Hackers ramped up their activity in May, stealing a total of $257M in several high-profile attacks. About $162M of the stolen funds were intercepted, with the potential of reimbursing holders.
SlowMist counted 15 major hacking incidents in May, with a total haul of $257M. The largest hack of the month was the Cetus Protocol DEX exploit, which lost $230M due to flawed smart contracts.
The hack also led to a fast vote to freeze over $160M on the SUI blockchain and then claw back the funds from the hacker wallets. The SlowMist total for all exploits sits at the higher end, compared with PeckShield’s estimate of $244M for the past month.
Cork Protocol lost $12M due to flawed validation of user-supplied data, allowing the hacker to make use of flawed pricing.
The third-biggest hack was added at the last moment. The Taiwanese BitoPro exchange admitted outflows of $11.5M in a multi-chain hack, with ongoing transactions. However, BitoPro did not announce the hacks immediately, and only admitted the losses when ZachXBT noted the suspicious transactions.
Two smaller hacks involved Demex, with a loss of $950K due to oracle manipulation, and Zunami Protocol, which lost $500K to a still-unclear exploit. According to SlowMist, smart contract flaws were the main cause of losses in 95% of hacking cases.
For the past month, a total of six social media accounts were compromised, leading to losses from meme token shilling or social engineering. Hijacked X accounts have slowed down lately, but are still a vector for reaching potential targets.
Individual phishing scams were also active in the past month. A total of $9.6M was stolen from 7,164 victims. According to SlowMist, Lazarus Group is now targeting individuals with large wallets, taking up to $5.2M from a single victim through malware.
The exploit targeted a merchant with a notable crypto wallet.
SlowMist issued a warning to merchants accepting crypto to avoid exposure of their main wallets. The other potential victim class is retail buyers involved with on-chain merchants.
Although not explicitly a hack, Marinade Finance was also a source of losses in May, due to protocol flaws. The project allowed validators to bid with only dust amounts of SOL while receiving disproportionate rewards.
As a result, validators took more SOL than they deposited, leading to losses for mSOL holders that staked with Marinade Finance. Marinade Finance allowed validators to bid high for block production, but then drop their bid and only deposit dust.
Despite this, Marinade Finance still allowed the release of rewards for security and block production. This meant that malicious validators could gain significant passive income with minimal investments.
Based on rough estimates, those validators took as much as 3.4M SOL, which was once again staked and received additional rewards. The main reason was that the Marinade Finance code did not in fact remove low bidders as promised. The exploit ran for 126 Solana epochs, or more than three months, before the potential for unfair gains was noticed.