2025年区块链安全与反洗钱年度报告（英文版）-SlowMist慢雾

1

Tableofcontents

I.Introduction3

II.BlockchainSecurityTrends4

2.1OverviewofBlockchainSecurityIncidents4

2.2Top10SecurityIncidentsof20257

2.2.1Bybit7

2.2.2CetusProtocol8

2.2.3BalancerV28

2.2.4Nobitex9

2.2.5Phemex9

2.2.6UPCX10

2.2.7BtcTurk10

2.2.8Infini10

2.2.9CoinDCX11

2.2.10GMX11

2.3ScamTechniques12

2.3.1PhishingAttack12

2.3.2SocialEngineeringAttack22

2.3.3SupplyChainandOpenSourceEcosystemPoisoning31

2.3.4MaliciousBrowserExtensionsandExtensionEcosystemRisks38

2.3.5AttacksUsingAITechnology44

2.3.6PonziSchemeFraud51

III.Anti-MoneyLaunderingTrends58

3.1AMLandRegulatoryDynamics58

3.1.1LEandSanctionsActions58

3.1.2RegulatoryPolicies63

Asia63

2

Europe68

NorthAmerica70

LatinAmerica72

MiddleEast73

Africa73

Oceania74

3.2Freeze/RecoverFundsData75

3.3CybercrimeOrganizationsandtheUndergroundCyberEcosystem78

3.3.1DPRKHackers78

3.3.2Drainer95

3.3.3HuioneGroup103

3.3.4Ransomware/Malware108

3.3.5Privacy/CoinMixingTools114

IV.Conclusion118

V.Disclaimer120

VI.AboutSlowMist121

3

I.Introduction

In2025,theblockchainindustrycontinueditsrapidevolution,withtheinterplayofmacro-financialconditions,regulatoryuncertainties,andintensifiedattacksmakingtheoverallsecuritylandscapesignificantlymorecomplex.Ononehand,hackergroupsandundergroundcybercrimenetworksexhibitedstrongerorganizationandprofessionalization.NorthKorea–linkedhackersremained

highlyactive,withinformation-stealingtrojans,privatekeyhijacking,andsocialengineering

phishingbeingthemainattackvectorsthroughouttheyear.RisksintheDeFiecosystem

continuedtosurface,withMemetokenlaunches,permissionmanagementissues,andothervulnerabilitiesrepeatedlycausingsignificantlosses.TheemergenceofRaaS

(Ransomware-as-a-Service)andMaaS(Malware-as-a-Service)hasloweredtheentrybarrierforattackers,enablingthosewithouttechnicalbackgroundstolaunchattacksquickly.

Meanwhile,undergroundmoneylaunderingsystemscontinuedtomature,withmulti-layeredfundflowsformedbySoutheastAsianscamclusters,privacytools,andmixingservices.Onthe

regulatoryfront,countriesacceleratedtheimplementationofAML/CFTframeworksforcryptoassets.TheU.S.,U.K.,EU,andAsianjurisdictionscarriedoutmultiplecross-borderenforcementoperations.On-chaintracing,intelligencesharing,andassetfreezemechanismsbecamemoreefficient,shiftinginternationalenforcementfromisolatedactionstosystematiccontainment.

Notably,thelegalboundariesofdifferenttypesofprivacyprotocolsarebeingredefined,withregulationgraduallymovingfromblanketsanctionstoamorenuancedapproachthat

distinguishestechnicalcharacteristicsfromcriminaluses.Thelinebetweentechnologicalfreedomandlegalaccountabilityhasbecomeclearerthanever.

Asapioneerinblockchainsecurity,SlowMistcontinuestofocusonthreatintelligence,attackmonitoring,forensictracing,andcompliancesupport,assistinginmultiplecasesofhackerfundtracingandfreezing.Thisreporthighlightskeysecurityincidentsin2025,trendsinAPTgroupactivities,theevolutionofmoneylaunderingmodels,andregulatoryandenforcement

developments.Itaimstoprovideindustrypractitioners,securityresearchers,andcomplianceprofessionalswithtimely,systematic,andinsightfulguidancetoenhancetheirabilitytoidentify,respondto,andanticipaterisks.

4

II.BlockchainSecurityTrends

In2025,theblockchainsectorcontinuedtofaceseveresecuritychallenges.Accordingto

incompletestatisticsfromSlowMistHacked,ablockchainsecurityincidentarchivemaintainedbySlowMist,atotalof200securityincidentsoccurredduringtheyear,resultinginapproximately

$2.935billioninlosses.

Incomparison,2024saw410incidentswitharound$2.013billioninlosses.Whilethenumberofincidentsdeclinedyear-over-year,thetotalamountoflossesincreasedbyapproximately46%.

(Note:Thedatainthisreportisbasedontokenpricesatthetimeofeachincident.Duetopricefluctuations,unreportedcases,andtheexclusionofindividualuserlosses,theactualamountoflossesislikelyhigherthanthefigurespresented.)

(

https://hacked.slowmist.io/

)

2.1OverviewofBlockchainSecurityIncidents

(1)ByEcosystem

●Ethereumremainedthemosttargetedecosystem,withrelatedlossesofapproximately$183.25million;

●Solanarankedsecond,withlossesofaround$17.45million;

●Arbitrumwasthird,withlossesofabout$17.10million.

5

(DistributionandLossesofSecurityIncidentsAcrossEcosystemsin2025)

(2)ByProjectType

●DeFiremainedthemostfrequentlytargetedsectorin2025,withatotalof126securityincidents,accountingforapproximately63%ofallincidentsthatyear,andtotallossesreachingaround$649million.Comparedto2024(339incidents,about$1.029billioninlosses),thisrepresentsayear-over-yeardecreaseofapproximately37%intotallosses.

●Centralizedexchangeplatformsreportedonly22incidents,yettheseresultedina

staggering$1.809billioninlosses.ThemostseverecaseinvolvedanattackonBybit,causingapproximately$1.46billioninlossesfromasingleincident,makingitthemostserioussecurityeventoftheyear.

6

(DistributionandLossesofSecurityIncidentsAcrossDifferentSectorsin2025)

(3)ByAttackVector

●Smartcontractvulnerabilitiesweretheprimarycause,withatotalof56incidents.

●Accountcompromisesrankedsecond,withatotalof50incidents.

(DistributionofCausesforSecurityIncidentsin2025)

7

2.2Top10SecurityIncidentsof2025

(Top10SecurityAttackIncidentswiththeHighestLossesin2025)

2.2.1Bybit

OnFebruary21,2025,on-chaininvestigatorZachXBTdisclosedanabnormallarge-scaleoutflowoffundsfromthe

Bybit

platform.Itwasultimatelyconfirmedthattheincidentresultedinthetheftofmorethan$1.46billionworthofcryptoassets,makingitoneofthelargestcryptocurrency

securityincidentsintermsoflossesinrecentyears.

Followingtheincident,theSlowMistsecurityteampromptlyconductedananalysisbasedonhowtheattackerobtainedSafemultisigpermissionsandthesubsequentlaunderingactivities,

concludingthattheattackerwaslikelylinkedtoaNorthKoreanhackinggroup.Thisassessmentwaslatercorroboratedbyon-chainevidenceprovidedbyZachXBT.

Furtheranalysisrevealedthattheattackerfirstgainedcontroloftheapp.safe.globalfrontend

codeanduseditasanentrypointtocarryoutatargetedattackagainsttheSafe{Wallet}multisigwalletsusedbyBybit.Afterward,SafeandBybitjointlyreleasedasecurityinvestigationreport

confirmingthattheattackoriginatedfromSafe{Wallet}’sAWSinfrastructure(potentiallyinvolving

8

leakedorcompromisedS3/CloudFrontaccountsorAPIkeys),whileBybit’sowninfrastructurewasnotcompromised.

2.2.2CetusProtocol

OnMay22,2025,accordingtocommunityreports,

CetusProtocol

,aliquidityproviderintheSuiecosystem,wassuspectedofsufferinganattack.Liquidityacrossmultiplepoolsdroppedsharply,andpricesofseveraltokentradingpairsontheplatformexperiencedsignificantdeclines.

Preliminaryestimatesputthelossesatover$230million.

Subsequently,theprojectteamannouncedthatapproximately$162millioninassetshadbeenrecoveredthroughavalidator-basedfreezingmechanism.Aftertheincident,theSlowMist

securityteampromptlyintervenedandconfirmedthattherootcauseoftheattackstemmedmainlyfromtwofactors:

First,theCorkmechanismalloweduserstocreatemarketsviatheCorkConfigcontractusinganyassetastheRedemptionAsset(RA),whichenabledtheattackertodesignateDSastheRA.

Second,anyusercouldcallthebeforeSwapfunctionoftheCorkHookcontractwithout

authorizationandpassincustomhookdatatoexecuteCorkCalloperations.Thisallowedtheattackertomanipulatetheprocess,transferringDSfromalegitimatemarkettoanothermarketandusingitastheRA,therebyobtainingthecorrespondingDSandCTtokens.

OnJune8,Cetusannouncedtherelaunchoftheplatform.Usingtherecoveredassets,

approximately$7millioninitsentirecashreserves,anda$30millionUSDCloanfromtheSuiFoundation,theprojectcompensatedaffectedliquiditypools,restoringtheirassetvaluesto85%–99%oftheiroriginallevels.Theremaininglosseswillbecompensatedlinearlyover12monthsthroughCETUStokens.

2.2.3BalancerV2

OnNovember3,2025,theDeFiprotocol

BalancerV2

sufferedavulnerabilityexploitaffecting

ComposableStablePools.Theattackresultedintotallossesof$121.1millionacrossEthereum,Arbitrum,Base,Optimism,andPolygon.

9

Followingtheincident,theSlowMistsecurityteamconductedananalysisandconfirmedthattherootcauselayinanincorrectroundingdirectionwithintheStablePool“exact-out”swappath.Thisflawwasfurtheramplifiedbyprecisionerrorsintroducedbyrateprovidersandextremely

low-liquidityconditions,allowingtheattackertomanipulatethepoolinvariantanddistortBPTpricecalculations,therebyextractinglargeamountsofassetsfromthepoolsatacost

significantlylowerthantheirtruevalue.

OnNovember19,Balancerreleasedapost-incidentanalysisreportstatingthataftertheissue

wasidentified,allpartiescoordinatedrapidlyanddeployedmultiplesecuritymeasures,ultimatelyprotectingorrecoveringapproximately$45.7millioninuserfunds.

2.2.4Nobitex

OnJune18,2025,theIran-basedcryptocurrencyexchange

Nobitex

sufferedahackerattack.

Accordingtotheplatform,theattackerstransferredfundstoburnaddressescontainingslogansagainsttheIranianRevolutionaryGuard,destroyingapproximately$100millionworthofcryptoassets,whichclearlyhadapsychologicalimpact.Apro-Israelhackergroupcallingitself

“GonjeshkeDarande”(meaning“PredatorySparrow”)claimedresponsibilityfortheattackandreleasedtheplatform’ssourcecodeandinternaldatawithin24hours.ThegroupisreportedlyaffiliatedwithIsraelandaccusedNobitexofbeinga“keyregimetoolforfundingterrorismandevadingsanctions.”OnJune29,Nobitextweetedthatitwouldbeginrestoringuserwallet

balancesinphases,startingwithverifiedusers’spotwalletsandgraduallyextendingtootherwallettypes.

2.2.5Phemex

OnJanuary23,2025,thehotwalletsofSingapore-basedcryptocurrencyexchange

Phemex

wereattacked,resultinginapproximately$69.1millioninassetlossesacrossmultiplechainsand

tokens.SeveralblockchainsecurityexpertsbelievetheincidentmaybelinkedtotheNorthKoreanhackergroupTraderTraitor.Followingtheattack,Phemeximplementedriskmitigationmeasures,graduallyrestoringUSDT,USDC,andBTCwithdrawalfunctions,andtooksnapshotsofuser

assetstofacilitatesubsequentcompensationarrangements.ByJanuary26,depositand

withdrawalfunctionsonnetworksincludingArbitrum,Optimism,BSC,Polygon,andBasehadbeenrestored.OnFebruary20,on-chainmonitoringindicatedthattheattackersbegansplitting

10

andtransferringthestolenfunds,withsomeassetsflowingintomixingservicessuchasTornadoCash,suggestingattemptstoanonymizethestolenfunds.

2.2.6UPCX

OnApril1,2025,theofficialaddressofblockchainpaymentplatform

UPCX

wasaccessedwithoutauthorization.Theattackersallegedlygainedadministrativeprivilegesand,byupgradingthe

ProxyAdmincontractandcallingthewithdrawByAdminfunction,transferredatotalof

approximately18.4millionUPC(around$70million)fromthreeadministrativeaccounts.

Followingtheincident,theplatformimmediatelysuspendedUPCdepositsandwithdrawals.OnApril4,UPCXpostedonsocialmediathattheprojectteamstillretainedcontrolofapproximately18,473,290UPCandwouldcontinuethetransferoperationsoftherelevantUPC.

2.2.7BtcTurk

OnAugust14,2025,theTurkishcryptocurrencyexchange

BtcTurk

wasreportedlyattackedagain,resultinginalossofapproximately$54million,involvingmultiplechainsincludingETH,AVAX,

ARB,Base,Optimism,Mantle,andMATIC.On-chaindatashowedthatmostofthestolenassetsflowedintotwoaddresses,suggestingcoordinatedattackactivity,andtheattackershad

convertedallstolenfundsintoETH.BtcTurksubsequentlyacknowledged“unusualactivity”initshotwalletsandsuspendeddepositsandwithdrawalsontheplatformuntiltheinvestigationis

completed.Theexchangestatedthatthemajorityofassetsremainsecurelystoredincold

wallets,thecompany’sfinancesarestable,anduserassetswerenotaffected.Meanwhile,

deposits,withdrawals,andtradinginTurkishliracontinuedasnormal,andthesituationhasbeenreportedtoregulatoryauthorities,withcomprehensivesecuritymeasuresimplemented.

2.2.8Infini

OnFebruary24,2025,thestablecoin-focusedcryptobank

Infini

wasattacked.Theattackers

gainedaccesstoawalletwithadministrativeprivilegesandstolenearly$50millionofcompanyfunds.Infini’sfounder,Christian,tweetedthatnopersonalprivatekeyswerecompromisedand

thattheincidentresultedfromoperationaloversightduringtheprevioushandoverofpermissions.Heconfirmedthatplatformliquidityremainednormalandfullcompensationwaspossible,and

thattheteamwastracingtheflowoffunds.

11

OnFebruary26,Infiniissuedanoperationalupdate,confirmingthatthefundshadbeensecurelystoredinaCoboCustodianwallet,andthatInfiniCardfunctions—includingtransfers,deposits,withdrawals,andpayments—hadbeenfullyrestored.TheteamwasactivelysafeguardingInfiniEarn,withyielddistributionexpectedtobepausedfor3–4weeks.

OnMarch20,Infinisentanon-chainmessagetotheattackers,attachingcourtdocuments

accusingformeremployeeChenShanxuanofstealingapproximately49.5millionUSDCand

requestingfreezingofrelatedassetsanddisclosureoftransactioninformation.OnAugust11,Infinisentanotheron-chainmessagetotheattackers,statingthatifthestolenfundswere

returnedby20:00onAugust13,nofurtherlegalactionwouldbetaken,andtheattackerscouldkeepallprofitsasawhite-hatreward.

2.2.9CoinDCX

OnJuly19,2025,on-chaininvestigatorZachXBTpostedonhispersonalchannelthat“itappearsIndia’scentralizedexchange

CoinDCX

mayhavebeenhackedapproximately17hoursago,

resultinginalossofabout$44.2million,thoughtheincidenthasnotyetbeendisclosedtothe

community.”Shortlythereafter,thecompany’sco-founder,SumitGupta,respondedonX.Inhis

response,Sumitrevealedthatthewalletaffectedbytheattackwasaninternaloperational

accountusedsolelyforprovidingliquidity,andthatcustomerfundswereunaffectedastheywerestoredinsecurecoldwallets.Tradingandwithdrawalswouldresumenormally,andalllosses

fromtheattackwouldbecoveredbyCoinDCX’sreservefunds.

OnJuly31,FinanceFeedsreportedthataCoinDCXsoftwareengineerhadbeenarrestedfor

allegedlyassistingtheattack.Theattackershadinstalledmalwareontheengineer’scomputerunderthepretenseofapart-timejobandpaidahighpart-timesalary.Themalware,a

sophisticatedkeylogger,allowedtheattackerstoobtainlogincredentialsandaccessCoinDCX’sinternalsystems,ultimatelycausingtheincident.

2.2.10GMX

OnJuly9,2025,accordingtomonitoringbySlowMist’sMistEyesecuritysystem,thewell-knowndecentralizedtradingplatform

GMX

sufferedanattack,resultinginalossofoverUSD42millioninassets.AfteranalysisbytheSlowMistsecurityteam,thecoreoftheattackwasthatthe

12

attackerexploitedtwofeatures:theKeepersystemenablingleveragewhenexecutingorders,andthefactthatshortpositionsupdatetheglobalaveragepricewhileclosingashortdoesnot.By

performingareentrancyattack,theattackercreatedlargeshortpositions,manipulatingtheglobalshortaveragepriceandtheglobalshortpositionsize,whichdirectlyinflatedtheGLPpriceand

allowedthemtoredeemprofits.OnJuly19,GMXpostedafollow-uponX.Afternegotiations,theattackerreturnedallstolenfundsandreceivedaUSD5millionbounty.

2.3ScamTechniques

In2025,scamsandintrusiveattackswithintheblockchainecosystemcontinuedtoevolve,

becomingmoredeceptiveandhardertodetect.Traditionalphishinghasgraduallyexpandedintopermissionhijacking,maliciouscodeexecution,andsupply-chainpoisoning.Attacksareno

longerreliantonasinglemethod;instead,theyincreasinglycombinesocialengineering,browserexploitation,newprotocolmechanics,andhybridlurestrategiestoformstealthyanddestructiveattackchains.Belowareseveraltypical,emergingfraudtechniquesthatdeservecloseattentionin2025.

2.3.1PhishingAttack

In2025,phishingremainedoneofthemostactiveriskvectors,evolvingfarbeyondsimplefakewebsitesorcounterfeitauthorizationpages.Attackersincreasinglycombinedsystem-level

commands,walletpermissions,protocolmechanics,andevendevicecontrolintomulti-stage

hybridattacks.Manyschemesnolongeraskdirectlyforseedphrases;instead,theyguidevictimsto“completethetheftstep-by-stepthemselves”,makingtheprocessmoreconcealedandfar

moredamaging.Asaresult,theimpactscopeofphishingattackshasexpandedsignificantly.

(1)ClickfixPhishingAttack

Clickfixphishingattacksareatypicalexampleof“front-endinteractionphishing.”Theircoredoesnotinvolvedirectlytrickingusersintomakingtransfersorgrantingpermissions;instead,theyrelyonhighlyrealisticwebinteractionstocoaxusersintoexecutingmaliciousactionsthemselves.

Attackersoftenmimicsecurityverificationworkflowsfamiliartousers,suchasCAPTCHAchecks,anomalyremediation,orsecurityinspectionpages,makingtheprocessappearindistinguishablefromeverydaywebactivities.

13

Duringanactualattack,whenauserclicksaverificationbuttonorchecksavalidationbox,thephishingsitesilentlywritesmaliciouscommandstothesystemclipboardinthebackgroundandfurtherguidestheuserto“completetheverification”viahotkeysorsystemexecutionwindows.Clearon-screeninstructionstypicallymaketheuserbelievetheyaremerelyperforminga

necessaryverificationstep.Onceexecuted,themaliciouscommandsdownloadandrun

additionalprogramsfromaremoteserver,establishingpersistentmechanismsonthelocalsystem.

14

Analysis

ofrelatedsamplesbySlowMistshowsthatsuchmalwareusuallyhasfull

information-stealingcapabilities,targetingbrowserdata,cryptowalletfiles,privatekeys,seedphrases,passwords,andkeystrokes,withtheabilitytocontinuouslyexfiltratedatatoaremotecontrolserver.

Itisimportanttonotethatthesephishingattacksoftencombinesocialengineering

tactics—trickingusersintoexecutingmaliciouscommands—toachievetheinstallationof

malware.Usersexecutingsuchcommandswithoutsuspicionriskhavingsensitiveinformation(suchaswalletprivatekeys)stolen.

(2)SolanaWalletOwnerPermissionsMayBeAltered

15

Inthistypeofattack,phishingescalatesfromthe“assetlayer”tothe“accountcontrollayer.”Ina

case

SlowMistassistedinanalyzingin2025,thevictimfellforaphishingattackandnoticed

abnormalauthorizationrecordsintheirwallet.Attemptstorevoketheseauthorizationsfailed,andthewallet’sOwnerpermissionshadbeentransferredtotheattacker,directlyresultinginover$3millioninstolenassets,withadditionallargefundstemporarilylockedinDeFiprotocolsand

inaccessible.

Thevictimeventriedinitiatingtransfersfromthecompromisedaccounttotheirownaddresstoverifypermissions,butalltransactionsfailed.Thisscenariocloselyresemblesthe“malicious

multisig”attacksfrequentlyseenintheTRONecosystem.Inotherwords,thisattackwasnotaconventional“authorizationtheft.”Instead,theattackerreplacedthewallet’scorepermission

(Owner),meaningthatevenifthevictimwantedtotransferfunds,revokepermissions,oroperateDeFiassets,theyhadnocontrol.Thefundsremainedvisibleon-chainbutwereentirely

16

uncontrollable.Theattackerssuccessfullytrickedtheuserintosigningtransactionsusingtwo

counterintuitivemechanisms.First,walletstypicallysimulatetransactionexecution,displaying

anychangesinassetsontheinterface;theattackercarefullyconstructedatransactionthat

causednovisiblechangeinfunds.Second,whileEthereumEOAaccountsarecontrolledsolelybyprivatekeys,usersaregenerallyunawarethatSolanaaccountsallowmodificationofaccount

ownership.

WhenawalletcreatesaSolanaaccount,theOwnerisinitiallysettothesystemaccount

(11111111111111111111111111111111),andtransactionsrequireverificationthatsignaturesmatchtheassociatedpublickey.Normally,thisOwnercannotbechangedexternallyvia

commandsorscripts,butitcanbemodifiedthroughasmartcontractcall.Usingtheassign

instruction,theaccount’sOwnercanbechangedfromthecurrentvaluetoanew_owner,andthiscanbeexecutedviaSolanaCLIorclientslikeSolanaWeb3.jsoncetheprogramisdeployed.Inthisphishingevent,attackersexploitedthisfeaturetotrickthevictimintosigningatransactioncontainingtheassigninstruction,silentlytransferringtheOwnerofthevictim’swallet.

Thistypeofattackisextremelystealthy;itsessenceisnot“authorizationmisuse”but“accountownershipreplacement.”Fromtheuser’sperspective,assetsstillappearon-chainbutareentirelyoutoftheircontrol,makingtheriskfarhigherthanintraditionalphishingscenarios.

(3)EIP-7702AuthorizationAbuse

Asaccountabstractionproposalsgraduallyrollout,thenewprotocolcapabilitieshavealso

becomeakeyentrypointforphishingattacks.OnMay24,ausersufferedaphishingattack

relatedtoanEIP-7702authorizationoperation,resultinginalossof$146,551.Theattackwas

orchestratedbythewell-knownphishinggroupInfernoDrainer.Theirmethodexploitednew

featuresoftheEIP-7702contractdelegationmechanism.Specifically,thephishingdidnotinvolveswitchingtheuser’sEOAaddresstothe7702contractaddress.Instead,thedelegatedad