$285M Stolen — The July 2025 Crypto Crime Report
July 2025 saw a staggering $285.3 million lost to crypto crimes across 21 separate incidents — officially pushing total losses for the year past the $4.7 billion threshold. And we’re only seven months in!
The damage was split almost evenly between hacks and scams, each accounting for roughly $139.1 million in losses. Access control exploits took the spotlight, responsible for $59 million across just five major breaches.
The top four attacks — all targeting exchanges (centralized and decentralized) with wildly different MOs — together drained over $127 million.
July 2025 was also full of (un)expected revelations!
A massive $132 million rug pull was finally exposed, leaving investors in pieces. At the same time, reports showed that North Korean hacker groups had quietly slipped into multiple protocols and planted backdoors that hadn’t even been used yet.
And then there’s Kinto Finance, which suddenly found itself under the spotlight — with some people openly saying it could be an exit scam in progress.
Discover some of the most impactful stories of July 2025 in our latest Crypto Crime Report!
[Figure: Crypto Crime Data July 2025 — Nefture]
The Rowan Energy $132 Million Rug Pull
Rowan Energy pitched itself as a pioneering clean-energy blockchain, offering homeowners solar-powered SmartMiner devices that would mint RWN tokens tied to “real-time renewable generation.” Ahem.
Source: Rowan Energy’s Twitter
Public messaging depicted a fixed supply capped at 545 million tokens, with only incremental issuance aligned to “verified energy output.”
The marketing worked: by some accounts, UK solar installers were snubbed by prospective customers if they refused to fit Rowan Energy’s “carbon mining” device.
Source: Conor Quinn Linkedin
Behind the scenes, however, the infrastructure was alarmingly centralized and opaque. An independent researcher discovered that the Rowan wallet app exposed RPC endpoints to what turned out to be a private chain, and that those endpoints allowed arbitrary minting. Whatever the decentralization claims, the entire blockchain was manipulable by anyone who held that access.
In April 2025, a forensic exposé published on Mirror.xyz demonstrated the exploit outright.
Source: Mirror
This white-hat researcher discovered that the real supply wasn’t 545 million tokens, but around 945 million.
To demonstrate the depth of the manipulation, he used leaked RPC access to trigger the mintToken function in Rowan’s ERC‑20 contract, inflating the total supply from roughly 945 million to nearly 1.945 billion tokens in seconds, then burned the extra tokens.
This fully revealed that the founders’ claim of a fixed cap was false, and that large undisclosed quantities of RWN — controlled by insiders — were primed for dumping during price spikes.
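The difference between a cap that lives in a whitepaper and a cap that lives in the bytecode is worth seeing side by side. The following is an added illustration written for this report, not Rowan Energy’s contract: the two token contracts (MarketingCapToken and EnforcedCapToken), the mintToken signature and the OpenZeppelin Contracts v5 imports are assumptions, and the 545 million figure is only borrowed from the marketing claim above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this report, not Rowan Energy's code.
// Assumes OpenZeppelin Contracts v5.x is available under @openzeppelin/contracts.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {ERC20Capped} from "@openzeppelin/contracts/token/ERC20/extensions/ERC20Capped.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// "Fixed supply" in the docs only. Nothing in this bytecode stops the owner
/// key, or anyone who reaches it through an exposed RPC, from minting at will.
contract MarketingCapToken is ERC20, Ownable {
    // A number on a website, not a rule the EVM enforces.
    uint256 public constant ADVERTISED_CAP = 545_000_000e18;

    constructor() ERC20("Hypothetical", "HYP") Ownable(msg.sender) {}

    /// Hypothetical mint function; unbounded, so 945M or 1.945B is one call away.
    function mintToken(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }
}

/// The same token with the cap enforced by the contract itself: ERC20Capped
/// checks totalSupply() against cap() on every mint and reverts if exceeded,
/// regardless of who signs the transaction or which RPC it arrives through.
contract EnforcedCapToken is ERC20Capped, Ownable {
    constructor()
        ERC20("Hypothetical", "HYP")
        ERC20Capped(545_000_000e18)
        Ownable(msg.sender)
    {}

    /// Same owner-only mint, but a mint past cap() reverts with ERC20ExceededCap.
    function mintToken(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }
}
```

The practical check is simple: if a project advertises a hard cap, its verified source should expose a cap() (or equivalent) and the mint path should be bounded by it. If the cap exists only in marketing material, or the source is not verified at all, treat the supply as whatever the key holders decide it is. Likewise, a project-run explorer is not a source of truth for supply: minted tokens appear on chain as Transfer events from the zero address, and those can be counted independently of whatever the explorer chooses to display.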
The project’s explorer selectively hid mint transactions, while the visible burn and distribution data exposed major holdings in exchange wallets: MEXC alone held 266 million RWN, nearly half the alleged max supply.
On June 25, 2025, Rowan Energy quietly pulled the plug after months of silence and stringing along its community following the April revelations.
Without announcement, the blockchain was retired, token trading halted, and dashboards went dark. Within hours, RWN’s value collapsed by over 99.9 percent. Social and communications channels — including Telegram and YouTube — were deleted, and CEO David Duckworth and team vanished from public view.
Affected users were left holding worthless tokens and unreturned hardware, with no compensation or clear roadmap forward. Trustpilot reviews and community voices later slammed it as a scam purposely designed from day one — it just took years to reveal itself as the slow rug pull it was always meant to be.
Without the blockchain researcher who exposed the truth, Rowan Energy could still be cashing in and making new victims today.
North Korean Threat Groups Planting Backdoors All Over DeFi?
On July 9, 2025, researchers from VennBuild and collaborating teams exposed a devastating vulnerability affecting thousands of smart contracts.
At the center was a backdoor embedded through uninitialized ERC‑1967 proxy contracts — a widely used standard across Ethereum-compatible chains.
Attackers had been able to front-run the initialization of freshly deployed proxy contracts, inject their own logic before the legitimate initializer ran, and then cover their tracks so that nothing looked amiss in public explorers.
The vulnerability granted them permanent upgrade rights over contracts they didn’t own, cloaking their presence behind misleading logs.
This wasn’t a bug in a fringe protocol; it was a systemic weakness that cut across infrastructure used by top-tier projects, exposing over $10 million in active assets — all sitting unknowingly on a trapdoor.
Source: Deebeez Twitter
What made the situation even more chilling was how deliberate it appeared. Security teams found no evidence of actual funds being drained, suggesting the attackers weren’t after petty theft but patiently waiting for the right high-value target.
This patience, the subtlety of the exploit, and the coordination required led several researchers to suspect the hand of Lazarus Group — a North Korean state-sponsored cyber unit notorious for leveraging software supply chains to bypass conventional defenses.
VennBuild’s lead investigator emphasized that this was not the work of amateurs; the exploit’s technical execution showed a deep understanding of EVM mechanics, and the obfuscation tactics made it invisible to most scanners and auditors.
Left unchecked, it could’ve triggered a cascading collapse across multiple ecosystems.
In response, a rapid 36-hour triage unfolded across Discord war rooms, Twitter threads, and encrypted DMs. Teams like SEAL 911, pcaversaccio, Dedaub, and affected protocols scrambled to analyze contract footprints, withdraw exposed funds, and redeploy secure implementations. Berachain, one of the platforms at risk, promptly migrated user assets and patched the vector before any loss occurred.
The incident exposed a dangerous norm in DeFi: many deployments split initialization from deployment, or delay it, leaving a window in which anyone can call the initializer and take control of the contract’s logic before the rightful owner does.
The Top 4 Hacks Targeted Exchanges, Costing $127 Million
Across July 2025, four major crypto exchanges — three centralized and one decentralized — were rocked by sophisticated hacks, combining to drain nearly $127 million in total.
Though diverging in technical execution and target profiles, all four incidents showcased systemic vulnerabilities in hot wallets, internal account infrastructure, and user security practices.
GMX
On July 9, GMX — a decentralized exchange operating on Arbitrum and Avalanche — fell victim to a classic reentrancy exploit involving the executeDecreaseOrder function.
By manipulating GLP token pricing and entering/exiting positions in a single transaction, the attacker exploited a stale global average short price to siphon approximately $40–42M from liquidity pools. The attacker later returned most of the stolen assets in exchange for a $5M white‑hat bounty, signaling to the community that the breach may have been opportunistic rather than purely malicious. GMX quickly paused its vulnerable V1 contracts and urged migration to V2 for security.
CoinDCX
Just a week later, CoinDCX, one of India’s largest exchanges, disclosed a $44M breach from an internal operational wallet used for liquidity provisioning. Notably, no user funds were affected — all customer assets stored in cold wallets remained untouched.
The attackers are suspected to have leveraged server credentials or internal keys to access the treasury. CoinDCX issued a recovery bounty of up to $11M and chose to absorb the full financial loss from its own reserves. The forensic trail also included on-chain laundering through Tornado Cash and cross-chain transfers via Solana‐Ethereum bridges. Analysts have drawn parallels to the July 2024 WazirX hack, pointing to the same attackers, similar timing, and repeated execution patterns.
BigONE
In mid-July, the BigONE exchange lost approximately $27M in an attack on its hot wallet. The blame fell on a supply chain compromise: altered server logic or production network access let third parties initiate unauthorized withdrawals across BTC, ETH, USDT, SOL, and XIN.
Attackers exploited vulnerabilities in the Continuous Integration / Continuous Deployment (CI/CD) pipeline, deploying malicious code that altered the operating logic of account and risk control servers.
This manipulation allowed unauthorized withdrawals from the hot wallet, bypassing traditional security measures without compromising private keys.
WOO X
Finally, on July 24, WOO X, a centralized exchange focused on zero‑fee retail trading, experienced a $14M breach affecting nine user accounts via a phishing attack targeting a team member’s device.
Once inside the development environment, the attacker executed coordinated withdrawals across BTC, ETH, BNB, and Arbitrum networks, converting a portion of funds through token swaps.
WOO X swiftly halted withdrawals, notified impacted users, and vowed full reimbursement. Security investigators, including Cyvers Alerts, Seal911, and Hypernative, helped trace transactions and freeze suspicious addresses.
Kinto Finance: Hack Victim or Exit Scam in The Making?
Kinto Finance, once positioned as a compliant, institution-friendly DeFi Layer 2 on Arbitrum, suffered a breach in early July 2025 when its $K token contract was hijacked through a low-level proxy exploit.
Attackers took advantage of an uninitialized OpenZeppelin ERC-1967 proxy, gaining control over the contract’s upgrade mechanism. With ownership in hand, they minted 110,000 unauthorized $K tokens and proceeded to drain $1.55 million from Morpho Blue vaults and Uniswap V4 pools.
The exploit, which had been dormant and undetected, triggered a brutal 95% collapse in the $K token’s value, effectively wiping out nearly $13 million in market capitalization.
According to post-mortem reports and deep technical breakdowns from Rekt News, the exploit remained invisible in block explorers like Etherscan due to spoofed log data, making detection nearly impossible until after funds were gone.
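The split-initialization window behind both the VennBuild disclosure above and the Kinto $K token hijack is easiest to understand in code. What follows is an added illustration written for this report, not VennBuild’s, Kinto’s or OpenZeppelin’s code: the contract names (TokenV1, SplitDeployer, Hijacker, AtomicDeployer) are hypothetical, and it assumes OpenZeppelin Contracts and Contracts-Upgradeable v5.x. It shows the vulnerable two-transaction deployment, the single call a front-runner needs, and the atomic deployment that closes the gap.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this report; not the code of any protocol named above.
// Assumes OpenZeppelin Contracts v5.x and Contracts-Upgradeable v5.x.
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {ERC20Upgradeable} from "@openzeppelin/contracts-upgradeable/token/ERC20/ERC20Upgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

/// Hypothetical UUPS token implementation. Whoever gets initialize() through
/// first becomes owner, and the owner controls both mint() and upgrades.
contract TokenV1 is ERC20Upgradeable, OwnableUpgradeable, UUPSUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Locks the logic contract itself. It does NOT protect any proxy
        // pointing at it; each proxy has its own, separate initialized flag.
        _disableInitializers();
    }

    function initialize(address owner_) external initializer {
        __ERC20_init("Token", "TKN");
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
    }

    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

/// VULNERABLE pattern: the proxy is created with empty calldata, so
/// initialize() is meant to be sent in a second transaction. Until that
/// lands, the proxy is live, ownerless, and claimable by whoever calls first.
contract SplitDeployer {
    event Deployed(address proxy);

    function deploy(address impl) external returns (address proxy) {
        proxy = address(new ERC1967Proxy(impl, ""));
        emit Deployed(proxy);
        // TokenV1(proxy).initialize(msg.sender) is sent later, in its own tx.
        // That tx can be front-run, or never mined at all.
    }
}

/// What the front-runner does in the gap: one call and the proxy is theirs,
/// including the upgrade path, on a contract they never deployed.
contract Hijacker {
    function claim(address proxy) external {
        TokenV1(proxy).initialize(msg.sender); // succeeds only if nobody ran it yet
    }
}

/// FIXED pattern: deployment and initialization happen in one transaction.
/// ERC1967Proxy's constructor delegatecalls the encoded initialize() before
/// the proxy address is ever observable, so there is no window to race.
contract AtomicDeployer {
    function deploy(address impl, address owner_) external returns (address proxy) {
        bytes memory init = abi.encodeCall(TokenV1.initialize, (owner_));
        proxy = address(new ERC1967Proxy(impl, init));
        // Belt and braces: never hand back a proxy whose owner is not the one requested.
        require(TokenV1(proxy).owner() == owner_, "proxy not initialized as expected");
    }
}
```

Two details matter in practice. First, `_disableInitializers()` in the implementation’s constructor is not a defence here: it only marks the logic contract as initialized, while every proxy keeps its own `initialized` flag in its own storage. Second, the post-deployment assertion in AtomicDeployer is the cheap audit check a deploy script should always make; an ownerless or wrongly owned proxy should fail the deployment, not become a ticking trapdoor that explorers will happily display as a normal contract.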
Kinto’s official response framed the incident as a tragic convergence of inherited vulnerabilities rather than a failing of its own infrastructure.
The exploit occurred exclusively on the Arbitrum deployment of the $K token — not the Kinto rollup, bridge, or wallet stack. Affected contracts were immediately deactivated, trading on centralized exchanges was frozen, and the team committed to redeploying a hardened version of the token. According to a statement from Kinto, a snapshot of balances would be taken at block 356170028, restoring user holdings to their pre-exploit state. Affected Morpho lenders would also be compensated, and speculative buyers would receive pro-rata reimbursements via airdrop.
The coordination of incident response teams — including VennBuild, Hypernative, ZeroShadow, and SEAL 911 — was rapid and effective, limiting the scale of further damage.
Still, Rekt News raised pointed questions about whether this was really just a case of “bad luck.”
Their analysis spotlighted troubling on-chain behavior leading up to the attack: the attacker didn’t simply mint tokens and dump them — he minted $K in multiple waves, used the tokens to borrow stablecoins from Morpho, and sidestepped slippage risks by avoiding sales into shallow liquidity pools.
This calculated strategy echoed classic rug-pull mechanics. Rekt also noted the uncanny timing: a massive token unlock just days before the attack doubled circulating supply, possibly enabling insiders or well-informed actors to manipulate markets and exit positions under the chaos of the exploit.
The combination of technical precision, value extraction tactics, and suspicious tokenomics prompted some in the community to call foul.
Rekt rightly emphasized that although the exploit technically stemmed from inherited proxy logic, the broader situation — previous project failures by the team, suspiciously timed token unlocks, and market behavior — cast a long shadow over Kinto’s credibility.
Whether this was an external attacker exploiting a tragic oversight, or a cleverly disguised insider rug wearing the clothes of an exploit, remains up for debate!
Only time, it seems, will reveal the full truth.
Our July 2025 crypto-criminal report ends here!
See you all next month for another crypto crime report.
Until then, stay safe!
About us
Nefture is a Web3 real-time security and risk prevention platform that detects on-chain vulnerabilities and protects digital assets, protocols and asset managers from significant losses or threats. Nefture’s core services include Real-Time Transaction Security and a Threat Monitoring Platform that provides accurate exploit detection and fully customized alerts covering hundreds of risk types, with a clear expertise in DeFi. Today, Nefture proudly collaborates with leading projects and asset managers, providing them with unparalleled security solutions.
$285M Stolen — The July 2025 Crypto Crime Report was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.