
Month in Review: Top DeFi Hacks of September 2025


POSTED BY: Rob Behnke

10.02.2025

September 2025 saw substantially more significant DeFi hacks than the previous months. In total, ten hacks each caused losses exceeding $1M, for a combined total of about $110.9 million. That is significantly more major incidents than in August, when four hacks resulted in about $65 million in losses.

Biggest DeFi Hacks of September 2025

The ten DeFi hacks of September 2025 with losses of over $1 million include:

  • Bunni: Bunni, a Uniswap v4 DEX, was exploited via a rounding error within the protocol’s smart contracts. Exploiting this netted the attackers an estimated $8 million.


  • SwissBorg: SwissBorg lost $41.5 million in a supply chain attack. Kiln, a partner that operated one of the protocol’s staking programs, suffered an attack where malicious logic hidden in an unstaking transaction handed over control of SwissBorg’s staking accounts.


  • Nemo Protocol: The Sui-based Nemo Protocol lost $2.4 million in a September 2025 hack. The yield protocol’s Market pool was drained shortly before scheduled maintenance.


  • Shibarium Bridge: Shibarium Bridge connects Ethereum and Shibarium and was the victim of a $2.4 million hack in September 2025. A flashloan attack was used to gain a majority of the validator signing keys, allowing the exploiters to authorize a state update that drained value from the protocol.


  • Kame Aggregator: Kame Aggregator was the victim of a $1.3 million hack due to a smart contract vulnerability. The project’s swap function allowed arbitrary executor calls, which could be exploited to take advantage of DeFi approvals.


  • Yala: The Yala stablecoin protocol was the victim of a $7.6 million hack in September 2025. Using stolen deployment keys, the attacker took advantage of a cross-chain bridge deployment to create their own bridge and perform unauthorized token minting.


  • New Gold Protocol: New Gold Protocol suffered a $2 million hack shortly after launch. The flashloan attack took advantage of issues with the protocol’s price oracle and transfer logic.


  • Seedify: Seedify, a Web3 incubator and launchpad, was the target of a $1.7 million hack focused on one of its SFUND bridges. An attacker — allegedly associated with the DPRK — compromised a developer’s private key and used it to perform a minting attack.


  • UXLINK: UXLINK, an AI-powered Web3 social platform, suffered a hack with about $41 million in losses. The attacker stole private keys for the project’s multi-sig wallet and exploited a delegatecall to take control, allowing them to perform unauthorized minting of UXLINK tokens.


  • GriffinAI: GriffinAI suffered a $3 million hack in September 2025 due to compromised private keys and a misconfigured LayerZero bridge. The attackers minted 5 billion GAIN tokens on BSC, then swapped about 150 million of them.

Lessons Learned from the Attacks

The biggest DeFi hacks of September 2025 primarily involved compromised private keys used to mint tokens and drain assets from platforms. This is a common trend in 2025 and demonstrates the importance of strong security practices, in particular private key security best practices.

For help with protecting your project against similar threats, get in touch.

© Halborn 2025. All rights reserved.