Cetus Breach and North Korea Theft Led to $244 Million Crypto Losses in May

The crypto industry lost over $244 million to hacks and scams in May 2025, according to blockchain security firm PeckShield.

While the figure remains substantial, it marks a 39% decline compared to April’s $402 million loss, signaling a temporary slowdown in malicious activity.

Crypto Hackers are Now Trying to Frame Victims

PeckShield’s data shows the attacks spanned various protocols, with some incidents resulting in minor breaches and others involving catastrophic losses.

The largest exploit involved Cetus Protocol, a decentralized exchange operating on the Sui blockchain, which lost roughly $223 million in a single attack.

Top Crypto Hacks and Exploits in May. Source: Peckshield

Following the breach, Cetus engaged with Sui validators to freeze some stolen assets, which amounted to roughly $162 million or about 71% of the stolen funds.

Cetus recently saw its proposal to reclaim the frozen funds approved by Sui validators. This marks the beginning of a broader recovery process that includes upgrading smart contracts, restoring liquidity, and preparing the platform for relaunch.

Meanwhile, another platform that saw a significant attack was the Ethereum-based Cork Protocol.

Attackers exploited the platform’s Wrapped Staked Ethereum (wstETH) and Wrapped Ethereum (weETH) markets, stealing around 3,761.8 wstETH, valued at nearly $12 million. Although other markets were not affected, Cork paused all operations to allow for a full audit.

The PeckShield’s report raised new concerns about the return of North Korea-linked hackers. According to the firm, these malicious actors allegedly stole $5.2 million from a single crypto trader.

The incident has reignited fears of state-sponsored attacks, following a lull after February’s $1.5 billion Bybit exploit.

Other incidents included a $2.2 million exploit on Mobius Token contracts on the BNB Chain. In this case, the attacker used a single smart contract to drain 28.5 million MBU tokens.

Amid the growing threats, Tornado Cash, an Ethereum-based crypto mixing tool, remains the preferred tool for laundering stolen funds.

Crypto Attackers’ Laundering Method. Source: Peckshield

Considering this, Yu Xian, co-founder of blockchain security firm SlowMist, urged victims to share their wallet addresses after an exploit. He suggested making them public or partially censored to support investigations and avoid being mistakenly identified as suspects.

According to him, hackers increasingly use different tactics to shift suspicion onto innocent users to complicate law enforcement agencies’ investigations.

“Some hackers nowadays like to frame others. You will not only suffer the pain of having your funds stolen, but also the subsequent cooperation with law enforcement investigations… It is not pleasant to be treated as a suspect,” he added.