
{"id":73416,"date":"2025-06-11T13:44:22","date_gmt":"2025-06-11T13:44:22","guid":{"rendered":"https:\/\/mycryptomania.com\/?p=73416"},"modified":"2025-06-11T13:44:22","modified_gmt":"2025-06-11T13:44:22","slug":"647m-stolen-the-may-2025-crypto-crime-report","status":"publish","type":"post","link":"https:\/\/mycryptomania.com\/?p=73416","title":{"rendered":"$647M Stolen\u200a\u2014\u200aThe May 2025 Crypto Crime Report"},"content":{"rendered":"<h3>$647M Stolen\u200a\u2014\u200aThe May 2025 Crypto Crime\u00a0Report<\/h3>\n<h4>In May 2025, $647 million was lost to crypto crimes across 26 separate incidents\u200a\u2014\u200aalmost pushing the total losses for the year toward the $3.5 billion threshold, and we\u2019re only five months\u00a0in!<\/h4>\n<p>Most of the losses were attributed to hacks, with smart contract exploits taking center stage\u200a\u2014\u200aaccounting for $242.4 million across five major incidents. Private key exploits followed, with $7 million lost across three\u00a0cases.<\/p>\n<p>The $223 million Cetus hack became the second-largest hack of the year, following the $1.43 billion Bybit exploit, and ranked as the ninth-largest hack in crypto\u00a0history.<\/p>\n<p>What truly made May 2025 stand out, however, was the cluster of eclectic and headline-worthy crypto crime\u00a0stories.<\/p>\n<p>A U.S. 
court vacated the fraud and manipulation convictions related to the $100 million Mango Markets oracle exploit, noting that Mango Markets lacked clear rules or safeguards to prevent such losses\u200a\u2014\u200aaka the attacker operated within the boundaries of the protocol\u2019s code.<\/p>\n<p>Meanwhile, SafeMoon users finally saw justice as CEO Braden John Karony was convicted on May 21, 2025, on all three charges: securities fraud conspiracy, wire fraud conspiracy, and money laundering conspiracy\u200a\u2014\u200arelated to the $200 million SafeMoon\u00a0fraud.<\/p>\n<p>May 2025 also turned out to be one of the most intense months for crimes targeting individuals, including a case where a protocol handed over its treasury in exchange for paper coins, and revelations that Chainge Finance may have been a $65 million rug\u00a0pull.<\/p>\n<p>We\u2019ve cherry-picked some of the most impactful stories for our May 2025 Crypto Crime Report. Now, let\u2019s dive\u00a0in.<\/p>\n<h3>MAY 2025 I Crypto Crime\u00a0Data<\/h3>\n<p>May 2025 Crypto Crime Data\u200a\u2014\u200aNEFTURE<\/p>\n<h3>Cetus Hack\u200a\u2014\u200aThe Easiest $223 Million Ever\u00a0Stolen?<\/h3>\n<p>$223 million was stolen in what might be one of the simplest hacks the crypto space has\u00a0seen.<\/p>\n<p>All the attacker needed to do was come knocking at the door with a high liquidity position, and they were handed the entire Cetus treasury.<\/p>\n<p>While Cetus labeled the attack a \u201csophisticated smart contract exploit,\u201d in truth, the exploit was incredibly simple both in technique and execution.<\/p>\n<p>It earned the attacker the title of the second-largest exploit of the year, and the ninth-largest in crypto\u00a0history.<\/p>\n<p>Discover how they did it in our full breakdown dedicated to the\u00a0hack:<\/p>\n<p><a href=\"https:\/\/medium.com\/coinmonks\/cetus-hack-post-mortem-of-a-223m-heist-acd851f2e5b9\">Cetus Hack\u200a\u2014\u200aPost-Mortem of a $223M Heist<\/a><\/p>\n<h3>Cork 
Hack\u200a\u2014\u200aInput Fake Tokens, Get $12\u00a0Million<\/h3>\n<p>Cork is a DeFi protocol that lets users bet on the risk of certain crypto assets, like stablecoins and liquid (re)staking tokens, losing their peg\u200a\u2014\u200aas they so simply put it, you can \u201cHedge, trade, and earn with Cork\u2019s depeg\u00a0swaps.\u201d<\/p>\n<p>It works kind of like an on-chain insurance market using smart contracts.<\/p>\n<p>Users deposit a collateral asset (called the Redemption Asset) and, in return, they get two\u00a0tokens:<\/p>\n<p>DS (Depeg Swap): Pays out if the peg\u00a0breaks.<\/p>\n<p>CT (Cover Token): Keeps the collateral if everything stays\u00a0fine.<\/p>\n<p>These two tokens represent opposite bets. DS holders are buying insurance: they win if the asset depegs. CT holders are selling insurance: they win if the asset stays\u00a0stable.<\/p>\n<p>Usually it goes as follows: Alice wants to bet on a depeg \u2192 she keeps the DS tokens and sells the CTs. Bob wants to earn premium by providing insurance \u2192 he buys CTs from people like\u00a0Alice.<\/p>\n<p>At the end of a set period, if there is no depeg, CT holders get the collateral back. If there is a depeg, the DS holders get the collateral.<\/p>\n<p>Cork Protocol Structure Schematic\u200a\u2014\u200aSource: <a href=\"https:\/\/x.com\/threesigmaxyz\/status\/1928048350189793678\">Three\u00a0Sigma<\/a><\/p>\n<p><strong>TL;DR of the hack: <\/strong>Cork failed to properly validate the legitimacy or value of the Pegged Asset (not the Redemption Asset)\u200a\u2014\u200aand as a result, it allowed the attacker to trigger a fake depeg event and claim real wstETH collateral, amounting to $12 million in exchange for paper\u00a0tokens.<\/p>\n<p>Here\u2019s how it happened.<\/p>\n<p>The Cork protocol uses hooks. Hooks let smart contracts run extra code automatically at certain points, like during a swap or when liquidity is added. 
It\u2019s like giving developers a \u201cplugin slot\u201d where they can freely add custom\u00a0code.<\/p>\n<p>To make this work, Cork allows users to provide a contract address that implements a special function called CorkCall(&#8230;).<\/p>\n<p><strong>That\u2019s the first vulnerability the attacker exploited.<\/strong><\/p>\n<p>The attacker took advantage of this by writing a malicious proxy contract that looked like a normal hook-compatible contract during a flash\u00a0swap.<\/p>\n<p>They deployed it and Cork accepted it, assuming it was\u00a0safe.<\/p>\n<p>It was anything\u00a0but.<\/p>\n<p>The malicious contract actually deployed a fake market scenario within the wstETH:weETH pool.<\/p>\n<p>Instead of presenting wstETH (the real Reserve Asset) as payment, the attacker substituted a decoy token\u200a\u2014\u200aspecifically, an old DS token from a previous issuance.<\/p>\n<p>According to Weilin, the DS tokens that the hacker took originally belonged to the Cork protocol (or a contract controlled by it, like\u00a00x55b9).<\/p>\n<p>The hacker tricked that contract into treating its own DS tokens as if they were new tokens the hacker deposited, causing the contract to split and transfer those DS tokens to the\u00a0hacker.<\/p>\n<p>Source: <a href=\"https:\/\/x.com\/hklst4r\/status\/1927791271265108328\">Twitter<\/a><\/p>\n<p>So the attacker basically stole DS tokens that were already inside the protocol by confusing the\u00a0system.<\/p>\n<p>When this fake token was presented during the callback, Cork\u2019s internal logic was fooled into thinking real collateral had been deposited.<\/p>\n<p>Why? 
Because Cork didn\u2019t strictly check that the token used during the CorkCall was the correct one for that\u00a0market.<\/p>\n<p><strong>That\u2019s the second vulnerability the attacker exploited.<\/strong><\/p>\n<p>With no safeguard to verify that the payment token matched the designated Reserve Asset, the protocol minted DS and CT tokens\u200a\u2014\u200aeven though no actual wstETH was supplied.<\/p>\n<p>When the attacker triggered the \u201cdepeg\u201d event, the protocol released real wstETH collateral it held, paying out to DS\u00a0tokens.<\/p>\n<p>The attacker received 3,761.87 wstETH, which they quickly swapped for around 4,530 ETH before disappearing.<\/p>\n<p>Three Sigma reviewed all the audits on Cork and found that verifying whether the creation of a new market (with a new token) was permissioned, as well as reviewing hook functions, were out of scope for those\u00a0audits.<\/p>\n<p>This was either because the auditors were not tasked with those areas or, in the case of Runtime Verification, because the time constraints were too tight to cover\u00a0them.<\/p>\n<p>Runtime Verification Justification on their Cork Audit\u200a\u2014\u200aSource: Three\u00a0Sigma<\/p>\n<p><strong><em>Three Sigma concluded that, based on the countless \u201chigh-severity vulnerabilities identified across all audits\u201d, the protocol itself was \u201cunsafe\u201d to\u00a0launch.<\/em><\/strong><\/p>\n<p>The Cork exploit is a clear reminder that audits alone aren\u2019t a silver bullet for protocol security. The foundation has to be solid first\u200a\u2014\u200aaudits should catch minor oversights, not compensate for weak or incomplete development. Auditors aren\u2019t there to rewrite your entire codebase.<\/p>\n<p>If you rely on them to handle your development quality, at least give them the time, resources, and full access they need. 
Conducting audits with half the protocol declared \u201cout-of-scope\u201d is a recipe for disaster.<\/p>\n<h3>Chainge Finance, A $65 Million\u00a0Rug?<\/h3>\n<p>At the end of May, <a href=\"https:\/\/rekt.news\/road-to-nowhere\">Rekt News put the spotlight on Chainge Finance<\/a> and the various shenanigans they\u2019ve been involved in, which resulted in users having their funds \u201cstuck\u201d due to frozen withdrawals.<\/p>\n<p>The team blames issues like \u201cblacklisted vaults\u201d and corrupted databases, but these problems have persisted for months\u200a\u2014\u200aapparently as early as the end of 2024\u200a\u2014\u200awith no clear solution in sight and only empty promises.<\/p>\n<p>Meanwhile, the Chainge Finance app continues to accept new deposits, raising eyebrows over the morality of letting people put money in while being unable to take it\u00a0out.<\/p>\n<p>Beleaguered users are at their wits\u2019 end, taking to Twitter to share their frustrations, as it appears they are systematically banned from Chainge Finance spaces for asking the right questions.<\/p>\n<p>Chainge\u2019s system, called \u201ccross-chain roaming,\u201d locks assets in vaults controlled by multiple key holders. These vaults authorize transfers across blockchains, but when the authorization stopped, withdrawals froze.<\/p>\n<p>Since late last year, tokens like ETH, BTC, and USDT have been trapped, leaving users with pending transactions and no clear timeline for resolution.<\/p>\n<p>DJ Qian, the CEO, promised a personal bailout that has yet to materialize\u200a\u2014\u200aunsurprisingly, some might say, given his role as co-founder and early backer of Multichain (formerly Anyswap), a project widely seen as a $126 million slow rug. 
That project\u2019s CEO disappeared and was later reported to have been arrested in\u00a0China.<\/p>\n<p>Adding to the trouble, a wrapped Kaspa token on Chainge lost its peg, causing partners to cut ties and warn aspiring Chainge users to bypass the protocol entirely as long as the liquidity issue persisted.<\/p>\n<p>Source: <a href=\"https:\/\/x.com\/cryptok777\/status\/1903694776232473075\">Twitter<\/a><\/p>\n<p>A large vault, widely believed to be controlled by Chainge, still holds the majority of user funds and has quietly moved millions without returning them to their rightful owners. According to Rekt, two suspicious transfers occurred: the first took place between October 24th and 26th, during which Chainge\u2019s total value locked (TVL) plunged from $65 million to under $14\u00a0million.<\/p>\n<p>According to Rekt, the second is a slow bleeding of the suspected vault\/proxy address since December, with its value dropping from around $16 million to $2 million while the protocol was supposedly unable to allow withdrawals.<\/p>\n<p>Despite the crisis, the app shows no warnings and has not paused deposits, leading many to view it as a kind of DeFi protocol-wide\u00a0honeypot.<\/p>\n<p>Unfortunately for Chainge users, Chainge is based in the British Virgin Islands, with limited regulatory oversight, and its legal terms shift responsibility to users. 
Meanwhile, board members have resigned, VC investors in the project are radio silent and communication from Chainge has dropped\u00a0off.<\/p>\n<p><em>It looks awfully like another shady protocol, led by someone involved in another shady protocol, that created victims who will never see their funds\u00a0again.<\/em><\/p>\n<h3>May 2025\u200a\u2014\u200aThe Month of Crypto Kidnapping<\/h3>\n<p>2025 is on track to set a record for violent crimes against persons (VCAP) involving cryptocurrency theft.<\/p>\n<p>And May 2025 was a record-breaking\u00a0month.<\/p>\n<p>When we first reported on the subject around mid-May, at least 27 such incidents (kidnapping, burglary, robbery) had already been publicly reported worldwide.<\/p>\n<p>At this pace, the total could have exceeded 65 cases by year\u2019s end\u200a\u2014\u200anearly doubling the previous record of 36 set in 2021, and marking the highest number in the past\u00a0decade.<\/p>\n<p>Yearly Publicly Reported Cases (2022\u20132025) of Crimes Against Persons (Kidnapping, Robbery, Burglary) Committed for Cryptocurrency Theft\u200a\u2014\u200aData compiled by Nefture based on <a href=\"https:\/\/github.com\/jlopp\/physical-bitcoin-attacks?tab=readme-ov-file\">Jlopp Github<\/a> reporting.<\/p>\n<p><strong>Since then, five new CAPs have occurred\u200a\u2014\u200amainly kidnappings\u200a\u2014\u200amaking May 2025 the most prolific month in CAP history, with 10 cases recorded.<\/strong><\/p>\n<p><em>In the past three and a half years, 113 cases have been publicly reported, resulting in over $166 million in losses, the deaths of six victims, and the unspeakable torture of many\u00a0others.<\/em><\/p>\n<p>Those figures are only the very tippy-top of the VCAP iceberg, as they represent only the publicly reported cases\u200a\u2014\u200atypically because the perpetrators were arrested, the victims were high-profile, or the incident was particularly violent or\u00a0unusual.<\/p>\n<p>These are the types of cases that make it 
into the press and are thus recorded by \u201cJLopp\u201d, who maintains a public GitHub database cataloging physical attacks related to cryptocurrency.<\/p>\n<p>Source: <a href=\"https:\/\/github.com\/jlopp\/physical-bitcoin-attacks?tab=readme-ov-file\">Jlopp\u00a0Github<\/a><\/p>\n<p>We analyzed data dating back to 2022 and identified patterns and peculiarities within this multifaceted and malicious industry.<\/p>\n<p>Read our report on it\u00a0now!<\/p>\n<p><a href=\"https:\/\/medium.com\/coinmonks\/crypto-up-kidnapping-up-dissecting-cases-from-2022-to-2025-b735fa62c88a\">Crypto Up, Kidnapping Up?\u200a\u2014\u200aDissecting Cases from 2022 to 2025<\/a><\/p>\n<p>Our May 2025 crypto-criminal report ends\u00a0here!<\/p>\n<p>See you all next month for another crypto crime\u00a0report.<\/p>\n<p>Until then, stay\u00a0safe!<\/p>\n<h3>About us<\/h3>\n<p><a href=\"https:\/\/nefture.com\/\"><em>Nefture<\/em><\/a><em> is a <\/em><strong><em>Web3 real-time security and risk prevention platform<\/em><\/strong><em> that detects on-chain vulnerabilities and protects digital assets, protocols and asset managers from significant losses or\u00a0threats.<\/em><em> Nefture\u2019s core services include <\/em><strong><em>Real-Time Transaction Security<\/em><\/strong><em> and a <\/em><strong><em>Threat Monitoring Platform<\/em><\/strong><em> that provides accurate exploit detection and fully customized alerts covering hundreds of risk types with a clear expertise in\u00a0DeFi.<\/em><em> Today, Nefture proudly collaborates with leading projects and asset managers, providing them with unparalleled security solutions.<\/em> <a href=\"https:\/\/www.nefture.com\/demo\"><strong><em>Book a demo<\/em><\/strong><\/a><strong><em>\u00a0<\/em><\/strong><em>\ud83e\udd1d<\/em><\/p>\n<p><a href=\"https:\/\/medium.com\/coinmonks\/647m-stolen-the-may-2025-crypto-crime-report-0abd96e06935\">$647M Stolen\u200a\u2014\u200aThe May 2025 Crypto Crime Report<\/a> was originally published in <a 
href=\"https:\/\/medium.com\/coinmonks\">Coinmonks<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"<p>$647M Stolen\u200a\u2014\u200aThe May 2025 Crypto Crime\u00a0Report In May 2025, $647 million was lost to crypto crimes across 26 separate incidents\u200a\u2014\u200aalmost pushing the total losses for the year toward the $3.5 billion threshold, and we\u2019re only five months\u00a0in! Most of the losses were attributed to hacks, with smart contract exploits taking center stage\u200a\u2014\u200aaccounting for $242.4 million [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-73416","post","type-post","status-publish","format-standard","hentry","category-interesting"],"_links":{"self":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/73416"}],"collection":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=73416"}],"version-history":[{"count":0,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/73416\/revisions"}],"wp:attachment":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=73416"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=73416"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=73416"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}