
Crypto Security Incidents - January 2025

  • Nominis Research Team
  • 6 days ago

(Re-uploaded April 2025)


The first month of 2025 has seen a wave of crypto exploits, highlighting persistent vulnerabilities in the industry. From bridge exploits and smart contract flaws to phishing scams and compromised admin keys, these attacks have resulted in millions of dollars in losses across multiple blockchain networks. Notably, the largest incident involved Phemex, a Singapore-based exchange, which suffered a $37 million breach linked to sophisticated hackers. Other major incidents, such as NoOnes' $8 million Solana bridge exploit and Orange Finance’s $840,000 admin key compromise, underscore the critical need for improved security measures. Additionally, social media scams and phishing attacks remain a growing threat, further emphasizing the evolving nature of crypto-related risks.


Key Incidents Overview


NoOnes - 01/01/2025


Type: Bridge Exploit 

NoOnes, a peer-to-peer cryptocurrency trading platform, was the victim of a security breach on the first day of the year, resulting in losses of $8M in crypto assets. The CEO first reported a maintenance issue rather than a security incident, then reported that a breach had taken place involving an exploit of their Solana bridge, which admins had immediately disabled. The breach apparently led to a series of unauthorized smaller withdrawals of about $7,000 at a time from the Ethereum, Tron, Solana and Binance Smart Chain networks. Assets were then sent to Tornado Cash for mixing.


Nominis has recently identified ties between NoOnes and Terror Financing, demonstrating a failure to comply with regulatory obligations. Poor compliance evidently leads to poor security, given the size of the losses in crypto assets as a result of a security breach. 


Impact: $8,000,000.00

Flowchart showing connections from a central blue node labeled "No Ones" to red nodes marked "Terror Financing," with transaction values.


Sorra - 04/01/2025


Type: Contract Vulnerability 

Multiple suspicious attacks were detected involving Sorra on the Ethereum blockchain. The cause of the issue was reportedly a ‘flawed reward mechanism of the withdraw() function in the sorraStaking contract.’ The attacker deposited SOR tokens 2 weeks before executing the exploit. With that deposit in place, they could repeatedly withdraw 1 wei of SOR tokens and were able to claim additional rewards, which drained funds from the contract.


Impact: $43,000 



98# on #BSC - 04/01/2025 


Type: Possible Smart Contract Vulnerability

A token exploit on BSC associated with the 98# token saw losses of approximately $28,000 when an exploiter transferred about 98 billion 98# tokens from an address into a PancakeSwap liquidity pool. The actor then swapped these tokens for USD tokens, a stablecoin pegged to the US dollar, through PancakeSwap. The large volume of 98# tokens suggests an exploitation of the contract or of its integration with the liquidity pool, which may have had improper token allowance settings. Misconfigurations of this kind make a contract easy to exploit.


Impact: $28,000.00



#Mosca on #BSC - 06/01/2025 and 13/01/2025


Type: Contract Vulnerability

The attack on Mosca resulted in losses of $19.5k, seemingly due to exploitation of the exitProgram() function. The function did not update balances when called, meaning users could withdraw funds more than once without values decreasing. The attacker took advantage of this bug, and repeatedly called the function, withdrawing more funds than were originally deposited. On 13/01/2025 another attack on #Mosca on #BSC was discovered, amounting to a further $37.6K in losses after exploitation of a logic flaw in the join() function. 


Impact: $19,500 + $37,600
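The two accounting bugs described so far (Sorra's withdraw() paying rewards again on every tiny withdrawal, and Mosca's exitProgram() paying out without updating the balance) can be reproduced in a small ledger model. This is an added Python example, not code from either contract; the class, the reward formula, the rate and the amounts are all constructed assumptions.

```python
from dataclasses import dataclass, field

REWARD_BPS_PER_DAY = 10  # constructed rate: 0.10% of the stake per day

@dataclass
class StakingModel:
    """Toy ledger. hardened=True applies the accounting updates."""
    hardened: bool
    stake: dict = field(default_factory=dict)     # user -> staked units
    since: dict = field(default_factory=dict)     # user -> day rewards accrue from
    paid_out: dict = field(default_factory=dict)  # user -> units sent to the user

    def deposit(self, user, amount, day):
        self.stake[user] = self.stake.get(user, 0) + amount
        self.since[user] = day

    def _pay(self, user, amount):
        self.paid_out[user] = self.paid_out.get(user, 0) + amount

    def withdraw(self, user, amount, day):
        """Return `amount` of principal plus the reward accrued so far."""
        if not 0 < amount <= self.stake.get(user, 0):
            raise ValueError("invalid withdrawal amount")
        days = day - self.since[user]
        reward = self.stake[user] * REWARD_BPS_PER_DAY * days // 10_000
        self.stake[user] -= amount
        if self.hardened:
            self.since[user] = day  # this period's reward is now settled
        self._pay(user, amount + reward)

    def exit_program(self, user):
        """Pay out the user's whole balance."""
        amount = self.stake.get(user, 0)
        if self.hardened:
            self.stake[user] = 0  # balance drops before funds leave
        self._pay(user, amount)

def replay(hardened):
    """Constructed sequence: deposit, wait 14 days, 5 tiny withdrawals, 3 exits."""
    model = StakingModel(hardened)
    model.deposit("alice", 1_000_000, day=0)
    for _ in range(5):
        model.withdraw("alice", 1, day=14)
    for _ in range(3):
        model.exit_program("alice")
    return model.paid_out["alice"]

# What the user is actually owed: principal plus 14 days of reward.
ENTITLED = 1_000_000 + 1_000_000 * REWARD_BPS_PER_DAY * 14 // 10_000
```

Comparing replay(False) with ENTITLED is the solvency invariant an audit or fuzz test would assert: cumulative payouts to a user must never exceed principal plus earned reward.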



Orange Finance - 08/01/2025


Type: Compromised Admin Key 

On January 8th, Orange Finance announced via X that a hack had taken place due to a ‘private key leakage, resulting in admin access being compromised’. The hacker took over the ‘admin address, upgraded contracts, and transferred funds to their wallet’. Orange Finance advised users to cease interaction with the contract while they continued to investigate the hack.


Impact: $840,000.00


Moby Trade - 08/01/2025


Type: Compromised Admin Key 


The attack on Moby Trade involved a compromised private key, which allowed an attacker to upgrade its smart contract and drain funds. 


Seal911Team, which provided assistance, recognised a flaw in the attacker’s contract and was able to recover $1.5 million of the stolen funds, returning it to Moby Trade.


Impact: $2,500,000


@UniLend_Finance - 13/01/2025


Type: Accounting Error

UniLend Finance is a DeFi platform where you can lend and borrow across multiple assets. It experienced an exploit in which an attacker took advantage of a weakness ‘in the redeem process’ that let them manipulate a process share and change the calculation of the attacker’s collateral value, artificially inflating it.




Impact: $197,600.00



TheIdolsNFT - 14/01/2025


Type: Business Logic Flaw 

According to reports on X, ‘The Idols’ NFT project was hacked across multiple transactions due to flawed logic in the contract when claiming rewards. During the attack, The Idols issued a statement via X advising followers against interacting with any contracts associated with the project.


Impact: $340,000.00


BIGO Token #BSC - 14/01/2025


Type: Business Logic Flaw

Reports on X indicated an exploit of the BIGO token on the #BSC blockchain due to an unsecured auto-burn feature in the BIGO contract. The total supply of tokens in the PancakeSwap liquidity pool is supposed to reduce automatically during transfers, with the burn amount controlled by the variable ‘burnAmount’. The hacker manipulated the burnAmount variable to their advantage by exchanging DOGE into BIGO tokens and sending ETH to the contract. This allowed them to set the burnAmount and trigger the ‘transfer’ function, which reduced the BIGO balance in the PancakeSwap liquidity pool. Since the BIGO balance in the pool was now reduced, the hacker could swap the BIGO tokens back into DOGE at an artificially favourable rate.


Impact: $18,000.00



AST Token Hack on #BSC - 21/01/2025


Type: Smart Contract vulnerability 

The root of this theft was a vulnerability in the Smart Contract, in which the _transfer function had a flaw in how it handled liquidity removal from the PancakeSwap liquidity pool. The contract failed to properly increase the balance of the user receiving tokens during a transfer, only reducing the balance of the liquidity pair of AST/USDT tokens when the burn function is called. 


This resulted in a double decrease in the liquidity pool’s AST balance, first during liquidity removal and second during the token burn, leaving PancakeSwap holding an extremely low AST balance but a substantial USDT balance. Eventually, the AST balance became critically low, and the pricing imbalance allowed the attacker to exchange small amounts of AST for large amounts of USDT at the favourable exchange rate. The attacker successfully drained 64.7K in USDT from the PancakeSwap liquidity pool, and the stolen funds were funneled through Tornado Cash for mixing.


Impact: $64,700.00 in USDT 
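Both the BIGO and AST incidents come down to the same pricing effect: when a token contract can shrink the pair's own token balance, the constant-product formula reprices the remaining tokens sharply upward. The added Python example below (not code from either contract or from PancakeSwap) works through that math and shows a monitoring check for it; the reserves, labels and the omission of the swap fee are constructed assumptions.

```python
def amount_out(amount_in, reserve_in, reserve_out):
    """Constant-product quote (x * y = k); swap fee left out to keep the math visible."""
    return amount_in * reserve_out // (reserve_in + amount_in)

def quote_after_pair_burn(token_reserve, usd_reserve, burned_from_pair, sell_amount):
    """USD paid for sell_amount tokens once the token contract has removed
    burned_from_pair tokens from the pair's own balance and reserves re-synced."""
    return amount_out(sell_amount, token_reserve - burned_from_pair, usd_reserve)

def flag_k_drops(snapshots):
    """snapshots: (label, token_reserve, usd_reserve, lp_supply) per block.
    Swaps never lower k, and removing liquidity lowers LP supply as well, so a
    lower k with unchanged LP supply means tokens left the pair some other way."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        k_prev, k_cur = prev[1] * prev[2], cur[1] * cur[2]
        if k_cur < k_prev and cur[3] == prev[3]:
            drop_bps = (k_prev - k_cur) * 10_000 // k_prev
            alerts.append((cur[0], drop_bps))
    return alerts

# Constructed reserves, not taken from either incident.
SNAPSHOTS = [
    ("add liquidity", 1_000_000, 50_000, 1_000),
    ("ordinary swap", 1_010_000, 49_505, 1_000),
    ("transfer with pair burn", 20_200, 49_505, 1_000),
    ("remove liquidity", 10_100, 24_753, 500),
]

if __name__ == "__main__":
    print(amount_out(10_000, 1_000_000, 50_000))                      # healthy pool
    print(quote_after_pair_burn(1_000_000, 50_000, 990_000, 10_000))  # drained pool
    print(flag_k_drops(SNAPSHOTS))
```

The same 10,000-token sale is quoted at 495 USD against the healthy pool and 25,000 USD after the pair's balance is burned down, and only the burn snapshot is flagged, since the legitimate liquidity removal also halves the LP supply.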



Fake LAYER Token on #Solana - 21/01/2025


Type: Rugpull

An attacker used a fraudulent contract to deceive investors into buying a token that was actually worthless. The deployment of this token, which had a smart contract to change the token’s value artificially, appeared to be legitimate. The attacker then encouraged investors to believe the token had strong market potential and this attracted significant liquidity to the market, which then in turn increased the price movement, reinforcing the illusion. 


Eventually, once the liquidity pool had been filled with enough investor funds, the attacker executed a rug pull, selling off a significant portion of worthless tokens and draining the liquidity pool. The token then crashed almost 100%, and investors were left with worthless assets.


Impact: $465,000.00


AdsPower Browser - 21/01/2025


Type: Security vulnerability - malicious code

AdsPower, a Singapore-based antidetect browser developer, suffered a cyberattack when hackers replaced its crypto wallet browser extension with a malicious version. The extension allowed attackers to steal password memory phrases and private keys, giving them full access to users’ crypto funds. Millions of dollars were stolen from just 5 users. 3 days later, AdsPower replaced the malicious plugin with a clean version.


Impact: $4.7 million



Phemex - 23/01/2025


Type: Security Vulnerability

Phemex, a Singapore-based crypto exchange, suffered a sophisticated exploit involving hot wallets across multiple blockchains. 125 suspicious transactions linked to the breach involved a mix of digital assets, including stablecoins such as USDT and USDC, and other tokens. The stolen assets were then converted to #ETH, likely to evade freezing measures or other monitoring tools. The hacker then most likely funneled funds through Tornado Cash to mix the assets. Phemex temporarily halted withdrawals to prevent loss. There are suspicions that, due to the sophisticated nature of the attack, it may have involved North Korean hackers.


Impact: $37,000,000



Individual Use Cases 


4 individual use cases stood out to us this month.


Phishing scams remained relevant in individual use cases this month, with sizable losses for two particular individuals. A victim lost a significant amount of funds - $474,422 in various tokens including $OLAS, $SEKOIA, $VIRTUAL and $SFO - after unknowingly signing phishing signatures. Additionally, another victim suffered a loss of $100K due to un-revoked phishing approvals, meaning that at some point the user had given token approval to a malicious smart contract - likely via a phishing attack - and had not revoked this approval.


Another victim lost $60,013 worth of $USUAL by mistake after accidentally copying the incorrect CEX deposit address from a contaminated transfer history. ‘Contaminated’ here indicates there was an incorrect or malicious address involved, perhaps inserted by a scammer or malware. Instead of sending their funds to the correct CEX deposit address, they sent them to the wrong one, resulting in permanent loss of funds.


A final victim fell prey to an "increaseApproval" phishing scam, resulting in the loss of $384,645 worth of $LINK tokens after unknowingly granting excessive spending permissions. This phishing transaction is a deceptive smart contract exploit that tricks users into increasing the spending allowance of a malicious actor, enabling them to drain tokens from the victim’s wallet. It usually involves ERC-20 tokens, where users can give permissions for another address to spend tokens on their behalf. 

These attacks typically involve a victim interacting with a malicious contract via phishing or social engineering. Instead of requesting a direct transfer of funds, the attacker asks the victim to sign an “increaseApproval” transaction, seemingly for a legitimate purpose. Once the victim approves this transaction, they have allowed the attacker’s contract to spend an unlimited amount of their assets. Typically, the victim’s wallet is drained by the attacker, who can move tokens without further confirmation.
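A wallet or signing service can catch this pattern before the user signs by decoding the transaction's calldata. The following is an added Python example, not part of the original report: it recognises the approval-type selectors for approve, increaseApproval and increaseAllowance and flags unknown spenders or oversized allowances; the allow-list, the threshold and the sample transactions are constructed assumptions.

```python
APPROVAL_SELECTORS = {  # first 4 bytes of calldata -> ERC-20 style function
    "095ea7b3": "approve(address,uint256)",
    "d73dd623": "increaseApproval(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
}
UNLIMITED_FROM = 2**255  # constructed cut-off for "effectively unlimited"

def review_calldata(data_hex, trusted_spenders, token_balance):
    """Return a finding dict for approval-type calls, None for anything else."""
    data = data_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    function = APPROVAL_SELECTORS.get(data[:8])
    if function is None or len(data) != 8 + 64 + 64:
        return None
    spender = "0x" + data[8 + 24:8 + 64]  # address is the low 20 bytes of word 1
    amount = int(data[8 + 64:], 16)        # word 2: allowance or increase
    reasons = []
    if spender not in trusted_spenders:
        reasons.append("spender not on allow-list")
    if amount >= UNLIMITED_FROM:
        reasons.append("effectively unlimited allowance")
    elif amount > token_balance:
        reasons.append("allowance exceeds current balance")
    return {"function": function, "spender": spender,
            "amount": amount, "block": bool(reasons), "reasons": reasons}

# Constructed inputs: placeholder addresses, not real contracts.
UNKNOWN = "0x" + "ab" * 20
ROUTER = "0x" + "11" * 20
PHISH_TX = "0xd73dd623" + "00" * 12 + "ab" * 20 + "ff" * 32
ROUTINE_TX = "0x095ea7b3" + "00" * 12 + "11" * 20 + f"{500:064x}"
TRANSFER_TX = "0xa9059cbb" + "00" * 12 + "ab" * 20 + f"{500:064x}"

if __name__ == "__main__":
    for tx in (PHISH_TX, ROUTINE_TX, TRANSFER_TX):
        print(review_calldata(tx, {ROUTER}, token_balance=1_000))
```

The same decoder can be run over a wallet's historical approval transactions to list allowances that were granted to unknown spenders and never revoked.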


Smart Contract Attack Sequence chart with steps: Phishing/Social Engineering, Increase Approval Trick, Token Drain, with icons and arrows.

Rising Threat of Compromised Accounts on X


Recently, a troubling trend has emerged on X (formerly Twitter), where compromised accounts are being used to promote fraudulent meme coins and spread malicious content. Scammers exploit high-profile accounts to lend credibility to their schemes, misleading unsuspecting investors. A notable example is @TrumpDailyPosts, an account with over 1.3 million followers, which was hijacked to promote multiple fake tokens—causing estimated losses of $1.25 million. This highlights the urgent need for stronger security measures to combat social media-driven financial scams.


Diagram on financial scams. Pink, orange, and yellow icons represent high-profile accounts, compromised accounts, and fraudulent meme coins.

This month also saw an increase in cryptocurrency topics and scams making headlines in the news. Most notably, we saw social media breaches promoting fake coins, such as former Brazilian President Jair Bolsonaro, whose social media was exploited to promote a scam memecoin ‘$BRAZIL’. Litecoin’s X account was also briefly hacked to promote a fake token, with a tweet stating that “LTC is now in Solana”, before the team regained control of the account, announcing that the hack was due to a compromised delegate account.


Another significant story in the news this month was the release of David Balland, co-founder of crypto hard wallet manufacturer Ledger. Balland had been held captive for a day while kidnappers demanded a large ransom in cryptocurrency, demonstrating the dangerous real-world consequences that extend beyond crypto crime online.


Aiccelerate made the news after the immediate crash of their token, $AICC, following their public launch in mid-January. Founders claimed that, rather than being malicious, the apparent ‘rugpull’, which left retail investors with massive losses, was the result of rushed decision-making, and announced plans to restructure their tokenomics.


Towards the end of January, WazirX received approval from the Singapore Court to repay victims of the $235 million hack committed by North Korea’s Lazarus Group in July 2024. WazirX’s founders have expressed excitement about this approval, suggesting it is the best situation both for victims to regain their assets and for the platform to rebuild.


Finally, headlines were made after it was revealed that 94% of $TRUMP and $MELANIA tokens, released around the time of Trump’s inauguration, were held by just 40 wallets. This flagged concerns considering the heavy dominance of crypto whales in this case, who can severely influence market dynamics.


The role of compliance in preventing these attacks 


January 2025 saw a staggering $54,253,400 in losses due to various crypto-related exploits, highlighting the intense frequency of security weaknesses and breaches across DeFi platforms, centralised services and individual users. This marks a 56% decrease compared to December’s losses; however, this report highlights the continuous effort by cybercriminals to refine their methods.



Many of these attacks could have been mitigated or entirely prevented through stronger compliance measures and regulatory adherence. A lack of oversight has allowed projects to launch with weak security measures, while bad actors have been able to exploit poorly designed systems without consequences. 


Compliance frameworks such as mandatory smart contract audits, ongoing security reviews, and whitehat ethical hacking, would assist in ensuring that projects meet minimum security standards before going live. Additionally, real-time transaction monitoring and strong education of compliance officers can build the security standards of a project, minimising risk. 


This month, we saw high occurrences of smart contract exploits and admin key compromises. Smart contract exploits can be effectively prevented through audits, and enforcing multi-signature controls and robust private key security measures, which form part of regulatory requirements, could drastically reduce the likelihood of these security breaches. Effective education on compliance and regulations among all parties, from smart contract writers to developers to investors and other involved groups, would ensure a strong defence, minimising the risk of a security breach from a variety of standpoints and at every stage of project development.


To prevent malicious actors from executing rug pulls or phishing scams, implementing Know Your Customer and Know Your Transaction tools for DeFi platforms and token issuers can be very effective. A properly-regulated environment would have stronger identification verification processes to prevent fraudulent projects from launching anonymously. Encouraging your clients to perform their own research, investigate suspicious wallets themselves via available tools, such as Nominis’ free wallet screening search bar on nominis.io, and educating them on red flags is also effective in securing both their assets and your reputation. 


While we strive for accuracy in our content, we acknowledge that errors may occur. If you find any mistakes, please reach out to us at contact@nominis.io. Your feedback is appreciated!