27.03.2026

TOP Most High-Profile Hacks in the Crypto Industry Over a Year

Contents:

1. UPCX — $70 million (April 2025)
2. Bitget / VOXEL — up to $100 million (April 2025)
3. Cetus Protocol — $223 million (May 2025)
4. Coinbase — Data leak of 69,000+ clients (May 2025)
5. Nobitex — $90 million (June 2025)
6. CoinDCX — $44.2 million (July 2025)
7. GMX — $42 million (July 2025)
8. BtcTurk — $48 million (August 2025)
9. SwissBorg — $41 million (September 2025)
10. Shibarium Bridge — $4.1 million (September 2025)
11. Balancer — $128 million (November 2025)
12. Upbit — ~$30 million (November 2025)
Summary table: All key incidents
General analysis: Key trends of the period

The period from March 2025 to March 2026 became one of the most destructive in the history of the cryptocurrency industry. According to BitOK, approximately $3 billion was stolen in 2025 as a result of nearly 150 incidents. According to alternative estimates, total losses may reach $3.4–4 billion when scams and minor exploits are counted. The nature of attacks has radically changed: hackers have shifted from searching for code vulnerabilities to exploiting operational weaknesses (compromised keys, bribed employees, and social engineering).

Context: the largest hack of the recent past, Bybit ($1.46 billion, February 21, 2025), occurred just before our timeframe. Nevertheless, its shadow defined the entire period: it was after Bybit that the industry realized the scale of the threat from North Korea’s Lazarus Group, which, according to our analysts' calculations, stole >$2 billion in 2025.

1. UPCX — $70 million (April 2025)

  • Type: Private key compromise, malicious contract upgrade
  • Blockchain: Ethereum
  • Status: Tokens not sold, investigation ongoing

On April 1, 2025, the Web3 payment platform UPCX lost 18.4 million UPC tokens (~$70 million) — more than was in circulation at the time of the attack (~4.14 million). The team confirmed the incident.


How it happened

  • The attacker gained access to the project's privileged address — likely through private key theft.
  • Performed a malicious upgrade of the ProxyAdmin contract.
  • Called the built-in withdrawByAdmin function, emptying three management accounts.

Reaction

  • UPCX suspended deposits and withdrawals, assuring that user personal funds were not affected.
  • UPC price fell 7% — from $4.06 to $3.52.
  • Stolen tokens remain on a single Ethereum address: the hacker made no attempts to sell, which is understandable — UPC liquidity is extremely limited (trading only on Gate.io and MEXC).

Lesson

  • The incident highlighted the risks of privileged admin access in smart contracts.
  • The hacker stole 4.5 times more tokens than were in circulation — any attempt to sell would crash the price, creating a deadlock situation.

2. Bitget / VOXEL — up to $100 million (April 2025)

  • Type: Market maker bot bug exploitation
  • Bitget losses: ~$100 million; $38.31 million USDT withdrawn before rollback
  • Status: Transaction rollback, lawsuits against 8 accounts

On April 20, 2025, one of the most unusual incidents of the year occurred on the Bitget exchange: a bug in the internal trading bot turned the exchange into "an ATM uncontrollably dispensing cash".

How it happened

  • A malfunction in the market maker bot caused VOXEL/USDT futures orders to automatically execute in a narrow range of $0.125–$0.138 without a normal counterparty.
  • Traders discovered the anomaly and began rapidly switching between long and short positions.
  • VOXEL trading volume over the day reached ~$12 billion, exceeding BTC trading volume on the same exchange.
  • Individual users turned $100 into six-figure sums in minutes.

Scale of losses

Estimates vary; the average is approximately $100 million in losses. Presumably, $38.31 million USDT was withdrawn before the rollback, of which >$20 million came from 8 coordinated accounts. Another ~$12 billion in anomalous volume was rolled back.

Reaction

Lessons

  • The incident exposed the risks of closed market-making systems on CEXs, where third-party liquidity providers are not allowed.
  • The transaction rollback raised accusations of double standards — Bitget CEO Gracie Chen had publicly criticized Hyperliquid for similar actions shortly before.
  • The boundaries between "bug," "exploit," and "fair arbitrage" remain blurred.

3. Cetus Protocol — $223 million (May 2025)

  • Type: Smart contract exploit
  • Blockchain: Sui
  • Status: $162 million frozen, partially returned

On May 22, 2025, the largest DEX on Sui fell victim to one of the year's most massive DeFi hacks. The team confirmed the theft of $223 million, and the Sui Foundation described a coordinated validator response. The error was in the math library, specifically in the checked_shlw function responsible for overflow checks during bit shifts.

Attack scheme

  • The attacker opened a liquidity position with a tiny tick range [300000, 300200].
  • Deposited 1 unit of token — due to the bug, the system credited a huge amount of liquidity.
  • Extracted liquidity over several transactions, withdrawing ~$223 million.
  • ~$60 million was converted to ETH and withdrawn to Ethereum; $162 million was frozen by Sui validators.
A detailed technical breakdown can be found at Cyfrin and in Cetus's official incident report.
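
An added illustration, not part of the original article and not Cetus's code (Python stands in for Move): how a wrong threshold in an overflow check before a 64-bit left shift lets a 256-bit value truncate silently, next to the corrected check. The page names only the checked_shlw function; the exact flawed threshold used here is an assumption, and the boundary inputs are constructed.

```python
U256_MAX = (1 << 256) - 1


def shl64_u256(n: int) -> int:
    """Left shift by 64 in a fixed-width u256: bits above 255 are discarded."""
    return (n << 64) & U256_MAX


def checked_shlw_flawed(n: int):
    """Flawed guard (assumed form): the threshold is 0xFFFFFFFFFFFFFFFF << 192,
    so every value in [2**192, threshold] is shifted and silently truncated."""
    threshold = 0xFFFFFFFFFFFFFFFF << 192
    if n > threshold:
        return 0, True            # overflow reported
    return shl64_u256(n), False   # overflow NOT reported


def checked_shlw_fixed(n: int):
    """Correct guard: n << 64 fits in 256 bits only when n < 2**192."""
    if n >= 1 << 192:
        return 0, True
    return shl64_u256(n), False


def silently_truncated(fn, n: int) -> bool:
    """True when fn claims success but the result differs from the exact n * 2**64."""
    result, overflowed = fn(n)
    return (not overflowed) and result != n << 64


# Constructed boundary inputs around 2**192 and around the flawed threshold.
BOUNDARY_INPUTS = [
    (1 << 192) - 1,
    1 << 192,
    (1 << 192) + 5,
    (0xFFFFFFFFFFFFFFFF << 192) + 1,
]


def audit(fn):
    """Return the boundary inputs for which fn hides an overflow."""
    return [n for n in BOUNDARY_INPUTS if silently_truncated(fn, n)]


if __name__ == "__main__":
    print("flawed check hides overflow for", len(audit(checked_shlw_flawed)), "inputs")
    print("fixed check hides overflow for", len(audit(checked_shlw_fixed)), "inputs")
```

Boundary tests of this kind, exercising the first value that must be rejected, are the check that would have caught the wrong threshold.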

Reaction

  • Contracts were immediately suspended.
  • Emergency validator vote: 90.9% approved returning frozen funds.
  • Assets transferred to a multi-signature wallet controlled by Cetus, OtterSec, and the Sui Foundation.
  • Sui allocated $10 million to improve ecosystem security.

Lesson

  • The protocol had undergone numerous audits, and none detected the problem: another reproach aimed at analytical companies.

4. Coinbase — Data leak of 69,000+ clients (May 2025)

  • Type: Insider attack, bribery, social engineering
  • Financial damage: $180–400 million (various estimates)
  • Status: Criminal investigation, class action lawsuits

Not a classic crypto hack, but data theft through bribery of outsourcers. Coinbase disclosed the incident in an official blog post on May 15, 2025, and confirmed details in a Form 8-K filing with the SEC.

What was stolen

  • Names, dates of birth, addresses, phone numbers, emails.
  • Last SSN digits, masked bank account numbers.
  • Identity document scans (for some users).
  • Transaction history and balances.

What was NOT compromised

  • Passwords and private keys.
  • Coinbase Prime accounts.
  • Wallet funds.

Key facts

  • According to court documents, TaskUs employee Ashita Mishra photographed up to 200 records per day, selling them for $200 per screenshot — from September 2024 to January 2025.
  • On May 11, extortionists demanded a $20 million ransom — Coinbase refused.
  • The company announced a counter-reward of $20 million for information on the organizers.
  • Damage from subsequent social engineering attacks is estimated at $180–400 million.

5. Nobitex — $90 million (June 2025)

  • Type: Politically motivated cyber attack
  • Blockchains: Ethereum, TRON, Bitcoin, Solana, Dogecoin, XRP, and others
  • Status: Funds irreversibly destroyed (burned)

On June 18, 2025, Iran's largest crypto exchange was attacked by the Gonjeshke Darande (Predatory Sparrow) group, which is linked to Israel. This is the first large-scale case of a "geopolitical" crypto hack, where the goal was not enrichment but causing economic damage.

Key facts

  • Using stolen private keys and administrative credentials, the attackers emptied hot wallets on multiple blockchains.
  • Funds sent to vanity addresses with inscriptions like "FuckIRGCTerrorists" — keys to these addresses do not exist, $90 million irreversibly destroyed.
  • The next day, hackers published the complete source code and internal Nobitex documentation, threatening all remaining assets on the exchange.
  • On the night of the attack, internet traffic in Iran dropped 98% as authorities imposed a near-total blackout.
  • The exchange's incoming transaction volume fell more than 70% year-over-year (TRM Labs).
  • Nobitex's CEO promised full compensation from the insurance fund and reserves; the exchange resumed operations in phases over 4–5 days.
  • The day before, June 17, the same group attacked Iran's Bank Sepah, destroying its data.

6. CoinDCX — $44.2 million (July 2025)

  • Type: Server hack, private key compromise
  • Blockchains: Solana and Ethereum
  • Status: Exchange covered losses, employee arrested

On July 19, 2025, one of India's largest exchanges lost $44.2 million from the hot wallet.

How it happened

  • The attacker compromised one of the exchange's internal servers and stole the private key.
  • In ~5 minutes, funds were withdrawn through multiple transactions.
  • Stolen assets were transferred to several Solana addresses, then moved across bridges to Ethereum via Tornado Cash.

Reaction

  • ZachXBT was the first to report the hack.
  • CoinDCX confirmed the hack and fully covered losses from company funds.
  • Police arrested an employee allegedly involved in facilitating the hack.

7. GMX — $42 million (July 2025)

  • Type: Smart contract exploit
  • Blockchain: Arbitrum
  • Status: ~$40.5 million successfully recovered

On July 9, 2025, the GMX protocol lost $42 million due to a classic reentrancy vulnerability in V1 contracts.

Attack scheme

  • Vulnerability in the executeDecreaseOrder function — ETH refund was sent before state update.
  • A malicious contract intercepted control via receive().
  • The hacker opened short BTC positions with 30× leverage, artificially lowering the global average short price.
  • Inflated AUM led to inflated GLP price, enabling a $42 million withdrawal through redemption.
Incident analysis can be found at: Halborn, Sherlock, SlowMist.
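
An added example, not from the original article and not GMX's contract code: a small Python model of the ordering problem described above, where a refund is sent before state is updated, beside a hardened path that updates state first and rejects reentrant calls. The classes, the fee amount and the probe receiver are hypothetical test doubles.

```python
class ReentrancyError(Exception):
    pass


class OrderExecutor:
    """Toy order executor that refunds an execution fee to a receiver callback."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.orders = {}        # order_id -> fee held for that order
        self.paid_out = 0       # total fees refunded so far
        self._entered = False   # reentrancy lock, checked on the hardened path

    def create_order(self, order_id, fee):
        self.orders[order_id] = fee

    def execute_decrease_order(self, order_id, receiver):
        if self.hardened and self._entered:
            raise ReentrancyError("reentrant call rejected")
        self._entered = True
        try:
            fee = self.orders[order_id]
            if self.hardened:
                del self.orders[order_id]        # effect first
                self._refund(receiver, fee)      # interaction last
            else:
                self._refund(receiver, fee)      # interaction first: order still live
                self.orders.pop(order_id, None)  # state updated too late
        finally:
            self._entered = False

    def _refund(self, receiver, fee):
        self.paid_out += fee
        receiver.receive(self)   # external call hands control to the receiver


class ProbeReceiver:
    """Test double for a contract whose receive() calls back into the executor once."""

    def __init__(self, order_id):
        self.order_id = order_id
        self.saw_live_order = False
        self.blocked = False
        self._depth = 0

    def receive(self, executor):
        self._depth += 1
        if self._depth > 1:
            return
        self.saw_live_order = self.order_id in executor.orders
        try:
            executor.execute_decrease_order(self.order_id, self)
        except (ReentrancyError, KeyError):
            self.blocked = True


def run(hardened: bool):
    """Execute one order and report (total refunded, stale state seen, reentry blocked)."""
    ex = OrderExecutor(hardened)
    ex.create_order(1, fee=10)
    probe = ProbeReceiver(1)
    ex.execute_decrease_order(1, probe)
    return ex.paid_out, probe.saw_live_order, probe.blocked
```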

Outcome

  • GMX offered a bounty of >10% of the amount.
  • The hacker returned ~$40.5 million (10,000 ETH + $10.5 million FRAX), keeping approximately $5 million.
  • GMX token fell 28% after the incident, but recovered after funds were returned.

8. BtcTurk — $48 million (August 2025)

  • Type: Hot wallet compromise
  • Blockchains: ETH, AVAX, ARB, BASE, OP, MANTLE, MATIC
  • Date: August 14, 2025
  • Status: Investigation

One of Turkey's oldest exchanges (founded in 2013) suffered twice in 14 months. Previously, in June 2024, the platform lost $55 million. The latest incident is related to private key compromise of hot wallets.
  • Cyvers recorded suspicious transfers of $48 million across 7 blockchains.
  • Most assets were consolidated in two addresses and quickly exchanged through DEX.
  • BtcTurk suspended deposits/withdrawals, assuring that cold wallets were not affected.
  • After the 2024 hack, the CEO resigned — but judging by the repeat incident, no fundamental changes in key security occurred.

9. SwissBorg — $41 million (September 2025)

  • Type: Supply-chain attack via partner API (Kiln)
  • Blockchain: Solana
  • Date: September 8, 2025
  • Status: SwissBorg committed to covering all losses

The Swiss crypto asset management platform lost 192,600 SOL (~$41 million) from the SOL Earn program — but not due to a compromise of its own system.

How it happened

  • The attacker compromised the API of staking partner Kiln, which managed Solana staking for SwissBorg.
  • On August 31 — hidden authorization instructions were embedded in a routine unstaking transaction, transferring control of staking accounts to the attacker.
  • On September 8 — the hacker activated the "skeleton key" and withdrew all funds.
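
An added example, not from the original article and not SwissBorg's or Kiln's code: a pre-signing policy check that decodes the instructions of a transaction submitted as an "unstake" and refuses to sign if any of them changes stake authority. It assumes a simplified transaction representation (a list of program id plus raw instruction data) and that stake-program instructions start with a 4-byte little-endian enum tag; the sample transactions are constructed.

```python
import struct

STAKE_PROGRAM = "Stake11111111111111111111111111111111111111"
COMPUTE_BUDGET = "ComputeBudget111111111111111111111111111111"

# Stake program instruction tags relevant to this policy.
STAKE_IX = {
    1: "Authorize",
    4: "Withdraw",
    5: "Deactivate",
    8: "AuthorizeWithSeed",
    10: "AuthorizeChecked",
    11: "AuthorizeCheckedWithSeed",
}
AUTHORITY_CHANGING = {1, 8, 10, 11}
UNSTAKE_ALLOWED = {5}   # an unstake request should only deactivate stake


def review_unstake_tx(instructions):
    """Return (index, reason) for every instruction that violates the unstake policy."""
    findings = []
    for i, ix in enumerate(instructions):
        pid, data = ix["program_id"], ix["data"]
        if pid == COMPUTE_BUDGET:
            continue                      # fee and compute settings are harmless
        if pid != STAKE_PROGRAM:
            findings.append((i, "unexpected program " + pid))
            continue
        if len(data) < 4:
            findings.append((i, "stake instruction too short to decode"))
            continue
        (tag,) = struct.unpack_from("<I", data)
        name = STAKE_IX.get(tag, "tag %d" % tag)
        if tag in AUTHORITY_CHANGING:
            findings.append((i, name + " changes stake authority"))
        elif tag not in UNSTAKE_ALLOWED:
            findings.append((i, name + " not allowed for unstake intent"))
    return findings


def safe_to_sign(instructions):
    return not review_unstake_tx(instructions)


def stake_ix(tag, payload=b""):
    """Build a constructed stake-program instruction for the samples below."""
    return {"program_id": STAKE_PROGRAM, "data": struct.pack("<I", tag) + payload}


# Constructed samples: a plain unstake, and the same request carrying an extra
# Authorize instruction (the new authority key is shown as 32 zero bytes).
CLEAN_TX = [{"program_id": COMPUTE_BUDGET, "data": b"\x02" + bytes(4)}, stake_ix(5)]
TAMPERED_TX = CLEAN_TX + [stake_ix(1, bytes(32) + struct.pack("<I", 1))]

if __name__ == "__main__":
    print(review_unstake_tx(CLEAN_TX))
    print(review_unstake_tx(TAMPERED_TX))
```

The point of the allowlist is that the signer judges the transaction by what it actually contains, not by what the partner API says it is for.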

Reaction

  • Less than 1% of users and ~2% of platform assets were affected.
  • CEO Cyrus Fazel promised full compensation of losses from company funds.
  • Some transactions were blocked on exchanges.

10. Shibarium Bridge — $4.1 million (September 2025)

  • Type: Flash-loan attack, validator takeover
  • Blockchain: Shibarium / Ethereum
  • Status: Some funds frozen

Despite its modest amount, this hack stands out for its unconventional attack vector:
  • A flash loan of 4.6 million BONE was delegated to a validator, leading to capture of the majority of validator power.
  • Signing a fake network state enabled a $4.1 million withdrawal of 17 tokens.
  • The borrowed BONE remained locked because of the unstaking delay: a mechanism that usually frustrates users saved the day.
Shibarium developer Kaal Dhairya called the attack "sophisticated". K9 Finance DAO lost >$700,000 and issued Shiba Inu a public ultimatum.

11. Balancer — $128 million (November 2025)

  • Type: Smart contract rounding error exploit
  • Blockchains: Ethereum, Arbitrum, Base, Polygon, Optimism, Sonic
  • Status: ~$18 million recovered; Balancer Labs shutting down

On November 3, 2025, in 30 minutes, an attacker withdrew $128 million from Balancer V2 pools on six blockchains.

Mechanism

  • Vulnerability in _upscaleArray: with balances around 8–9 wei, rounding gave up to 10% error per operation.
  • 65+ micro-swaps in a single batchSwap transaction accumulated rounding errors.
  • Artificially lowering BPT price enabled arbitrage profit extraction.
Interestingly, the malicious contract contained console.log — a typical sign that code was written with AI assistance.
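
An added example, not from the original article and not Balancer's code: a simplified model of round-down fixed-point scaling that shows why balances of 8–9 wei lose close to 10% to rounding while normal balances lose almost nothing, plus a monitor that flags the steps of a batch where the loss exceeds a tolerance. The 1.1x scaling factor, the tolerance and the balance sequence are constructed assumptions.

```python
from fractions import Fraction

ONE = 10**18                    # 18-decimal fixed-point unit
SCALING_FACTOR = 11 * 10**17    # hypothetical 1.1x scaling factor (constructed)


def upscale_down(balance: int, factor: int = SCALING_FACTOR) -> int:
    """Fixed-point multiply that rounds toward zero."""
    return balance * factor // ONE


def relative_loss(balance: int, factor: int = SCALING_FACTOR) -> Fraction:
    """Fraction of the exact scaled value that rounding down discards."""
    exact = Fraction(balance * factor, ONE)
    if exact == 0:
        return Fraction(0)
    return (exact - upscale_down(balance, factor)) / exact


def flag_low_precision_steps(balances, tolerance=Fraction(1, 10**6),
                             factor=SCALING_FACTOR):
    """Return (step, balance, loss) for each step whose rounding loss exceeds tolerance."""
    flagged = []
    for step, bal in enumerate(balances):
        loss = relative_loss(bal, factor)
        if loss > tolerance:
            flagged.append((step, bal, loss))
    return flagged


# Constructed sequence of one pool balance after successive swaps in a batch:
# a healthy balance, then balances pushed down to single-digit wei.
BATCH_BALANCES = [5 * 10**18 + 3, 10**12 + 7, 9, 8, 9]

if __name__ == "__main__":
    for step, bal, loss in flag_low_precision_steps(BATCH_BALANCES):
        print("step %d: balance %d wei loses %.2f%% to rounding" % (step, bal, float(loss) * 100))
```

At most one unit is lost per rounding, so the relative error is negligible at normal balances and only becomes material once a balance has been driven down to a few wei; a minimum-balance or tolerance check targets exactly that region.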

Consequences

  • BAL crashed 91% year-over-year (to $0.17); TVL dropped 18%.
  • Berachain conducted an emergency hard fork to freeze stolen funds; Polygon validators censored attacker transactions.
  • On March 24, 2026, Balancer Labs announced its shutdown as a legal entity. The protocol transitions to a DAO.

12. Upbit — ~$30 million (November 2025)

  • Type: Theft from Solana hot wallet
  • Country: South Korea
  • Status: Users fully reimbursed

On November 27, 2025, South Korea's largest exchange lost 44.5 billion won from a Solana wallet — exactly 6 years after the previous hack of $50 million (November 27, 2019). Initial losses were estimated at 54 billion won (~$36 million), later corrected to 44.5 billion won (~$30 million).

Key facts

  • Stolen items included SOL, USDC, BONK, JUP, RAY, RENDER, ORCA, PYTH, and other Solana tokens.
  • The attack is attributed to Lazarus Group — the date coincidence is seen as a "message."
  • Cause: vulnerability in Upbit's digital signature algorithm — nonce leakage from Solana transactions allowed calculation of the private key.
  • Upbit fully reimbursed 38.6 billion won of client funds from reserves.
  • The exchange's corporate losses — 5.9 billion won (~$4 million).
  • 2.3 billion won was frozen through blockchain tracking.

Summary table: All key incidents

General analysis: Key trends of the period

According to Dmitry Machihin, founder and CEO of BitOK, analysis of incidents in 2025–2026 shows a fundamental shift in the attack vector in the crypto industry.

The expert noted that while on-chain security has improved, overall losses are growing. By his observations, many incidents occurred due to Web2-level operational failures rather than code vulnerabilities.

According to Dmitry Machihin, the main threats today are private key compromise (UPCX, CoinDCX, BtcTurk, Nobitex), insider bribery, social engineering with AI voice cloning, and phishing.
BitOK's CEO emphasizes the industrialization of theft by Lazarus Group: over $2 billion withdrawn in 2025 (3 times more than in 2024), over $6 billion since 2017. Tactics have shifted from bridges to mega-attacks on CEXs, with wealthy individuals increasingly targeted.

Meanwhile, it is centralized exchanges that suffered the heaviest losses — over $1.8 billion for the year. In DeFi, the share of exploits declined, but they became more sophisticated.

The industry is learning to respond: the $162 million frozen in Sui/Cetus, the $40.5 million returned in GMX, the Berachain hard fork, and the swift Upbit reimbursement prove the point. According to BitOK, by February 2026, about 30% of stolen funds were frozen or recovered.

Dmitry Machihin concluded that the era of simple code breaches is ending. Security is now comprehensive protection of people, processes, and keys. Whoever adapts to this shift first will gain a decisive advantage.