CertiK found $2.47bn in crypto was stolen in H1 2025, largely due to two major security incidents – ByBit and Cetus
Analysis Summary
# Incident Report: Major Cryptocurrency Theft Surge in H1 2025
## Executive Summary
The first half (H1) of 2025 saw cryptocurrency theft reach approximately \$2.47 billion from scams, hacks, and exploits, surpassing the total losses recorded for the entirety of 2024. This surge was dominated by two specific, high-impact incidents: the ByBit breach and the Cetus Protocol exploit, which accounted for 72% of the total losses. Despite these alarming figures, analysis suggests the broader base trend of crypto losses might be less severe if these two major events are excluded.
## Incident Details
- **Discovery Date:** Data collected across H1 2025 (January to June 2025).
- **Incident Date:** Incidents occurred throughout H1 2025, with major events in February and May 2025.
- **Affected Organization:** Multiple entities, primarily ByBit (exchange) and Cetus Protocol (DEX).
- **Sector:** Cryptocurrency/DeFi (Decentralized Finance).
- **Geography:** Incidents span multiple jurisdictions (e.g., ByBit is Dubai-based).
## Timeline of Events
### Initial Access
- **Date/Time:** February 2025 (ByBit); May 2025 (Cetus Protocol).
- **Vector:** Suspected sophisticated compromise (ByBit); Exploit targeting protocol vulnerabilities (Cetus Protocol).
- **Details:**
  - **ByBit:** Attackers stole \$1.4 billion in cryptocurrency. The Lazarus Group (North Korean state actor) is suspected. This is noted as the largest crypto theft to date.
  - **Cetus Protocol:** Attackers stole approximately \$225 million in digital assets from the DEX on the Sui blockchain.
### Lateral Movement
- Not specifically detailed; the source only implies that the ByBit breach involved compromise of a major exchange's infrastructure.
### Data Exfiltration/Impact
- **ByBit:** \$1.4 billion stolen.
- **Cetus Protocol:** \$225 million stolen, though \$162 million was subsequently frozen and marked for user repayment.
### Detection & Response
- **Detection:** Incidents tracked via security reporting data compiled by CertiK.
- **Response actions taken:** Sui validators executed a governance proposal to freeze and return \$162 million following the Cetus Protocol incident.
## Attack Methodology
*Note: Specific TTPs are not fully detailed in the source, but categorized based on the type of incident.*
- **Initial Access:** Exploitation of exchange infrastructure/smart contract vulnerabilities.
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Not specified, although large-scale exchange breaches often involve credential compromise or privileged key theft.
- **Discovery:** Not specified.
- **Lateral Movement:** Not specified.
- **Collection:** Direct transfer of digital assets.
- **Exfiltration:** Transfer of stolen cryptocurrency off the compromised platforms.
- **Impact:** Direct financial loss totaling \$1.78 billion from the top two incidents alone.
## Impact Assessment
- **Financial:** Total losses in H1 2025 reached approximately \$2.47 billion. The two major incidents cost \$1.78 billion. If excluded, H1 2025 losses would have been \$690 million.
- **Data Breach:** Financial assets (cryptocurrency) were the primary loss, not traditional "data."
- **Operational:** Significant disruption to the affected platforms (ByBit, Cetus Protocol) and loss of user trust.
- **Reputational:** Events heavily impact industry confidence, as evidenced by the need for user repayment proposals.
## Indicators of Compromise
*No specific IoCs (IPs, domains, hashes) were provided in the summary, as the source focuses on aggregate financial data.*
- **Network indicators:** N/A
- **File indicators:** N/A
- **Behavioral indicators:** Large-scale, suspicious movement of cryptocurrency assets tied to known major exploits.
## Response Actions
- **Containment measures:** Sui validators successfully froze \$162 million following the Cetus Protocol theft.
- **Eradication steps:** Not specified.
- **Recovery actions:** A governance proposal was initiated for user repayment regarding the recovered funds from the Cetus incident.
## Lessons Learned
- The cryptocurrency landscape remains highly vulnerable to catastrophic, singular security events (whale attacks), which disproportionately inflate loss figures.
- The speed of response in DeFi (governance proposals, asset freezing) can mitigate substantial losses, as demonstrated by the Cetus recovery.
- Despite high reported figures, the underlying security posture outside of major, targeted exploitation might be improving or stabilizing (\$690M baseline vs. 2024 total).
## Recommendations
- **Prevention measures for similar incidents:**
  - Enhanced smart contract auditing and formal verification protocols, especially for high-value DeFi protocols.
  - Increased scrutiny and monitoring for North Korean state-affiliated actors targeting major exchanges.
  - Implementation of faster governance/emergency response mechanisms capable of freezing assets immediately following detected major exploits.
  - Adoption of better multi-party computation (MPC) or decentralized key management solutions for centralized exchanges like ByBit.