Beosin Blockbuster | Web3 blockchain security landscape analysis in the first half of 2025
*This report is jointly produced by Beosin and Footprint Analytics
1. Overview of the Web3 blockchain security landscape in the first half of 2025
According to Beosin Alert, the total loss caused by hacking, phishing scams and Rug Pulls in the Web3 field in the first half of 2025 was about $2.138 billion. Of this, 90 major attacks caused a total loss of about $2.093 billion; Rug Pulls caused total losses of approximately $3.2 million; and phishing scams caused a total loss of about $41.38 million.
By type of project attacked, exchanges suffered the highest losses: six attacks on exchange platforms caused more than $1.591 billion in damages, 74.4% of all attack losses.
By chain, Ethereum remained the chain with the highest losses and the most attack events: 81 attacks on Ethereum caused $1.739 billion in damages, 81.3% of total losses. Sui lost about $224 million in the Cetus Protocol incident, ranking second.
In terms of attack methods, contract vulnerability exploits were the most frequent in the first half of the year, with 63 attacks causing $408 million in losses. By amount, the Bybit incident, in which $1.44 billion was stolen through a flaw in the wallet's infrastructure, accounted for the largest share, 67.4% of total attack losses.
In terms of fund flows, only a small part (about $238 million) of the stolen funds was frozen or recovered in the first half of the year, and about 71.2% of the stolen funds still sits in on-chain wallets, having flowed into neither exchanges nor mixers.
2. Overview of attacks in the first half of 2025
The 90 major attacks resulted in a total of $2.093 billion in damages
In the first half of 2025, Beosin Alert detected a total of 90 major attacks in the Web3 space, with a total loss of $2.093 billion. Of these, 2 security incidents had losses of more than $100 million, 7 had losses between $10 million and $100 million, and 18 had losses between $1 million and $10 million.
Attacks with losses exceeding $10 million (in alphabetical order):
● Bybit - $1.44 billion
Attack method: Safe wallet front-end tampered with
Chain platform: Ethereum
On February 21, the cryptocurrency exchange Bybit was attacked and about $1.44 billion in funds was stolen from its Safe multisig wallet. After compromising Safe's servers, the attackers planted malicious code that replaced normal transaction requests, so the signers approved the tampered transaction without realizing it.
● Cetus Protocol - $224 million
Attack method: contract vulnerability
Chain platform: Sui
On May 22, the DEX Cetus Protocol on the Sui ecosystem was attacked; the vulnerability stemmed from an incorrectly implemented shift-left operation in open-source library code. Subsequently, with the cooperation of the Sui Foundation and other ecosystem projects, $162 million of the stolen funds on Sui were successfully frozen.
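The report only says that the Cetus flaw was an incorrectly implemented shift-left in library code. The following is an added example, not Cetus's or the library's code: a correct checked shift-left on a fixed-width unsigned integer, next to a constructed flawed variant whose overflow bound is too loose, so that values with bits in the top limb are silently truncated instead of being rejected. The 256-bit width, the 64-bit shift and the flawed mask are assumptions chosen to illustrate the bug class.

```python
# Added example (not the Cetus or library code): checked shift-left on a
# simulated fixed-width unsigned integer. Python ints are unbounded, so the
# width is enforced explicitly.


def checked_shl(n: int, shift: int, bits: int = 256) -> tuple[int, bool]:
    """Shift an unsigned `bits`-wide integer left by `shift`.

    Returns (result, overflowed). Overflow occurs exactly when a set bit
    would be pushed past position `bits - 1`, i.e. when the top `shift`
    bits of `n` are non-zero. The result is always reduced to `bits` bits.
    """
    if not 0 <= n < (1 << bits):
        raise ValueError("n is not a valid unsigned integer of the given width")
    if shift >= bits:
        # Everything is shifted out; only zero survives without overflow.
        return 0, n != 0
    overflowed = (n >> (bits - shift)) != 0
    return (n << shift) & ((1 << bits) - 1), overflowed


def flawed_checked_shlw(n: int) -> tuple[int, bool]:
    """Constructed flawed variant: shift a u256 left by 64 bits.

    The bound check compares `n` against a mask whose top 64 bits are all
    set, so only values at least that large are flagged. A value whose top
    64 bits are only partly set passes the check and is silently truncated.
    This illustrates the bug class; it is not the actual library code.
    """
    mask = 0xFFFFFFFFFFFFFFFF << 192  # bits 192..255 all set (assumed flaw)
    if n > mask:
        return 0, True
    return (n << 64) & ((1 << 256) - 1), False


def demo() -> dict:
    """Compare both implementations on a value with one bit in the top limb."""
    value = 1 << 192  # any shift by 64 must overflow a 256-bit result
    return {
        "correct": checked_shl(value, 64),        # (0, True): overflow reported
        "flawed": flawed_checked_shlw(value),     # (0, False): overflow missed
    }


if __name__ == "__main__":
    print(demo())
```

The defensive takeaway is that an overflow check for a left shift must test the top `shift` bits of the operand (here `n >> (bits - shift)`), not compare the operand against a single threshold; a property test that asserts `checked_shl(n, s)[0] == n << s` whenever no overflow is reported catches the flawed variant immediately.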
● Nobitex - $90 million
Attack method: not yet clear
Chain platform: multi-chain
On June 18, Nobitex, Iran's largest crypto exchange, announced that it had been hacked and had lost more than $90 million across a variety of cryptocurrencies, including BTC, ETH, DOGE, XRP, SOL, TRX and TON. A pro-Israel group calling itself "Gonjeshke Darande" claimed responsibility for the attack and characterized it as a strike against Iran's crypto infrastructure.
● Phemex - $70 million
Attack method: private key leakage
Chain platform: multi-chain
On January 23, about $70 million in crypto assets was stolen from the hot wallet of Phemex, a Singapore-based cryptocurrency exchange, involving multiple assets such as ETH, SOL, BTC, BNB and USDT.
● UPCX - $70 million
Attack method: access control vulnerability
Chain platform: Ethereum
On April 1, UPCX lost about $70 million worth of tokens to unauthorized access. The attackers upgraded UPCX's ProxyAdmin contract and then called a function that allowed administrators to withdraw funds, resulting in funds being transferred out of three different management accounts.
● Infini - $49.5 million
Attack method: permission management vulnerability
Chain platform: Ethereum
On February 24, $49.5 million was stolen from Infini after an internal developer, who had tricked the team and secretly retained contract management privileges, upgraded the contract and stole the funds.
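Both the UPCX and Infini incidents above turned on a privileged upgrade or admin change that the project did not expect. The following is an added example, not the code of UPCX, Infini or any project named in the report: a detection rule that flags proxy-administration events (upgrades, admin changes, ownership transfers) on monitored contracts when the sender is not an expected admin, the upgrade falls outside an announced change window, the new implementation is not on the reviewed list, or the privilege moves to an unexpected account. All addresses, events and policy lists are constructed for this example; the event names follow common proxy conventions but the record format is assumed.

```python
# Added example (not any project's code): alerting on privileged proxy events.
from dataclasses import dataclass

PRIVILEGED_EVENTS = {"Upgraded", "AdminChanged", "OwnershipTransferred"}


@dataclass
class AdminEvent:
    block: int
    contract: str   # proxy or ProxyAdmin contract that emitted the event
    name: str       # one of PRIVILEGED_EVENTS, or anything else (ignored)
    args: dict      # decoded event arguments
    tx_from: str    # externally owned account that sent the transaction


@dataclass
class Policy:
    monitored: set         # contracts whose admin events we care about
    expected_admins: set   # accounts allowed to administer them
    approved_impls: set    # implementation addresses that passed review
    change_window: tuple   # (first_block, last_block) of the announced upgrade


def evaluate(events, policy):
    """Return (block, contract, event name, reasons) for every suspicious event."""
    alerts = []
    lo, hi = policy.change_window
    for e in events:
        if e.contract not in policy.monitored or e.name not in PRIVILEGED_EVENTS:
            continue
        reasons = []
        if e.tx_from not in policy.expected_admins:
            reasons.append("sender is not an expected admin")
        if not lo <= e.block <= hi:
            reasons.append("outside the announced change window")
        if e.name == "Upgraded" and e.args.get("implementation") not in policy.approved_impls:
            reasons.append("implementation not on the reviewed list")
        if e.name in ("AdminChanged", "OwnershipTransferred"):
            new_holder = e.args.get("newAdmin") or e.args.get("newOwner")
            if new_holder not in policy.expected_admins:
                reasons.append("privilege moved to an unexpected account")
        if reasons:
            alerts.append((e.block, e.contract, e.name, reasons))
    return alerts


# Constructed policy and sample events (all addresses are placeholders).
POLICY = Policy(
    monitored={"0xPROXY_A", "0xPROXYADMIN_A"},
    expected_admins={"0xOPS_MULTISIG"},
    approved_impls={"0xIMPL_V2"},
    change_window=(1_000_000, 1_000_100),
)

SAMPLE_EVENTS = [
    # Planned, reviewed upgrade by the ops multisig inside the window: no alert.
    AdminEvent(1_000_010, "0xPROXY_A", "Upgraded",
               {"implementation": "0xIMPL_V2"}, "0xOPS_MULTISIG"),
    # A single developer account moves the proxy admin role to itself...
    AdminEvent(1_000_500, "0xPROXY_A", "AdminChanged",
               {"previousAdmin": "0xPROXYADMIN_A", "newAdmin": "0xDEV_EOA"}, "0xDEV_EOA"),
    # ...and then points the proxy at an implementation nobody reviewed.
    AdminEvent(1_000_501, "0xPROXY_A", "Upgraded",
               {"implementation": "0xIMPL_EVIL"}, "0xDEV_EOA"),
    # Event on a contract we do not monitor: ignored.
    AdminEvent(1_000_502, "0xOTHER", "Upgraded",
               {"implementation": "0xWHATEVER"}, "0xSOMEONE"),
]


def run_demo():
    return evaluate(SAMPLE_EVENTS, POLICY)


if __name__ == "__main__":
    for block, contract, name, reasons in run_demo():
        print(f"block {block} {contract} {name}: {', '.join(reasons)}")
```

Wiring this to a real feed means decoding the proxy's events from its logs and keeping the approved-implementation list in sync with the audit process; the policy object is what makes an unannounced admin change stand out, because a legitimate upgrade is always preceded by a known implementation address and a known window.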
● Abracadabra Finance - $13 million
Attack method: contract vulnerability
Chain platform: Ethereum
On March 25, Abracadabra Finance, a decentralized lending protocol, lost about 6,262 ETH (about $13 million) to a contract vulnerability.
● Cork Protocol - $12 million
Attack method: contract vulnerability
Chain platform: Ethereum
On May 28, Cork Protocol, a pegged-asset protocol on Ethereum, was attacked; the attacker profited by $12 million through a logic vulnerability in the project's contract (key parameters were not verified).
● BitoPro - $11.5 million
Attack method: private key leakage
Chain platform: multi-chain
On June 2, the crypto exchange BitoPro issued an announcement confirming the attack: its hot wallets were compromised during a recent wallet system upgrade and crypto asset transfer, and the abnormal outflows from multiple on-chain hot wallets totaled about $11.5 million.
3. Types of projects attacked
CEX is the type of project with the highest amount of loss
The project type with the highest losses in the first half of the year was centralized exchanges: six attacks on centralized exchanges caused more than $1.591 billion in total losses, the largest being Bybit at about $1.44 billion. The other larger losses were Nobitex (about $90 million) and Phemex (about $70 million); Noones, BitoPro and Coinbase were also attacked.
The second most attacked type was DeFi. The roughly $224 million stolen from Cetus Protocol accounted for 69.1% of the funds stolen from DeFi; the other DeFi projects with larger losses were Abracadabra Finance ($13 million), Cork Protocol (about $12 million), Resupply (about $9.6 million), zkLend (about $9.5 million), Ionic (about $8.8 million) and Alex Protocol (approximately $8.37 million).
In addition, two security incidents occurred in the crypto payments space, with losses of about $120 million, ranking third among all project types. Other project types attacked include browsers, token contracts, cross-chain bridges and Memecoin launchpads.
4. Losses by chain
Ethereum is the chain with the highest amount of losses and the most attacks
As in previous years, Ethereum remains the public chain with the highest losses: 81 attacks on Ethereum caused $1.739 billion in damages, 81.3% of total losses.
The public chain with the second highest number of attacks was BNB Chain, where 33 attacks caused total losses of about $42.53 million. BNB Chain sees many on-chain attacks with relatively small individual losses, but compared with the same period last year both the number of attacks and the amount lost rose significantly, with losses up 357%.
Arbitrum and Base ranked third and fourth, with losses of $21.2 million and $13.05 million respectively. Compared with the same period last year, the number of attacks on Arbitrum increased but losses fell by 71.8%, while both the number of attacks on Base and the losses there rose significantly, with losses up 294%.
5. Analysis of attack methods
70% of attacks come from contract vulnerabilities
In the first half of the year there were 63 attacks exploiting contract vulnerabilities, causing losses of $408 million, the largest attack category by losses apart from the Bybit theft caused by a flaw in the wallet infrastructure. Losses from private key leakage were significantly lower than in the same period last year, but still totaled more than $102 million.
Broken down by contract vulnerability type, the three causing the greatest losses were business logic vulnerabilities ($356 million), algorithm flaws ($21.37 million) and validation vulnerabilities ($12.7 million). By frequency, the top three were business logic vulnerabilities (45 incidents), access control vulnerabilities (7 incidents) and algorithm flaws (5 incidents).
6. Analysis of the flow of stolen funds
Only 11.1% of stolen assets were frozen and recovered
According to analysis by Beosin KYT, Beosin's anti-money laundering platform, about $238 million of the funds stolen in the first half of 2025 was frozen or recovered, about 11.1% of the total.
About $97.89 million of stolen funds was transferred to exchanges, about 4.6% of the total. A total of $278 million (13.0%) went to mixers: about $19.46 million to Tornado Cash and $259 million to other mixers. Compared with last year, the amount of stolen funds laundered through mixers rose significantly in the first half of 2025.
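The percentages in this section come from tracing where stolen funds ended up. The following is an added example, not Beosin KYT's method or data: a minimal destination analysis that follows outflows from an exploit address through unlabeled intermediate wallets until the funds reach a labeled endpoint (exchange, Tornado Cash, other mixer, or a frozen holding), then reports each category's share of the stolen total, with the remainder attributed to funds still sitting in wallets. The transfers, address labels and amounts are constructed, and the example deliberately includes an unrelated deposit that must not be counted.

```python
# Added example (not Beosin KYT's code): tracing stolen funds to labeled endpoints.
from collections import defaultdict

# Constructed address labels; anything not listed is treated as an ordinary wallet.
LABELS = {
    "0xEXCHANGE_A": "exchange",
    "0xTORNADO": "tornado_cash",
    "0xMIXER_X": "other_mixer",
    "0xFROZEN_HOLD": "frozen",   # wallet whose balance the token issuer froze
}

# Constructed transfers: (block, from, to, amount in USD). 0xATTACKER is the
# exploit address; the hop wallets are attacker-controlled intermediaries.
TRANSFERS = [
    (100, "0xATTACKER", "0xHOP1", 600.0),
    (101, "0xATTACKER", "0xTORNADO", 100.0),
    (102, "0xHOP1", "0xEXCHANGE_A", 40.0),
    (103, "0xHOP1", "0xHOP2", 200.0),
    (104, "0xHOP2", "0xMIXER_X", 150.0),
    (105, "0xATTACKER", "0xFROZEN_HOLD", 120.0),
    (106, "0xCLEAN_USER", "0xEXCHANGE_A", 500.0),  # unrelated; must not count
]


def trace_destinations(transfers, labels, origin, stolen_total):
    """Attribute stolen funds to labeled destination categories.

    Transfers are processed in block order. A transfer counts only if its
    sender is tainted: the origin, or an unlabeled wallet that earlier
    received tainted funds. Simplifying assumption (this example's, not the
    report's): a tainted unlabeled wallet holds only stolen funds, so all of
    its later outflows are attributed to the theft.
    Returns (totals_by_category, percentage_share_by_category).
    """
    tainted = {origin}
    totals = defaultdict(float)
    for _, src, dst, amount in sorted(transfers):
        if src not in tainted:
            continue
        category = labels.get(dst)
        if category is None:
            tainted.add(dst)          # another attacker-controlled wallet
        else:
            totals[category] += amount
    accounted = sum(totals.values())
    totals["still_in_wallets"] = stolen_total - accounted
    shares = {k: round(v / stolen_total * 100, 1) for k, v in totals.items()}
    return dict(totals), shares


def run_demo():
    return trace_destinations(TRANSFERS, LABELS, "0xATTACKER", 1000.0)


if __name__ == "__main__":
    totals, shares = run_demo()
    for category, amount in totals.items():
        print(f"{category:18s} {amount:8.1f} USD  {shares[category]:5.1f}%")
```

In practice the hard part is the label set and the taint model: a real KYT pipeline must handle wallets with mixed inflows (attributing outflows proportionally rather than wholesale), bridges that change chains, and exchange deposit addresses that are only identifiable by clustering. The structure stays the same: label endpoints, propagate taint along transfers in time order, and report what remains unaccounted for as funds still held on-chain.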
7. Summary of the Web3 blockchain security situation in the first half of 2025
Compared with the first half of 2024, total losses from hacking, phishing scams and Rug Pulls rose significantly in the first half of this year, reaching $2.138 billion. Attacks on and losses at exchanges and mainstream public chain ecosystems are increasing overall, and the Web3 security situation remains very serious.
The most damaging attack of the first half was the Bybit theft, which accounted for about 67.4% of losses. By project type, attacks spanned the whole Web3 field: exchanges, DeFi, personal wallets, infrastructure, token contracts, payment platforms, browsers, Memecoin launch platforms and more. Every Web3 project owner and individual user needs to stay vigilant: store private keys offline, use multi-signature wallets, use third-party services with caution, and conduct regular permission updates and security training for privileged employees.
Only a small fraction of assets was frozen or recovered in the first half of the year, suggesting that global regulatory and anti-money laundering efforts still need strengthening. The proportion of stolen funds that hackers transferred to exchanges fell significantly, which is linked to exchanges strengthening anti-money laundering controls, identifying hacking activity promptly, and actively cooperating with law enforcement agencies and project teams to freeze funds and conduct verification. Because cooperation among exchanges, law enforcement agencies, project teams and security teams has produced clear results, hackers are now more inclined to use a variety of coin mixers to launder funds.
Of the 90 attacks in the first half of the year, 63 still exploited contract vulnerabilities, and project teams are advised to engage a professional security company for an audit before going live. As one of the world's earliest blockchain security companies engaged in formal verification, Beosin focuses on the "security + compliance" ecosystem business and has set up branches in more than 10 countries and regions worldwide, offering "one-stop" blockchain compliance products and security services such as code security audits before project launch, security risk monitoring and blocking during project runtime, stolen-asset recovery, virtual asset anti-money laundering (AML), and compliance assessments that meet local regulatory requirements.