1909 hack event(s)
Description of the event: According to monitoring by SlowMist, Usual Protocol suffered a sophisticated arbitrage attack. The attacker exploited a price discrepancy between the protocol’s internal mechanisms and external markets. The core issue lay in the Vault system, which allowed a fixed 1:1 exchange between USD0++ and USD0—despite the two tokens trading at different prices on decentralized exchanges. The attacker strategically created a custom liquidity pool and manipulated the transaction path to trick the Vault into releasing USD0 tokens without receiving the expected sUSDS collateral. These USD0 tokens were then sold on external markets at prices higher than the internal rate, allowing the attacker to profit through arbitrage.
Amount of loss: $ 42,800 Attack method: Contract Vulnerability
Description of the event: On May 22, according to community reports, the SUI ecosystem’s liquidity provider Cetus Protocol was reportedly attacked. Liquidity pool depth dropped sharply, and multiple token pairs on Cetus experienced significant price declines. The estimated losses exceed $230 million. The project announced shortly after that $162 million of the funds had been frozen.
Amount of loss: $ 230,000,000 Attack method: Contract Vulnerability
Description of the event: According to monitoring by the SlowMist security team, the digital asset wealth management platform Nexo suffered a sandwich attack due to a lack of access control in one of its contracts, resulting in a loss of approximately $31,000.
Amount of loss: $ 31,535 Attack method: Contract Vulnerability
Description of the event: On May 16th, Demex's lending market Nitron was exploited, resulting in a loss of $950,559 in user funds. According to Demex's post-incident analysis, the root cause of the exploit was a donation-based oracle manipulation attack targeting the deprecated dGLP vault.
Amount of loss: $ 950,559 Attack method: Oracle Attack
Description of the event: Zunami Protocol has reported a hack in which the collateral for zunUSD and zunETH was stolen, resulting in a loss of approximately $500,000. The attacker has transferred the stolen funds to Tornado Cash.
Amount of loss: $ 500,000 Attack method: Unknown
Description of the event: ZKsync Developers posted on X that the official X accounts of both ZKsync and Matter Labs have been compromised. Please do not interact with these accounts or click on any related links.
Amount of loss: - Attack method: Account Compromise
Description of the event: The English football club @SheffieldUnited has confirmed that its official X account was hacked. The attacker posted a Solana token address.
Amount of loss: - Attack method: Account Compromise
Description of the event: Mobius Token on BSC is suspected to have been exploited, with estimated losses of $2.15 million.
Amount of loss: $ 2,150,000 Attack method: Contract Vulnerability
Description of the event: Cointelegraph’s official X account was reportedly compromised and used to send phishing links to contributors on the platform. Crypto KOL @thedefiedge reported receiving a DM from the account, asking him to review an article that allegedly mentioned him. When he clicked the link in a private browsing window, it prompted an X login — but the domain was “Cointetegraph,” a misspelled version of Cointelegraph. Previously, there were also market reports that Cointelegraph’s account had posted an on-chain token contract and disabled comments. That post has since been deleted.
Amount of loss: - Attack method: Account Compromise
Description of the event: According to on-chain investigator ZachXBT, crypto exchange BitoPro was reportedly hacked on May 8, 2025, resulting in losses of approximately $11.5 million. The attacker drained assets from BitoPro’s hot wallets on Tron, Ethereum, Solana, and Polygon, then sold them via DEXs. The stolen funds were subsequently laundered through Tornado Cash or bridged via Thorchain to the Bitcoin network, eventually ending up in a Wasabi Wallet. BitoPro stated that the tactics used in this incident closely resemble those seen in several major international cases, attributing the attack to the North Korean hacking group Lazarus.
Amount of loss: $ 11,500,000 Attack method: Malicious Software
Description of the event: Curve Finance’s official website and X account were compromised in quick succession. On May 5, attackers first took control of the project’s X account and used it to post a phishing message promoting a fake airdrop. Then on May 12, the project issued a warning that the Curve frontend had been “hijacked,” in what appeared to be a domain takeover incident.
Amount of loss: - Attack method: Account Compromise
Description of the event: TRON DAO stated on X that its account was compromised on May 2, 2025, at 9:25 AM PST. During the breach, an unauthorized party published a post containing contract address, sent private messages, and followed several unknown accounts.
Amount of loss: - Attack method: Account Compromise
Description of the event: Hyperliquid's X account is suspected to have been compromised. Please do not trust any content it posts or click on any links, to avoid potential losses.
Amount of loss: - Attack method: Account Compromise
Description of the event: According to the SlowMist MistEye security monitoring system, Aventa, which specializes in creating intuitive Web3 utilities for the crypto community, appears to have been attacked, resulting in a loss of approximately 3.9 ETH.
Amount of loss: $ 7,000 Attack method: Flash Loan Attack
Description of the event: According to the SlowMist MistEye security monitoring system, LIFE Protocol has been attacked, resulting in a loss of over $51,000.
Amount of loss: $ 51,000 Attack method: Price Manipulation
Description of the event: A member of the crypto community previously revealed that "a smart contract of a certain Web3 project was suspected to have been implanted with malicious code by an employee," leading to losses of several hundred thousand dollars. Thomson, a developer of the DeFi trading and asset management project QuantMaster, stated that he was the primary victim of this theft. According to Thomson, the suspect has been largely identified. The GitHub submission records clearly point to a specific employee, and the device used to submit the code is also unique. Cursor retains a complete local AI activity log, which has been reviewed, ruling out the possibility that the malicious code was generated or modified by AI.
Amount of loss: - Attack method: Insider Manipulation
Description of the event: A modular DeFi lending market built on Solana, Loopscale, has suffered an attack. The root cause of the exploit has been identified as an isolated issue with Loopscale’s pricing of RateX-based collateral. The incident led to the theft of approximately 5.7 million USDC and 1,200 SOL, accounting for about 12% of the platform's total funds. According to an official update posted by Loopscale on April 29, following successful negotiations, all stolen assets — 5,726,725 USDC and 1,211 SOL — were fully returned on April 26. No user deposits were affected.
Amount of loss: $ 5,800,000 Attack method: Oracle Attack
Description of the event: The open-source data visualization tool Grafana has responded to a recent attack, stating that the attacker forked a Grafana repository, executed a curl command to inject malicious code, and exported environment variables into a file encrypted with a private key, thereby stealing access tokens. The attacker then deleted the fork to conceal their activity. Using the compromised credentials, the attacker replicated the attack against four private repositories. This unauthorized access was limited to automation systems and did not affect production environments or release artifacts. Based on the attack behavior, the goal appeared to be token theft and stealthy persistence for future use.
Amount of loss: - Attack method: Malicious Code Injection Attack
Description of the event: Impermax was attacked on the Base network. In a tweet, Impermax stated that someone launched a flash loan attack and drained its V3 liquidity pools. The team is currently investigating and advises users not to interact with any V3 pools.
Amount of loss: $ 400,000 Attack method: Flash Loan Attack
Description of the event: On April 26, 2025, lending protocol Term Labs introduced an internal inconsistency in decimal precision during an update to the tETH oracle, resulting in incorrect pricing of the tETH asset within the protocol. This mispricing triggered unintended liquidations, affecting approximately 918 ETH. The incident stemmed from human error during a sensitive system upgrade — a failure in operational execution rather than a flaw in the code or smart contracts. Through rapid response and negotiation efforts, Term Labs successfully recovered around 556 ETH, reducing the final net protocol loss to 362 ETH (approximately $650,000).
Amount of loss: $ 1,650,000 Attack method: Human Error