May 2025 Monthly Report
- Nominis Intelligence Unit
May 2025 marked a shift in the nature of crypto threat activity. While the number of major attacks decreased compared to previous months, the contextual events, including real world crimes, phishing operations and compliance breaches, saw a noticeable rise in frequency and complexity. Across just nine significant exploits, nearly $258 million in digital assets were stolen, with the Cetus Protocol hack alone accounting for $230 million, making it one of the most financially impactful attacks of the year.
The major attacks this month spanned a diverse set of exploit types, including access control failures, business logic flaws and protocol logic vulnerabilities amongst others. These exploits hit both emerging and established platforms, and several were linked to broader geopolitical or regulatory concerns, such as North Korean affiliations.
In parallel, the crypto space was shaken by a wave of significant non-exploit events. These contextual threats included AI-enhanced phishing operations, social engineering attacks on major blockchain teams, real-world violence and kidnapping attempts, and insider corruption at centralized exchanges. Also notable was the ongoing impact of historical vulnerabilities, with the Radiant Capital exploit continuing to drain user funds long after the initial breach, highlighting the persistent risks of token approval mismanagement.
Overall, May presented a broader picture: it's not just technical exploits, but a wider ecosystem of threat vectors that continue to evolve in complexity and ambition. While the volume of ‘hacks’ may seem lower than in previous months, the expanded context of risk, abuse and regulatory response signals a maturing, but still deeply challenging, crypto threat landscape.
May 2025: Major attacks
BitoPro - 08/05/2025
Type: Misconfigured infrastructure
On May 8, Taiwanese cryptocurrency exchange BitoPro experienced unauthorized outflows from its hot wallets across Ethereum, Tron, Solana and Polygon networks. The stolen assets were funneled through decentralized exchanges, with some routed via Tornado Cash and THORChain to obscure their origin. Despite the breach, BitoPro delayed public acknowledgement until June 2, breaking the silence and attributing the incident to an exploit during a wallet system upgrade. The exchange told users that withdrawals and trading remained unaffected, and that there were sufficient reserves to cover the losses. Investigations are continuing with a third-party security firm to trace the stolen funds.
Scam Hunter ZachXBT shared, in a public reply to a post from BitoPro on X (formerly Twitter), his investigations revealing that the platform knew of suspicious outflows, but failed to mention it. This reply, which was posted on June 2, could have been the reason for BitoPro’s ultimate acknowledgement of the incident.
Impact: $11,500,000.00
LDN.fi - 09/05/2025
Type: Protocol Logic
In May 2025 the LDN.fi protocol, a decentralised protocol that allowed users to deposit crypto assets, suffered a significant attack due to an access control vulnerability introduced by a rogue developer. This developer modified the smart contract by extending the access modifier to include a Pool Admin role - this allowed them to invoke a function which transfers funds to external addresses. This changed version of the smart contract remained undetected for 41 days, during which the attacker who retained the new controls executed the exploit and drained the pool’s assets.
Post attack investigations actually suggested that the developer was associated with North Korea, which highlights the importance of robust off-chain security measures, smart contract audits and strong change management protocols to prevent unlawful modifications to smart contracts. LDN.fi shut down its site and removed the hacker’s access.
Impact: $1,300,000.00
MBU Token - 11/05/2025
Type: Business Logic Flaw
In mid-May, Mobius Token ($MBU), a DeFi protector on the BNB chain, suffered a major loss due to a smart contract exploit. The attacker deployed a malicious contract that drained 28.5 million MBU tokens from a victim’s wallet, converting them to stablecoins. A security firm announced the detection of the exploit and noted the suspicious contract deployment and abnormal transaction patterns. The Mobius team does not appear to have released an official statement.
Impact: $2,100,000.00
Zunami Protocol - 15/05/2025
Type: Protocol Logic
Zunami Protocol, a DeFi platform that issues aggregated stablecoins, suffered a hack resulting in the theft of zunUSD and zunETH, their collateral assets. The attacker appeared to have transferred the stolen funds to Tornado Cash, mixing the funds and obscuring the flow of movement. The most recent statement regarding the attack suggested that they would consider either a ‘compromised deployer’ or ‘malicious intent by the key holder’ and were working with a professional investigator to reach conclusions. This is not the first time that Zunami was the victim of a sizable attack: in 2023, Zunami was hacked for $2.1 million due to a price manipulation vulnerability.
Impact: $500,000.00
Demex - 16/05/2025
Type: Oracle Attack
In mid-May, Demex’s Nitron lending platform suffered an exploit due to a manipulation of the deprecated dGLP vault. An attacker donated fsGLP tokens to the low-liquidity vault, artificially inflating its redemption rate. This manipulated value was then reflected by the Demex oracle, allowing the attacker to use the overvalued dGLP as collateral to borrow real assets, which were subsequently withdrawn. Unfortunately, the platform did not have a planned oracle price cap, and did not disable the dGLP market after the deprecation, which allowed the assets impacted to increase. Demex has said it is monitoring the situation, coordinating efforts to freeze or intercept funds, and creating plans for restitution.
Impact: $950,000.00
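The two controls the Demex entry says were missing, an oracle price cap and a switch to disable a deprecated market, are modelled below as an added example; it is not Demex's code. The vault figures, the 2% step limit and the 50% loan-to-value ratio are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Vault:
    """Share vault whose redemption rate is total_assets / total_shares."""
    total_assets: int
    total_shares: int

    def donate(self, amount: int) -> None:
        # A direct transfer adds assets without minting shares, so the rate rises.
        self.total_assets += amount

    def redemption_rate(self) -> Fraction:
        return Fraction(self.total_assets, self.total_shares)


@dataclass
class CappedOracle:
    """Reports the vault rate, limited to max_step growth over the last accepted rate."""
    last_rate: Fraction
    max_step: Fraction            # assumed policy: 1.02 means at most +2% per update
    market_enabled: bool = True   # set to False once the collateral is deprecated

    def price(self, vault: Vault) -> Fraction:
        if not self.market_enabled:
            raise RuntimeError("market disabled: collateral is deprecated")
        ceiling = self.last_rate * self.max_step
        rate = min(vault.redemption_rate(), ceiling)
        self.last_rate = rate
        return rate


def borrow_limit(shares: int, price: Fraction, ltv: Fraction) -> Fraction:
    """Maximum value that can be borrowed against `shares` of collateral."""
    return shares * price * ltv


def demo() -> dict:
    vault = Vault(total_assets=1_000, total_shares=1_000)  # constructed low-liquidity vault
    ltv = Fraction(1, 2)
    oracle = CappedOracle(last_rate=vault.redemption_rate(), max_step=Fraction(102, 100))
    before = borrow_limit(100, vault.redemption_rate(), ltv)
    vault.donate(9_000)  # the rate jumps from 1 to 10 in a single step
    uncapped = borrow_limit(100, vault.redemption_rate(), ltv)
    capped = borrow_limit(100, oracle.price(vault), ltv)
    return {"before": before, "uncapped": uncapped, "capped": capped}


if __name__ == "__main__":
    print(demo())
```

With the cap in place, the same 100 shares support a borrow limit of 51 instead of 500 after the donation, and a disabled market refuses to price the collateral at all.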
Cetus Protocol - 22/05/2025
Type: Overflow - Liquidity manipulation
Cetus protocol, a liquidity provider on the SUI blockchain, suffered a significant exploit resulting in the theft of millions in assets. Attackers exploited a vulnerability in an open-source library within Cetus’s smart contract, manipulating pool prices and draining token reserves across multiple iterations. The stolen assets were converted from USDT to USDC, bridged to the ETH blockchain, and further converted to ETH. Cetus managed to freeze over half of the stolen funds, and is working with the Sui Foundation and other partners to recover the remaining assets, receiving a critical loan from the foundation to reimburse victims. Cetus has also offered the hackers a ‘whitehat settlement’ allowing them to keep $5 million as a bounty if they return the remaining stolen funds.
Impact: $230,000,000.00
Dexodus - 26/05/2025
Type: Oracle Attack
Towards the end of May, Dexodus Finance, a perpetual derivatives protocol on the Base network, suffered a sizable exploit due to a signature replay vulnerability. The attacker initiated a flash loan from the Balancer vault and manipulated the protocol into accepting outdated oracle-signed data, setting the ETH price significantly below the market rate. Leveraging this, they opened a 100x leveraged long position with $10k collateral, creating a $1 million position. Then, they closed the position at actual market price, profiting about $290k and draining the protocol’s liquidity pool. The exploit stemmed from the protocol’s failure to validate the freshness of oracle signatures, allowing the reuse of old data. After the attack, the funds were bridged to Ethereum, where a portion returned to a team-controlled multisig wallet. This suggests either a partial recovery, or a whitehat agreement.
Impact: $291,000.00
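The freshness validation whose absence the Dexodus entry describes is sketched below as an added example; it is not Dexodus code. HMAC-SHA256 stands in for the oracle's real signature scheme, and the key, the 60-second age limit and the prices are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values: HMAC-SHA256 stands in for the oracle's real signature
# scheme, and MAX_AGE_SECONDS is an assumed freshness policy.
ORACLE_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 60


def sign_price(price_cents: int, timestamp: int, key: bytes = ORACLE_KEY) -> bytes:
    """Oracle side: the signature covers the price and its observation time."""
    msg = struct.pack(">QQ", price_cents, timestamp)
    return hmac.new(key, msg, hashlib.sha256).digest()


class PriceVerifier:
    """Protocol side: accept only authentic, fresh, not-yet-used quotes."""

    def __init__(self, key: bytes = ORACLE_KEY, max_age: int = MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.last_timestamp = 0  # newest quote timestamp already accepted

    def accept(self, price_cents: int, timestamp: int, sig: bytes, now: int) -> str:
        expected = sign_price(price_cents, timestamp, self.key)
        if not hmac.compare_digest(expected, sig):
            return "reject: bad signature"
        if timestamp > now:
            return "reject: timestamp in the future"
        if now - timestamp > self.max_age:
            return "reject: stale"
        if timestamp <= self.last_timestamp:
            return "reject: replayed or out of order"
        self.last_timestamp = timestamp
        return "accept"


def demo() -> list:
    now = 1_748_250_000  # constructed clock value
    old = (180_000, now - 3600, sign_price(180_000, now - 3600))  # hour-old quote
    fresh = (260_000, now - 5, sign_price(260_000, now - 5))
    v = PriceVerifier()
    return [
        v.accept(*old, now=now),                    # signature valid, quote stale
        v.accept(*fresh, now=now),                  # accepted
        v.accept(*fresh, now=now),                  # same signed message replayed
        v.accept(999, now - 1, fresh[2], now=now),  # signature does not cover these fields
    ]


if __name__ == "__main__":
    print(demo())
```

The hour-old quote carries a valid signature and is still rejected, which is the check the entry identifies as missing: authenticity alone says nothing about when the price was true.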
Usual - 27/05/2025
Type: Arbitration Exploit
Usual, a DeFi protocol, suffered an exploit when a user employed a capped unwrap route in the protocol’s beta usUSUS++ Vault, creating profit through arbitrage. The exploit involved manipulating the conversion process from USD0++ to USD0 during deposits. Despite the incident, no user funds were lost, and the protocol’s safeguards ensured that the affected vault was paused and the issue was contained. Usual is reviewing and deploying the router, and shared a full breakdown the day after the attack.
Impact: $43,000.00
Cork Protocol - 28/05/2025
Type: Access Control
The final large hack of the month exploited DeFi platform Cork Protocol, which hedges against stablecoin depegging risks. The attacker manipulated the protocol’s smart contract by creating a fake market that improperly set a real market’s depeg swap token as its redemption asset. Exploiting flawed access control in the beforeSwap() function, the attacker tricked the system into issuing fake tokens, which were then redeemed for real assets, resulting in the theft of 3,761 wstETH. To combat the attack, the Protocol paused all smart contracts to prevent further losses, and initiated an investigation into the exploit.

Information from the Nominis Vue dashboard regarding the exploiter’s address demonstrates the critical risk level assigned to it. Additional information contributing to the risk score includes shadow intelligence, which tracks mentions of the address in OSINT sources such as Telegram.
Impact: $12 million
Significant events in May
Hacks, exploits and crime
Though May 2025 saw a decrease in major hacks, there were still a number of social engineering hacks, exploits and criminal activity that took place. This included kidnappings, hacks and social engineering attacks.
In early May, Tron DAO, the governing body behind the TRON decentralized blockchain platform, experienced a hack of its verified X (formerly Twitter) account, through a social engineering attack targeting an internal team member. The attacker then used the account to post fraudulent smart contract addresses, send unsolicited DMs to followers, and follow suspicious accounts. After Tron DAO regained control, the hackers continued to try to exploit users, offering to publish promotional posts on the official account. Approximately $45,000 is suspected to have been solicited through the scam.
In mid-May in central Paris, an attempted kidnapping targeted the pregnant daughter of Paymium CEO Pierre Noizat, her husband and Noizat’s 2-year-old grandson. Armed with knives, the attackers attempted to force the family into a van, but passersby intervened and helped foil the attack. The incident follows a similar case in January 2025, where co-founder of Ledger David Balland was kidnapped and tortured for ransom. This reflects a disturbing trend of violent crime targeting well-known individuals in the crypto scene.
Also in mid May, Coinbase, a centralized exchange, suffered a security breach when overseas agents had been bribed to steal personal information from a small number of monthly active users. The leaked information included names and contact details amongst other data, but did not include passwords or private keys. However, the attackers did try to use the stolen contact details to further hack users for their assets via attempted social engineering attacks. The attackers asked for a $20 million ransom from Coinbase, who refused, instead setting up a matching $20 million bounty fund for information about the attackers. Coinbase have fired the rogue agents, are working closely with law enforcement and followed up the incident with a full disclosure report of events.
You can read more about it in our articles exploring the events and aftermath of the attack, here and here.
May 2025 saw the discovery and reporting of a large-scale phishing operation that has been running since ‘at least 2022’, according to sources. The campaign, known as FreeDrain, deployed over 38,000 malicious subdomains hosted on free-tier platforms like GitHub.io to exploit SEO and lure users seeking wallet-related information to fake pages mimicking legitimate wallet interfaces. After seed phrases were entered, funds were drained immediately. The operation also apparently uses AI content to boost search visibility, adding a new element to the way in which AI is used for malicious efforts to hack and steal funds and data in the crypto space.
Another huge discovery, reported in mid May, was the finding that ‘$3.2 trillion in artificial crypto trading was pumped through Telegram’, by just ‘489 people’. This revelation comes after researchers at University College London recognised that between February 16 and October 9 2024, just under 500 people orchestrated this entire pump-and-dump scheme on Telegram. Allegedly, these malicious actors created ‘Persius’, a tool tracking over 700,000 messages and 200 individuals who would coordinate ‘crowd-pumping’ to encourage individuals to invest, manipulating the market dramatically. This research was shared on Medium by Netfture Security, citing the findings of the UCL researchers.
Finally, May 2025 saw the confirmation that individuals are still suffering attacks following the October 2024 Radiant Capital exploit. Sources have confirmed that although the attack took place over half a year ago, funds continue to be siphoned through previously granted token approvals, resulting in over 5,500 compromised wallets and over $689,000 in losses in the last two months. This reflects the persistent danger of token approvals: permission remains active indefinitely, permanently compromising the safety hygiene of a wallet. It also underscores the critical need for better wallet UX, security education and alerts from wallet providers to ensure users know how to manage and when to revoke approvals.
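Because an approval stays live until it is explicitly set back to zero, wallets exposed to a compromised spender can be listed by replaying ERC-20 Approval events, as in the added example below, which is not taken from the original report. The addresses, token names and block numbers are constructed placeholders.

```python
from typing import NamedTuple

UNLIMITED = 2**256 - 1  # the "infinite approval" value wallets commonly request


class Approval(NamedTuple):
    block: int
    token: str
    owner: str
    spender: str
    value: int


def outstanding(events: list) -> dict:
    """Replay Approval events in block order; the latest value per (token, owner, spender) wins."""
    state = {}
    for ev in sorted(events, key=lambda e: e.block):
        key = (ev.token, ev.owner, ev.spender)
        if ev.value == 0:
            state.pop(key, None)  # approve(spender, 0) is a revocation
        else:
            state[key] = ev.value
    return state


def exposed(events: list, flagged_spenders: set) -> list:
    """Approvals still live towards a flagged spender, labelled by size."""
    rows = []
    for (token, owner, spender), value in sorted(outstanding(events).items()):
        if spender in flagged_spenders:
            size = "unlimited" if value == UNLIMITED else str(value)
            rows.append((owner, token, spender, size))
    return rows


# Constructed sample log; the addresses are placeholders, not real contracts.
SAMPLE = [
    Approval(100, "USDC", "0xAlice", "0xCompromisedPool", UNLIMITED),
    Approval(120, "USDC", "0xBob", "0xCompromisedPool", 5_000),
    Approval(130, "WETH", "0xAlice", "0xOtherDex", UNLIMITED),
    Approval(900, "USDC", "0xBob", "0xCompromisedPool", 0),  # Bob revoked later
]

if __name__ == "__main__":
    for row in exposed(SAMPLE, {"0xCompromisedPool"}):
        print(row)
```

Event replay yields the candidate list only; an allowance also shrinks as the spender uses it, so the token contract's allowance() call is the authoritative value before alerting a user.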
Legal actions
This month saw a number of actions taken by regulatory and law enforcement authorities in order to prevent or halt illegal activity in the crypto space. This included arrests, shut downs of exchanges and platforms and the designation of high-risk scores associated with groups performing nefarious activity.
In early May, Israeli authorities arrested Alexander Gurevich at an airport while he attempted to travel to Russia under false documents. Gurevich is suspected to have instigated the August 2022 exploit of the Nomad crypto bridge, which resulted in the theft of $190 million in digital assets. The exploit led to a surge of copycat attacks, further increasing the impact and damages to the community. Israeli authorities are working with US officials to extradite Gurevich to the US, where he faces charges of money laundering and computer related offences.
Another arrest this month involved founder and former CEO of Celsius Network, Alex Mashinsky, who was sentenced to 12 years in federal prison after pleading guilty to securities and commodities fraud. The court found he had misled customers about the financial stability of the platform and manipulated the price of the native token CEL, leading to over $7 billion in losses.
German authorities shut down the cryptocurrency exchange eXch.cx over allegations of facilitating money laundering and operating a criminal trading platform. The operation, conducted at the very end of April 2025, led to the seizure of over $38 million in various cryptocurrencies. Prior to the shutdown, the exchange shared plans to cease operations, citing an active operation targeting the platform for alleged money laundering and terrorist activity, but denied their own involvement in nefarious activities. Suspicions have also been raised regarding the platform, after they refused to assist in freezing funds connected to the Bybit hack in February 2025.
Also this month, the US Treasury’s Financial Crimes Enforcement Network (FinCEN) designated Cambodia-based Huione Group as a ‘primary money laundering concern’ under the USA PATRIOT Act. In early May the Nominis Intelligence Unit discovered over $3 billion worth of illegal funds laundered and moved by wallets directly linked with the Huione group. These findings corroborate FinCEN’s decision to designate them as a main concern, and further findings suggest that despite efforts to ban the group, operations are proceeding, highlighting the persistent efforts of Huione.
May 2025 saw Thailand join the list of countries placing restrictions on Bybit and other exchanges, such as OKX, CoinEx and XT.com for operating without proper licenses. Effective at the end of June, these platforms will be inaccessible to Thai investors. The SEC’s investigation revealed these exchanges offered digital assets without regulatory approval, prompting concerns over potential illicit activities like money laundering.
Concluding thoughts
May 2025 revealed that crypto threats are not always measured solely by the funds lost, but by the depth and diversity of vulnerabilities that continue to expose users, platforms and protocols alike. From sophisticated DeFi exploits and smart contract vulnerabilities to persistent wallet approval risks and targeted attacks on individuals and platforms, this month served as a stark reminder of the evolving nature of crypto-related threats. This month also showcased the rising integration of social engineering, phishing campaigns, scams involving AI and even real-world violence tied to digital assets. Regulatory bodies responded with arrests, shutdowns and new restrictions, underscoring an increasingly active global enforcement landscape. While May did not witness the highest financial toll in crypto’s history, it painted a broader picture: a maturing industry still grappling with fundamental weaknesses in security, trust and compliance.
However, not all hope is lost. Platforms providing effective compliance tools, like real-time continuous transaction monitoring, are gaining recognition. Nominis, having won first place at the Mastercard Forum and 3rd place of the hundreds of participants in the CryptoValley Start-Up competition, demonstrates that the way forward is being paved, and reinforces the seriousness of the challenge. The solution provided by Nominis Vue, being taken seriously at the highest level, demonstrates that it is a very real method in combatting the exploitation we saw this month.
While we strive for accuracy in our content, we acknowledge that errors may occur. If you find any mistakes, please reach out to us at contact@nominis.io. Your feedback is appreciated!