
{"id":86932,"date":"2025-08-08T05:29:32","date_gmt":"2025-08-08T05:29:32","guid":{"rendered":"https:\/\/mycryptomania.com\/?p=86932"},"modified":"2025-08-08T05:29:32","modified_gmt":"2025-08-08T05:29:32","slug":"285m-stolen-the-july-2025-crypto-crime-report","status":"publish","type":"post","link":"https:\/\/mycryptomania.com\/?p=86932","title":{"rendered":"$285M Stolen\u200a\u2014\u200aThe July 2025 Crypto Crime Report"},"content":{"rendered":"<h3>$285M Stolen\u200a\u2014\u200aThe July 2025 Crypto Crime\u00a0Report<\/h3>\n<h4>July 2025 saw a staggering $285.3 million lost to crypto crimes across 21 separate incidents\u200a\u2014\u200aofficially pushing total losses for the year past the $4.7 billion threshold. And we\u2019re only seven months\u00a0in!<\/h4>\n<p>The damage was split almost evenly between hacks and scams, with both racking up $139.1 million in losses. Access control exploits took the spotlight, responsible for $59 million across just five major breaches.<\/p>\n<p>The top four attacks\u200a\u2014\u200aall targeting exchanges (centralized and decentralized) with wildly different MOs\u200a\u2014\u200atogether drained over $127\u00a0million.<\/p>\n<p>July 2025 was also full of (un)expected revelations!<\/p>\n<p>A massive $132 million rug pull was finally exposed, leaving investors in pieces. 
At the same time, reports showed that North Korean hacker groups had quietly slipped into multiple protocols and planted backdoors that hadn\u2019t even been used\u00a0yet.<\/p>\n<p>And then there\u2019s Kinto Finance, which suddenly found itself under the spotlight\u200a\u2014\u200awith some people openly saying it could be an exit scam in progress.<\/p>\n<p>Discover some of the most impactful stories of July 2025 in our latest Crypto Crime\u00a0Report!<\/p>\n<h3>July 2025 Crypto Crime Data\u00a0Figure<\/h3>\n<p>Crypto Crime Data July 2025\u200a\u2014\u200aNefture<\/p>\n<h3>The Rowan Energy $132 Million Rug\u00a0Pull<\/h3>\n<p>Rowan Energy pitched itself as a pioneering clean-energy blockchain, offering homeowners solar-powered SmartMiner devices that would mint RWN tokens tied to \u201creal-time renewable generation.\u201d Ahem.<\/p>\n<p>Source: Rowan Energy\u2019s\u00a0Twitter<\/p>\n<p>Public messaging depicted a fixed supply capped at 545 million tokens, with only incremental issuance aligned to \u201cverified energy\u00a0output.\u201d<\/p>\n<p>It was very successful in its marketing effort, as it seems solar installers were snubbed by their potential UK customers if they refused to install Rowan Energy\u2019s \u201ccarbon mining\u201d\u00a0device.<\/p>\n<p>Source: Conor Quinn\u00a0LinkedIn<\/p>\n<p>Behind the scenes, however, the infrastructure was alarmingly centralized and opaque: an independent researcher discovered that the Rowan wallet app exposed RPC endpoints and allowed arbitrary minting\u200a\u2014\u200arevealing that the entire blockchain, which was private, was of course manipulable despite claims of decentralization.<\/p>\n<p>In April 2025, a forensic <em>expos\u00e9<\/em> published on Mirror.xyz demonstrated the exploit outright.<\/p>\n<p>Source: <a href=\"https:\/\/mirror.xyz\/0x78754D3cc91f7f819Eb889d36c255F319a632D9D\/M9Mtypim2vL609kLCndB91rKC91jZSMssh3E5IRa90A\">Mirror<\/a><\/p>\n<p>This white-hat researcher discovered that the real supply 
wasn\u2019t 545 million tokens, but around 945\u00a0million.<\/p>\n<p>To demonstrate the depth of the manipulation, he used leaked RPC access to trigger the <strong>mintToken<\/strong> function in Rowan\u2019s ERC\u201120 contract, inflating the total supply from roughly 945 million to nearly 1.945 billion tokens in seconds, then burned the extra\u00a0tokens.<\/p>\n<p>This fully revealed that the founders\u2019 claim of a fixed cap was false, and that large undisclosed quantities of RWN\u200a\u2014\u200acontrolled by insiders\u200a\u2014\u200awere primed for dumping during price\u00a0spikes.<\/p>\n<p>The project\u2019s explorer selectively hid mint transactions, while visible burn and distribution data exposed major holdings in exchange wallets like MEXC\u2014holding 266 million RWN alone, nearly half the alleged max\u00a0supply.<\/p>\n<p>On June 25, 2025, Rowan Energy quietly pulled the plug after months of silence and stringing along its community following the April revelations.<\/p>\n<p>Without announcement, the blockchain was retired, token trading halted, and dashboards went dark. Within hours, RWN\u2019s value collapsed by over 99.9 percent. Social and communications channels\u200a\u2014\u200aincluding Telegram and YouTube\u200a\u2014\u200awere deleted, and CEO David Duckworth and team vanished from public\u00a0view.<\/p>\n<p>Affected users were left holding worthless tokens and unreturned hardware, with no compensation or clear roadmap forward. 
Trustpilot reviews and community voices later slammed it as a scam purposely designed from day one\u200a\u2014\u200ait just took years to reveal itself as the slow rug pull it was always meant to\u00a0be.<\/p>\n<p><strong><em>Without the blockchain researcher who exposed the truth, Rowan Energy could still be cashing in and making new victims\u00a0today.<\/em><\/strong><\/p>\n<h3>North Korean Threat Groups Planting Backdoors All Over\u00a0DeFi?<\/h3>\n<p>On July 9, 2025, researchers from VennBuild and collaborating teams exposed <a href=\"https:\/\/cryptorank.io\/news\/feed\/b1530-researchers-foil-10m-defi-backdoor-attack\">a devastating vulnerability affecting thousands of smart contracts<\/a>.<\/p>\n<p>At the center was a backdoor embedded through uninitialized ERC\u20111967 proxy contracts\u200a\u2014\u200aa widely used standard across Ethereum-compatible chains.<\/p>\n<p>Attackers had been able to front-run contract deployments, inject their own malicious logic before initialization, and then erase any trace from public explorers.<\/p>\n<p><strong><em>The vulnerability granted them permanent upgrade rights over contracts they didn\u2019t own, cloaking their presence behind misleading logs.<\/em><\/strong><\/p>\n<p>This wasn\u2019t a bug in a fringe protocol; it was a systemic weakness that cut across infrastructure used by top-tier projects, exposing over $10 million in active assets\u200a\u2014\u200aall sitting unknowingly on a trapdoor.<\/p>\n<p>Source: Deebeez\u00a0Twitter<\/p>\n<p>What made the situation even more chilling was how deliberate it appeared. 
Security teams found no evidence of actual funds being drained, suggesting the attackers weren\u2019t after petty theft but patiently waiting for the right high-value target.<\/p>\n<p>This patience, the subtlety of the exploit, and the coordination required led several researchers to suspect the hand of Lazarus Group\u200a\u2014\u200aa North Korean state-sponsored cyber unit notorious for leveraging software supply chains to bypass conventional defenses.<\/p>\n<p>VennBuild\u2019s lead investigator emphasized that this was not the work of amateurs; the exploit\u2019s technical execution showed a deep understanding of EVM mechanics, and the obfuscation tactics made it invisible to most scanners and auditors.<\/p>\n<p>Left unchecked, it could\u2019ve triggered a cascading collapse across multiple ecosystems.<\/p>\n<p>In response, a rapid 36-hour triage unfolded across Discord war rooms, Twitter threads, and encrypted DMs. Teams like SEAL 911, pcaversaccio, Dedaub, and affected protocols scrambled to analyze contract footprints, withdraw exposed funds, and redeploy secure implementations. Berachain, one of the platforms at risk, promptly migrated user assets and patched the vector before any loss occurred.<\/p>\n<p>The incident exposed a dangerous norm in DeFi: many contracts rely on delayed or split initialization routines, leaving a window of opportunity for attackers to hijack the contract\u2019s logic. 
This way of splitting or delaying initialization is risky because it allows attackers to sneak in and take control before the contract is fully\u00a0secured.<\/p>\n<h3>The Top 4 Hacks Targeted Exchanges, Costing $127\u00a0Million<\/h3>\n<p>In mid\u2011 and late-July 2025, four major crypto exchanges\u200a\u2014\u200athree centralized and one decentralized\u200a\u2014\u200awere rocked by sophisticated hacks, combining to drain nearly $127 million in\u00a0total.<\/p>\n<p>Though diverging in technical execution and target profiles, all four incidents showcased systemic vulnerabilities in hot wallets, internal account infrastructure, and user security practices.<\/p>\n<h4>GMX<\/h4>\n<p>On July 9, GMX\u200a\u2014\u200aa decentralized exchange operating on Arbitrum and Avalanche\u200a\u2014\u200afell victim to a classic reentrancy exploit involving the executeDecreaseOrder function.<\/p>\n<p>By manipulating GLP token pricing and entering\/exiting positions in a single transaction, the attacker exploited a stale global average short price to siphon approximately $40\u201342M from liquidity pools. The attacker later returned most of the stolen assets in exchange for a $5M white\u2011hat bounty, signaling to the community that the breach may have been opportunistic rather than purely malicious. GMX quickly paused its vulnerable V1 contracts and urged migration to V2 for security.<\/p>\n<h4>CoinDCX<\/h4>\n<p>Just a week later, CoinDCX, one of India\u2019s largest exchanges, disclosed a $44M breach from an internal operational wallet used for liquidity provisioning. Notably, no user funds were affected\u200a\u2014\u200aall customer assets stored in cold wallets remained untouched.<\/p>\n<p>The attackers are suspected to have leveraged server credentials or internal keys to access the treasury. CoinDCX issued a recovery bounty of up to $11M and chose to absorb the full financial loss from its own reserves. 
The forensic trail also included on-chain laundering through Tornado Cash and cross-chain transfers via Solana\u2010Ethereum bridges. Analysts have drawn parallels to the July 2024 WazirX hack\u200a\u2014\u200asame attackers, similar timing, replay tactics and ominous execution patterns.<\/p>\n<h4>BigONE<\/h4>\n<p>Intercepted mid\u2011month, the BigONE exchange lost approximately $27M in an attack targeting its hot wallet. The blame fell on a supply chain compromise\u200a\u2014\u200aaltered server logic or production network access enabled third parties to initiate unauthorized withdrawals across BTC, ETH, USDT, SOL, and\u00a0XIN.<\/p>\n<p>Attackers exploited vulnerabilities in the Continuous Integration \/ Continuous Deployment (CI\/CD) pipeline, deploying malicious code that altered the operating logic of account and risk control\u00a0servers.<\/p>\n<p>This manipulation allowed unauthorized withdrawals from the hot wallet, bypassing traditional security measures without compromising private\u00a0keys.<\/p>\n<h4>WOO X<\/h4>\n<p>Finally, on July 24, WOO X, a centralized exchange focused on zero\u2011fee retail trading, experienced a $14M breach affecting nine user accounts via a phishing attack targeting a team member\u2019s\u00a0device.<\/p>\n<p>Once inside the development environment, the attacker executed coordinated withdrawals across BTC, ETH, BNB, and Arbitrum networks, converting a portion of funds through token\u00a0swaps.<\/p>\n<p>WOO X swiftly halted withdrawals, notified impacted users, and vowed full reimbursement. 
Security investigators, including Cyvers Alerts, Seal911, and Hypernative, helped trace transactions and freeze suspicious addresses.<\/p>\n<h3>Kinto Finance: Hack Victim or Exit Scam in The\u00a0Making?<\/h3>\n<p>Kinto Finance, once positioned as a compliant, institution-friendly DeFi Layer 2 on Arbitrum, suffered a breach in early July 2025 when its $K token contract was hijacked through a low-level proxy\u00a0exploit.<\/p>\n<p>Attackers took advantage of an uninitialized OpenZeppelin ERC-1967 proxy, gaining control over the contract\u2019s upgrade mechanism. With ownership in hand, they minted 110,000 unauthorized $K tokens and proceeded to drain $1.55 million from Morpho Blue vaults and Uniswap V4\u00a0pools.<\/p>\n<p><em>The exploit, which had been dormant and undetected, triggered a brutal 95% collapse in the $K token\u2019s value, effectively wiping out nearly $13 million in market capitalization.<\/em><\/p>\n<p>According to post-mortem reports and deep technical breakdowns from Rekt News, the exploit remained invisible in block explorers like Etherscan due to spoofed log data, making detection nearly impossible until after funds were\u00a0gone.<\/p>\n<p>Kinto\u2019s official response framed the incident as a tragic convergence of inherited vulnerabilities rather than a failing of its own infrastructure.<\/p>\n<p>The exploit occurred exclusively on the Arbitrum deployment of the $K token\u200a\u2014\u200anot the Kinto rollup, bridge, or wallet stack. Affected contracts were immediately deactivated, trading on centralized exchanges was frozen, and the team committed to redeploying a hardened version of the token. According to a statement from Kinto, a snapshot of balances would be taken at block 356170028, restoring user holdings to their pre-exploit state. 
Affected Morpho lenders would also be compensated, and speculative buyers would receive pro-rata reimbursements via\u00a0airdrop.<\/p>\n<p>The coordination of incident response teams\u200a\u2014\u200aincluding VennBuild, Hypernative, ZeroShadow, and SEAL 911\u200a\u2014\u200awas rapid and effective, limiting the scale of further\u00a0damage.<\/p>\n<p><strong><em>Still, <\/em><\/strong><a href=\"https:\/\/rekt.news\/just-bad-luck\"><strong><em>Rekt News<\/em><\/strong><\/a><strong><em> raised pointed questions about whether this was really just a case of \u201cbad\u00a0luck.\u201d<\/em><\/strong><\/p>\n<p>Their analysis spotlighted troubling on-chain behavior leading up to the attack: the attacker didn\u2019t simply mint tokens and dump them\u200a\u2014\u200ahe minted $K in multiple waves, used the tokens to borrow stablecoins from Morpho, and sidestepped slippage risks by avoiding sales into shallow liquidity pools.<\/p>\n<p>This calculated strategy echoed classic rug-pull mechanics. Rekt also noted the uncanny timing: a massive token unlock just days before the attack doubled circulating supply, possibly enabling insiders or well-informed actors to manipulate markets and exit positions under the chaos of the\u00a0exploit.<\/p>\n<p>The combination of technical precision, value extraction tactics, and suspicious tokenomics prompted some in the community to call\u00a0foul.<\/p>\n<p>Rekt rightly emphasized that although the exploit technically stemmed from inherited proxy logic, the broader situation\u200a\u2014\u200aprevious project failures by the team, suspiciously timed token unlocks, and market behavior\u200a\u2014\u200acast a long shadow over Kinto\u2019s credibility.<\/p>\n<p>Whether this was an external attack that exploited a tragic oversight, or a cleverly disguised insider rug in the clothes of an exploit, remains up for\u00a0debate!<\/p>\n<p>Only time, it seems, will reveal the full\u00a0truth.<\/p>\n<p>Our July 2025 crypto-criminal report 
ends\u00a0here!<\/p>\n<p>See you all next month for another crypto crime\u00a0report.<\/p>\n<p>Until then, stay\u00a0safe!<\/p>\n<h3>About us<\/h3>\n<p><a href=\"https:\/\/nefture.com\/\"><em>Nefture<\/em><\/a><em> is a <\/em><strong><em>Web3 real-time security and risk prevention platform<\/em><\/strong><em> that detects on-chain vulnerabilities and protects digital assets, protocols and asset managers from significant losses or\u00a0threats. <\/em><em>Nefture core services include <\/em><strong><em>Real-Time Transaction Security<\/em><\/strong><em> and a <\/em><strong><em>Threat Monitoring Platform<\/em><\/strong><em> that provides accurate exploit detection and fully customized alerts covering hundreds of risk types with a clear expertise in\u00a0DeFi. <\/em><em>Today, Nefture proudly collaborates with leading projects and asset managers, providing them with unparalleled security solutions. <\/em><a href=\"https:\/\/www.nefture.com\/demo\"><strong><em>Book a demo<\/em><\/strong><\/a><strong><em>\u00a0<\/em><\/strong><em>\ud83e\udd1d<\/em><\/p>\n<p><a href=\"https:\/\/medium.com\/coinmonks\/285m-stolen-the-july-2025-crypto-crime-report-32252ffeb143\">$285M Stolen\u200a\u2014\u200aThe July 2025 Crypto Crime Report<\/a> was originally published in <a href=\"https:\/\/medium.com\/coinmonks\">Coinmonks<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"<p>$285M Stolen\u200a\u2014\u200aThe July 2025 Crypto Crime\u00a0Report July 2025 saw a staggering $285.3 million lost to crypto crimes across 21 separate incidents\u200a\u2014\u200aofficially pushing total losses for the year past the $4.7 billion threshold. And we\u2019re only seven months\u00a0in! The damage was split almost evenly between hacks and scams, with both racking up $139.1 million in losses. 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-86932","post","type-post","status-publish","format-standard","hentry","category-interesting"],"_links":{"self":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/86932"}],"collection":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=86932"}],"version-history":[{"count":0,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/86932\/revisions"}],"wp:attachment":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=86932"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=86932"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=86932"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}