In May 2025, four incidents incurred losses of over $1 million each, for a total loss of approximately $238 million. In addition, social engineering campaigns targeting Coinbase users caused further losses and led the exchange to place a $20 million bounty on the attackers.
Biggest DeFi Hacks of May 2025
Four DeFi hacks in May 2025 broke the $1 million threshold, including:
Mobius: The Mobius DAO smart contract contained a mathematical bug in its minting function, where price data was accidentally multiplied by 10^18 twice, rather than the single time needed for decimal conversions. As a result, the attacker was able to deposit 0.1 BNB into the smart contract and mint 9.73 quadrillion MBU to steal an estimated $2.15 million from the project.
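As an added illustration (constructed example code, not the Mobius contract itself), the following Python models a mint function that scales an already 18-decimal oracle price a second time, beside the corrected arithmetic and a value-bounds invariant that would have rejected the inflated mint; all prices, amounts and function names are assumptions.

```python
# Added example (not Mobius' code): models a mint function that scales an
# already 18-decimal price by 10**18 a second time, as described above.
# All prices and amounts are constructed values.

WAD = 10**18  # 18-decimal fixed-point scale used by most ERC-20 style tokens


def oracle_price_wad(usd_price: int) -> int:
    """Constructed oracle: returns a USD price already scaled to 18 decimals."""
    return usd_price * WAD


def mint_amount_buggy(deposit_wei: int, asset_usd: int, token_usd: int) -> int:
    """Bug: the oracle price is already WAD-scaled, but the function scales it
    again 'for decimal conversion', inflating the result by a factor of 10**18."""
    asset_price = oracle_price_wad(asset_usd) * WAD   # second scaling (bug)
    token_price = oracle_price_wad(token_usd)
    return deposit_wei * asset_price // token_price


def mint_amount_fixed(deposit_wei: int, asset_usd: int, token_usd: int) -> int:
    """Correct: both prices carry the same 18-decimal scale, so the scale
    cancels in the division and no extra multiplication is needed."""
    asset_price = oracle_price_wad(asset_usd)
    token_price = oracle_price_wad(token_usd)
    return deposit_wei * asset_price // token_price


def mint_within_bounds(deposit_wei: int, minted: int, asset_usd: int,
                       token_usd: int, tolerance_bps: int = 100) -> bool:
    """Defensive invariant a mint function (or an off-chain monitor) can enforce:
    the USD value minted must not exceed the USD value deposited by more than
    tolerance_bps basis points. Assumes both tokens use 18 decimals."""
    deposited_usd = deposit_wei * asset_usd
    minted_usd = minted * token_usd
    return minted_usd * 10_000 <= deposited_usd * (10_000 + tolerance_bps)


if __name__ == "__main__":
    deposit = WAD // 10          # 0.1 of the deposit asset (constructed)
    buggy = mint_amount_buggy(deposit, asset_usd=600, token_usd=1)
    fixed = mint_amount_fixed(deposit, asset_usd=600, token_usd=1)
    print(f"fixed mint : {fixed / WAD:.2f} tokens")
    print(f"buggy mint : {buggy / WAD:.2e} tokens")
    print("bug inflates by 10**18:", buggy // fixed == WAD)
    print("bounds check rejects buggy mint:",
          not mint_within_bounds(deposit, buggy, 600, 1))
```

The bounds check is independent of where the scaling error lives, which is why a deposit-versus-mint value invariant is a useful second line of defence next to unit tests on the arithmetic itself.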
LND: In May 2025, LND, a Sonic-based Aave fork, was the victim of a $1.18 million hack. A malicious developer introduced a change to the protocol’s internal access controls that permitted them to call the transferUnderlyingTo function and drain the value held by the protocol. This incident was part of a recent trend in which DPRK IT workers are hired as remote developers and use their access to attack protocols.
Cetus: Cetus, Sui’s largest DEX, was the victim of an estimated $223 million hack in May 2025. The attacker took advantage of an error in the project’s overflow-checking code that was introduced when the code was forked to Sui. By supplying a value chosen to overflow while still passing the check, the attacker was able to pay a single token and receive enough liquidity to drain the value stored within the smart contract.
Cork Protocol: Cork Protocol, a tokenized risk protocol, suffered a $12 million hack in May 2025. The attacker deployed a fake market and tricked the protocol into transferring tokens it owned to the attacker.
Attackers Targeting Coinbase Users
Coinbase users have been the target of sustained phishing campaigns designed to access and drain the value from wallets held by the exchange. In one week of May, attackers stole an estimated $45 million from the exchange’s users.
The exchange also reported a targeted social engineering campaign in which cybercriminals bribed some remote customer service workers to hand over customer data collected from its customer service system for use in phishing attacks. Instead of paying the demanded $20 million to cover up the incident, Coinbase declared a $20 million bounty on information leading to the attackers behind the incident.
Lessons Learned from the Attacks
Unusually for 2025, all of the biggest DeFi hacks of May 2025 involved smart contract vulnerabilities. Mobius and Cetus fell prey to mathematical errors within their smart contracts, while a malicious developer introduced and exploited an access control vulnerability within LND’s smart contracts. The Cork Protocol hack exploited how the protocol’s exchange rate code handled fake tokens.
The LND hack and the phishing campaigns targeting Coinbase users also demonstrate the significant risks of off-chain, social engineering attacks. The LND hack involved a malicious developer, and the Coinbase attacks involved a combination of social engineering and insider threats.
Protecting against the top threats to DeFi protocols requires a mix of on-chain and off-chain security controls and best practices. For help designing a holistic security program for your project, reach out to Halborn.