$647M Stolen — The May 2025 Crypto Crime Report
In May 2025, $647 million was lost to crypto crimes across 26 separate incidents — almost pushing the total losses for the year toward the $3.5 billion threshold, and we’re only five months in!
Most of the losses were attributed to hacks, with smart contract exploits taking center stage — accounting for $242.4 million across five major incidents. Private key exploits followed, with $7 million lost across three cases.
The $223 million Cetus hack became the second-largest hack of the year, following the $1.43 billion Bybit exploit, and ranked as the ninth-largest hack in crypto history.
What truly made May 2025 stand out, however, was the cluster of eclectic and headline-worthy crypto crime stories.
A U.S. court vacated the fraud and manipulation convictions related to the $100 million Mango Markets oracle exploit, noting that Mango Markets lacked clear rules or safeguards to prevent such losses — aka the attacker operated within the boundaries of the protocol’s code.
Meanwhile, SafeMoon users finally saw justice as CEO Braden John Karony was convicted on May 21, 2025, on all three charges: securities fraud conspiracy, wire fraud conspiracy, and money laundering conspiracy — related to the $200 million SafeMoon fraud.
May 2025 also turned out to be one of the most intense months for crimes targeting individuals, including a case where a protocol handed over its treasury in exchange for paper coins, and revelations that Chainge Finance may have been a $65 million rug pull.
We’ve cherry-picked some of the most impactful stories for our May 2025 Crypto Crime Report. Now, let’s dive in.
May 2025 Crypto Crime Data — NEFTURE
Cetus Hack — The Easiest $223 Million Ever Stolen?
$223 million was stolen in what might be one of the simplest hacks the crypto space has seen.
All the attacker needed to do was come knocking at the door with a high liquidity position, and they were handed the entire Cetus treasury.
While Cetus labeled the attack a “sophisticated smart contract exploit,” in truth, the exploit was incredibly simple both in technique and execution.
It ranks as the second-largest exploit of the year and the ninth-largest in crypto history.
Discover how they did it in our full breakdown dedicated to the hack:
Cetus Hack — Post-Mortem of a $223M Heist
Cork Hack — Input Fake Tokens, Get $12 Million
Cork is a DeFi protocol that lets users bet on the risk that certain crypto assets, such as stablecoins and liquid (re)staking tokens, lose their peg. As they put it, you can “Hedge, trade, and earn with Cork’s depeg swaps.”
It works kind of like an on-chain insurance market using smart contracts.
Users deposit a collateral asset (called the Redemption Asset); in return, they get two tokens:
DS (Depeg Swap): Pays out if the peg breaks.
CT (Cover Token): Keeps the collateral if everything stays fine.
These two tokens represent opposite bets. DS holders are buying insurance: they win if the asset depegs. CT holders are selling insurance: they win if the asset stays stable.
It usually goes as follows: Alice wants to bet on a depeg → she keeps the DS tokens and sells the CTs. Bob wants to earn a premium by providing insurance → he buys CTs from people like Alice.
At the end of a set period, if there is no depeg, CT holders get the collateral back. If there is a depeg, the DS holders get the collateral.
Cork Protocol Structure Schematic— Source: Three Sigma
TL;DR of the hack: Cork failed to properly validate the legitimacy or value of the Pegged Asset (not the Redemption Asset) — and as a result, it allowed the attacker to trigger a fake depeg event and claim real wstETH collateral, amounting to $12 million in exchange for paper tokens.
Here’s how it happened.
The Cork protocol uses hooks. Hooks let smart contracts run extra code automatically at certain points, such as during a swap or when liquidity is added. It’s like giving developers a “plugin slot” where they can freely add custom code.
To make this work, Cork allows users to provide a contract address that implements a special function called CorkCall(…).
That’s the first vulnerability the attacker exploited.
The attacker took advantage of this by writing a malicious proxy contract that looked like a normal hook-compatible contract during a flash swap.
They deployed it and Cork accepted it, assuming it was safe.
It was anything but.
The malicious contract actually deployed a fake market scenario within the wstETH:weETH pool.
Instead of presenting wstETH (the real Reserve Asset) as payment, the attacker substituted a decoy token — specifically, an old DS token from a previous issuance.
According to Weilin, the DS tokens that the hacker took originally belonged to the Cork protocol (or a contract controlled by it, like 0x55b9).
The hacker tricked that contract into treating its own DS tokens as if they were new tokens the hacker deposited, causing the contract to split and transfer those DS tokens to the hacker.
Source: Twitter
So the attacker basically stole DS tokens that were already inside the protocol by confusing the system.
By presenting this fake token during the callback, Cork’s internal logic was fooled into thinking real collateral had been deposited.
Why? Because Cork didn’t strictly check that the token used during the CorkCall was the correct one for that market.
That’s the second vulnerability the attacker exploited.
By having no safeguard to verify that the payment token matched the designated Reserve Asset, the protocol minted DS and CT tokens — even though no actual wstETH was supplied.
When the attacker triggered the “depeg” event, the protocol released real wstETH collateral it held, paying out to DS tokens.
The attacker received 3,761.87 wstETH, which they quickly swapped for around 4,530 ETH before disappearing.
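The two missing checks described above, as an added example that is not from the original post or from Cork's code: a simplified Python model of a depeg-insurance market in which every class, method, hook and token name is hypothetical. It contrasts a deposit path that trusts the caller-supplied hook and token with one that validates both before minting.

```python
# Simplified model (constructed; not Cork's code). All names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Market:
    collateral_token: str      # the one asset this market is designated to hold
    trusted_hooks: frozenset   # callback contracts the market agrees to call
    collateral_held: int = 0
    ds: dict = field(default_factory=dict)  # DS: claim on collateral after a depeg
    ct: dict = field(default_factory=dict)  # CT: claim if the peg holds

    def _mint(self, user, amount):
        self.ds[user] = self.ds.get(user, 0) + amount
        self.ct[user] = self.ct.get(user, 0) + amount

    def deposit_unchecked(self, user, hook, token, amount):
        # Weak path: any hook is accepted and the reported token is never
        # compared with the market's collateral, so DS/CT are minted unbacked.
        if token == self.collateral_token:
            self.collateral_held += amount
        self._mint(user, amount)

    def deposit_checked(self, user, hook, token, amount):
        # Hardened path: reject unknown hooks and any token other than the
        # designated collateral before any state changes.
        if hook not in self.trusted_hooks:
            raise PermissionError("hook is not allowlisted")
        if token != self.collateral_token or amount <= 0:
            raise ValueError("payment must be a positive amount of collateral")
        self.collateral_held += amount
        self._mint(user, amount)

    def redeem_after_depeg(self, user):
        payout = min(self.ds.pop(user, 0), self.collateral_held)
        self.collateral_held -= payout
        return payout


def run_scenario(checked):
    """Return (payout to the untrusted depositor, collateral left in the market)."""
    m = Market("wstETH", frozenset({"official_hook"}))
    m.deposit_checked("lp", "official_hook", "wstETH", 100)  # honest liquidity
    deposit = m.deposit_checked if checked else m.deposit_unchecked
    try:
        deposit("untrusted", "unknown_hook", "stale_DS", 100)  # constructed input
    except (PermissionError, ValueError):
        pass  # the hardened path refuses the deposit, so nothing is minted
    return m.redeem_after_depeg("untrusted"), m.collateral_held
```

In the unchecked run the market's entire collateral is paid out against tokens that were never backed; in the checked run the deposit is rejected and the honest liquidity stays intact.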
Three Sigma reviewed all the audits on Cork and found that verifying whether the creation of a new market (with a new token) was permissioned, as well as reviewing hook functions, were out of scope for those audits.
This was either because the auditors were not tasked with those areas or, in the case of Runtime Verification, because the time constraints were too tight to cover them.
Runtime Verification Justification on their Cork Audit — Source: Three Sigma
Three Sigma concluded that, based on the countless “high-severity vulnerabilities identified across all audits”, the protocol itself was “unsafe” to launch.
The Cork exploit is a clear reminder that audits alone aren’t a silver bullet for protocol security. The foundation has to be solid first — audits should catch minor oversights, not compensate for weak or incomplete development. Auditors aren’t there to rewrite your entire codebase.
If you rely on them to handle your development quality, at least give them the time, resources, and full access they need. Conducting audits with half the protocol declared “out-of-scope” is a recipe for disaster.
Chainge Finance, A $65 Million Rug?
At the end of May, Rekt News put the spotlight on Chainge Finance and the various shenanigans they’ve been involved in, which resulted in users having their funds “stuck” due to frozen withdrawals.
The team blames issues like “blacklisted vaults” and corrupted databases, but these problems have persisted for months — apparently as early as the end of 2024 — with no clear solution in sight and only empty promises.
Meanwhile, the Chainge Finance app continues to accept new deposits, raising eyebrows over the morality of letting people put money in while being unable to take it out.
Beleaguered users are at their wits’ end, taking to Twitter to share their frustrations, as it appears they are systematically banned from Chainge Finance spaces for asking the right questions.
Chainge’s system, called “cross-chain roaming,” locks assets in vaults controlled by multiple key holders. These vaults authorize transfers across blockchains, but when the authorization stopped, withdrawals froze.
Since late last year, tokens like ETH, BTC, and USDT have been trapped, leaving users with pending transactions and no clear timeline for resolution.
DJ Qian, the CEO, promised a personal bailout that has yet to materialize — unsurprisingly, some might say, given his role as co-founder and early backer of Multichain (formerly Anyswap), a project widely seen as a $126 million slow rug. That project’s CEO disappeared and was later reported to have been arrested in China.
Adding to the trouble, a wrapped Kaspa token on Chainge lost its peg, causing partners to cut ties and to warn prospective Chainge users to bypass the protocol entirely as long as the liquidity issue persisted.
Source: Twitter
A large vault, widely believed to be controlled by Chainge, still holds the majority of user funds and has quietly moved millions without returning them to their rightful owners. According to Rekt, two suspicious transfers occurred: the first one between October 24th and 26th, during which Chainge’s total value locked (TVL) plunged from $65 million to under $14 million.
According to Rekt, the second is a slow bleeding of the suspected vault/proxy address since December, with its value dropping from around $16 million to $2 million while the protocol was supposedly unable to allow withdrawals.
Despite the crisis, the app shows no warnings and has not paused deposits, leading many to view it as a kind of protocol-wide honeypot.
Unfortunately for Chainge users, Chainge is based in the British Virgin Islands, with limited regulatory oversight, and its legal terms shift responsibility to users. Meanwhile, board members have resigned, VC investors in the project are radio silent and communication from Chainge has dropped off.
It looks awfully like another shady protocol, led by someone involved in another shady protocol, that created victims who will never see their funds again.
May 2025 — The Month of Crypto Kidnapping
2025 is on track to set a record for violent crimes against persons (VCAP) involving cryptocurrency theft.
And May 2025 was a record-breaking month.
When we first reported on the subject around mid-May, at least 27 such incidents (kidnapping, burglary, robbery) had already been publicly reported worldwide.
At this pace, the total could have exceeded 65 cases by year’s end — nearly doubling the previous record of 36 set in 2021, and marking the highest number in the past decade.
Yearly Publicly Reported Cases (2022–2025) of Crimes Against Persons (Kidnapping, Robbery, Burglary) Committed for Cryptocurrency Theft — Data compiled by Nefture based on Jlopp Github reporting.
Since then, five new CAPs have occurred — mainly kidnappings — making May 2025 the most prolific month in CAP history, with 10 cases recorded.
In the past three and a half years, 113 cases have been publicly reported, resulting in over $166 million in losses, the deaths of six victims, and the unspeakable torture of many others.
Those figures are only the very tippy-top of the VCAP iceberg, as they represent only the publicly reported cases — typically because the perpetrators were arrested, the victims were high-profile, or the incident was particularly violent or unusual.
These are the types of cases that make it into the press and are thus recorded by “JLopp”, who maintains a public GitHub database cataloging physical attacks related to cryptocurrency.
Source: Jlopp Github
We analyzed data dating back to 2022 and identified patterns and peculiarities within this multifaceted and malicious industry.
Read our report on it now!
Crypto Up, Kidnapping Up? — Dissecting Cases from 2022 to 2025
Our May 2025 crypto-criminal report ends here!
See you all next month for another crypto crime report.
Until then, stay safe!
About us
Nefture is a Web3 real-time security and risk prevention platform that detects on-chain vulnerabilities and protects digital assets, protocols and asset managers from significant losses or threats. Nefture's core services include Real-Time Transaction Security and a Threat Monitoring Platform that provides accurate exploit detection and fully customized alerts covering hundreds of risk types, with clear expertise in DeFi. Today, Nefture proudly collaborates with leading projects and asset managers, providing them with unparalleled security solutions.
$647M Stolen — The May 2025 Crypto Crime Report was originally published in Coinmonks on Medium.