

June 2025 Monthly Report

Nominis Intelligence Unit

June 2025 was a turbulent month for on-chain security, with a broad range of attacks including smart contract exploits, politically motivated exchange breaches, and more. In total, the month saw over $106.9 million in confirmed losses across a range of incidents, victimising DeFi protocols, centralized exchanges, and infrastructure providers. These attacks expose persistent weaknesses in contract validation, access controls, oracle design and key management, with particularly high-impact events such as the $82 million Nobitex breach and multi-chain exploits targeting ResupplyFi, ALEX Protocol and Force Bridge. In parallel, June also highlighted law enforcement efforts to prevent crypto crime, as well as a notable spike in front-end compromises of trusted platforms, in this case the media outlets CoinMarketCap and CoinTelegraph.


This report provides a breakdown of the major incidents, how the attackers performed the exploits, and what they reveal about the evolving threat landscape in crypto security. 



June 2025: Major attacks 


Force Bridge - 02/06/2025


Type: Access Control Issue 


At the beginning of June, a hacker exploited a critical access-control flaw in the Nervos Network’s Force Bridge, a cross-chain protocol linking Ethereum and BNB Chain, draining millions of dollars in assets across ETH, USDT, DAI, and wrapped BTC. A root cause report published weeks after the incident revealed that in mid-April an automated system upgrade had injected a malicious Docker image into several validator nodes, allowing attackers to extract private keys, which were sent to an external server. This malicious code led to unusual unlocking transactions in the following days and the leaking of three private keys, which enabled the exploit at the beginning of the month. Once stolen, the funds were rapidly laundered through a mixer to obscure the trail. In response, Force Bridge was paused and the compromised Docker image was removed via a secure update.


Impact: $3,700,000.00


Tail Metaverse - 02/06/2025


Type: Replay Attack via NFT Staking Loop


On the same day, Tail Metaverse suffered a security breach targeting its Tevis Mining pool staking contracts. The exploit stemmed from flawed reward logic in a particular contract, which allowed users to repeatedly claim staking rewards using the same NFT-like token. The attacker cycled a single token across multiple wallets, depositing and withdrawing it to farm excessive amounts of $TAILVERSE tokens. The platform halted trading following the attack, and Tail Metaverse announced it would provide a resolution for affected users.


Impact: $88,000.00


[Screenshot from Nominis Vue: dashboard showing a balance of $336.92, a transaction list, a "Critical" risk severity rating and security alert tabs]


ALEX Protocol - 06/06/2025 


Type: Contract Vulnerability


In early June, the ALEX Protocol by ALEX Lab, built on the Stacks blockchain, was compromised due to a bug in its ‘self-listing verification’ logic, which allowed the attacker to drain assets, including STX, USDT and USDC, across a number of chains. The attacker deployed a malicious token (ssl-labub-672d3) with a rogue transfer() function. By creating a fake staking pool and calling set-approved-token, the attacker tricked the protocol into granting access. The attacker then bypassed the protocol’s access controls and drained the assets.


At the time of writing, the current losses are recorded at over $8 million; however, the total loss, which may include stolen aBTC and ALEX tokens, may be as high as $16 million. In response to the attack, ALEX Lab paused the self-listing feature and promised to fully reimburse victims in USDC.


This is the protocol’s second significant breach, following a $4.3 million cross-chain bridge hack in May 2024 which is suspected to have been tied to the North Korean state hacking entity, Lazarus Group. 


Impact: $8,370,000.00


Anome - 10/06/2025


Type: Token Price Manipulation


Anome, a DeFi platform operating on the Base Network, was exploited due to a critical flaw in its token valuation logic. The attacker purchased a sizeable amount of almost worthless Bnome tokens for just 0.2 ETH, then deposited them into a contract where the system drastically overvalued the tokens. Exploiting this inflated valuation, the attacker repeatedly borrowed Anome USD, ultimately draining around 44 ETH worth of assets, before funneling the stolen funds through Tornado Cash to obscure their tracks. 


Impact: $120,000.00


Aave - 12/06/2025 


Type: Improper Input Validation


A deprecated AaveBoost contract on Ethereum was exploited for about 48 AAVE tokens after an attacker discovered a flaw in the contract’s deposit logic. By leveraging an unrestricted token allowance and calling a proxyDeposit(0) function, the attacker was able to trigger the system to mint synthetic AAVE rewards despite depositing zero tokens. The exploit worked because the contract lacked proper input validation and had no access controls on rewards distribution. By repeating this process many times, the attacker farmed phantom rewards without ever staking real assets.
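The two reward-accounting flaws described for Tail Metaverse (the same token re-earning rewards as it is cycled through wallets) and AaveBoost (rewards minted for a zero-amount deposit) share a root cause: rewards keyed to the number of calls rather than to what was actually staked and for how long. The model below is an added example written for this report, not code from Aave, Tail Metaverse or Nominis; the pool, its bonus constant, the wallets and the block counts are all constructed. The `hardened=False` path reproduces the flawed behaviour, and the `hardened=True` path applies the checks a reviewer would expect.

```python
"""Reward-accounting model: flawed per-call rewards versus amount-x-time accrual.
Hypothetical pool; all constants and inputs are constructed for illustration."""

DEPOSIT_BONUS = 10          # constructed: flat reward minted per deposit call (flawed design)
REWARD_PER_UNIT_BLOCK = 1   # constructed: accrual rate per staked unit per block (hardened design)


class StakingPool:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.block = 0
        self.stakes = {}    # token_id -> (owner, amount, block staked at)
        self.rewards = {}   # wallet -> accrued reward units

    def advance(self, blocks: int) -> None:
        self.block += blocks

    def deposit(self, wallet: str, token_id: int, amount: int) -> None:
        if self.hardened:
            # Input validation the flawed contract lacked: no zero deposits,
            # and a token can have only one active stake at a time.
            if amount <= 0:
                raise ValueError("deposit amount must be positive")
            if token_id in self.stakes:
                raise ValueError("token is already staked")
        self.stakes[token_id] = (wallet, amount, self.block)
        if not self.hardened:
            # Flaw: a flat bonus is minted on every deposit call, regardless of
            # amount, and it is keyed to the caller rather than to the token.
            self.rewards[wallet] = self.rewards.get(wallet, 0) + DEPOSIT_BONUS

    def withdraw(self, wallet: str, token_id: int) -> int:
        owner, amount, since = self.stakes.pop(token_id)
        if owner != wallet:
            raise PermissionError("not the staker")
        if self.hardened:
            # Reward is a function of how much was staked for how long, so a
            # zero amount or a same-block deposit/withdraw cycle earns nothing.
            earned = amount * (self.block - since) * REWARD_PER_UNIT_BLOCK
            self.rewards[wallet] = self.rewards.get(wallet, 0) + earned
        return amount


def farm_zero_deposits(pool: StakingPool, rounds: int) -> int:
    """proxyDeposit(0)-style loop: repeated zero-amount deposits from one wallet."""
    for r in range(rounds):
        pool.deposit("attacker", token_id=r, amount=0)
    return pool.rewards.get("attacker", 0)


def rejects_zero_deposit(pool: StakingPool) -> bool:
    """True if the pool refuses a zero-amount deposit."""
    try:
        pool.deposit("attacker", token_id=99, amount=0)
    except ValueError:
        return True
    return False


def cycle_token_across_wallets(pool: StakingPool, wallets: list, token_id: int, amount: int) -> int:
    """Replay-style loop: one token is deposited and withdrawn by each wallet in
    turn with no blocks elapsing; returns the total reward minted to all of them."""
    for w in wallets:
        pool.deposit(w, token_id, amount)
        pool.withdraw(w, token_id)
    return sum(pool.rewards.get(w, 0) for w in wallets)


def honest_stake(pool: StakingPool, amount: int, blocks: int) -> int:
    """A genuine stake held for `blocks` blocks; returns the reward earned."""
    pool.deposit("alice", token_id=1, amount=amount)
    pool.advance(blocks)
    pool.withdraw("alice", token_id=1)
    return pool.rewards.get("alice", 0)


if __name__ == "__main__":
    print("flawed, 5 zero deposits:", farm_zero_deposits(StakingPool(False), 5))
    print("flawed, token cycled through 3 wallets:",
          cycle_token_across_wallets(StakingPool(False), ["w1", "w2", "w3"], 7, 0))
    print("hardened, token cycled through 3 wallets:",
          cycle_token_across_wallets(StakingPool(True), ["w1", "w2", "w3"], 7, 100))
    print("hardened, 100 units staked for 10 blocks:", honest_stake(StakingPool(True), 100, 10))
```

The point of the hardened path is not the specific checks but the accounting basis: once rewards are computed from stake size and duration per token, neither a zero-amount call nor wallet-hopping with the same token produces value that was not actually earned.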


Impact: $15,000.00


Meta Pool - 17/06/2025


Type: Access Control Issue


Meta Pool, a ‘multi chain, Liquid Staking Based Ecosystem’, suffered a security incident involving its mpETH contract on Ethereum, which resulted in the unauthorized minting of 9.705 mpETH and a loss of about 52.5 ETH. According to Meta Pool’s official report, the exploit was due to a vulnerability in the mintWithToken function, which relied on token price conversions from an external router without proper validation. This allowed the attacker to manipulate the input value and mint mpETH without providing sufficient underlying collateral. The issue has since been contained by Meta Pool, who assured users that no staked ETH is at risk.


Impact: $140,000.00


The Nobitex Breach - 18/06/2025 


Type: Access Control / Hot Wallet Hack


In mid-June, the Iranian crypto exchange Nobitex was compromised through a breach of its weak hot wallet infrastructure, resulting in a major theft of coins across various chains, including Tron, Ethereum, Bitcoin, Dogecoin and TON. The hack was claimed by the hacktivist group Predatory Sparrow, also known as Gonjeshke Darande, which accused Nobitex of enabling sanctions evasion and funding the IRGC, and which had claimed an attack on Iran’s Bank Sepah just the day before. The attackers transferred funds into inaccessible ‘burn’ wallets, likely to send a political message. They then threatened to release internal source code the following day, warning Nobitex users to move to alternative services immediately. The group did indeed follow through on this threat, releasing the source code on platforms such as X and Telegram. In the aftermath, Nobitex suspended its services, confirmed that cold-stored assets remained safe, and pledged to refund affected users.


More information can be found in our in-depth examination and analysis of the breach here.


Impact: $82,000,000.00




Bankroll - 19/06/2025


Type: Contract Vulnerability


Bankroll Network, a DeFi protocol and gaming-focused platform, experienced an exploit after an attacker took advantage of an integer underflow vulnerability in the platform’s smart contract. The flaw was in the contract’s sell() function, which failed to properly validate its arithmetic operations. By manipulating input values, the attacker triggered an underflow that caused the contract to miscalculate token balances, allowing them to withdraw more funds than they were entitled to. The exploit affected Bankroll’s deployments on both Ethereum and Binance Smart Chain (BSC). The protocol’s X account has remained silent since before the incident occurred.


Impact: $65,000.00


Hacken Bridge - 21/06/2025


Type: Access Control Issue / Key Leak


Hacken, a blockchain security company, experienced a compromise of its cross-chain bridge after a private minting key for its native $HAI token was leaked due to human error. This allowed an attacker to illegitimately mint 900 million HAI tokens, which were then dumped on decentralized exchanges, causing sizeable direct losses and a huge crash in HAI’s market value. In response, Hacken acknowledged responsibility, paused the bridge, initiated an internal investigation, and plans to migrate HAI to a new smart contract, ensuring that the stolen tokens will be excluded from the new supply.


Impact: $250,000.00


MEV Bot - 25/06/2025 


Type: Contract Vulnerability


Towards the end of the month, a MEV bot on BSC appears to have been exploited through an ‘arbitrary call vulnerability in its fallback function’, which allowed the attacker to bypass access controls. The attacker targeted a function with restricted access to which the exploitable bot contract had mistakenly been granted permission in a previous transaction. The flaw was abused in at least three transactions.


Impact: $2,000,000.00


Silo Labs - 25/06/2025


Type: Contract Vulnerability


Silo Finance, a decentralized, non-custodial DeFi lending protocol, suffered an exploit on an unreleased, externally inaccessible leverage contract, which was accidentally deployed with a misconfigured function that allowed unauthorized access. According to their in-depth post-mortem, the attacker discovered the contract and used a flash loan to manipulate share accounting, allowing them to mint a large amount of Silo strategy tokens without proper collateral. These were then redeemed for real assets, resulting in a substantial loss. The affected contract was not yet integrated into the user interface, so users remained unaffected, but its public deployment on-chain made it exploitable. Following the attack, Silo has reimbursed the protocol and implemented stricter internal controls to prevent similar incidents.


Impact: $545,000 


ResupplyFi - 26/06/2025


Type: Price Oracle Manipulation


On 26 June, ResupplyFi, a stablecoin lending protocol linked to Convex/Yearn, suffered a significant exploit due to a donation attack on its newly launched wstUSR vault. The attacker reportedly used a $4,000 USDC flash loan to obtain crvUSD, then donated 2,000 crvUSD to the empty ERC-4626 vault, artificially inflating the vault’s price per share. They then deposited just 2 crvUSD to receive shares valued at millions, allowing them to borrow 10 million reUSD against them. These tokens were then apparently converted through Curve liquidity pools back to crvUSD and ultimately into WETH. The root cause was a miscalculation of share valuation in an empty vault, which did not have adequate safeguards.
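The general mechanism behind a donation attack on an empty ERC-4626 vault is share-price inflation combined with rounding: a direct token transfer raises `totalAssets()` without minting shares, so the few existing shares become worth far more than was deposited for them, and later deposits round down to zero shares. The simulation below is an added example written for this report, not ResupplyFi, Convex or Yearn code, and it models only this generic mechanism, not the protocol-specific borrow path the report describes. The 2,000-unit donation is the figure from the incident; the attacker’s 1-wei first deposit and the 1,000-unit victim deposit are constructed. The mitigation shown is the virtual-shares formula used by OpenZeppelin’s ERC4626 (`assets * (totalSupply + 10**offset) / (totalAssets + 1)`), which makes the donation a loss for the attacker.

```python
"""ERC-4626 share-price inflation ("donation") attack on an empty vault, naive
share math versus virtual-offset share math. Hypothetical vault; the 2,000
donation follows the report, other amounts are constructed."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Vault:
    # offset=None: naive pro-rata share math on real balances.
    # offset=N:    OpenZeppelin-style virtual shares/assets with a decimals offset.
    offset: Optional[int] = None
    total_assets: int = 0   # mirrors token.balanceOf(vault), so donations count
    total_shares: int = 0
    shares: dict = field(default_factory=dict)

    def to_shares(self, assets: int) -> int:
        if self.offset is None:
            if self.total_shares == 0:
                return assets                       # first depositor gets 1:1
            return assets * self.total_shares // self.total_assets
        return assets * (self.total_shares + 10 ** self.offset) // (self.total_assets + 1)

    def to_assets(self, shares: int) -> int:
        if self.offset is None:
            return shares * self.total_assets // self.total_shares
        return shares * (self.total_assets + 1) // (self.total_shares + 10 ** self.offset)

    def deposit(self, who: str, assets: int) -> int:
        minted = self.to_shares(assets)   # naive path happily mints 0 shares
        self.total_assets += assets
        self.total_shares += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def donate(self, assets: int) -> None:
        # Direct transfer to the vault: raises totalAssets, mints nothing.
        self.total_assets += assets

    def redeem(self, who: str) -> int:
        owned = self.shares.pop(who, 0)
        out = self.to_assets(owned) if owned else 0
        self.total_assets -= out
        self.total_shares -= owned
        return out


def run_inflation_attack(vault: Vault, donation: int = 2000, victim_deposit: int = 1000) -> dict:
    """Attacker: 1-wei deposit, then donation. Victim: deposit. Both redeem.
    Returns the attacker's net profit and the victim's loss in asset units."""
    vault.deposit("attacker", 1)
    vault.donate(donation)
    vault.deposit("victim", victim_deposit)
    attacker_out = vault.redeem("attacker")
    victim_out = vault.redeem("victim")
    return {"attacker_profit": attacker_out - (1 + donation),
            "victim_loss": victim_deposit - victim_out}


if __name__ == "__main__":
    print("naive vault:        ", run_inflation_attack(Vault(offset=None)))
    print("virtual offset of 6:", run_inflation_attack(Vault(offset=6)))
```

With naive math the victim’s 1,000 deposit mints zero shares and the attacker walks away with it; with a decimals offset of 6 the same sequence costs the attacker the donation and the victim loses only one unit to rounding. A zero-share check on deposit (reverting when `minted == 0`) and seeding the vault with a non-withdrawable initial deposit are the other common safeguards for a freshly launched vault.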


Impact: $9,500,000.00


June 2025 Major Hacks - by Type

(Pie chart)

  • Access Control Issues: 33.3%
  • Contract Vulnerabilities: 33.3%
  • Price/Valuation Manipulation: 20%
  • Replay/Logic Exploits: 13.3%

June 2025 Major Hacks - by Target

(Bar chart)

  • DeFi Protocols: 8
  • Centralized Exchanges: 1
  • Blockchain Infrastructures/Bridges: 3




Significant events in June



Legal action against BidenCash 



In early June, US and Dutch law enforcement agencies dismantled BidenCash, a major cybercrime ‘carding’ marketplace that sold stolen credit card data and compromised credentials. The coordinated operation seized about 145 domains on both the dark and clear web, including BidenCash’s .asia site, and confiscated related cryptocurrency assets. Active since March 2022, the marketplace served more than 117,000 registered users, trafficked over 15 million payment records, and generated approximately $17 million in illicit revenue. Authorities including the FBI, US Secret Service, DOJ and Dutch National Police coordinated the takedown. While the domains now redirect to law enforcement seizure pages, the stolen data still endangers victims.


South Korean crypto CEO acquitted 


In mid-June, a South Korean court acquitted Lee Hyung-Soo, CEO of Haru Invest, of criminal fraud charges tied to the losses of approximately $650 million from some 6,000 investors (far lower than the initial $1 billion estimate involving 16,000 users). The court concluded that although the company failed to meet its obligations, Lee did not intentionally deceive clients amid broader market turmoil and the FTX collapse. The ruling also saw co-CEOs Park and Song cleared of fraud, while Blockcrafters’ COO, Kang, was found guilty of embezzlement and handed a two-year prison sentence. Notably, the judgement came months after Lee was stabbed during court proceedings in August 2023. The attacker, who claimed a loss of 100 BTC, received a five-year prison sentence.


Front-end compromises of two major crypto news outlets 


On 21 June, Scam Sniffer alerted followers to an apparent compromise of the front end of CoinMarketCap. Two days later, the same group alerted followers to the same issue, a front-end compromise, this time of CoinTelegraph. These public warnings are deeply significant, suggesting a growing threat vector in the crypto space: the weaponization of trusted media and data platforms to disseminate malicious links or wallet drainers.

These sites are often whitelisted in users’ minds, making their compromise particularly worrying. For example, phishing campaigns delivered through such sources are far more likely to reach a large audience and succeed. The fact that two major industry platforms were targeted at around the same time may suggest a coordinated effort by threat actors; however, there is no supporting evidence for this hypothesis yet. Scam Sniffer’s rapid detection and public alerts likely minimized the damage significantly, but the incidents should prompt users and platform operators to adopt caution and to establish stronger front-end monitoring and integrity checks of sites.


Stolen funds by North Korean hacking group reappear and get mixed 


In mid-May, the North Korea-funded Lazarus Group reportedly executed a sophisticated $3.2 million heist by hacking multiple Solana wallets, swiftly bridging the stolen assets to Ethereum before laundering them via Tornado Cash. Blockchain investigators including ZachXBT flagged transfer patterns that mirrored Lazarus Group’s usual behaviour. Between June 25 and June 27, the attackers routed about 800 ETH (approximately $1.6 million) into Tornado Cash in two separate transactions, and left $1.25 million dormant in a specific Ethereum address. This incident reinforces Lazarus Group’s strategy of exploiting chain bridges for cross-chain theft and leveraging mixers to obfuscate trails, highlighting weaknesses in wallet security and the importance of proactive protective measures.



Conclusion: 


June 2025 saw a significant number of on-chain exploits, with total confirmed losses exceeding $106.9 million across multiple protocols. The most prominent attack type observed this month was access control-related failure, evident in high-profile breaches such as Nobitex, Force Bridge, Meta Pool and Hacken Bridge. These incidents reinforce a critical trend: inadequate key management and privilege misconfigurations remain persistent vulnerabilities across both centralized and decentralized infrastructures.


What really stands out from June’s data is the breadth and sophistication of the attack strategies employed, from NFT replay loops and oracle manipulation to complex share valuation distortions and fallback function abuse. This applies in particular to the ResupplyFi exploit and the Silo Finance flash-loan-based strategy, which show how even unreleased or peripheral contracts can become attack surfaces when publicly deployed without safeguards.


The Nobitex hack, with an estimated $82 million impact, was by far the most severe incident, and notably involved politically motivated threat actors. This further blurs the line that has always existed between financially driven cybercrime and ideological disruption, suggesting regulators and crypto businesses must prepare for non-state or hacktivist level threats in addition to opportunistic exploits. 


Beyond protocol vulnerabilities, June also saw the compromise of frontend interfaces for trusted crypto media platforms CoinMarketCap and CoinTelegraph, revealing an emerging threat vector: social engineering via trusted digital infrastructure. These incidents highlight the pressing need for both frontend integrity monitoring and user education, as phishing attacks increasingly originate from legitimate sources turned hostile. 


June’s breach patterns reflect an increasingly mature threat landscape in which smart contract security, access control architecture and operational hygiene must evolve to match the ingenuity of adversaries. The month also underscores the growing intersection of cybersecurity, financial crime, and geopolitics in the crypto domain. As always, real-time monitoring and proactive threat intelligence are not optional; they are foundational.


To aid this, Nominis.io rolled out a major upgrade to its Money Trail engine this month, the core module behind the wallet screening system. This overhaul significantly enhances our ability to trace funds across blockchains, now supporting deeper and more complex transaction histories. The update will boost the detection of hidden risks and behavioural anomalies like layering, equipping compliance teams with sharper insights to combat the type of attacks we have seen this month. 


While we strive for accuracy in our content, we acknowledge that errors may occur. If you find any mistakes, please reach out to us at contact@nominis.io. Your feedback is appreciated!


