$244 Million Lost to Crypto Hacks in May: Cetus Breach and North Korea Theft Dominate

The crypto industry losses in May 2025 exceeded $244 million due to hacks and scams. According to data from blockchain security firm PeckShield, while this figure represents a 39% decline compared to April’s $402 million. However, it underscores the ongoing vulnerabilities within decentralized protocols and the persistent threat of malicious actors. Among the most significant incidents were the Cetus Protocol breach and a theft linked to North Korea. These collectively accounted for the majority of the losses.

#PeckShieldAlert In May 2025, ~20 major crypto hacks were recorded, resulting in total losses of $244.1M—a 39.29% decrease from April. Notably, @CetusProtocol & #SUI have frozen a combined $157M of stolen funds (representing 71% recovery from the $220M theft). #Top 5 Hacks in… pic.twitter.com/ZJmGZvbthS

— PeckShieldAlert (@PeckShieldAlert) June 1, 2025

Cetus Protocol Loses $223 Million in Major Exploit

The largest exploit of the month targeted Cetus Protocol, a decentralized exchange operating on the Sui blockchain. Attackers made off with approximately $223 million. This marked one of the most severe breaches in recent months. Following the attack, Cetus collaborated with Sui validators to freeze roughly $162 million. This was about 71% of the stolen funds to mitigate further losses.

Recently, Cetus secured approval from Sui validators for a proposal to reclaim the frozen funds. This marks the beginning of a broader recovery process. The process includes upgrading smart contracts, restoring liquidity, and preparing the platform for relaunch.

Cork Protocol Exploited for $12 Million

Another significant attack occurred on the Ethereum-based Cork Protocol. Hackers exploited vulnerabilities in the platform’s Wrapped Staked Ethereum (wstETH) and Wrapped Ethereum (weETH) markets. The attackers stole approximately 3,761.8 wstETH, valued at nearly $12 million. Although other markets remained unaffected, Cork Protocol paused all operations. This was done to conduct a full audit and ensure system integrity.

North Korea-Linked Hackers Steal $5.2 Million

The PeckShield report highlighted renewed concerns about North Korea-linked hackers, who allegedly stole $5.2 million from a single crypto trader. This incident reignited fears of state-sponsored attacks, following a brief lull after February’s $1.5 billion Bybit exploit.

Such attacks underscore the continued threat posed by nation-state actors, who often use stolen funds to finance illicit activities. The resurgence of these attacks has prompted calls for heightened vigilance and improved security measures across the industry.

Smaller Incidents and Emerging Tactics

Other notable incidents included a $2.2 million exploit on Mobius Token contracts on the BNB Chain. In this case, the attacker used a single smart contract to drain 28.5 million MBU tokens. This incident highlighted the risks associated with poorly audited smart contracts.

Amid the growing threats, Tornado Cash, an Ethereum-based crypto mixing tool, remains a popular choice for laundering stolen funds. Blockchain security experts warn that hackers are increasingly employing tactics to shift suspicion onto innocent users.

Yu Xian, co-founder of SlowMist, emphasized the importance of transparency for victims:

一个安全建议，如果你资金被盗了，钱包地址最好可以公示出来（担心隐私的话可以适当隐去中间一些字符），或者至少学习下下面这个玩家，他公示了黑客地址。… pic.twitter.com/3iKoIKgkrJ

— Cos(余弦)😶‍🌫️ (@evilcos) June 1, 2025

“Some hackers nowadays like to frame others. You will not only suffer the pain of having your funds stolen, but also the subsequent cooperation with law enforcement investigations… It is not pleasant to be treated as a suspect…”

He urged victims to share their wallet addresses—either publicly or partially censored. This was to support investigations and avoid being mistakenly identified as suspects.

Final Thoughts

The crypto industry losses in May 2025 of $244 million highlight the persistent challenges facing the crypto industry. Despite a temporary slowdown in malicious activity, high-profile breaches like the Cetus Protocol exploit and North Korea-linked thefts demonstrate the need for robust security measures and proactive risk management.

As platforms like Cetus work to recover from these incidents, the broader industry must remain vigilant against evolving threats. By prioritizing transparency, collaboration, and innovation, the crypto ecosystem can better protect itself from future attacks.