Web3 Threat Alert: SlowMist Warns of Permission Hijack Attack

SlowMist has released its 2025 Blockchain Security and AML Annual Report, revealing a dramatic surge in cryptocurrency losses despite fewer security incidents. The blockchain security firm documented 200 attacks resulting in approximately $2.935 billion in losses this year.

🚨 SlowMist just released the 2025 Blockchain Security & AML Annual Report!

1/ In 2025, blockchain faced growing complexity: professionalized hacker groups (including DPRK-linked), DeFi exploits, RaaS/MaaS attacks, and evolving underground money laundering. Regulatory… pic.twitter.com/UkE8AHK0F0

— SlowMist (@SlowMist_Team) December 30, 2025

This figure represents a staggering 45% increase in financial damage compared to 2024. Last year recorded 410 incidents causing $2.013 billion in losses. The data excludes individual user losses and unreported cases, suggesting actual damages may be higher.

Ethereum-based projects suffered the most ecosystem losses at $183.25 million. Solana followed with $17.45 million, while Arbitrum recorded $17.10 million in damages. Centralized exchanges faced catastrophic hits despite fewer incidents.

The Bybit hack alone accounted for $1.46 billion, pushing total CEX losses to $1.809 billion across 22 incidents. DeFi protocols experienced 126 separate attacks totaling $649 million in losses. Smart contract exploits and account compromises emerged as dominant attack vectors.

Threat Alert: State-Backed Hackers and Industrial-Scale Crime

North Korea-linked hacker groups have evolved significantly according to the report. These threat actors transitioned from single-point attacks to highly organized operations targeting centralized services.

The groups now employ industrialized laundering processes to obscure stolen funds. Some operations use IT outsourcing arrangements to mask illicit fund flows across borders.

Drainer attacks affected 106,106 victims with total losses of approximately $83.85 million. This represents an 83% decrease in stolen amounts and 68% fewer victims compared to 2024. The largest single drainer theft reached $6.5 million through a Permit signature exploit.

New malicious signature types emerged following the Pectra upgrade. EIP-7702 signatures now pose fresh threats to unsuspecting users. The Huione Group expanded its platforms and services while facing cross-border enforcement pressure.

Ransomware and malware attacks benefited from Malware-as-a-Service and Ransomware-as-a-Service commercialization. These models lowered entry barriers for attackers, fueling cybercrime supply chain growth. Law enforcement achieved notable takedowns of LockBit and LummaC2 operations.

According to the report, Phishing attacks evolved into multi-stage hybrid operations during 2025. Attackers now trick users into unknowingly completing thefts themselves through techniques like Clickfix and Fake Safeguard schemes.

Social engineering tactics leverage identity spoofing and emotional manipulation. AI-assisted interactions enable convincing fake interviews and hardware wallet scams. Trust manipulation remains central to these operations.

Supply chain attacks and open-source poisoning compromised development libraries and tools. Malicious code embedded in these resources affected numerous downstream users. High-privilege browser extensions were exploited to steal data and assets.

AI-powered attacks produced realistic text, voice, images, and video at reduced costs. This technology makes deception significantly harder to detect. Ponzi schemes disguised themselves as blockchain finance or big data platforms.

These fraudulent operations leveraged stablecoin deposits and multi-level referral systems. DGCX emerged as a notable example of this trend. Scams have become industrialized and multi-layered, exploiting trust, technology, and human behavior simultaneously.

4/ 🕵️‍♂️ Cybercrime Orgs & Underground Ecosystem in 2025

🔺 DPRK-linked hackers evolved from single-point attacks → highly organized operations, targeting centralized services & using “industrialized” laundering processes. IT outsourcing sometimes masks illicit fund flows.

🔺… pic.twitter.com/dm1fchcacA

— SlowMist (@SlowMist_Team) December 30, 2025

Privacy and coin mixing tools remain key components in the money laundering ecosystem. Regulators in 2025 shifted from blanket crackdowns toward distinguishing privacy technology from money laundering behavior.

Coinbase Impersonation Scheme Exposed

Meanwhile, blockchain investigator ZachXBT exposed a Canadian individual who allegedly stole over $2 million through Coinbase impersonation. The suspect reportedly posed as customer support representatives throughout the past year.

1/ Meet Haby (Havard), a Canadian threat actor who has stolen $2M+ via Coinbase support impersonation social engineering scams in the past year blowing the funds on rare social media usernames, bottle service, & gambling. pic.twitter.com/bBqrV7GmPi

— ZachXBT (@zachxbt) December 29, 2025

The scheme relied on social engineering tactics to deceive Coinbase users. Victims believed they were communicating with legitimate exchange staff during the scam calls.

ZachXBT claimed the stolen cryptocurrency funded rare social media usernames, bottle service, and gambling activities. The investigation began after the suspect allegedly posted a screenshot in a Telegram group on December 30, 2024.

That image displayed a 21,000 XRP theft valued at approximately $44,000 from a Coinbase user. A leaked video shared by ZachXBT showed the alleged scammer providing fake customer support during a recorded call with a victim.