![[Security Monthly Report] | In May, the losses caused by hacker attacks, fraud, etc. were about 182 million US dollars](https://cdn-img.panewslab.com/panews/images/7w00CU9WSe.jpg)
Here are the highlights of Zero Hour Technology's monthly security incident review. According to incomplete statistics, in May 2025 the cryptocurrency sector lost about $182 million to hacker attacks, fraud and vulnerability exploits, a decrease of about 49% from the previous month (April). "Phishing attacks" and "authorization hijacking" accounted for the highest proportion (42%, about $76 million), and attack methods continued to escalate, as in the EIP-7702 abuse incident. The North Korean hacker group (Lazarus Group) turned to targeting individual investors, with a maximum loss of $5.2 million in a single attack. "Cross-chain protocols" and "DeFi vulnerabilities" remain the hardest-hit areas, with a total of 13 major security incidents and an average loss per incident of more than $7 million.
What is worth noting this month is that institutional-level attacks have decreased, but sophisticated phishing strategies targeting ordinary users (such as forged MetaMask transactions) have increased significantly, and security protection needs to focus more on user education.
Hacker attacks
5 typical security incidents
• Coinbase hacked
Amount of loss: Estimated losses range from $180 million to $400 million.
Details of the incident: On May 15, Coinbase, the world's largest cryptocurrency exchange, revealed that hackers had stolen 97,000 users' biometric information and transaction data by bribing overseas customer service staff. The attackers used this information to pretend to be Coinbase officials and tricked users into transferring cryptocurrencies into fraudulent wallets.
• DeGods founder’s wallet was stolen
Amount of loss: More than $19,000.
Event details: On May 16, the Solana wallet of Frank, the founder of the NFT project DeGods, was hacked and 16 DeGods NFTs were sold, for a loss of about 108 SOL (US$19,000).
• Cetus DeFi protocol hacked
Amount of loss: More than $260 million.
Event details: On the evening of May 22, Cetus Protocol, the largest DEX on the Sui blockchain, was hacked. The attacker used fake tokens to manipulate the price curve and reserve calculations, manipulated the internal LP state by adding near-zero liquidity, and then extracted real assets such as SUI and USDC. Within 10 hours of the attack, the Sui validator network responded and froze $162 million of the stolen funds.
![[Security Monthly Report] | In May, the losses caused by hacker attacks, fraud, etc. were about 182 million US dollars](https://cdn-img.panewslab.com/panews/images/C3485O6TwA.png)
• A user was suspected to be attacked by North Korean hackers
Amount of loss: More than $5.2 million.
Details of the incident: On May 24, a victim lost more than $5.2 million in a suspected malware attack attributed to North Korean (DPRK) hackers. The victim's funds flowed out of multiple multi-signature accounts, ordinary wallets (EOAs) and exchange accounts and were sold at market prices. 1,000 ETH were transferred to Tornado Cash for mixing.
• Cork Protocol stolen
Amount of loss: $12.08 million.
Details of the incident: On May 28, suspicious on-chain activities suspected to be related to Cork Protocol were detected, and more than $10 million was stolen. The project has received investment from a16z CSX. Cork Protocol co-founder Phil Fogel said that he is investigating and has suspended all contracts. Hacker address: 0xEA...da98, 4,530.6 ETH stolen, worth about $12.08 million.
![[Security Monthly Report] | In May, the losses caused by hacker attacks, fraud, etc. were about 182 million US dollars](https://cdn-img.panewslab.com/panews/images/9zj9A8ab2U.jpg)
Rug Pull / Phishing Scam
6 typical security incidents
(1) On May 10, the address starting with 0xbCe2 lost tokens worth $859,063 due to signing multiple phishing signatures.
(2) On May 13, the address starting with 0x0ba5 lost $3.13M of WBTC due to signing a phishing signature.
(3) On May 23, the address starting with 0x8606 lost $210,297 in liquid ETH due to signing a phishing signature.
(4) On May 24, the phishing organization Inferno Drainer used the Ethereum EIP-7702 upgrade feature to launch a new attack, which caused a single loss of approximately US$150,000. EIP-7702 allows an EOA to temporarily have smart contract functions, and the attacker exploited an existing MetaMask authorization to mislead users.
(5) On May 24, a user of a trading platform received a withdrawal verification code by SMS. After calling back, the user ran into a professional scam: the scammer pretended to be the platform's customer service and, citing a "security vulnerability", lured the victim into contacting a fake "Ledger" company. In the end, the scammer stole $1.1 million through a phishing website.
(6) On May 26, we detected an “address poisoning” scam targeting a specific address, involving a zero-transfer phishing attack. The victim’s address transferred a total of approximately 2.6 million USDT to the same scam address twice.
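As an added illustration of the check behind item (6) (example code written for this summary, not Zero Hour Technology's tooling), the script below scans a wallet's transfer history for zero-value entries whose counterparty imitates the abbreviated form of an address the wallet has genuinely paid, then reports any later payments to that address. All addresses, amounts and the `Transfer`/`scan` names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount: int  # token base units; 0 is the "zero transfer" lure

def lookalike(a: str, b: str, head: int = 4, tail: int = 4) -> bool:
    """Different addresses whose first/last hex characters match, i.e. they
    look identical once a wallet UI abbreviates them to 0x3f5c...9b2e."""
    a, b = a.lower().removeprefix("0x"), b.lower().removeprefix("0x")
    return a != b and a[:head] == b[:head] and a[-tail:] == b[-tail:]

def scan(wallet: str, history: list, head: int = 4, tail: int = 4):
    """Walk the history in chronological order. Returns (poison, hits):
    poison maps each suspicious address to the genuine one it imitates,
    hits lists non-zero payments the wallet later made to a poison address."""
    wallet = wallet.lower()
    trusted, poison, hits = set(), {}, []
    for t in history:
        sender, recipient = t.sender.lower(), t.recipient.lower()
        other = recipient if sender == wallet else sender
        if t.amount == 0:
            # Zero-value entry: suspicious if it imitates a real counterparty.
            for good in trusted:
                if lookalike(other, good, head, tail):
                    poison[other] = good
        elif sender == wallet:
            if recipient in poison:
                hits.append((recipient, t.amount))
            else:
                trusted.add(recipient)
    return poison, hits

# Constructed sample data (not taken from the incident).
WALLET = "0x" + "a1" * 20
GENUINE = "0x3f5c" + "0" * 32 + "9b2e"
FAKE = "0x3f5c" + "7" * 32 + "9b2e"
UNRELATED = "0x" + "d4" * 20
HISTORY = [
    Transfer(WALLET, GENUINE, 500),    # real payment to a known counterparty
    Transfer(UNRELATED, WALLET, 0),    # zero-value noise, no resemblance
    Transfer(WALLET, FAKE, 0),         # zero-value entry imitating GENUINE
    Transfer(WALLET, FAKE, 1_000),     # payment copied from poisoned history
    Transfer(WALLET, FAKE, 2_000),     # repeated payment to the same address
]

if __name__ == "__main__":
    poison, hits = scan(WALLET, HISTORY)
    print("poison:", poison)
    print("payments to poison addresses:", hits)
```

Run before a send, the same comparison against the full destination address, rather than its abbreviated display form, is what catches the substitution.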
Summary
Although the total amount of losses has decreased compared to April, the attackers' strategies have become more professional and covert:
• Escalating technology abuse: For example, EIP-7702 is used maliciously to bypass traditional risk controls;
• Target shift: North Korean hackers shifted from institutions to high-net-worth individuals to evade regulatory tracking;
• Low recovery rate: Only about 15% of stolen funds are frozen or recovered, and mixers (such as Tornado Cash) are frequently used.
Suggestions: The Zero Hour Technology security team recommends that project owners strengthen smart contract audits and real-time monitoring. Users should be wary of "high-imitation" transaction authorizations and regularly check wallet permissions. Security is a continuous battle, and Zero Hour Technology will continue to track threat dynamics.
