This report provides an in-depth analysis of typical blockchain security incidents and attack methods in 2025, trends in APT group activities, the evolution of money laundering models, and global regulatory and enforcement progress.
Author: SlowMist Technology

Due to space limitations, this article only lists the key points of the analysis report. The full content can be downloaded as a PDF at the end of the article.
I. Overview
In 2025, the blockchain industry continued its rapid evolution. The combined effects of a complex macroeconomic financial environment, regulatory uncertainties, and intense attacks significantly complicated the security landscape throughout the year. Specifically, hacker groups and underground crime became highly professional, with North Korean-related hackers frequently active. Information-stealing Trojans, private key hijacking, and social engineering phishing became the main attack methods. Furthermore, DeFi permission management and meme issuance repeatedly resulted in substantial losses. RaaS/MaaS service-oriented architecture lowered the barrier to entry for criminals, enabling attackers without technical backgrounds to quickly launch attacks. Meanwhile, underground money laundering systems continued to mature, with Southeast Asian fraud clusters, privacy tools, and coin mixing facilities forming multi-layered funding channels. On the regulatory front, countries accelerated the implementation of AML/CFT frameworks, and multiple cross-border law enforcement actions improved the efficiency of on-chain tracking and asset freezing. Regulation gradually shifted from single-point strikes to systematic containment, and the legal boundaries of privacy protocols were being redefined, further distinguishing between technical attributes and criminal uses.
Against this backdrop, this report provides an in-depth analysis of typical blockchain security incidents and attack methods in 2025, trends in APT group activities, the evolution of money laundering models, and global regulatory and enforcement progress. We hope this report will provide industry practitioners, security researchers, and risk control and compliance managers with timely, structured, and insightful security and compliance references, enhancing their ability to identify, respond to, and predict risks.
II. Blockchain Security Situation
According to incomplete statistics from the SlowMist Hacked archive, a total of 200 security incidents occurred throughout the year, resulting in losses of approximately $2.935 billion. Compared to 2024 (410 incidents, with losses of approximately $2.013 billion), although the number of incidents decreased significantly, the amount of losses increased by approximately 46% year-on-year.
(Note: The data in this report is based on the token price at the time of the event. Due to factors such as token price fluctuations, some undisclosed events, and the exclusion of losses from ordinary users, the actual losses should be higher than the statistical results.)

Security Incident Overview
In terms of ecological distribution, Ethereum remains the most frequently attacked and most severely affected ecosystem, with an annual loss of approximately $254 million, significantly leading the pack; BSC follows closely behind, with related losses of approximately $21.93 million; Solana ranks third, with an annual loss of approximately $17.45 million.

By project sector, DeFi projects were the most frequently attacked: 126 security incidents occurred in 2025, accounting for approximately 63% of the total for the year, resulting in losses of approximately $649 million, a decrease of approximately 37% compared to 2024 (339 incidents, $1.029 billion in losses). Trading platform incidents numbered only 12, yet caused losses of a staggering $1.809 billion, with Bybit suffering the most severe loss of approximately $1.46 billion in a single incident.

In terms of the causes of the attacks, contract vulnerabilities were the main trigger, accounting for 61 cases; hacking of X accounts followed closely behind, accounting for 48 cases.

Typical attack incidents
This section selects the top 10 security attack incidents that resulted in losses in 2025. See the PDF file at the end of the article for details.

Fraudulent methods
The following are some typical or new types of fraud that deserve close attention in 2025.
- Phishing attack
In 2025, phishing remained one of the most active risk factors. Its attack methods have evolved from traditional website cloning and fake authorization pages to complex techniques combining system commands, wallet permissions, protocol characteristics, and even device control. Unlike the past, when attacks directly requested the seed phrase, today's attacks tend to use "guided operations" to induce users to unknowingly transfer assets. These methods are more covert, deceptive, and have significantly expanded the scope of victims. This section focuses on four typical phishing patterns: ClickFix phishing attacks, Solana wallet owner permission tampering, EIP-7702 authorization abuse, and the Telegram "fake Safeguard" scam.
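The "Solana wallet owner permission tampering" pattern named above works because a phishing site asks the user to sign an ordinary-looking transaction that contains an SPL Token `SetAuthority` instruction handing the token account's owner (or close authority) to the attacker, sometimes alongside an unlimited `Approve`. The screener below is an added example, not code from the SlowMist report: it re-implements the SPL Token program's instruction byte layout (a one-byte tag followed by the variant's fields) with the standard library only, so it runs offline. The attacker key and the sample instructions are constructed for the demo and are not real on-chain data.

```python
"""Screen SPL Token instructions for the "owner permission tampering" pattern.

Added example; this is not code from the SlowMist report. It re-implements the
SPL Token program's instruction byte layout (a 1-byte tag followed by the
variant's fields) as a stdlib-only parser so it runs offline. The public keys
and instructions below are constructed for the demo.
"""
import struct
from typing import Optional

# Discriminators from the SPL Token program's TokenInstruction enum.
TRANSFER, APPROVE, REVOKE, SET_AUTHORITY, CLOSE_ACCOUNT = 3, 4, 5, 6, 9
# AuthorityType values accepted by SetAuthority.
AUTHORITY_TYPES = {0: "MintTokens", 1: "FreezeAccount", 2: "AccountOwner", 3: "CloseAccount"}
U64_MAX = 2**64 - 1


def decode_token_instruction(data: bytes) -> dict:
    """Parse the data field of one SPL Token instruction into a dict."""
    if not data:
        raise ValueError("empty instruction data")
    tag, body = data[0], data[1:]
    if tag in (TRANSFER, APPROVE):
        (amount,) = struct.unpack_from("<Q", body, 0)
        return {"op": "Transfer" if tag == TRANSFER else "Approve", "amount": amount}
    if tag == REVOKE:
        return {"op": "Revoke"}
    if tag == SET_AUTHORITY:
        auth_type = AUTHORITY_TYPES.get(body[0], f"Unknown({body[0]})")
        # COption<Pubkey>: one flag byte, then 32 bytes of key when the flag is 1.
        new_auth = body[2:34].hex() if body[1] == 1 else None
        return {"op": "SetAuthority", "authority_type": auth_type, "new_authority": new_auth}
    if tag == CLOSE_ACCOUNT:
        return {"op": "CloseAccount"}
    return {"op": f"Other({tag})"}


def risk_of(ix: dict, trusted_keys: set) -> Optional[str]:
    """Return a warning for instructions a user signing a "claim"/"verify"
    transaction should never expect, or None if the instruction looks benign."""
    if ix["op"] == "SetAuthority" and ix["authority_type"] in ("AccountOwner", "CloseAccount"):
        if ix["new_authority"] not in trusted_keys:
            return f"SetAuthority({ix['authority_type']}) to untrusted key {ix['new_authority']}"
    if ix["op"] == "Approve" and ix["amount"] == U64_MAX:
        return "Approve with unlimited (u64::MAX) delegate amount"
    return None


def screen_transaction(instructions, trusted_keys=frozenset()):
    """Decode every SPL Token instruction in a transaction and collect warnings."""
    warnings = []
    for raw in instructions:
        w = risk_of(decode_token_instruction(raw), trusted_keys)
        if w:
            warnings.append(w)
    return warnings


# Constructed sample: a "claim airdrop" transaction that actually hands the
# user's token account to the attacker and grants an unlimited delegate.
ATTACKER_KEY = bytes([0xAA]) * 32  # placeholder, not a real account
SAMPLE_TX = [
    bytes([TRANSFER]) + struct.pack("<Q", 1_000_000),   # harmless dust transfer
    bytes([SET_AUTHORITY, 2, 1]) + ATTACKER_KEY,        # AccountOwner -> attacker
    bytes([APPROVE]) + struct.pack("<Q", U64_MAX),      # unlimited approval
]

if __name__ == "__main__":
    for line in screen_transaction(SAMPLE_TX):
        print("WARNING:", line)
```

The check is deliberately narrow: a `Transfer` of dust is what the victim expects to see, while an `AccountOwner` or `CloseAccount` authority change to a key the wallet has never seen is something no legitimate "claim" flow needs. In a real wallet the instruction bytes come from the transaction's compiled instructions and only those whose program id is the SPL Token (or Token-2022) program should be decoded with this layout.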
- Social engineering attack
In 2025, social engineering attacks showed a significant upward trend in blockchain security incidents, gradually becoming a key entry point connecting phishing, malware, and asset theft. These attacks center on "manipulating trust," using identity spoofing, emotional pressure, and information asymmetry to guide victims to actively cooperate in completing high-risk operations. Attackers often don't rush to directly steal assets, but rather gradually build a trustworthy image through multiple rounds of interaction, ultimately inducing victims to download malware, disclose private keys, or transfer assets to addresses controlled by the attacker. This section analyzes three typical social engineering attack techniques: job interview scams, impersonating "security experts" for guidance, and counterfeiting hardware wallets.
- Supply chain and open source ecosystem poisoning
Software supply chain attacks remained active in the blockchain security field in 2025. Attackers were no longer limited to directly compromising well-known libraries or core infrastructure, but instead turned to open-source projects, developer tools, and dependency distribution chains. They used poisoned code to indirectly attack a large number of downstream users. These attacks often did not target a single victim but spread through "trusted software components." Once triggered, the impact was wide-ranging, tracing the source was difficult, and they were highly susceptible to combining with social engineering techniques. This section provides a detailed analysis of several types of poisoning incidents that occurred frequently in 2025.
- Malicious browser extensions and extension ecosystem risks
Browser extensions are virtually ubiquitous in Web3 use cases. Whether it's wallet plugins, proxy tools, security extensions, or productivity tools used by developers, they generally possess features such as high privileges, background operation, and automatic updates. Once tampered with or maliciously exploited, they can often steal data without the user's knowledge, even causing direct asset losses. This section summarizes the security risks of browser extensions in Web3 scenarios and analyzes them with typical case studies.
- Attacks using AI technology
As generative AI has rapidly gained popularity over the past two years, attackers have begun to incorporate it into fraud and attack chains. Compared to traditional tools, AI's capabilities in text, speech synthesis, image, and video generation significantly reduce the cost of fraud. Attacks no longer rely on crude rhetoric or obviously anomalous behavior, but rather on highly realistic content, coherent interactions, and precise object selection, making it psychologically harder for victims to detect the risk. This section summarizes the risks of the misuse of generative AI in crypto asset and enterprise security scenarios.
- Ponzi scheme fraud
In 2025, Ponzi schemes remained one of the most widespread forms of digital asset fraud. Unlike traditional Ponzi schemes, the new generation of projects tended to disguise themselves as "blockchain finance," "big data technology," or "international trading platforms," rapidly expanding through tiered commission structures. This section summarizes the operational model and risk characteristics of a typical digital asset Ponzi scheme case in 2025—Xinkangjia DGCX.
III. Anti-Money Laundering Strategy
This section mainly covers three parts: anti-money laundering and regulatory developments, data on frozen/returned funds, and cybercrime organizations and the underground network ecosystem.
Anti-money laundering and regulatory developments
- Law enforcement and sanctions actions
In 2025, enforcement and sanctions actions in the global crypto asset sector significantly escalated. Regulatory and enforcement agencies in various countries moved beyond simply issuing policies or compliance guidelines, directly intervening in key areas such as crypto money laundering, fraud, sanctions evasion, and illicit financing through asset freezes, entity sanctions, criminal prosecutions, and transnational joint operations. Enforcement coverage expanded and deepened, reaching from exchanges to infrastructure service providers and even individual on-chain addresses. This section focuses on four key enforcement developments in 2025: combating malware, the Dark Web, and cybercrime infrastructure; key regulatory and criminal prosecution of the crypto exchange Garantex; joint operations against fraud, Ponzi schemes, and "pig butchering" networks; and cases of penalties for non-compliance and illegal operations in crypto services.
- Regulatory policies
In 2025, global cryptocurrency regulation entered a phase of structured and systematic advancement. National policies gradually transitioned from the past "exploratory regulation" to "the implementation of clear rules and the construction of a unified framework." Compliance was widely regarded as a prerequisite for the development of the cryptocurrency market, with tax transparency, AML/KYC, custody security, and information disclosure becoming frequent policy focuses. This section summarizes the regulatory policy developments in various countries in 2025; detailed entries can be found in the appendix PDF at the end of this article.
Funds frozen/return data
With the strong support of the InMist Lab threat intelligence partnership network, SlowMist assisted clients and partners, as well as victims of publicly disclosed hacking incidents, in freezing/recovering approximately US$19.29 million in 2025.
In 2025, Tether froze USDT-ERC20 assets in 576 ETH addresses, and Circle froze USDC-ERC20 assets in 214 ETH addresses.
In 2025, there were 18 cases where stolen funds were recovered or frozen after the attacks. In these 18 cases, the total amount of stolen funds was approximately US$1.957 billion, of which nearly US$387 million was returned/frozen, equivalent to 13.2% of the year's total losses (approximately US$2.935 billion).
Cybercrime Organizations and the Underground Cyber Ecosystem
- North Korean hackers
According to a research report released by MSMT in 2025, from January 2024 to September 2025, North Korean-related hacking groups stole at least $2.837 billion in crypto assets by attacking cryptocurrency exchanges, wallet service providers, multi-signature infrastructure, and Web3 ecosystem companies worldwide. Of this, approximately $1.645 billion was stolen in the first nine months of 2025 alone, setting a new record.

This section summarizes the characteristics of North Korean hackers' activities in 2025, their main organizational structure and role division, core attack methods and key targets, as well as the "industrialized process" of money laundering and on-chain circulation. It further reveals their covert money inflow model formed by using IT outsourcing and "legal employment money laundering".
- Phishing Drainer
This section was written by our partner, the Web3 anti-fraud platform Scam Sniffer, to whom we express our gratitude. This section analyzes only the latest trends in Wallet Drainer phishing attacks within the EVM ecosystem to help practitioners and users better protect their assets.

Total losses: $83.85 million, 106,106 victims – down 83% and 68% respectively from 2024.
Largest single theft: $6.5 million, via Permit signature (September).
Main signature types: Permit remains dominant; EIP-7702 malicious signatures emerged after the Pectra upgrade, with two large-scale cases in August.
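Both signature types in the drainer statistics above, and the "EIP-7702 authorization abuse" pattern from the phishing section, can be screened before the user signs. A Permit (EIP-2612, delivered as EIP-712 typed data) is dangerous when the spender is an unknown address, the value is the maximum uint256, or the deadline is effectively infinite; an EIP-7702 authorization is dangerous when it delegates the EOA to unknown code, and an authorization with chainId 0 is valid on every chain. After a malicious delegation lands, eth_getCode on the EOA returns the designator 0xef0100 followed by the delegate address, which is how a responder confirms the hijack. The screener below is an added example, not code from the report or from Scam Sniffer; the thresholds (unlimited allowance, deadline more than a year out) are this example's own heuristics, and every address and value is constructed for the demo.

```python
"""Screen the two signature types drainers relied on in 2025: EIP-2612 Permit
typed data and EIP-7702 authorizations, plus detection of a landed delegation.

Added example; not code from the SlowMist report or from Scam Sniffer. Input
shapes follow EIP-712 typed data (as passed to eth_signTypedData_v4), the
authorizationList of an EIP-7702 (type 4) transaction, and the eth_getCode
result for a delegated EOA (0xef0100 || 20-byte address). Addresses, values and
the "more than a year" / "unlimited" thresholds are this example's assumptions.
"""
from typing import List, Optional

UINT256_MAX = 2**256 - 1
DELEGATION_PREFIX = "ef0100"          # EIP-7702 delegation designator
SECONDS_PER_YEAR = 365 * 24 * 3600


def _norm(addr: str) -> str:
    return addr.lower()


def _to_int(v) -> int:
    """Accept decimal strings, 0x-hex strings or ints, as JSON-RPC clients emit."""
    if isinstance(v, str) and v.lower().startswith("0x"):
        return int(v, 16)
    return int(v)


def screen_permit(typed_data: dict, trusted_spenders: set, now: int) -> List[str]:
    """Flag a Permit whose spender, value or deadline match drainer practice."""
    if typed_data.get("primaryType") != "Permit":
        return []
    msg = typed_data["message"]
    spender = _norm(msg["spender"])
    out = []
    if spender not in {_norm(a) for a in trusted_spenders}:
        out.append(f"Permit spender {spender} is not a known contract")
    if _to_int(msg["value"]) == UINT256_MAX:
        out.append("Permit grants an unlimited allowance")
    if _to_int(msg["deadline"]) - now > SECONDS_PER_YEAR:
        out.append("Permit deadline is more than a year away")
    return out


def screen_authorizations(auth_list: List[dict], trusted_delegates: set) -> List[str]:
    """Flag EIP-7702 authorizations that delegate an EOA to unknown code."""
    out = []
    known = {_norm(d) for d in trusted_delegates}
    for a in auth_list:
        delegate = _norm(a["address"])
        if delegate not in known:
            out.append(f"EIP-7702 delegation to unknown contract {delegate}")
        if _to_int(a["chainId"]) == 0:
            out.append("EIP-7702 authorization with chainId 0 is valid on every chain")
    return out


def delegate_from_code(code_hex: str) -> Optional[str]:
    """Return the delegate address if eth_getCode shows a 7702 designator, else None."""
    code = code_hex.lower()
    code = code[2:] if code.startswith("0x") else code
    if len(code) == 46 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[6:]
    return None


# Constructed sample data (placeholders, not real contracts or wallets).
ATTACKER = "0x" + "bad0" * 10
ROUTER = "0x" + "a11c" * 10          # stands in for a contract the wallet already trusts
NOW = 1_735_689_600                  # 2025-01-01T00:00:00Z

SAMPLE_PERMIT = {
    "primaryType": "Permit",
    "domain": {"name": "USD Coin", "version": "2", "chainId": 1,
               "verifyingContract": "0x" + "c0" * 20},
    "message": {"owner": "0x" + "11" * 20, "spender": ATTACKER,
                "value": str(UINT256_MAX), "nonce": "0", "deadline": str(2**48)},
}
SAMPLE_AUTH_LIST = [{"chainId": "0x0", "address": ATTACKER, "nonce": "0x5"}]
SAMPLE_CODE = "0x" + DELEGATION_PREFIX + ATTACKER[2:]

if __name__ == "__main__":
    for w in screen_permit(SAMPLE_PERMIT, {ROUTER}, NOW):
        print("PERMIT:", w)
    for w in screen_authorizations(SAMPLE_AUTH_LIST, {ROUTER}):
        print("7702:", w)
    print("delegated to:", delegate_from_code(SAMPLE_CODE))
```

A Permit or 7702 authorization is an off-chain signature, so nothing appears in the victim's transaction history until the attacker submits it; that is why the screening has to happen in the wallet at signing time, and why `delegate_from_code` belongs in an incident-response checklist rather than a prevention one.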
- Huione Group
As online fraud and cross-border money laundering activities continue to expand in Southeast Asia, Huione Group and its subsidiaries HuionePay and Huione Guarantee have become a key focus of global regulatory and law enforcement agencies, attracting the attention of numerous intelligence organizations. This section outlines the service expansion path of the Huione ecosystem, the current status of on-chain fund activities, and demonstrates the cross-border joint law enforcement and regulatory pressures it faces.

- Ransomware/Malware
Ransomware and information-stealing malware remained key techniques for theft of crypto assets and profit generation in 2025. The commercialization model of MaaS/RaaS (Malware/Ransomware-as-a-Service) further lowered the barrier to entry for attackers, allowing many non-technical criminals to launch attacks using bundled services, thus forming a continuously expanding cybercrime supply chain. Over the past year, law enforcement agencies in multiple countries have conducted several key operations against related core groups. This section provides a detailed analysis of two representative cases: LockBit and LummaC2.

- Privacy/Coin Mixing Tools
In the cryptocurrency money laundering ecosystem, privacy protocols and mixing tools have long played a crucial role, serving both legitimate users who prioritize privacy and those who use them as important channels to circumvent regulations, including hacker groups, ransomware gangs, and underground money laundering networks. This section, based on an analysis of typical regulatory and enforcement cases in 2025, reveals that the boundary between privacy technology and illegal abuse is being redefined, and regulatory approaches are gradually shifting from a "one-size-fits-all" approach to a "tiered governance based on usage and responsibility."

IV. Summary
Looking back at 2025, the blockchain security and anti-money laundering ecosystem exhibited three main characteristics: more professional attack methods, more covert criminal chains, and stronger regulatory enforcement. While the number of security incidents stabilized, significant structural changes were observed, with risks related to access control, social engineering attacks, and private key leaks continuing to rise. The "service-oriented" nature of black market tools made plug-and-play attacks a reality, spilling risks from the technical side to users and the supply chain. Money laundering networks continued to operate around Southeast Asian scams, North Korean attacks, and privacy-focused cryptocurrency mixing tools, while regulation entered a phase of cross-border coordinated suppression. Multiple countries simultaneously promoted the implementation of AML rules and FATF standards, tightening the space for such operations by seizing addresses, freezing assets, and holding cryptocurrency mixing operators accountable. Security and compliance have shifted from "added capabilities" to "commercial survival thresholds." The focus of industry competition is no longer on technological narratives, but on who can build a continuously functioning secure internal control and compliance system.
In response to this trend, SlowMist is continuously advancing its AI-driven security and compliance capabilities. We firmly believe that security should not be understood merely as a one-off "project audit" or "emergency tracking," but rather as an integrated closed-loop system covering threat discovery and defense before, during, and after an incident: before an incident, this includes security audits and training; during an incident, it includes on-chain monitoring and real-time detection of hacker behavior; and after an incident, it includes tracing and incident response. In practice, SlowMist embodies this closed-loop capability through its products and services, including MistEye (a Web3 threat early warning and dynamic monitoring system based on threat intelligence models), MistTrack (an on-chain analysis and anti-money laundering tracking platform, including AML/KYT compliance and risk control capabilities), InMist Lab (a global threat intelligence cooperation network), and offensive/defensive security and auditing services. Driven by AI, these capabilities automate, intelligently manage, and enable real-time response in threat identification, tracing, and compliance support, providing the industry with long-term, robust underlying security capabilities.
V. Disclaimer
This report is based on our understanding of the blockchain industry, data from the SlowMist hacking archive, and data from the MistTrack anti-money laundering tracking system. However, due to the anonymity of blockchain, we cannot guarantee the absolute accuracy of all data, nor can we assume responsibility for any errors, omissions, or losses arising from the use of this report. Furthermore, this report does not constitute any investment advice or basis for other analysis. We welcome any criticism and corrections regarding any omissions or deficiencies in this report.
Chinese version: https://www.slowmist.com/report/2025-Blockchain-Security-and-AML-Annual-Report(CN).pdf
English: https://www.slowmist.com/report/2025-Blockchain-Security-and-AML-Annual-Report(EN).pdf
Disclaimer: As a blockchain information platform, the articles published on this site represent only the personal views of the authors and guests and do not reflect the position of Web3Caff. The information contained in the articles is for reference only and does not constitute any investment advice or offer. Please comply with the relevant laws and regulations of your country or region.