January 2025 Web3 Security Incident Review: Total Loss Approximately $98.19 Million
In January 2025, there were a total of 40 hacking incidents in Web3 security, resulting in losses of approximately $87.94 million, with $1.47 million recovered. The causes of the incidents included contract vulnerabilities, account hacks, and private key leaks. Additionally, there were 9,220 victims of phishing incidents this month, with losses amounting to $10.25 million.
Author: SlowMist Security Team
Overview
In January 2025, the total loss from Web3 security incidents was approximately $98.19 million. Among them, according to the SlowMist Blockchain Hacked Archive (https://hacked.slowmist.io), there were 40 hacking incidents resulting in losses of about $87.94 million, with $1.47 million recovered. The causes of these incidents included contract vulnerabilities, account hacks, and private key leaks. Additionally, according to the Web3 anti-fraud platform Scam Sniffer, there were 9,220 victims of phishing incidents this month, with losses amounting to $10.25 million.
(https://dune.com/scam-sniffer/january-scam-sniffer-2025-scam-report)
Major Security Incidents
Phemex
On January 23, 2025, the hot wallet of Phemex, a cryptocurrency exchange based in Singapore, was attacked, resulting in a loss of approximately $70 million. Phemex CEO Federico Variola stated on the X platform: "Hello everyone, we are investigating reports regarding a hot wallet. Please rest assured that the cold wallet is still safe, and anyone can verify it. We will provide more updates as soon as possible."
(https://x.com/MistTrack_io/status/1882412516518789500)
NoOnes
On January 1, 2025, the P2P trading platform NoOnes was attacked, with its hot wallet experiencing hundreds of suspicious outgoing transactions on Ethereum, Tron, Solana, and BSC, resulting in a loss of approximately $7.2 million. CEO Ray Youssef explained that the incident was due to the exploitation of its Solana bridge.
(https://x.com/ray_noOnes/status/1882744360812306885)
AdsPower
On January 24, 2025, AdsPower's security team discovered an intrusion in which hackers spread malicious code that tampered with some third-party browser extensions, resulting in the theft of over $4.7 million. The SlowMist security team has stepped in to assist with the analysis. Users who installed or manually updated extension wallets in AdsPower between January 21, 18:00 and January 24, 18:00 (UTC+8) may have backdoored extension wallets, with their mnemonic phrases and private keys at risk of being stolen. Please transfer the assets in the related wallets as soon as possible.
(https://x.com/AdsPowerBrowser/status/1882983731419570220)
Moby
On January 8, 2025, attackers gained control of the private keys used to authorize Moby's core contract upgrades, compromising the protocol. This attack exposed 3.77 wBTC, 207.76 wETH, and 1,500,351.5 USDC in the sOLP and mOLP liquidity pools to risk. Moby, with the assistance of the Seal911 team, has recovered approximately 1.47 million USDC.
(https://medium.com/moby-trade/moby-post-mortem-report-growth-plan-504ad5b0dd35)
Orange Finance
On January 8, 2025, the liquidity management project Orange Finance, based on Arbitrum, was exploited due to a multi-signature configuration error, resulting in the theft of assets worth $830,000. The attacker gained ownership of each vault, modified their implementations, and extracted deposited assets as well as over-authorized funds. Approximately 94% of the total loss (about $780,000) came from deposited assets, while the remaining 6% (about $47,000) was due to over-authorization.
(https://mirror.xyz/0x6FA2aF9a4d6fFe654361F713780963C10412e7c3/gN17YMrLhKKg9YT9a391U74pWr9IhqBUDWUqDyDamjE)
Feature Analysis and Security Recommendations
Account theft incidents have surged recently. According to the SlowMist Blockchain Hacked Archive, there were 21 account theft incidents in January, accounting for about half of all incidents, with accounts related to political figures or political content being particularly prominent. Hackers or malicious actors use social media to promote meme coins, exploiting users' fear of missing out (FOMO) to attract funds and then absconding with the money. For example, the X account @TrumpDailyPosts posted 4 tweets promoting meme coins, which were deleted within minutes, resulting in a theft of approximately $1.25 million. Users are therefore advised to remain vigilant, verify the source of information before purchasing tokens, and not trust sudden announcements on social media, especially those involving meme coins related to political figures, well-known institutions, or celebrities.
Additionally, the SlowMist security team has noted that many recent requests for help from victims are related to the "fake Safeguard" scam on Telegram. The related malicious tactics and countermeasures can be found in "New Tactics | Telegram Fake Safeguard Scam".