliberately modified or "jailbroken" to bypass the safety mechanisms and ethical restrictions of mainstream models. Mainstream vendors invest heavily in preventing their models from generating hate speech, disinformation, malicious code or illegal instructions, while some criminals deliberately develop or abuse less restricted models for cybercrime. In the crypto field, abuse of such models is lowering the barrier to attack: attackers can obtain open-source model weights and code, fine-tune them on data sets containing malicious content, and produce customised fraud tools that generate phishing emails, malicious code, fraud scripts and the like, which even people without programming experience can easily use.


3. Anti-money laundering situation


This section has four parts: global regulatory developments, fund freezing and return data, organization news, and coin-mixing tools.


Anti-money laundering and regulatory developments


In the first half of 2025, digital asset regulation in many countries became markedly more mature and institutionalised. From licensing of crypto platforms and regulatory frameworks for stablecoins to stronger anti-money laundering regimes and restrictions on privacy coins and P2P trading, an increasingly sophisticated crypto-financial governance network is taking shape worldwide.


Funds freeze/return data


In the first half of 2025, Tether froze USDT-ERC20 assets on 209 ETH addresses. (Data source: https://dune.com/phabc/usdt-banned-addresses)


In the first half of 2025, Circle froze USDC-ERC20 assets on 44 ETH addresses. (Data source: https://dune.com/phabc/usdc-banned-addresses)


In the first half of 2025, there were 9 incidents in which lost funds were recovered or frozen after an attack. Across these 9 incidents, about US$1.73 billion was stolen, of which nearly US$270 million was returned or frozen, 11.38% of total losses for the half-year. This proportion owes much to the continued improvement of multi-party coordinated response and on-chain tracing capabilities.


In addition, with strong support from the SlowMist InMist Lab threat-intelligence cooperation network, SlowMist assisted customers, partners and public hacking incidents in freezing and recovering approximately US$14.56 million in the first half of 2025.


It is worth noting that on April 15, the decentralised perpetual contract trading platform KiloEx was hacked and lost about US$8.44 million. SlowMist immediately organised a security team to respond and worked with KiloEx to reconstruct the attack path and the flow of funds. Relying on its self-developed on-chain anti-money laundering tracing and analysis platform MistTrack (https://misttrack.io/) and the InMist threat-intelligence network, it extracted the attacker's identifying information and characteristics and supported the project team through several rounds of negotiation with the attacker. In the end, through the collaboration of SlowMist and multiple parties, the full US$8.44 million in stolen assets was recovered just 3.5 days after the incident, and KiloEx reached a 10% white-hat bounty agreement with the attacker.


Image: https://etherscan.io/idm?addresses=0x00fac92881556a90fdb19eae9f23640b95b4bcbd%2C0x1D568fc08a1d3978985bc3e896A22abD1222ABcF%2C&type=1


Organization News


1. Lazarus Group


This section describes the modus operandi of the North Korean hacking group Lazarus Group and a number of related incidents from the first half of 2025, and analyses the group's money-laundering methods using the Bybit theft as an example.


2. Drainers


This section was contributed by our partner, the Web3 anti-fraud platform Scam Sniffer (https://www.scamsniffer.io/), to whom we express our gratitude.




In the first half of 2025, phishing attacks against the Web3 ecosystem caused total losses of approximately $39.73 million across 43,628 victim addresses. This section analyses the main trends and large-scale cases of Wallet Drainer attacks in the first half of 2025 to provide a security reference for industry practitioners and users.


3. HuionePay


As the global fight against online fraud, underground payment networks and illegal cross-border money laundering intensifies, a platform called HuionePay has drawn close attention from regulators. The platform is suspected of being used to receive, transfer and cash out fraud proceeds, especially through frequent on-chain USDT operations on the TRON chain. SlowMist built a Dune data dashboard based on the on-chain anti-money laundering and tracing tool MistTrack and public on-chain data, and used it to analyse HuionePay's USDT deposit and withdrawal behaviour on TRON in depth. The data cover January 1, 2024 to June 23, 2025; data source: https://dune.com/misttrack/huionepay-data.




Coin mixing tools


1. Tornado Cash


In the first half of 2025, users deposited a total of 254,094 ETH (about US$605,272,821) into Tornado Cash and withdrew a total of 248,922 ETH (about US$584,998,160) from it; deposit and withdrawal activity was relatively high in May and June.


Image: https://dune.com/misttrack/first-half-of-2025-stats


2. eXch


In the first half of 2025, users deposited a total of 28,756 ETH (about US$82,193,535) and 73,482,393 in ERC20 tokens (about US$73,482,393) into eXch; deposit value peaked at US$1.94 million in early March, and deposits stopped on April 30 after the service was seized.


Image: https://dune.com/misttrack/first-half-of-2025-stats


4. Conclusion


In the first half of 2025, the blockchain industry as a whole continued along the three themes of compliance, stability and security. Hacker attacks still occur frequently, with project teams' hot wallets and social-engineering phishing remaining the hardest-hit areas; at the same time, defensive capabilities such as on-chain tracing and fund freezing keep advancing. Global compliance regulation is also accelerating: Hong Kong (China), the United States, the European Union and other jurisdictions have issued detailed rules in quick succession, and the trend of "compliance as the ticket to entry" is ever clearer. Overall, the industry is leaving its early, loosely managed stage and moving toward being "compliance-based, security-oriented and stability-focused"; competition increasingly turns on who can survive longer and more steadily under the compliance regime.


5. Disclaimer


The content of this report is based on our understanding of the blockchain industry and on data from SlowMist Hacked, the SlowMist archive of blockchain hacking incidents, and MistTrack, our anti-money laundering tracing system. However, because of the "anonymous" nature of blockchain, we cannot guarantee the absolute accuracy of all data, nor can we be held responsible for errors, omissions, or losses arising from the use of this report. This report also does not constitute investment advice or a basis for any other analysis. If there are omissions or shortcomings in this report, we welcome criticism and corrections.
