Due to space constraints, this article only lists key content from the analysis report; the complete content can be downloaded via the following link.
Chinese: https://www.slowmist.com/report/SlowMist-first-half-of-the-2025-report(CN).pdf
English: https://www.slowmist.com/report/SlowMist-first-half-of-the-2025-report(EN).pdf
I. Introduction
In the first half of 2025, while the blockchain industry continued to develop rapidly, it also faced growing pressure from increasingly complex security threats and compliance challenges. On one hand, hacker attacks remained active: the attack methods of APT organizations became modular and systematic, and phishing and social engineering attacks were rampant, causing significant asset losses and a crisis of user trust. On the other hand, global regulation is accelerating, with governments and international organizations frequently issuing new rules on anti-money laundering, sanctions, and investor protection. Notably, stablecoins are gradually evolving into key infrastructure connecting traditional finance and on-chain finance, with major financial institutions and leading crypto platforms accelerating their stablecoin strategies. Additionally, the fund-flow patterns of illicit activity are continuously evolving; on-chain tracking technologies and intelligence collaboration mechanisms are evolving with them, cooperation between regulatory agencies and leading platforms is becoming increasingly close, and cases of fund freezing and recovery have increased significantly, forming a stronger deterrent against on-chain crime and illicit funds.
As a pioneer in the field of blockchain security, SlowMist continues to delve into threat intelligence, attack monitoring, tracing, and compliance support. Against this backdrop, this report focuses on significant security incidents in the first half of 2025, global regulatory evolution, and on-chain anti-money laundering trends. We hope this report can provide timely, systematic, and insightful security compliance references for industry practitioners, security researchers, and compliance officers, enhancing their ability to identify, respond to, and anticipate risks.
II. Blockchain Security Situation
Security Incident Review
In the first half of 2025, the blockchain field still faced severe security challenges. According to SlowMist's incomplete statistics from the SlowMist Hacked incident archive, there were a total of 121 security incidents in the first half of the year, causing losses of approximately $2.373 billion. Compared to the first half of 2024 (a total of 223 incidents with losses of approximately $1.43 billion), although the number of incidents decreased, the overall loss amount increased year-on-year by about 65.94%.
Note: The data in this report is based on the token price at the time of the incident. Due to price fluctuations, some undisclosed incidents, and the exclusion of ordinary users' losses from the statistics, the actual losses should be higher than the statistical results.
(https://hacked.slowmist.io/)
1. From the ecological dimension
Ethereum remains a high-risk area for attacks, with related losses of approximately $38.59 million. Next is Solana, with losses of approximately $5.8 million, followed by BSC, with losses of approximately $5.49 million.
2. From the project type perspective
DeFi was the most frequently attacked project type. In the first half of 2025, there were a total of 92 security incidents related to DeFi, accounting for 76.03% of the total number of incidents (121), with losses of approximately $470 million. Compared to the first half of 2024 (a total of 158 incidents with losses of approximately $659 million), losses decreased year-on-year by 28.67%. The next highest category was incidents related to exchange platforms, totaling 11, but with a staggering loss of $1.883 billion; among these, Bybit was attacked the most severely, losing approximately $1.46 billion in a single incident.
3. From the perspective of loss scale
In the first half of the year, there were 2 incidents with losses exceeding $100 million, and the top ten attack incidents totaled losses of $2.018 billion.
4. From the perspective of attack causes
Account hacks caused the most security incidents, reaching 42. The second highest was security incidents caused by contract vulnerabilities, totaling 35.
Fraud Techniques
In addition to directly attacking projects or protocols, the 'scams' targeting ordinary users are also rapidly evolving. This section selects several typical or new types of fraud techniques that are noteworthy in the first half of 2025.
1. Using EIP-7702 for Phishing
These phishing attacks exploit the delegation mechanism introduced by EIP-7702: a user's EOA address can be delegated to a contract, giving the EOA that contract's capabilities (such as batch transfers, batch authorizations, gas payment, etc.). If a user delegates their address to a malicious contract, their assets are at risk. If a user delegates their address to a legitimate contract that is then maliciously exploited by a phishing site, the assets are equally at risk. Additionally, some anti-phishing tools cannot accurately capture the risk of batch authorization operations, creating opportunities for phishing groups.
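One defensive check that follows from the mechanism described above is to inspect whether an EOA currently carries an EIP-7702 delegation and, if so, whether the delegate contract is one the user or platform trusts. The example below is added here for illustration and is not code from the report or from SlowMist; it assumes the account code is supplied as the hex string that `eth_getCode` returns (no RPC call is made), and the addresses and the allowlist are constructed sample values rather than real contracts.

```python
from typing import Dict, List, Optional, Set, Tuple

# Under EIP-7702, an EOA that has accepted a delegation carries a 23-byte
# "delegation designator" as its code: 0xef0100 followed by the 20-byte
# address of the contract whose code it now executes. Any other code is
# either empty (plain EOA) or ordinary contract bytecode.
DELEGATION_PREFIX = bytes.fromhex("ef0100")
DESIGNATOR_LEN = 3 + 20


def _strip_0x(code_hex: str) -> str:
    return code_hex[2:] if code_hex[:2].lower() == "0x" else code_hex


def parse_delegation(code_hex: str) -> Optional[str]:
    """Return the delegated-to address (lowercase, 0x-prefixed) if the account
    code is an EIP-7702 delegation designator, otherwise None."""
    code = bytes.fromhex(_strip_0x(code_hex))
    if len(code) != DESIGNATOR_LEN or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[3:].hex()


def assess_account(code_hex: str, trusted_delegates: Set[str]) -> str:
    """Classify an account from its code (as returned by eth_getCode).

    Verdicts:
      eoa_plain           - no code, an ordinary EOA
      contract_code       - a normal contract (not a delegation designator)
      delegated_trusted   - delegated to an allowlisted contract
      delegated_untrusted - delegated to an address not on the allowlist
    """
    if _strip_0x(code_hex) == "":
        return "eoa_plain"
    target = parse_delegation(code_hex)
    if target is None:
        return "contract_code"
    allow = {a.lower() for a in trusted_delegates}
    return "delegated_trusted" if target in allow else "delegated_untrusted"


def review_accounts(accounts: Dict[str, str],
                    trusted_delegates: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (address, delegate, verdict) for every account whose delegation
    points outside the allowlist; these are the ones worth alerting on."""
    flagged = []
    for addr, code in accounts.items():
        verdict = assess_account(code, trusted_delegates)
        if verdict == "delegated_untrusted":
            flagged.append((addr, parse_delegation(code), verdict))
    return flagged


# Constructed sample data (hypothetical addresses, not real contracts):
# one allowlisted delegate, one unknown delegate, a plain EOA, a contract.
TRUSTED_DELEGATES = {"0x" + "11" * 20}
SAMPLE_ACCOUNTS = {
    "0x" + "a1" * 20: "0xef0100" + "11" * 20,   # delegated to trusted contract
    "0x" + "a2" * 20: "0xEF0100" + "22" * 20,   # delegated to unknown contract
    "0x" + "a3" * 20: "0x",                      # plain EOA, no delegation
    "0x" + "a4" * 20: "0x6080604052",            # ordinary contract bytecode
}

if __name__ == "__main__":
    for addr, delegate, verdict in review_accounts(SAMPLE_ACCOUNTS, TRUSTED_DELEGATES):
        print(f"{addr} -> {delegate}: {verdict}")
```

A wallet or monitoring service can run `assess_account` on the code of each address it guards after every block that includes a type-4 (set-code) transaction; a verdict of `delegated_untrusted` is the signal to warn the user before any further signing, since from that point on a single call can trigger the batch operations the delegate contract permits.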
2. Using Deepfake for Scams
With the rapid development of generative artificial intelligence, 'trust-based scams' built on deepfake technology have emerged quickly. The essence of this type of scam is that attackers use AI synthesis tools to impersonate the voice and video likeness of well-known project founders, exchange executives, or community KOLs in order to steer the public into investing in projects; or they induce victims to grant further authorizations and make transfers on the instructions of fake security experts; or, going further, they combine deepfake technology with victims' photos to create dynamic images in an attempt to bypass the KYC systems of exchanges or wallet platforms, thereby taking over accounts and stealing assets. These forged materials are often highly realistic, making it difficult for ordinary users to tell real from fake.
3. Telegram Fake Safeguard Scam
In early 2025, many users encountered fake Safeguard scams on the Telegram platform, ultimately leading to asset theft or device infection. These scams center around inducing users to execute malicious code in the clipboard, widely spreading through high-frequency scenarios like token airdrops and impersonating KOL posts, resulting in serious security consequences. Even experienced players may fall victim under FOMO emotions and the illusion of 'official verification.'
4. Malicious Browser Extensions
Malicious browser extensions have long been a common fraud technique in the crypto field. Attackers disguise extensions as 'Web3 security tools' or abuse the automatic update mechanism of plugins to steal user data and take control of permissions, and even induce users to perform sensitive operations, making these attacks more concealed and more deceptive than before.
5. LinkedIn Recruitment Phishing
Since the beginning of 2025, there has been an increasing trend of scam cases that inject malicious code under the guise of recruitment, particularly on professional social platforms such as LinkedIn, posing a new type of threat to the engineering community. Such attacks often adopt a combined strategy of 'professional packaging + precise targeting,' with a high level of disguise.
6. Social Engineering Attacks
In the first half of 2025, social engineering attacks continued to occur frequently in the crypto industry, with increasingly sophisticated and concealed attack methods, especially cases that combined internal permission abuse on platforms with external precise fraud, garnering widespread attention. Among them, the social engineering attacks faced by Coinbase users are particularly typical. Since the beginning of the year, many Coinbase users reported receiving calls from 'official customer service' and were induced to transfer funds to so-called 'secure wallets.' On May 15, Coinbase officially announced that 'internal personnel are suspected of leaking customer information' and stated that they are cooperating with the U.S. Department of Justice (DOJ) for an investigation. The investigation results showed that hackers obtained system permissions by bribing overseas customer service personnel, stealing KYC information including names, addresses, and emails. Although it did not involve user passwords, private keys, or account balances, it was sufficient to implement a highly realistic scam process. The scammers even demanded a ransom of $20 million from Coinbase.
7. Low-priced AI Tools Backdoor Poisoning
Attackers used the bait of 'the lowest price for calling AI tool APIs' to attract traffic on short-video platforms, inducing developers to install malicious npm packages named sw-cur, aiide-cur, sw-cur1, and others. Once these dependencies execute, they deeply tamper with the local Cursor application, implant backdoors, and remotely take over the coding environment, not only stealing credentials but also potentially turning devices into 'zombies' under the long-term control of the attackers. Statistics show that over 4,200 developers are known to be affected, mainly concentrated among macOS users.
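Because the packages above do their damage at install time, a project-level check that reads the npm manifest and lockfile for known-bad package names and for install-time lifecycle hooks is a practical first line of defence. The example below is added here and is not code from the report or from SlowMist; the three package names come from the report, while the manifest and lockfile contents are constructed sample data, and a real deployment would feed `KNOWN_MALICIOUS` from threat intelligence rather than a hard-coded set.

```python
import json
from typing import List, Tuple

# Package names the report lists as malicious. In practice this set would be
# populated from a threat-intelligence feed rather than hard-coded.
KNOWN_MALICIOUS = {"sw-cur", "aiide-cur", "sw-cur1"}

# npm lifecycle hooks that execute arbitrary code during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

Finding = Tuple[str, str]  # (kind, detail)


def scan_manifest(manifest_text: str) -> List[Finding]:
    """Flag known-malicious direct dependencies and install-time scripts
    declared in a package.json."""
    manifest = json.loads(manifest_text)
    findings: List[Finding] = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(field, {}):
            if name in KNOWN_MALICIOUS:
                findings.append(("known_malicious", f"{field}:{name}"))
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings.append(("install_hook", f"{hook}: {cmd}"))
    return findings


def scan_lockfile(lock_text: str) -> List[Finding]:
    """Walk the resolved dependency tree in a package-lock.json (lockfile v2/v3
    'packages' map) so transitive dependencies are covered too. npm records
    hasInstallScript for packages that declare an install-time hook."""
    lock = json.loads(lock_text)
    findings: List[Finding] = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        # "node_modules/a/node_modules/@s/b" -> "@s/b"
        name = path.rsplit("node_modules/", 1)[-1]
        if name in KNOWN_MALICIOUS:
            findings.append(("known_malicious", path))
        if meta.get("hasInstallScript"):
            findings.append(("install_hook", path))
    return findings


# Constructed sample inputs (not taken from any real project).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"express": "^4.19.0", "sw-cur": "^1.0.0"},
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
})

SAMPLE_PACKAGE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/aiide-cur": {"version": "1.0.1", "hasInstallScript": True},
    },
})

if __name__ == "__main__":
    for kind, detail in scan_manifest(SAMPLE_PACKAGE_JSON) + scan_lockfile(SAMPLE_PACKAGE_LOCK):
        print(f"[{kind}] {detail}")
```

An `install_hook` finding is not proof of malice, since many legitimate native packages compile at install time, but it marks exactly the packages whose code runs before any review; pairing this scan with `npm install --ignore-scripts` in CI, and only re-enabling scripts for packages that have been vetted, removes the execution step these campaigns rely on.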
8. Unrestricted Large Language Models (LLM)
So-called 'unrestricted LLMs' are models that have been deliberately modified or 'jailbroken' to bypass the safety mechanisms and ethical restrictions of mainstream models. Mainstream vendors invest heavily in preventing their models from being used to generate hate speech, disinformation, malicious code, or illegal instructions, while some criminals deliberately develop or abuse these less-restricted models for cybercrime. In the crypto field, the abuse of such models is lowering the barrier to attack. Attackers can obtain open-source model weights and source code and then fine-tune them on datasets containing malicious content to build customized fraud tools. Such models can be used to generate phishing emails, malicious code, scam scripts, and the like, and even people with no programming experience can easily get started with them.
III. Anti-Money Laundering Situation
This section is divided into four parts: global regulatory dynamics, fund freezing and return data, organizational dynamics, and mixing tools.
Anti-Money Laundering and Regulatory Dynamics
In the first half of 2025, countries showed a clear trend toward maturity and institutionalization in the regulation of digital assets. From the management of licenses for crypto platforms, the regulatory framework for stablecoins, to the strengthening of anti-money laundering systems, and restrictions on privacy coins and P2P transactions, the world is forming an increasingly intricate governance network for crypto finance.
Fund Freezing/Return Data
In the first half of 2025, Tether froze USDT-ERC20 assets on 209 ETH addresses. (Data source: https://dune.com/phabc/usdt---banned-addresses)
In the first half of 2025, Circle froze USDC-ERC20 assets on 44 ETH addresses. (Data source: https://dune.com/phabc/usdc-banned-addresses)
In the first half of 2025, there were 9 incidents where funds could be recovered or frozen after being attacked. In these 9 incidents, the total amount of stolen funds was approximately $1.73 billion, of which nearly $270 million was returned/frozen, accounting for 11.38% of the total losses in the first half of the year. This ratio is supported by the continuous improvement of collaborative responses and on-chain tracking capabilities.
In addition, with strong support from the SlowMist InMist Lab threat intelligence collaboration network, in the first half of 2025, SlowMist assisted clients, partners, and publicly hacked incidents in freezing and recovering approximately $14.56 million.
Notably, on April 15, the decentralized perpetual contract trading platform KiloEX was attacked by hackers, resulting in losses of approximately $8.44 million. After the incident, SlowMist immediately organized a security team to respond, working with KiloEX to clarify the attack path and the flow of funds. At the same time, relying on its self-developed on-chain anti-money laundering tracking and analysis platform MistTrack (https://misttrack.io/) and the InMist threat intelligence network, the team completed a profile of the attackers' information and characteristics and assisted the project team through multiple rounds of negotiation with the attackers. Ultimately, through the efforts of SlowMist and multiple collaborating parties, all stolen assets of $8.44 million were successfully recovered just 3.5 days after the incident, and KiloEX reached a 10% white hat bounty agreement with the attackers.
(https://etherscan.io/idm?addresses=0x00fac92881556a90fdb19eae9f23640b95b4bcbd%2C0x1D568fc08a1d3978985bc3e896A22abD1222ABcF%2C&type=1)
Organizational Dynamics
1. Lazarus Group
This subsection mainly introduces the methods used by the North Korean hacker organization Lazarus Group, several related incidents they caused in the first half of 2025, and analyzes Lazarus Group's money laundering techniques using the Bybit theft incident as an example.
2. Drainers
This section is written by our partner, the Web3 anti-fraud platform Scam Sniffer (https://www.scamsniffer.io/), to whom we express our gratitude.
In the first half of 2025, the Web3 ecosystem continued to face phishing threats, causing total losses of approximately $39.73 million and affecting 43,628 addresses. This subsection analyzes the main trends and significant cases of Wallet Drainer attacks in the first half of 2025, providing security references for industry practitioners and users.
3. HuionePay
As the global crackdown on online fraud, underground payment networks, and illegal cross-border money laundering activities intensifies, a platform named HuionePay has drawn significant regulatory attention. This platform is suspected of being used for receiving, transferring, and withdrawing scam funds, particularly frequently conducting on-chain operations via USDT on the TRON chain. SlowMist has constructed a Dune data statistical panel based on on-chain anti-money laundering and tracking tools MistTrack and publicly available data, and has conducted an in-depth analysis of HuionePay's USDT deposit and withdrawal behavior on the TRON chain. The data time range is from January 1, 2024, to June 23, 2025, data source: https://dune.com/misttrack/huionepay-data.
Mixing Tools
1. Tornado Cash
In the first half of 2025, users deposited a total of 254,094 ETH (approximately $605,272,821) into Tornado Cash, and withdrew a total of 248,922 ETH (approximately $584,998,160) from Tornado Cash; deposit and withdrawal activities were quite active in May and June.
(https://dune.com/misttrack/first-half-of-2025-stats)
2. eXch
In the first half of 2025, users deposited a total of 28,756 ETH (approximately $82,193,535) and a total of 73,482,393 ERC20 tokens (approximately $73,482,393) into eXch; deposits peaked at $1.94 million in early March, but were halted on April 30 due to a crackdown.
(https://dune.com/misttrack/first-half-of-2025-stats)
IV. Summary
In the first half of 2025, the blockchain industry continued to emphasize compliance, stability, and security. Hacker attacks remained frequent, with project hot wallets and social engineering phishing still the highest-risk areas; at the same time, on-chain tracking, fund freezing, and other defensive capabilities continued to evolve. On the other hand, global compliance regulation is accelerating, with regions such as Hong Kong, the United States, and the European Union intensively issuing detailed rules, making the trend of 'compliance equals access' increasingly evident. Overall, the industry is gradually emerging from its early, unregulated stage and developing in a direction centered on 'compliance as the foundation, security as the priority, and stability as the basis,' with competition increasingly focused on who can survive longer and more stably within the compliance regulatory system.
V. Disclaimer
The content of this report is based on our understanding of the blockchain industry, the SlowMist Hacked incident archive, and data support from the anti-money laundering tracking system MistTrack. However, due to the 'anonymity' feature of blockchain, we cannot guarantee the absolute accuracy of all data nor bear responsibility for any errors, omissions, or losses incurred from the use of this report. Additionally, this report does not constitute any investment advice or basis for other analyses. If there are any omissions or deficiencies in this report, we welcome criticism and correction.