Cyber ​​Threats in DeFi: How Standards Vulnerabilities, Social Engineering, and Mixers Like Tornado Cash Are Undermining Crypto Platform Security and User Trust

ByWallet

JUL 14, 2025

The hacker who exploited the decentralized finance protocol Voltage Finance in 2022 for $4.67 million has been active again, moving 100 ETH (approximately $182,000 at the current rate) through the Tornado Cash mixer. This fact was recorded by blockchain security company CertiK on May 6, 2025, and confirmed by an analysis of transactions on the blockchain 1 3 5 .

Description of the 2022 incident

In March 2022, an attacker exploited a vulnerability in the ERC-677 token standard — a built-in callback function — to conduct a reentrancy attack. This attack allowed the hacker to repeatedly withdraw funds from the Voltage Finance lending pool before the balance was updated, resulting in the theft of significant amounts of various cryptocurrencies, including Ethereum, stablecoins USD Coin (USDC), Binance USD (BUSD), Wrapped Bitcoin (WBTC), and other tokens 1 3 5 .

Hacker’s actions after hacking

Following the exploit, the attacker’s address was flagged on Etherscan and exchanges were advised to block any transactions from the address. Voltage Finance attempted to contact the hacker and offered a reward for the return of the stolen funds 1 .

The address from which the 100 ETH were transferred to Tornado Cash has been dormant since November 2024, with the last transaction occurring 166 days ago. This suggests that the hacker did not use the stolen assets for some time and then decided to partially move them through a mixer to make tracking more difficult 1 .

The Importance of Tornado Cash in Operation

Tornado Cash is a crypto mixer that obfuscates the origins of cryptocurrency by mixing assets from different wallets, making them difficult to trace. The protocol has been used by hackers to launder stolen funds. In 2022, Tornado Cash was sanctioned by the US Treasury Department because it was used by the North Korean hacker group Lazarus to hide traces of a $625 million hack of Axie Infinity 4 .

The use of Tornado Cash by the Voltage Finance hacker follows a typical money laundering scheme, where after a long period of inactivity, the stolen tokens are transferred to a mixer to make it more difficult to trace them back and withdraw them 1 4 .

Context and implications

In 2024–2025, the number of major crypto thefts increased significantly. In April 2024, the total amount of stolen funds increased by 1163%, which was due to several large-scale attacks, including the theft of 3,520 BTC (about $330 million) from an elderly US citizen using social engineering. At the same time, cases of return of stolen funds were also recorded in the same month, for example, the exploit of the decentralized exchange KiloEx for $7.5 million was fully compensated four days after the attack 1 .

Voltage Finance also suffered a second attack in March 2024, when $322,000 was stolen from Simple Staking pools. In response, the protocol offered a $50,000 reward for the funds to be returned and initiated cooperation with law enforcement 1 .

What measures are law enforcement taking to track funds moved through Tornado Cash?

The movement of 100 ETH to Tornado Cash more than two years after the hack suggests that the hacker is still using the stolen assets while attempting to hide their origin. This case highlights the importance of ongoing monitoring and analysis of blockchain transactions to detect and combat criminal activity in decentralized finance.

The Voltage Finance incident is thus a shining example of the security challenges in DeFi, where smart contract vulnerabilities are leading to multi-million dollar losses and attackers are using sophisticated methods to hide their tracks using mixers like Tornado Cash 1 3 5 .

Law enforcement agencies use a range of measures and modern technologies to track funds moved through the Tornado Cash mixer, despite the high degree of anonymity that this protocol provides.

Basic measures and methods of monitoring

• Blockchain transaction and behavioral pattern analysis. Crypto forensics experts study transaction chains, identify the regularity of transfers, grouping of addresses, and intermediate wallets through which funds pass. For example, when investigating the Harmony Bridge attack, analysts identified 857 transactions at regular intervals, distributed across multiple addresses, which helped deanonymize some of the output addresses after Tornado Cash 3 .
• Use of specialized AML services and blockchain analytics. Companies such as HAPI Explorer, Chainalysis, Elliptic and others use machine learning algorithms and big data analysis to identify suspicious transactions and connections between wallets. They form databases of “dirty” addresses and help exchanges and law enforcement freeze funds and block transactions with them 4 .
• Sanctions and legal pressure. In August 2022, the US Treasury Department added Tornado Cash to the sanctions list, recognizing the mixer as a tool for laundering more than $7 billion, including funds stolen by the Lazarus hacker group. Tornado Cash smart contracts were recognized as “property” and blocked, and the co-founders of the service were arrested and charged with facilitating money laundering. This allowed law enforcement agencies to restrict access to the service and conduct investigations using legal mechanisms 2 5 6 .
• Cooperation with crypto exchanges and the blockchain community. Law enforcement agencies exchange information with exchanges and analytical companies to quickly identify and block suspicious addresses, as well as track attempts to withdraw funds after using a mixer. Exchanges require users to confirm the legality of the origin of funds, which reduces the risk of laundering through centralized platforms 4 .
• Operational and investigative measures. As part of criminal cases, law enforcement officers conduct investigations, establish the identities of those involved, including developers and operators of mixers, and cooperate with international partners to suppress the activities of criminal schemes 10 6 .

Technical limitations and challenges

Tornado Cash uses zero-knowledge proofs (zk-SNARKs) that break the connection between deposits and withdrawals, making it difficult to directly link transactions. However, complex analysis of behavioral patterns, time intervals, and related transactions allows partial restoration of asset movement chains.

How ERC677 Standards Affect Security of Decentralized Protocols

Law enforcement and analytics companies are using a combination of technical blockchain analysis methods, legal measures, and international cooperation to detect and prevent money laundering through Tornado Cash. Despite the high degree of anonymity, modern crypto forensics tools can successfully track a significant portion of illegal transactions and facilitate the recovery of stolen assets.

The use of the ERC-677 standard in decentralized protocols has both positive and potentially negative impacts on security due to the specifics of its functionality.

Features of the ERC-677 standard

ERC-677 extends the base ERC-20 standard by adding a transferAndCall function that allows a single transaction to simultaneously transfer tokens and call a function on the recipient smart contract. This simplifies interactions between tokens and contracts by eliminating the need for two separate transactions (transfer and call), reducing gas costs and improving usability 2 4 .

Impact on safety

• Advantages:
• Reduced transaction count and gas costs: Simultaneous transmission and function invocation reduces the likelihood of errors due to inconsistency between two transactions, which increases the overall reliability of operations.
• Automation and integration. The ability to call a contract function immediately after token transfer allows for more complex and secure interaction scenarios, such as atomic purchases or automatic participation in staking without additional user actions 1 2 .
• Risks and Vulnerabilities:
• Reentrancy attacks. As demonstrated by the Voltage Finance exploit, the built-in callback function implemented in ERC-677 can be used by attackers to perform reentrancy attacks, where the called contract re-initiates the transfer function before the previous operation has completed. This allows an attacker to repeatedly withdraw funds from the protocol if the smart contract is not sufficiently secured 1 .
• Complexity of implementation. The expansion of functionality increases the complexity of smart contracts, which requires more thorough auditing and testing. Errors in the implementation of callback functions can lead to critical vulnerabilities.
• Dependency on correct call handling. If the receiving contract does not handle the call correctly, this may result in blocked tokens or unexpected errors.

What implications could hacks like this have for trust in DeFi platforms?

The ERC-677 standard increases the functionality and ease of interaction of tokens with other smart contracts, which facilitates the development of decentralized applications and improves the user experience. However, the expanded capabilities of callback functions require increased attention to security when developing protocols. Insufficient protection against reentrancy attacks and other exploits can lead to serious financial losses, as happened in the case of Voltage Finance.

Therefore, when using ERC-677, developers need to implement proven security patterns such as the checks-effects-interactions pattern and conduct deep auditing of smart contracts to minimize the risks of exploitation of vulnerabilities associated with the extended functionality of the standard 1 2 7 .

Hacks in decentralized finance (DeFi) platforms like the one on Voltage Finance have a serious negative impact on user and investor trust in such protocols, which has a number of important implications.

Key implications for trust and the DeFi ecosystem

• Deterioration of platform reputation and user base. Hacking attacks and large-scale thefts of funds make users fear for the safety of their assets, leading to an outflow of liquidity and a decrease in activity on the affected platforms. This reduces the attractiveness of DeFi for new and existing users 1 5 .
• Growing risk perception and investor caution. Hack losses, smart contract vulnerabilities, and high crypto asset volatility are increasing the perception of instability and unpredictability in DeFi, especially among institutional investors and conservative market participants. This is limiting the inflow of large capital and slowing the development of the sector 3 6 .
• Increased security and auditing requirements: Following high-profile breaches, there is increased pressure on projects to conduct deep code audits, implement multi-layered security measures, and engage cybersecurity experts. This increases development costs and timelines, but is necessary to restore trust 7 8 .
• Regulatory attention and possible restrictions. Large-scale incidents attract the attention of regulators, which can lead to tighter regulations and control over DeFi platforms. In the absence of clear regulations, this creates additional uncertainty and risks for market participants 6 7 .
• Anti-fraud technologies are evolving. In response to threats, DeFi is actively implementing AI and blockchain analytics solutions to help identify suspicious activity and prevent attacks, which over time helps build user trust 2 .

What is the role of blockchain security companies like CertiK in preventing such attacks?

Hacks and exploits in DeFi undermine trust in decentralized protocols, causing financial losses and slowing the growth of the industry. However, they also stimulate the development of better security mechanisms, higher audit standards, and a better regulatory framework. Transparency, developer accountability, and the active adoption of innovative security technologies remain key to restoring and strengthening trust.

Thus, security and reliability remain the main challenges for the sustainable development of DeFi, and successfully overcoming these risks will determine the future of decentralized finance.

Blockchain security companies like CertiK play a key role in preventing attacks on decentralized protocols and securing the Web3 ecosystem. Their activities cover several important areas:

1. Audit and formal verification of smart contracts

CertiK conducts deep audits of smart contract code , identifying vulnerabilities and errors before protocols are launched to the network. Using formal verification methods , the company mathematically proves the correctness of contracts, which significantly reduces the risk of exploits such as reentrancy attacks, which were used in the case of Voltage Finance 1 2 .

2. Use of artificial intelligence and automation

CertiK uses advanced artificial intelligence (AI) technologies to automatically scan and monitor protocols in real time. This allows you to quickly detect suspicious activity, anomalies and potential threats, preventing attacks at an early stage 1 2 .

3. Continuous monitoring and alerts

The CertiK platform includes tools such as Skynet that provide continuous monitoring of blockchain projects and instant notification of potential security incidents. This helps developers and users quickly respond to threats and minimize damage 2 .

4. Educational and consulting support

CertiK provides guidance on security best practices, helps project teams implement effective security measures and raise awareness of Web3 risks. This contributes to the formation of a security culture and the reduction of vulnerabilities 2 5 .

5. Rebuilding trust and collaborating with industry

The company helps restore trust in decentralized platforms by providing transparency and proven security. CertiK works closely with crypto exchanges, developers, and law enforcement agencies to help identify and block suspicious transactions, as well as facilitate incident investigations 1 5 .

What social engineering techniques do attackers use to commit large-scale cryptocurrency thefts?

The role of CertiK and similar companies is to comprehensively protect the blockchain ecosystem through auditing, formal verification, automated monitoring, and educational support. Their work significantly reduces the likelihood of successful attacks on DeFi protocols, facilitates timely detection of threats, and strengthens the trust of users and investors in decentralized platforms.

Attackers who commit large-scale cryptocurrency thefts widely use social engineering techniques aimed at deceiving and manipulating victims in order to obtain confidential information, access to accounts and funds. The main methods include:

• Phishing is the sending of fake emails or messages that imitate official notifications from exchanges, wallets or services, with the aim of forcing the user to follow a malicious link, enter a login, password or private keys 1 2 3 4 .
• Impersonation — the attacker poses as a bank employee, support service, law enforcement agency employee, or company executive in order to gain trust and obtain the necessary information or access 1 2 7 .
• Pretexting is the creation of a plausible pretext for contacting a victim, such as offering help with a software update or participation in a rewards program, to trick the user into revealing data or installing malware 1 2 4 .
• Use of internal slang and terminology — To increase trust, attackers study the corporate language and specifics of the organization’s work in order to appear more convincing 1 6 .
• Keylogging and malware — sending attachments containing viruses, trojans or keyloggers that record keystrokes and transmit the data to attackers 1 2 .
• Shoulder surfing is the physical observation of the entry of passwords or other sensitive information, for example, over the victim’s shoulder 1 8 .
• Use of anonymous and replaceable communication channels — attackers use IP address changes, spoofing of phone numbers, instant messengers and “bookmarks” to transfer stolen funds, which makes them difficult to track 5 .
• Long-term trust-building and multi-stage schemes — attacks can last for months, including correspondence, calls and even personal meetings until the victim takes the desired action (transfers data, installs software) 2 3 .
• Using fear, urgency and promises — Attackers create pressure, for example by threatening to block an account or promising prizes, to force the victim to respond quickly and disclose information 6 .
• Involvement of insiders and informants — criminal groups may have “spies” in banks or telecommunications services who provide information about customers and security systems 5 .

These social engineering techniques allow hackers to bypass technical barriers and gain direct access to users’ crypto wallets and accounts, making them one of the most effective tools for committing large-scale cryptocurrency thefts. Therefore, the most important protection measure remains raising user awareness and implementing multi-factor authentication, as well as regular training of employees of organizations 1 2 5 .

What specific social engineering schemes do attackers use to steal cryptocurrency?

Cryptocurrency attackers employ a variety of specific social engineering schemes aimed at manipulating victims into stealing their funds. The main ones include:

1. Phishing and fake sites

Fraudsters create exact copies of popular cryptocurrency exchanges, wallets or DeFi platforms to trick users into entering logins, passwords and private keys. Often, fake links are used with minor changes to the website address that are difficult to notice 1 5 6 .

2. Imitation of support service and famous people

Attackers pose as support staff from MetaMask, Binance, or other services, as well as crypto influencers or community managers. They copy profiles, names, and even verification badges to gain the victim’s trust and convince them to disclose sensitive information 1 5 .

3. Divorce via email and instant messengers

The victim receives a letter or message with a story about an account being hacked, the need for urgent recovery or security update. The scammer offers to “help” with generating a new seed phrase, while asking to provide the old one, which gives full control over the wallet 2 .

4. Fake apps and extensions

Fake versions of popular crypto wallets (for example, MetaMask, Trust Wallet) are created, which steal private keys and user funds when installed 5 6 .

5. Fake sweepstakes and investment offers

Scammers organize fake contests, airdrops or investment projects with promises of high profits to force users to transfer funds or reveal keys 5 .

6. Multi-stage personalized attacks

Before the attack, the attackers collect information about the victim from social networks (X, Discord, Telegram, Reddit), identify newcomers bragging about their income or NFTs, and develop a customized deception scenario. They establish a trusting relationship using real data and gradually push the victim to hand over access 1 5 7 .

7. Using a sense of urgency and fear

Fraudsters create pressure by threatening to block an account or lose funds so that the victim acts quickly and without verification, for example, by clicking on a malicious link or entering secret data 1 7 .

8. Pig Butchering

This is a long-term scheme where scammers establish a trusting relationship with the victim, often through instant messaging or social media, creating the illusion of a romantic or business relationship to convince the victim to invest large sums in fictitious projects, who then disappear with the money 10 .

Conclusion

Attackers use a combination of technical and psychological manipulation techniques, from phishing and fake sites to multi-stage, personalized attacks that build trust and create a sense of urgency. To protect yourself, it’s important to remain vigilant, verify sources of information, not reveal private keys, and use multi-factor authentication.

What psychological tricks do scammers use to create a sense of urgency in crypto attacks?

Fraudsters in crypto attacks actively use psychological techniques to create a sense of urgency in the victim , which makes them act quickly and impulsively, without including critical thinking. The main methods for creating this effect include:

• Emotional pressure and stress . Fraudsters create a tense dialogue during which a person absorbs only a small part of the information (about 15%), which leads to emotional overload and a decrease in the ability to rationally assess the situation. This prevents the victim from making informed decisions and contributes to rash actions 1 .
• Artificial time constraints . Attackers set strict time limits for making a decision, such as “confirm the data within 10 minutes” or “transfer funds within 5 minutes.” This forces the victim to focus on urgency rather than analyzing the situation, which reduces critical perception and increases the likelihood of error 1 2 3 .
• Creating an atmosphere of fear and threat of harm . Fraudsters hint at or directly talk about possible negative consequences — account blocking, loss of funds, arrest or fines if the victim does not comply with their demands immediately. Such manipulation distracts attention from the details and increases pressure 1 6 .
• Appeal to authority . Posing as employees of banks, law enforcement agencies, or well-known companies, scammers use an official tone and professional jargon to convince the victim of the need for urgent action 5 6 .
• Playing on pity and sympathy . Sometimes the urgency is reinforced by emotional stories about the misfortune of loved ones or those in need, which further pushes the victim to quickly transfer funds 2 5 .

Final conclusion

Creating a sense of urgency is a classic and effective scam technique that shifts the victim’s thinking from rational to emotional, forcing them to make decisions based on fear or impulse. To resist such manipulation, it is important to remain calm, resist time pressure, verify information through official channels, and not disclose sensitive data under the threat of urgency.

The modern decentralized finance (DeFi) ecosystem continues to grow rapidly, opening up new opportunities for users and investors. However, as popularity and volumes of funds grow, so do the security threats. Incidents such as the Voltage Finance attack demonstrate how vulnerable protocols can be due to technical features, such as the use of the ERC-677 standard, which, despite its convenience and advanced functionality, creates additional risks, in particular those related to reentrancy attacks.

In addition to technical vulnerabilities, social engineering methods that attackers actively use to steal cryptocurrencies pose a significant threat. Phishing, imitation of support services, creating a sense of urgency, and multi-stage personalized schemes allow criminals to bypass even the most advanced technical barriers by directly influencing the human factor — the weakest element in the security chain.

In response to these challenges, blockchain security companies like CertiK play a critical role. Not only do they conduct deep audits and formal verification of smart contracts, identifying and remediating vulnerabilities before they are exploited, but they also provide ongoing monitoring, prompt alerts on suspicious activity, and educational support for developers and users. Together with law enforcement and analytics companies, they help track and block illicit transactions, including those that go through anonymizing services like Tornado Cash.

However, despite technical and organizational measures, restoring and strengthening trust in DeFi platforms remains a challenge. Every major hack undermines user and investor confidence, slowing down the development of the industry and attracting the attention of regulators. Therefore, key factors for sustainable growth are not only improving security technologies and legal regulation, but also raising awareness among all market participants about the risks of social engineering and the need for responsible behavior.

Ultimately, security in DeFi is a complex task that requires a synergy of technical innovation, sound risk management, and continuous interaction between developers, users, security companies, and law enforcement agencies. Only such an approach will minimize threats, increase the sustainability of the ecosystem, and ensure long-term trust in decentralized financial platforms.

Safeheron Brings New Levels of Web3 Security and Privacy: The First Open Intel SGX TEE Framework for Ethereum and Decentralized Finance

ByWallet

JUL 14, 2025

Safeheron, a Singapore-based digital asset infrastructure provider, on May 8, 2025, launched the world’s first open-source Trusted Execution Environment (TEE) framework built on top of the native Intel SGX SDK and developed in the modern object-oriented programming language C++ 1 2 3 8 . The solution aims to improve security and privacy in the Web3 ecosystem, including key areas such as decentralized finance (DeFi), payment services, and decentralized autonomous organizations (DAOs) 1 2 9 .

Description of the technology and its importance

Trusted Execution Environment (TEE) is a technology for creating secure, isolated areas (enclaves) within a processor in which programs can run while being protected from external attacks, including threats from the hardware itself 2 3 8 . The technology enables the secure processing of critical data such as cryptographic keys and user personal information, which is especially relevant for Web3, where security and privacy are of paramount importance.

Safeheron built this framework using the native Intel SGX SDK , a set of tools for developing applications with support for Intel Software Guard Extensions, and wrote it in modern C++ , which provides high performance and versatility for systems programming and computational tasks 1 3 8 .

Open Source as a Response to Industry Challenges

The company decided to open source the framework , citing growing concerns in the industry about closed and opaque systems that slow down innovation and increase security risks 1 2 3 8 . Safeheron CEO Wade Wang emphasized that the company is not afraid of competition, but is concerned about slow development due to closed technologies 1 3 .

Applications and Clients

The Safeheron framework enables customers to create enclaves across Intel SGX-enabled cloud services, including public clouds 2 3 9 , making the technology accessible to a wide range of developers and companies working in the Web3 space.

Safeheron already serves over 100 clients, including payment providers, OTC trading platforms, trading firms, and wallet providers. Notable clients include MetaMask, Doo Group, and Amber Group. The total volume of transfers through Safeheron’s infrastructure has exceeded $100 billion, demonstrating the trust and scale of the technology’s use 3 9 .

Context and development prospects

The importance of TEEs is also highlighted in the Ethereum roadmap, where co-founder Vitalik Buterin proposed using TEEs to improve user privacy, protect wallet keys, and ensure secure communication with RPC nodes 3 . TEEs are also seen as a means of protecting against vulnerabilities in cryptographic systems such as SNARKs, as supported by research from Imperial College London 3 .

What Open Source Benefits Does Safeheron TEE Provide for Web3 Technologies?

Safeheron makes a significant contribution to the development of a secure and transparent Web3 infrastructure with its open Intel SGX TEE framework. With its openness, use of advanced technologies, and support from large customers, this framework can become the foundation for new generations of decentralized applications with enhanced data protection and user privacy 1 2 3 8 .

Safeheron thus represents an innovative solution that addresses the pressing security challenges of Web3, paving the way for a more transparent, secure and scalable digital asset ecosystem.

Using the open source Safeheron TEE brings several key benefits to Web3 technologies:

• Transparency and trust. Open source code allows the community and experts to verify the security and correctness of the framework implementation, which reduces the risk of hidden vulnerabilities and increases the trust of users and developers.
• Accelerate innovation: With the code available, any developer or company can make improvements, customize solutions, and create new features, stimulating rapid development and adoption of cutting-edge technologies in Web3.
• Reduced reliance on closed systems. Openness eliminates monopolies on technology, reducing the risks associated with closed, opaque systems that can hinder development and create potential security threats.
• Improved security: Collaborative auditing and community participation in code development help quickly identify and fix vulnerabilities, which is especially important for protecting critical data and operations in decentralized applications.
• Flexibility and Scalability: The open framework allows Safeheron TEE to be integrated with various cloud services and infrastructures, making it easy to scale and adapt to a variety of Web3 use cases.

Thus, Safeheron TEE open source contributes to the creation of a more secure, transparent and innovative Web3 ecosystem, which meets the pressing needs of the industry and users.

How Intel SGX SDK Implementation Impacts Security of Decentralized Financial Platforms

The introduction of the Intel SGX SDK significantly improves the security of decentralized finance (DeFi) platforms by creating protected, isolated memory areas — enclaves — where critical code is executed and sensitive data is processed. Key aspects of the impact of Intel SGX on DeFi security:

• Isolation and data protection. Intel SGX allocates a protected memory area (Processor Reserved Memory) in the processor, where code and data are located that are inaccessible to the operating system, hypervisor, and even the server administrator. This eliminates the possibility of unauthorized access to private keys and secrets, which is critical for financial transactions 1 5 .
• Memory encryption. Data in the enclave is encrypted in hardware using the Memory Encryption Engine (MEE), and is only decrypted within the processor core. This ensures confidentiality and integrity of information even when attacked at the hardware or software level with elevated privileges 1 5 .
• Resilience to external and internal threats. Through isolation and hardware protection, Intel SGX reduces the risk of attacks from both the outside (e.g. through OS or cloud infrastructure vulnerabilities) and the inside (e.g. from malware or attackers with access to the server) 1 5 .
• Increased trust in cloud solutions: Using SGX allows financial platforms to operate securely in public clouds, which increases scalability and reduces costs without compromising security 1 5 .
• Remote attestation and trust verification. SGX supports a remote attestation mechanism that allows customers and partners to verify that code is running in a trusted enclave and that data has not been tampered with or leaked 4 .

However, it is worth considering that the technology is not completely invulnerable: researchers have identified potential methods to bypass the protection, for example, using return-oriented programming (ROP), which requires constant updating and improvement of security mechanisms 3 .

Overall, the implementation of the Intel SGX SDK in DeFi platforms provides a qualitatively new level of protection for private keys, transactions and user data , which is critical for the trust and sustainability of decentralized financial services.

What are the potential risks associated with using cloud services to create enclaves?

Using cloud services to create enclaves, including Intel SGX TEE, comes with a number of potential risks that impact the security and resilience of systems:

• Data privacy risks. Since processing occurs on the cloud provider’s equipment, there is a risk of unauthorized access to confidential information, including databases, keys, and secrets. Misconfigurations of cloud services, such as open databases or public access to cloud management, can lead to leaks 1 5 .
• Configuration errors and access control: Improperly configured access rights and accounts (e.g. excessive permissions, weak or reused passwords) create vulnerabilities that attackers can exploit to compromise infrastructure and steal data 5 6 .
• Insider threats: Employees or administrators with excessive privileges may abuse access, increasing the risk of data leaks or corruption 5 .
• API and interface vulnerabilities: Cloud services often use multiple APIs, which, if not properly secured, can become entry points for attacks 5 6 .
• DDoS attacks and availability. Cloud services are susceptible to distributed denial of service attacks, which can disrupt enclaves and services 5 .
• Social engineering and phishing: Lack of awareness of security threats among users and employees increases the risk of credentials being compromised through fraudulent methods 2 .
• Provider Dependency and Risk of Data Loss: Cloud providers may change terms, stop supporting, or experience technical failures, which may compromise the availability and security of data 8 .
• Lack of full control. Physical access and infrastructure management remain with the provider, which limits the customer’s ability to directly control security 1 .

Thus, despite the hardware protection of Intel SGX enclaves, the use of cloud services requires strict security management, proper configuration, access control, and personnel training to minimize the risks associated with operating cloud infrastructure to create secure environments.

What makes Safeheron unique compared to other TEE solutions in the industry?

Safeheron’s development in the Trusted Execution Environment (TEE) area is unique in several key aspects that distinguish it from other solutions in the industry:

• The first open framework based on the proprietary Intel SGX SDK. Safeheron has created a TEE framework that is entirely based on the proprietary Intel SGX SDK and developed in modern C++, which ensures high performance and flexibility. At the same time, the company has made the source code completely open, which is unique in a segment where most solutions remain closed and opaque.
• Openness and transparency as a strategic choice. Unlike many competitors, Safeheron has consciously abandoned closed systems, citing the need to accelerate innovation and increase trust in the industry. Open source code allows the community and experts to test security, make improvements, and adapt the technology to different scenarios.
• Broad cloud compatibility. Safeheron supports enclave creation on any cloud platform that uses Intel SGX servers, including public clouds. This provides high flexibility and scalability, facilitating integration into existing customer infrastructure.
• Focus on Web3 and Digital Assets. Safeheron is focused on the needs of the fast-growing Web3 sectors — DeFi, payment services, and decentralized autonomous organizations, offering solutions tailored to the specifics and requirements of these industries.
• Large Client Support and Scalability: The company already serves over 100 clients, including such well-known players as MetaMask, Doo Group and Amber Group, and the total volume of transfers through its infrastructure has exceeded $100 billion, which confirms the reliability and efficiency of the solution.
• Focus on security and innovation. Safeheron actively responds to industry challenges, including growing security incidents, and offers technology that protects not only data and keys, but also complex cryptographic schemes such as SNARKs, which is an important advantage for modern blockchain systems.

Safeheron’s uniqueness lies in its combination of openness, technological advancement, flexibility and focus on the real needs of Web3 , making it one of the most promising and innovative solutions in the TEE space.

How Adding TEE to the Ethereum Ecosystem Could Change the Way We Approach User Privacy

The addition of Trusted Execution Environment (TEE) to the Ethereum ecosystem could dramatically change the way users approach privacy due to the following key factors:

• Hardware isolation and data protection. TEE creates secure enclaves inside the processor where critical operations can be performed and users’ personal data can be processed in an isolated environment, inaccessible to external attacks and even the operating system. This significantly reduces the risk of leaking private information when interacting with Ethereum nodes.
• Increased privacy when interacting with RPC nodes. As proposed by Vitalik Buterin, TEE will allow users to securely access remote Ethereum nodes while being assured that their personal data is not being collected or analyzed, improving privacy and reducing the risk of surveillance.
• Integration with zero-knowledge (ZK) proof technologies. The Ethereum roadmap envisions TEE as part of a hybrid verification system that combines zero-knowledge proofs and TEE hardware guarantees. This will allow transactions and interactions to be verified faster and more securely while maintaining privacy.
• Key and wallet protection. TEE can be used to store and process users’ private keys in an isolated manner, significantly reducing the likelihood of wallet compromise and increasing the security of digital assets.
• Regulatory and GDPR Compliance: When combined with other privacy-enhancing technologies (such as homomorphic encryption and multi-party computation), TEE helps build an Ethereum architecture that is compliant with privacy requirements by minimizing the disclosure and storage of sensitive information.
• Modular and scalable design. The implementation of TEE supports a modular approach to Ethereum development, allowing for the integration of different privacy technologies and ensuring their compatibility, which accelerates the adoption and adaptation of new solutions in the ecosystem.

Ultimately, the addition of TEE to Ethereum creates a new layer of hardware privacy protection that, when combined with cryptographic methods and a modular architecture, will allow users to interact with the network more securely and anonymously, reducing the risk of data leakage and increasing trust in decentralized applications. This is an important step towards building a more private and scalable blockchain of the future 1 2 3 .

What are the benefits of TEE for enhancing privacy in Ethereum

The addition of Trusted Execution Environment (TEE) to the Ethereum ecosystem provides a number of important benefits for enhancing user privacy:

• Hardware-based isolation of sensitive data. TEE creates secure enclaves within the processor where personal information and private keys can be computed securely, isolating them from the rest of the system and potential attackers 1 .
• Reducing Metadata Exposure: Vitalik Buterin’s Ethereum roadmap envisions TEE as a tool that allows users to interact with RPC nodes without revealing their personal data and reducing the risks of surveillance and behavioral analysis 2 3 .
• Balance between security and performance. Unlike purely cryptographic methods (e.g. ZKP or MPC), TEE provides high data processing speed with relatively low computational costs, which is important for scalable Ethereum applications 1 .
• Protecting private keys and wallets. TEE can be used to securely store and process keys, reducing the likelihood of their compromise and increasing the overall security of users 2 3 .
• Support for private smart contracts. Similar to other projects using TEE (such as Phala Network), Ethereum will be able to run private smart contracts, providing protection for inputs and outputs, which will enhance the capabilities of decentralized applications with increased privacy 5 .
• Integration with other privacy technologies: TEE complements zero-proof proofs (ZKP), homomorphic encryption, and multi-party computation (MPC) methods to create a comprehensive approach to data protection on Ethereum 1 .

Thus, the implementation of TEE in Ethereum will create a hardware-protected environment for confidential computing that will increase user privacy, improve the protection of keys and data, and allow for the scaling and development of more private and secure decentralized applications.

What specific hardware components make TEE efficient in Ethereum

The effectiveness of the Trusted Execution Environment (TEE) in the Ethereum ecosystem is ensured by a number of key hardware components that create a secure environment for confidential computing:

• Processors with support for Intel SGX (Software Guard Extensions). These are specialized hardware extensions built into modern Intel processors that create isolated, protected memory areas called enclaves. In these enclaves, code and data are processed in complete isolation from the rest of the system, including the operating system and hypervisor 1 3 .
• Hardware memory encryption. Intel SGX implements the Memory Encryption Engine (MEE), which encrypts data in the enclave when stored in RAM, ensuring its confidentiality and integrity even if physical access to the memory is possible 1 .
• Remote attestation mechanisms: Hardware components allow the authenticity and integrity of the enclave to be verified by remote parties, which is important for user trust and interaction with Ethereum nodes, ensuring that the code is executed in a secure environment 1 .
• Computation and data isolation: The hardware architecture provides isolation of code and data within the processor, preventing access by malware, system administrators, or other external attacks 1 .

Thus, it is the hardware capabilities of processors with Intel SGX, including isolation, hardware encryption and remote attestation, that create a reliable and efficient platform for implementing TEE in Ethereum , ensuring a high level of privacy and security for users when executing smart contracts and processing sensitive data.

Final conclusion

The development of Safeheron, the industry’s first open-source Trusted Execution Environment (TEE) framework based on the Intel SGX SDK, marks a major security and privacy breakthrough for the Web3 ecosystem, particularly decentralized finance (DeFi), payment services, and decentralized autonomous organizations (DAOs). Open-sourcing not only increases transparency and trust in the technology, but also drives faster innovation by allowing the community and companies to collaborate to improve solutions and adapt them to a variety of use cases.

Using Intel SGX hardware capabilities such as isolated enclaves, hardware-based memory encryption, and remote attestation mechanisms, critical data and computations are protected at a high level. This is especially important for Ethereum, where the implementation of TEEs can fundamentally change approaches to user privacy — reducing the risk of personal data leakage, ensuring secure storage of private keys, and supporting private smart contracts.

At the same time, integrating TEE into public cloud services expands scalability and flexibility, but requires careful security management and access control to minimize associated risks. Safeheron has already proven the effectiveness of its solution by serving large clients and processing transactions worth hundreds of billions of dollars, which confirms the reliability and demand for the technology.

Overall, the Safeheron framework sets a new standard for security and privacy in Web3 by combining hardware innovation, openness, and practicality. This opens the door to more secure, transparent, and scalable decentralized applications that can meet the growing demands of users and industry in the era of digital transformation.

Social Engineering and Crypto Fraud: Unique Threats to Coinbase and the Need for a Unified Defense

ByWallet

JUL 14, 2025

In recent months, cryptocurrency exchange Coinbase has been hit by a massive wave of social engineering scams, causing users to lose a lot of money. Renowned on-chain detective and security analyst ZachXBT has revealed that in the last week alone, attackers have stolen around $45 million from Coinbase customers through complex social engineering schemes 5 7 .

The essence of the problem and the scale of losses

ZachXBT notes that over the past few months, Coinbase users have been losing more than $300 million annually to such scams , which is a unique problem for this exchange, while other major crypto exchanges do not face such large-scale attacks 1 7 . The scammers use sophisticated methods of deception, including:

• Gaining access to users’ personal data from hacked databases.
• Sending fake emails and creating exact copies of the Coinbase website for phishing purposes.
• Manipulating victims by posing as Coinbase support staff.
• Convincing users to transfer funds to external wallets or add addresses to a whitelist to bypass protections 1 2 5 .

How attacks happen

In December 2024, criminals bribed Coinbase customer service employees overseas, allowing them to access sensitive information about about 70,000 customers — including names, addresses, phone numbers, recent social security numbers, bank details, and images of ID cards 4 8 . This data was used to deceive users through calls and emails in which the scammers posed as Coinbase security employees and asked them to transfer funds to “secure” wallets 4 5 .

It is important to note that the attackers did not gain access to passwords and private keys, but the information they had was sufficient to carry out successful social engineering attacks 4 .

Coinbase and Law Enforcement React

Coinbase has officially acknowledged the incidents and announced its intention to compensate affected users for losses, estimating the costs of remediation and payments in the range of $180 million to $400 million 3 8 . The company has fired the customer service employees involved and has contacted law enforcement agencies in the United States and other countries to investigate and prosecute those responsible 3 8 .

In August and September 2024, the US Federal Bureau of Investigation (FBI) issued warnings about social engineering scams targeting cryptocurrency exchange users, including fake job offers and malware masquerading as tests and job applications[source request].

Call for improved protection

Coinbase’s head of security, Philip Martin, has proposed creating a single, unified structure or repository for tracking and combating fraud, which will allow for more effective threat analysis and user protection 7 . ZachXBT has also proposed a number of security enhancements, including simplifying verification and creating special accounts with restrictions for newcomers 1 .

What security measures can reduce the risk of social engineering on crypto exchanges

The Coinbase case demonstrates that the human factor remains the most vulnerable link in the cryptocurrency ecosystem , and social engineering scams are becoming increasingly sophisticated and widespread. Despite technical protection measures, attackers successfully exploit user trust and internal vulnerabilities of the exchange, which leads to multi-million dollar losses. To counter such threats, comprehensive security measures, transparency and active cooperation between exchanges, law enforcement agencies and the user community are needed.

To reduce the risk of social engineering fraud on crypto exchanges, a comprehensive approach is needed that includes technical, organizational, and educational security measures. Key recommendations include:

1. Education and awareness raising for users and employees

• Regular training to recognize signs of social engineering, such as artificial urgency, suspicious requests, grammatical errors, and unsolicited contacts. Practical simulations of phishing attacks increase the effectiveness of recognition by up to 70% 1 9 .
• Create a security culture where employees and users are comfortable asking questions and reporting suspicious messages and errors 3 .

2. Technical protection measures

• Mandatory use of two-factor authentication (2FA) for all accounts, preferably via authenticator apps or hardware keys rather than SMS, to make it more difficult for attackers to gain access even if their password is compromised 2 4 6 8 .
• Regularly update your software and antivirus protection to prevent malware from being installed through phishing links 4 .
• Set up email filters to block emails without correct DKIM, SPF and DMARC records, and mark external emails to increase user attention 3 .
• Using multi-signature wallets and diversifying storage of funds to reduce the risk of losing all assets if one key is compromised 2 .

3. Procedural and organizational measures

• Implementing strict internal policies, such as a mandatory 24-hour delay for unusual withdrawal requests, to reduce the risk of hasty decisions under pressure from scammers 1 .
• Verification and auditing of all official communications with users, including cryptographic signatures and posting of announcements on multiple channels to confirm authenticity 1 .
• Conduct regular penetration testing using social engineering techniques to assess vulnerabilities of employees and processes 3 9 .
• Creating a single database or repository for collecting and analyzing data on fraudulent attacks, which will allow for faster identification and blocking of new fraudulent schemes [from the context of the news].

4. Individual recommendations for users

• Be skeptical of unwanted messages and calls, especially if they require confidential information or transfer funds. Always verify the authenticity of the request through official channels 6 .
• Check URLs before clicking links to avoid phishing sites 6 .
• Using hardware wallets to store crypto assets as they provide a higher level of security compared to exchange or software wallets 6 .
• Keeping passwords secure, using unique passwords for different services and changing them regularly 4 7 .

Taken together, these measures significantly reduce the likelihood of a successful social engineering attack on crypto exchanges and help protect both users and the exchange itself from financial losses and reputational risks.

What New Methods Are Attackers Using to Trick Coinbase Users?

Attackers targeting Coinbase users have recently adopted a number of new and improved social engineering techniques that make their attacks particularly effective and widespread. The main ones are:

Method of attackDescription and detailsBribery of support staffThe scammers bribed overseas Coinbase support staff, who gained access to internal tools and customer databases. This allowed them to collect personal data on about 70,000 users — names, addresses, phone numbers, latest social security numbers, bank details, images of documents, and transaction history. Based on this data, the scammers disguise themselves as Coinbase representatives to deceive users 1 3 7 .Disguised as support staffUsing the stolen data, the scammers call and text customers posing as Coinbase security staff. They convince victims to transfer cryptocurrency to “specially secured wallets” or add addresses to a whitelist, which allows them to withdraw funds from the account 3 5 .Creation of exact copies of the site and phishing mailingsFraudsters create nearly identical copies of the official Coinbase website and send phishing emails with fake ticket numbers to convince users that the request is legitimate. The emails ask victims to transfer funds or disclose confidential information 6 .Phishing emails offering transfers to external walletsIn March 2025, a surge in phishing emails was recorded, imitating official Coinbase messages with offers to transfer assets to new external wallets using pre-generated seed phrases 5 .Use of fake job offers and malwareAccording to the FBI, scammers are distributing malware under the guise of tests and job applications to gain access to users’ devices and their data. This is indirectly related to attacks on users of crypto exchanges, including Coinbase 8 .SIM Swapping ScamAttackers use SIM swapping techniques to gain control of a victim’s phone number and bypass two-factor authentication, allowing them to access user accounts 4 .

What New Phishing Schemes Are Attackers Using for Coinbase?

These methods demonstrate that attackers combine technical hacks with psychological manipulation, using stolen personal data and insider information to create trust in victims. This approach allows them to bypass traditional security measures and trick users into paying large sums of money — about $45 million was stolen in a week alone 5 .

Coinbase has already fired the employees involved and strengthened security measures, but experts and analysts like ZachXBT are calling for further security improvements and the creation of a single registry of scams to better combat these threats 6 7 .

Attackers targeting Coinbase users in 2024–2025 are using several new and improved phishing schemes that make their attacks particularly dangerous and successful. The main ones are:

1. Phishing with substitution of wallet addresses

Fraudsters create crypto wallet addresses that are visually very similar to real ones, using symbol substitution techniques (for example, replacing letters with similar-shaped ones from other alphabets). Users inattentively transfer funds to fake addresses, which leads to the irretrievable loss of cryptocurrency. In March 2025, such attacks led to the theft of over $46 million from Coinbase customers 1 6 .

2. Phishing emails with fake instructions for transferring to new wallets

In early 2025, there was a surge in emails from Coinbase asking users to “move assets” to new external wallets, ostensibly due to legal proceedings or security updates. The emails contained pre-generated seed phrases that, if entered by the user, gave the scammers full access to the funds. Coinbase has repeatedly warned that it never sends such phrases 5 .

3. Disguising as a support service and bribing employees

The attackers bribed Coinbase support staff overseas, gaining access to the personal data of tens of thousands of customers. Using this data, they called and wrote to victims, posing as exchange employees and convincing them to transfer funds to “safe” wallets 8 4 .

4. Phishing through hacking email marketing services

In 2024, the MailerLite service was hacked, through which phishing emails with links to fake Coinbase sites were sent. This allowed the scammers to reach a wider audience and increase user trust in the emails 2 .

5. Phishing through search engines

Scammers use “search engine phishing” where they create sites with similar domains and use advertising or SEO to trick users into landing on fake Coinbase pages when searching, rather than the official site 3 .

6. Pig Butchering Technique

This is a long-term scheme where scammers build trust with the victim, gradually convincing them to invest more and more funds, and then withdraw everything without leaving anything behind. Such schemes lead to billions of dollars in losses in the crypto industry and affect Coinbase users 6 .

What Makes Coinbase’s Problems Unique Compared to Other Exchanges

New Coinbase phishing schemes are characterized by high technological sophistication and the use of stolen data to create trust. The main threats are the substitution of wallet addresses, sending fraudulent emails with fake instructions for transferring funds, and insider attacks by bribing support staff. Coinbase is actively warning users and conducting investigations, but users are advised to exercise extreme caution and never enter seed phrases, do not click on suspicious links, and do not trust calls or emails that require urgent transfers or confidential information.

What makes Coinbase’s problems unique compared to other cryptocurrency exchanges is that it is the platform that experiences social engineering attacks on a much larger scale and more systematic basis, resulting in multi-million dollar losses for its users. According to on-chain detective ZachXBT, Coinbase users have been robbed of around $330 million a year in recent months through social engineering scams, a level of problems not seen at other major exchanges [from original request].

The main reasons why Coinbase’s problems are unique are:

• Bribery and compromise of customer support staff: Fraudsters gained access to internal tools and databases by bribing overseas Coinbase employees, allowing them to use the personal data of tens of thousands of customers to conduct targeted attacks. Other exchanges have not seen this level of insider threats [from original request].
• High vulnerability to social engineering attacks: Coinbase, unlike its competitors, has problems specifically with social engineering, where attackers trick users by posing as customer service representatives and convincing them to transfer funds to fraudulent wallets. According to ZachXBT, no other major exchange has this problem on such a scale [from the original request].
• Customer support features: Coinbase has been criticized for its slow and not always effective support — responses to queries can take 1–3 days and are too general, which makes it difficult to quickly respond to incidents and increases risks for users 1 . While other exchanges, such as Binance, try to provide support in several languages ​​and more quickly.
• Focus on beginners and simplicity: Coinbase is aimed at beginners with a user-friendly interface and fiat support, but it has less advanced tools for experienced traders and higher fees 2 5 . This makes it attractive to a wider audience, but also increases risks due to a lack of advanced security and user awareness.

Thus, the uniqueness of Coinbase’s problems is due to a combination of internal vulnerabilities (employee bribery), high vulnerability to social attacks, and shortcomings in customer support, which together lead to more serious user losses compared to other major crypto exchanges.

How a Unified Reporting System Will Help Combat Cybercrime in the Cryptosphere

The creation of a unified system for reporting and exchanging information on cybercrimes in the cryptosphere contributes to a more effective fight against cybercrime in several key areas:

• Early detection and prevention of crimes
  The unified system allows for the detection of suspicious activities and fraudulent schemes even before victims file complaints. This is achieved through automated data analysis and centralized monitoring, which reduces the response time of law enforcement agencies and companies 1 .
• Coordination and collaboration between agencies and organizations
  Combining the efforts of various law enforcement agencies, financial institutions, regulators, and crypto exchanges within a single platform ensures more coordinated investigations and evidence sharing. Such integration reduces bureaucratic barriers and speeds up the process of identifying and prosecuting criminals 1 2 .
• Establishing uniform standards and procedures
  Establishing standardized protocols for collecting, storing and transmitting electronic evidence improves the quality of investigations and protects users’ rights, while maintaining a balance between efficiency and confidentiality. It also promotes legislative harmonization and international cooperation 2 .
• Increased transparency and trust
  A unified reporting system promotes transparency in anti-fraud and anti-cybercrime measures, which increases user confidence in crypto exchanges and the financial system as a whole. This is important for the development of the industry and attracting new investors 2 .
• Using modern technologies
  Integrating analytical tools, artificial intelligence and blockchain technologies into a single system allows for more efficient tracking of transactions, identification of suspicious patterns and linking of criminal activities 3 5 .
• International cooperation
  A unified system facilitates the exchange of information and electronic evidence between countries, which is critical to combating transnational cybercrime. Modern international conventions and agreements support the creation of such platforms, taking into account digital sovereignty and the protection of rights 2 .

Thus, the creation of a unified reporting and monitoring system in the cryptosphere is an important step to improve the effectiveness of combating cybercrime, minimizing financial losses of users and strengthening the security of the entire digital asset industry.

What standards and practices can be developed to unify the fight against cryptocurrency crime

To effectively unify the fight against cryptocurrency crime, experts and law enforcement agencies propose developing and implementing a set of standards and practices that cover legal, technical and organizational aspects. The main areas include:

DirectionDescription and Key Practices1. Legal regulation and unification of standards — Development of uniform international legal norms and standards for the classification of crimes using cryptocurrency, including the seizure and confiscation of digital assets.
— Implementation of mandatory KYC (Know Your Customer) and AML (Anti-Money Laundering) procedures for crypto exchanges and exchange services.
— Creation of mechanisms for the liability of legal entities for participation in crimes involving cryptocurrency.
— Application of the experience of international projects, such as the Swiss “Aximetria”, to regulate digital financial transactions and the storage of seized assets 1 2 5 .2. Organization of international cooperation — Formation of new interstate formats of legal assistance and exchange of information on criminal cases related to cryptocrimes.
— Creation of coordination systems and joint working groups between law enforcement agencies of different countries to investigate transnational crimes 2 .3. Technical standards and infrastructure — Development of a unified information infrastructure for collecting, storing and analyzing data on crypto transactions with legal significance.
— Implementation of monitoring and analytics systems based on blockchain technologies and artificial intelligence to identify suspicious transactions and fraud patterns.
— Creation of a single electronic crypto wallet under the control of law enforcement agencies to store seized assets and prevent their further movement 1 5 .4. Procedural standards of investigation — Implementation of unified methods for investigating thefts and frauds involving cryptocurrency, including investigative tactics and forensic examination.
— Providing access to forensically significant information from foreign sources and exchanging it between countries 2 .5. Transparency and accountability — Creation of a unified reporting system and repository of data on fraud and cybercrime in the cryptosphere for the prompt exchange of information between market participants and law enforcement agencies.
— Introduction of mandatory requirements for crypto platforms to disclose information on controlling persons and transactions 5 .6. Educational and preventive measures — Development of standards for training and advanced training of crypto exchange and law enforcement employees on cybersecurity and countering social engineering.
— Informing users about risks and methods of protection against fraud.

Summary and conclusion

Unification of standards and practices in combating cryptocurrency crime will improve the effectiveness of investigations, ensure legal certainty and international cooperation, and create a technological and organizational infrastructure for the timely detection and prevention of crimes. This is critically important in the context of the rapid development of the crypto industry and the growth of cyber threats.

The modern crypto industry faces serious challenges related to social engineering scams, and in this context, a unique situation has developed around the cryptocurrency exchange Coinbase. In recent months, it was the users of this platform who became victims of large-scale and sophisticated attacks, as a result of which hundreds of millions of dollars were stolen. What is unique about Coinbase’s problems is not only the size of the financial losses, but also the fact that the attackers gained access to internal data by bribing support staff, which significantly increased the effectiveness of their fraudulent schemes.

Attackers are using new phishing and social engineering techniques, including creating exact copies of websites, sending fake emails with instructions to transfer funds, and using insider information to gain users’ trust. These schemes demonstrate that technical security measures such as two-factor authentication are important but insufficient without a comprehensive approach that includes organizational and educational measures.

To effectively counter such threats, it is necessary to create a unified system for reporting and exchanging information on cybercrimes in the cryptosphere. Such a system will significantly speed up the detection of fraudulent schemes, improve coordination between law enforcement agencies and crypto exchanges, and increase transparency and trust on the part of users. An important step will be the development and implementation of international standards and practices covering legal norms, technical solutions, investigation procedures and educational programs.

Ultimately, combating social engineering and cybercrime in the crypto industry requires coordinated efforts from all market participants — from exchanges and regulators to users and law enforcement. Only a comprehensive and systematic approach will minimize risks, protect digital assets, and ensure sustainable development of the cryptocurrency ecosystem in the context of an ever-changing threat landscape.

Massive Coinbase Data Leak: Causes, Consequences, and New Standards for Cybersecurity in the Crypto Industry

ByWallet

JUL 14, 2025

Coinbase Hack: A Deep Dive into the Crypto Industry’s Biggest Data Leak

Chronology and scale of the incident

In December 2024, the largest American cryptocurrency exchange Coinbase suffered a large-scale attack, the consequences of which became known only almost six months later, in May 2025. According to an official notice filed with the Maine Attorney General’s office, 69,461 users, including 217 Maine residents, fell victim to the leak. The incident went undetected from December 26, 2024, to May 11, 2025, allowing the attackers to use the obtained data for a long time 1 2 3 .

How the leak happened

The attack was carried out using social engineering and insider manipulation. The cybercriminals bribed a group of overseas Coinbase support staff, primarily from India, to gain access to internal systems and sensitive customer information. As a result, the following was stolen:

• Full names, home addresses, telephone numbers and email addresses of users
• Dates of birth, nationalities, partially masked bank account and social security numbers
• Scanned copies of identification documents (driver’s license, passport)
• Balance, transaction history and account creation date details

It is important to note that passwords, private keys, two-factor authentication codes and user funds were not compromised. The institutional platform Coinbase Prime also remained out of the risk zone 2 4 5 .

Extortion Attempt and Coinbase’s Response

After gaining access to the data, the attackers launched an extortion attempt: on May 11, 2025, the company received an email demanding a ransom of $20 million for non-disclosure of the stolen information. Coinbase refused to negotiate with the criminals and instead announced a $20 million reward fund for help in catching the culprits. The exchange also fired all contractors involved in the leak and promised to compensate all affected customers for losses, as well as provide a free year of credit monitoring and identity protection services 6 4 7 8 .

Financial and legal implications

Coinbase’s total losses are estimated at between $180 million and $400 million, including direct customer losses, remediation costs, compensation, and potential fines from regulators. The exchange is facing a wave of class-action lawsuits from affected users who believe the company failed to notify them of the security breach in a timely manner. Additionally, Coinbase shares fell 7% after news of the hack and extortion attempt was published 9 8 10 .

Investigation and regulatory response

The US Department of Justice (DOJ) has launched an investigation into the incident, focusing on identifying and prosecuting the direct perpetrators and organizers of the attack. Coinbase is actively cooperating with law enforcement, but the company itself is not the subject of the investigation 11 12 13 14 .

Ethical and industry implications

The incident has sparked a wider debate about the ethics of storing personal data under Know Your Customer (KYC) policies. Many experts point out that such requirements, while intended to combat money laundering, increase the risks for cryptocurrency holders, making them targets for extortion, kidnapping, and other crimes. The Coinbase data breach is one of the most high-profile events in a series of growing cyber threats to the crypto industry, highlighting the vulnerability of even the largest players in the market 15 5 .

Known Victims and Impact on Industry

Among those affected was Roelof Botha, a partner at venture capital firm Sequoia Capital, indicating that the leak affected not only ordinary users but also members of the investment community. Experts warn that such incidents undermine trust in centralized exchanges and could lead to tighter regulation of the industry.

Measures to protect users

Coinbase has strengthened its internal security protocols, moved some of its customer support to the US, and restricted access to critical data. The exchange is also urging users to be especially alert to phishing and fraudulent attempts that could follow a personal data breach 1 16 5 .

What Cybersecurity Measures Does Coinbase Plan to Implement Following Data Leak

The Coinbase hack is the biggest test yet for the digital asset industry, demonstrating that even the largest and most technologically advanced companies are vulnerable to social engineering and insider attacks. The incident has prompted a rethink of how we store and protect personal data, and a discussion of the balance between regulatory requirements and user security 1 2 5 .

Following the data breach, Coinbase is planning and has already begun implementing a set of cybersecurity measures aimed at preventing similar incidents in the future. Key measures include:

• Tightening access controls and implementing a Zero Trust architecture , which limits employee and contractor access to data to the minimum necessary level — the principle of least privilege. This reduces the risk of internal abuse of authority 5 .
• Real-time monitoring using AI and machine learning to detect suspicious communications, bribery attempts, unauthorized access to data, and anomalies in the behavior of support staff 5 10 .
• Raising awareness and training employees , including regular security training, phishing attack simulations and creating a security culture within the company 5 10 .
• Improved screening and control of contractors and external employees to minimize the risks associated with using third parties that have been involved in leaks in the past 1 5 .
• Create internal channels for reporting suspicious activity , encouraging employees to report any anomalies or social engineering attempts 5 .
• Using audit trails and automated logs based on blockchain technologies to transparently and immutably record all requests and operations with user data 5 .
• Collaborate with law enforcement agencies and other crypto exchanges to share information on new threats and attack trends, allowing for rapid response to emerging risks 1 5 .

Additionally, Coinbase is offering affected users free credit monitoring and identity protection for a year, and has set up a $20 million fund to reward information about the perpetrators and compensate customers for losses 1 4 .

These measures are aimed not only at technically strengthening security systems, but also at reducing the human factor, which was a key link in the leak that occurred 5 . In general, Coinbase aims to improve the level of data protection in order to restore customer trust and minimize the risks of future cyberattacks.

How Ethical Aspects of KYC Data Collection Can Affect User Trust in Cryptocurrency Platforms

The ethical aspects of data collection as part of the KYC (Know Your Customer) procedure have a significant impact on user trust in cryptocurrency platforms. On the one hand, KYC is necessary to improve security, prevent fraud, money laundering and terrorist financing, and comply with regulatory requirements, which contributes to the formation of trust and reputation of the platform 1 5 . Reliable verification of user identities helps crypto exchanges create a safer financial ecosystem and ensures transparency of operations, which is important for attracting and retaining customers 1 5 .

On the other hand, collecting and storing large amounts of personal data raises serious concerns about privacy and security. Users fear data leaks, loss of anonymity, and a violation of the principles of decentralization that are fundamental to the cryptocurrency community 1 5 7 . Leak incidents like the Coinbase hack exacerbate these concerns and could undermine trust in centralized platforms if effective security measures are not taken.

In addition, lengthy and complex KYC procedures can discourage users, reducing the convenience and speed of access to services, which negatively affects the user experience and competitiveness of the platform 3 . Erroneous blocking and excessive strictness of checks can also cause customer dissatisfaction 6 .

As a result, cryptocurrency platforms are faced with the need to balance security with ethical privacy standards. To this end, innovative solutions are being developed, such as the use of smart contracts, zero-knowledge proofs, and distributed encrypted data storage systems, which help minimize the risk of leaks and preserve user privacy while complying with KYC requirements 1 7 .

Thus, the ethical aspects of KYC affect user trust in crypto platforms through a combination of increased security and, at the same time, challenges related to privacy and convenience. The success of a platform largely depends on how effectively it can ensure data protection and transparency of processes, while maintaining respect for customer privacy.

What Legal Consequences Could Coinbase Face for Delaying Notification of Hack

The legal implications for Coinbase for delaying the breach notification could be serious and multifaceted:

• Lawsuits from affected users . Within 48 hours of the hack and extortion attempt being announced, at least six federal lawsuits were filed, accusing Coinbase of negligence, inadequate internal controls, and failure to promptly inform customers of the breach. The plaintiffs say the delay in notification made the breach worse and allowed the attackers to exploit the stolen data longer 1 .
• Regulatory pressure and investigations . Coinbase is under the supervision of the U.S. Securities and Exchange Commission (SEC), which may initiate additional investigations and impose fines for violations of data protection and timely notification of customers and regulators. Failure to comply with cyber incident disclosure rules may result in sanctions and stricter scrutiny 1 5 .
• Allegations of systemic security flaws . The lawsuits highlight the existence of vulnerabilities in Coinbase’s security infrastructure that allowed attackers to bribe support staff and gain unauthorized access to data. This could result in demands for the company to improve its security systems and pay damages 1 .
• Reputational Risks and Further Litigation : The delay in notification and the scale of the leak increase negative perceptions of the company among customers and investors, which could lead to further lawsuits, including class action lawsuits, and loss of confidence and market value of the stock.
• Potential Criminal Investigations : If violations of privacy and cybersecurity laws are found, or if management negligence is proven, criminal cases or administrative investigations may be initiated against Coinbase.

As such, the delay in notifying Coinbase of the breach exposes the company to significant legal risks, including lawsuits, regulatory sanctions, and reputational damage, requiring the company to actively cooperate with authorities and take steps to compensate affected customers 1 5 .

What is the role of external contractors in an incident and how does it affect the company’s security?

The role of external contractors in the Coinbase data breach incident was key and had a serious negative impact on the company’s security. During the hack, the attackers were able to bribe several Coinbase customer service representatives who were contractors in order to gain access to sensitive user information. This indicates that it was through external contractors that the internal security was compromised.

This involvement of contractors created a number of vulnerabilities:

• Insufficient control and monitoring of contractors. External contractors are often not fully integrated into the company’s security processes, making it difficult to monitor their actions and prevent abuse. In the case of Coinbase, contractors had access to sensitive information, but there was insufficient control over their actions.
• Human Factor Risks: Contractors, being outside the corporate culture and subject to different rules, may be more vulnerable to social manipulation, bribery, or errors, increasing the likelihood of insider threats.
• Lack of or inadequate legal and technical measures: Often, contractors do not sign strict non-disclosure agreements (NDAs) or undergo comprehensive security checks, increasing the risk of data leakage.
• Security management challenges when outsourcing. Transferring critical functions to external organizations requires careful monitoring, regular audits, and transparent reporting, otherwise there may be delays in identifying and responding to incidents.

The impact on a company’s security is that using external contractors without proper oversight and integration into the corporate security system creates additional entry points for attackers and increases the likelihood of internal leaks. In the case of Coinbase, it was through contractors that attackers gained access to data, which led to a large-scale leak and serious reputational and financial losses.

To improve the company’s security it is necessary:

• Implement strict procedures for the selection, training and monitoring of contractors.
• Conduct regular internal and external security audits with a focus on working with contractors.
• Restrict contractor access to critical data using the principle of least privilege.
• Provide transparency and monitoring of all contractor activities in real time.
• Sign legally binding confidentiality and liability agreements.

The role of external contractors in the Coinbase incident thus highlights the importance of comprehensive outsourcing risk management and the need to integrate contractors into the overall corporate security system.

What lessons can be learned from this case for the cryptocurrency industry and user data protection?

There are several key lessons that can be drawn from the Coinbase data breach and other major cyberattacks in the crypto industry that are important for the entire cryptocurrency industry and the protection of user data:

Lessons from the incidentSignificance for the industryMulti-layered security and the principle of least privilegeComprehensive security systems, including multi-signature wallets, strict access control, and restriction of employee and contractor privileges, must be implemented to minimize the risks of internal and external attacks 1 .Continuous monitoring and anomaly detectionIt is important to use real-time monitoring tools using AI and machine learning to detect suspicious activity, phishing attempts and system anomalies 1 2 .Training and awareness raising for employees and usersRegular training and attack simulations help improve preparedness for social engineering and phishing attacks, which remain one of the main vulnerabilities 1 2 .Comprehensive security auditThe audit should cover not only smart contracts and blockchain algorithms, but also infrastructure, development processes, supply chains and interactions with contractors 1 .Outsourcing Risk ManagementStrict controls and transparency in dealing with external contractors, including legal obligations and technical monitoring, are necessary to prevent insider leaks 1 .Transparency and timely informationDelays in reporting breaches undermine user trust and increase legal risks. Prompt disclosure and support for affected customers strengthens reputation 1 .Creation of insurance and compensation fundsThe formation of insurance funds to protect user funds and compensate for losses reduces the financial risks of clients and increases trust in platforms 1 .Balancing KYC and PrivacyThere is a need to find solutions that ensure compliance with regulations while minimizing the risks of personal data leaks while maintaining user privacy 5 .Regularly check and update security systemsTechnologies and attack methods are constantly evolving, so crypto platforms must regularly update their security protocols and conduct stress tests 1 2 .

Overall, these lessons highlight that protecting cryptocurrency platforms and user data requires a comprehensive approach that combines technical measures, human factor management, and transparent communications. Adopting these principles will help reduce the risk of cyberattacks, increase user trust, and ensure the sustainable development of the crypto industry.

What vulnerability assessment methods help prevent crypto incidents

To prevent crypto incidents and improve the cybersecurity of cryptocurrency platforms, various vulnerability assessment methods are used to identify weak points in systems before they are exploited by attackers. Key methods and approaches include:

• Automated vulnerability assessment (Vulnerability Assessment) is a regular scan of the entire IT infrastructure (networks, servers, applications, cloud services) using specialized tools (e.g. Nessus, Qualys, OpenVAS). This method helps to identify incorrectly configured systems, outdated software, weak passwords and other vulnerabilities, as well as rank them by risk level 1 .
• Penetration Testing is a simulation of real attacks with the aim of exploiting the identified vulnerabilities. Pentests are performed by experienced professionals (ethical hackers) who check how deeply an attacker can penetrate a system and what consequences this may have for the business 1 .
• Static and dynamic application testing (SAST and DAST) are the analysis of source code and running applications to detect vulnerabilities at the software level. SAST identifies errors in the code before launch, DAST identifies vulnerabilities while the application is running 3 .
• Software composition analysis (SCA) and component trust assessment (SCS) — checks the external libraries and components used for known vulnerabilities and licensing risks. This helps prevent vulnerable or insecure software from getting into the product 3 .
• Prioritizing vulnerabilities by risk level — after identifying vulnerabilities, they are classified by their level of criticality (low, medium, high risk). This allows resources to be focused on eliminating the most dangerous vulnerabilities first 1 2 .
• Using risk assessment models and statistical analysis helps to determine which parts of the system are most vulnerable and require increased attention, as well as to predict potential threats 1 4 .
• Implementation of machine learning and artificial intelligence — modern methods such as support vector machines (SVM) are used to automatically identify and predict vulnerabilities based on the analysis of big data and system behavior 8 .
• Regular security audits and real-time monitoring — Continuous monitoring of your security posture, including log and event analysis, allows you to quickly respond to new threats and prevent attacks at an early stage 1 .
• Additional protection methods: Red Team, Purple Team, Bug Bounty — complex approaches that include attack simulations and the involvement of external specialists and the community to search for vulnerabilities 7 .

An effective combination of these methods allows cryptocurrency platforms to promptly identify and eliminate security vulnerabilities, reducing the risk of data leaks, hacks, and financial losses. Regular and systematic vulnerability assessments, as well as prioritization based on business risks, are key factors in successfully protecting digital assets and user data.

Summary and Conclusions on the Coinbase Data Leak Incident and Its Impact on the Crypto Industry

The Coinbase hack was one of the most high-profile events in the history of the cryptocurrency industry, demonstrating the vulnerabilities of even the largest and most technologically advanced platforms. The incident highlighted critical issues related to cybersecurity management, especially in terms of control over external contractors and the protection of users’ personal data.

The delay in detecting and reporting the breach compounded the impact, triggering a wave of lawsuits and attracting the attention of regulators. This underscored the importance of transparency and prompt communication with customers and government agencies to maintain user trust and minimize legal risks.

The incident also raised ethical questions about KYC procedures: the need to collect large amounts of personal data to comply with regulations is faced with the risk of leaks and privacy compromise. Balancing security, compliance, and respect for privacy is becoming a major challenge for crypto platforms.

There are important lessons for the entire industry to learn from what happened:

• A comprehensive and multi-layered approach to security is required, including strict access controls, real-time monitoring and employee training.
• Particular attention should be paid to managing risks associated with outsourcing and contractors to minimize internal threats.
• Regular audits, penetration tests and the use of modern vulnerability assessment technologies help to promptly identify and eliminate weaknesses.
• Establishing compensation funds and reward programs for information about bad actors helps build trust and accountability.
• It is important to develop innovative KYC solutions that ensure data protection and user privacy while meeting regulatory requirements.

Overall, the Coinbase incident has become a signal to the entire crypto industry about the need for continuous improvement of security systems and ethical standards. Only a comprehensive, transparent and responsible approach will ensure the protection of digital assets, maintain user trust and ensure the sustainable development of the cryptocurrency market in the context of ever-growing cyber threats.

$220 Million Cetus Hack: Security Challenges, Sui Validators’ Response, and Lessons for Trust in Web3 Ecosystems

ByWallet

JUL 14, 2025

On May 22, 2025, Cetus, a decentralized crypto exchange running on the Sui blockchain network, suffered a massive hack that resulted in the attackers withdrawing approximately $223 million in user funds 1 2 3 . The incident was one of the largest DeFi exploits in the first half of 2025 and had major consequences for the Sui ecosystem and the crypto market as a whole.

Hacking mechanism and attack details

The hackers exploited a vulnerability in Cetus smart contracts , specifically in the pricing mechanism and token validation. They injected fake tokens (such as BULLA) into liquidity pools, which distorted reserve calculations and allowed them to manipulate asset prices. Using flash loans and price curve distortion, the attacker emptied 46 liquidity pairs by exchanging worthless tokens for real assets, including SUI and USDC 1 2 3 5 .

Some of the stolen funds, about $63 million , were transferred to the Ethereum network, where the attackers converted them into about 20,000 ETH , worth about $53 million. The attacker’s Ethereum wallet address, ending in “AF16,” is known to have been used to launder these funds 1 2 .

Response and measures to freeze funds

The Sui network validators responded quickly to the incident: they froze about $162 million of the stolen assets, blocking transactions from the attackers’ addresses. This was done to prevent further withdrawals and preserve the ability to return them to users 7 9 .

The Sui Foundation and the Cetus team are working with other organizations in the ecosystem to recover the remaining funds and return them to those affected. To do this, a vote among Sui network participants is proposed , which will allow the adoption of a protocol update necessary to unlock and return the frozen assets. This approach emphasizes the importance of decentralized governance and transparency in the recovery process 7 .

Appeal to hackers

The Cetus team has publicly approached the attackers with a “white deal” proposal: return about 20,920 ETH and all frozen assets on the Sui network in exchange for keeping 2,324 ETH (approximately $6 million) and protection from lawsuits. This proposal is aimed at minimizing damage to the community and incentivizing the return of funds 1 .

Consequences for the ecosystem and the crypto market

The Cetus hack caused a sharp drop in the value of Sui ecosystem tokens, with the CETUS token falling by more than 40% and SUI by about 15% to around $3.81. Some less liquid tokens lost up to 96% of their value, which seriously affected investors and DEX liquidity 1 3 .

The incident once again highlighted the vulnerability of cryptocurrency projects to cyberattacks and the need for stronger security measures. Discussions arose in the crypto community about the balance between decentralization and the ability of validators to intervene to protect users. Some participants expressed concern that the ability of validators to freeze funds undermines the censorship resistance of the Sui network 1 .

Results and Prospects

• The Cetus hack has exposed critical security flaws in DeFi platforms, especially in new ecosystems like Sui 1 3 .
• The quick response of the validators and the freezing of funds made it possible to prevent the loss of most of the stolen assets and begin the process of their return 7 9 .
• The proposed protocol upgrade vote demonstrates a commitment to decentralized and transparent crisis management, which is important to restore community trust 7 .
• Cetus and the Sui Foundation have announced a $5 million reward for information leading to the identification and arrest of the attackers 5 7 .
• The Cetus hack has become a serious warning to the entire crypto industry about the need to strengthen cybersecurity and self-organization in the face of growing threats 1 3 .

Thus, the Cetus incident is not only a major theft of funds, but also an important lesson for the entire DeFi ecosystem, highlighting the need for a balance between innovation, security, and decentralization.

What measures have Sui validators taken to freeze funds and how much does this affect the decentralization of the network?

The Sui network validators have taken steps to freeze funds stolen in the Cetus decentralized exchange hack by ignoring and blocking transactions from addresses associated with the exploit . They identified the addresses to which the stolen assets were transferred and, until further notice, refused to process any transactions from those addresses, effectively freezing approximately $162 million of the more than $220 million in stolen funds 7 1 .

This measure was implemented at the level of validators, which in the Sui network constitute a relatively small number — only about 114 participants. They agreed and approved a plan for the recovery of funds, which allowed for the prompt halting of further movement of the stolen tokens and the beginning of the process of their return to the affected users 1 3 .

Impact on network decentralization

The validators’ actions have sparked intense debate in the crypto community, as the ability to freeze wallets and block transactions calls into question the censorship-resistant and decentralized nature of the Sui network . Critics point out that if fewer than 120 validators can single-handedly block addresses and interfere with transactions, this means centralized control, which is contrary to the ideals of fully decentralized blockchains 7 .

Supporters point out that in the face of serious cyberattacks and security threats, such measures are necessary to protect users and maintain trust in the ecosystem. At the same time, Sui provides for public consensus and voting mechanisms that allow decisions to be made on recovery and refunds, which partially offsets the risks of centralization 1 3 .

Thus, the freezing of funds by Sui validators is a trade-off between security and decentralization . It demonstrates that in modern blockchain networks, especially in new ecosystems, the balance between complete censorship resistance and rapid response to threats has not yet been achieved and is controversial among market participants 1 7 .

Briefly:

• Sui validators block transactions from the attackers’ addresses, freezing $162 million in stolen funds.
• To do this, they ignore transactions with suspicious addresses until the community makes a decision.
• There are only 114 validators in the network, which raises questions about the degree of decentralization.
• The measures provide security, but reduce censorship resistance and call into question Sui’s decentralization.
• Decisions are made through voting, which partially preserves elements of decentralized governance.

How Attackers Exploited a Cetus Code Vulnerability to Steal $220M and What It Means for DeFi Security

Attackers exploited a vulnerability in the Cetus DEX smart contract pricing mechanism on the Sui blockchain , allowing them to conduct a sophisticated attack and steal approximately $220–260 million . The main exploit method was as follows:

• Hackers injected fake tokens into liquidity pools, distorting reserve calculations and asset prices in the protocol.
• By exploiting a vulnerability in the validation and pricing algorithms, attackers were able to manipulate prices, creating artificially high or low liquidity values.
• This made it possible to withdraw real assets from major pools such as SUI/USDC by exchanging them for fake tokens with inflated value.
• The attack utilized flash loans , which allowed large amounts of liquidity to be obtained for a short period of time without collateral, increasing the scale and speed of the exploit.
• Over the course of approximately 47 minutes, the attackers conducted a series of coordinated transactions, draining at least 12 liquidity pools and transferring some of the stolen funds to the Ethereum network for further laundering.

What does this mean for DeFi security?

The Cetus hack, one of the largest of 2025, highlights several important issues and lessons for the decentralized finance industry:

• Vulnerabilities in smart contracts and pricing mechanisms remain a major risk point for DeFi protocols, especially for new and fast-growing ecosystems.
• Complex automated market makers (AMM) algorithms and liquidity pool management require careful auditing and ongoing monitoring to prevent manipulation.
• The use of flash loans gives attackers the ability to conduct large-scale attacks without upfront investment, making it difficult to defend against.
• The incident highlights the need for stronger security measures , including open source code, bounty programs for white hat hackers, and more stringent smart contract checks and updates.
• The hack caused the ecosystem’s token prices to drop, liquidity to decline, and assets to freeze, demonstrating how vulnerabilities can lead to cascading effects in the market.
• For new blockchains like Sui, this case was a wake-up call that massive growth and popularity should not come at the expense of security and decentralization.

Overall, the Cetus hack shows that security in DeFi requires continuous improvement of technologies and security mechanisms , as well as active interaction between developers, validators and the community to prevent similar incidents in the future 1 2 3 5 6 .

Why the community is criticizing the ability of validators to block wallets and how this affects censorship in the Sui network

The community’s criticism of the ability of Sui network validators to block malicious wallets is related to the fact that such a practice creates risks for censorship resistance and undermines the principles of decentralization . The main arguments and consequences are as follows:

• Censorship resistance is a key principle of decentralized blockchains , meaning that no one can arbitrarily block or reverse transactions. The ability of validators to ignore transactions from certain addresses effectively introduces centralized control, which is contrary to the ideals of the Sui network and many other crypto projects 1 3 .
• There are only about 114 validators on the Sui network, and their consensus decision to freeze funds means that a relatively small number of participants can influence the availability of users’ assets. This raises concerns that in the future, such measures could be used not only in emergency situations, but also for political or commercial reasons 3 .
• Similar situations have already been observed in other blockchains, such as Ethereum, where validators refused to process transactions from sanctioned addresses, leading to discussions about the network’s vulnerability to external pressure and censorship 1 .
• Proponents of such measures point to the need to protect users from theft and fraud , especially in the face of large-scale hacks and attacks, when prompt intervention can save significant funds. However, this creates a dilemma between security and freedom of transactions 1 3 .
• Technically, the Sui network uses the Mysticeti consensus mechanism, which provides high throughput and censorship resistance due to parallel block proposals by multiple validators. However, the ability to collectively decide on blocking addresses reduces this level of censorship resistance 4 .
• Overall, the criticism reflects a broader problem in the cryptocurrency industry: how to maintain decentralization while effectively combating scammers and attackers without turning the network into a centralized structure with the ability to censor 1 3 5 .

Thus, the ability of Sui validators to block malicious wallets is controversial because it ensures security and refunds, but at the same time compromises the fundamental principles of decentralization and freedom of transactions, increasing the risk of censorship on the network.

What steps is the Cetus team taking to recover stolen funds and possibly return assets to users?

The Cetus team is taking comprehensive steps to recover stolen funds and return assets to users after a hack worth approximately $220 million. Key measures include:

• Updating the Sui protocol and transferring frozen funds to a multi-signature (multisig) Cetus wallet, the keys to which will be jointly controlled by the Cetus team, the audit firm OtterSec and the Sui Foundation. This will allow centralized management of the returned assets and ensure their security 1 .
• An upgrade to the CLMM (Concentrated Liquidity Market Maker) smart contract , which has been audited and is designed to provide emergency recovery for liquidity pools affected by the hack 1 .
• Data recovery and calculation of liquidity losses in each attacked pool, which will allow us to accurately determine the damage and the amount of compensation required 1 .
• Asset conversion as some tokens have been corrupted or altered due to the attacker’s actions. The team plans to perform this conversion with minimal impact on the market and liquidity 1 5 .
• Developing a compensation contract that will cover the remaining losses of users. This contract is being audited and will become a tool for compensating losses 1 .
• Updating peripheral products and modules for the new contract, which will ensure full restoration of DEX functionality and access to liquidity for providers 1 .
• Cetus protocol relaunch , scheduled for approximately one week after the plan is approved by the community, with full functionality restored and LPs accessing 1 5 .
• Working with the Sui ecosystem and law enforcement to pursue the attackers and recover the remaining funds. Cetus offered the hacker a “white deal” to return most of the stolen assets in exchange for keeping some of the funds and protection from lawsuits, but there was no response 5 8 .
• Conducting a community and validator vote on Sui , in which over 90% of participants supported an emergency protocol update that allows frozen funds to be returned without the need for a hacker’s signature, which became a unique solution in the blockchain industry 1 7 .
• A plan to reward white hat hackers and move to open source to improve protocol security and encourage collective contributions to secure the network 5 .
• Setting aside a portion of CETUS tokens to compensate affected users: 15% of the protocol’s own token supply is allocated for this purpose, with a gradual release over the course of the year 5 .

As such, the Cetus team is implementing a strategy that combines technical upgrades, community coordination, and legal action to restore the DEX to its full functionality and return the stolen funds to users as efficiently as possible.

How hacks like these affect trust in Web3 ecosystems and what lessons can be learned from this incident

Hacks of major DeFi projects like Cetus have a significant impact on trust in Web3 ecosystems and highlight existing security risks in the industry. The main implications and lessons learned from such incidents are:

Impact on Web3 Trust

• Growing concerns among users and investors due to large-scale losses of funds reduce the attractiveness of decentralized finance and blockchain projects for a wider audience. The loss of hundreds of millions of dollars undermines the reputation of both specific protocols and the entire Web3 ecosystem.
• Such incidents are causing increased regulatory pressure as governments see them as a threat to financial stability and consumer safety, which could lead to tighter controls and restrictions on innovation.
• The hacks demonstrate that decentralization does not automatically guarantee security . Code errors, insufficient auditing, and weak security mechanisms remain the main vulnerabilities.
• The community and investors are becoming more cautious, which slows down the growth and adoption of new projects, especially if they do not demonstrate a high level of security and transparency.

Lessons to Learn from the Cetus Incident and Other Attacks

• The need for comprehensive auditing of smart contracts and infrastructure — regular, deep code and security reviews should become standard for all Web3 projects.
• Implement real-time monitoring and analytics to quickly detect anomalies and potential attacks so you can respond quickly and minimize damage.
• Developing and implementing multi-level security systems , including multi-signature wallets, asset freezing mechanisms, and other tools that can help prevent or limit the impact of hacks.
• Raise awareness and educate developers and users on cybersecurity techniques, including recognizing phishing attacks and social engineering.
• Balance between decentralization and security — it is necessary to find compromises that will preserve the principles of openness and censorship resistance, but at the same time ensure that users are protected from major losses.
• Active communication and coordination within the ecosystem — joint efforts between developers, validators, auditing companies and the community are important for rapid recovery from incidents and increased protocol resilience.
• Transparency and openness in communication with users and investors help maintain trust, even in the event of serious crises.

How Web3 Hacks Affect User Trust in Ecosystem Security

The Cetus hack and similar incidents serve as an important warning to the entire Web3 industry: security must be a priority at all stages of project development and operation . Only a systematic approach to security, continuous improvement of technology, and active community participation can build trust and ensure sustainable growth of decentralized finance and blockchain ecosystems in the future 1 2 3 .

Hacking in Web3 ecosystems has a significant negative impact on user trust in the security of these platforms . Despite the fundamental benefits of blockchain — transparency, decentralization, and control over one’s own data — frequent thefts and vulnerabilities highlight the risks and limit mass adoption of the technology.

How hacks affect user trust

• Growing concerns about the security of assets and personal data. Users see that even large and technically advanced projects are susceptible to attacks, which reduces confidence in the reliability of Web3 products and leads to caution when investing and using services 1 4 .
• Deterioration of the ecosystem’s reputation and loss of interest. Large-scale losses of funds cause panic and negative feedback, which can slow down the development and implementation of new projects, especially among less technically savvy users 2 .
• Increased regulatory pressure: Frequent incidents attract the attention of government agencies, which begin to demand stricter controls and security standards, which can limit decentralization and user freedom 1 .
• Highlighting vulnerabilities not only in the blockchain but also in Web2 integrations. Many attacks occur through exploits of Web2 components (e.g. frontend, tag management), which demonstrates the need for a comprehensive approach to security 5 .

Lessons and tips for increasing trust

• Mandatory and regular auditing of smart contracts and infrastructure , including penetration testing and real-time monitoring, to promptly identify and fix vulnerabilities 1 3 .
• Comprehensive security that covers both Web3 and Web2 layers , as attacks often exploit weaknesses in integrations and supporting services 5 .
• Implementation of multi-layered security measures such as multi-signature wallets, access rights restrictions, two-factor authentication and anomaly monitoring systems 5 6 .
• Transparency and openness of projects , which allows the community and “white hat” hackers to discover and report issues faster, increasing the overall level of security 6 .
• Educating users and developers on cybersecurity practices and risk awareness to help reduce the number of successful attacks and fraud.

Summary and conclusion

The hack of the Cetus decentralized exchange on the Sui blockchain, which resulted in the theft of over $220 million, has become a serious test for the entire Web3 ecosystem and demonstrated how vulnerable even the most modern DeFi projects are to cyberattacks. By exploiting a vulnerability in smart contracts and pricing mechanisms, attackers were able to withdraw huge amounts of assets in minutes, highlighting the importance of comprehensive auditing and ongoing security monitoring of protocols.

While Web3 offers new opportunities for managing digital assets and data, hacks and vulnerabilities remain a major obstacle to user trust . Only a systematic and comprehensive approach to security that combines technical measures, transparency, and education can build trust and ensure the sustainability of Web3 ecosystems in the future 1 3 5 .

The response of Sui validators — promptly freezing a significant portion of the stolen funds — was an important step in preventing further losses and beginning the process of returning assets to users. However, this measure has sparked intense debate in the community, as the ability to block wallets calls into question the basic principles of decentralization and censorship resistance of the network. This trade-off between security and freedom of transactions reflects the complexity of managing modern blockchain networks, where the balance between protecting users and maintaining a decentralized structure remains a hotly debated issue.

The Cetus team, together with the Sui ecosystem, is taking comprehensive steps to restore the protocol and compensate users for their losses — from updating smart contracts and transferring frozen assets to multi-signature wallets to organizing community votes and proposing “white-hat deals” with the hackers. These efforts demonstrate the importance of coordination between developers, validators, and the community in combating the consequences of attacks and building trust.

Overall, this incident has become a wake-up call for the entire Web3 industry, highlighting the need for increased security, transparency, and user education. Only a systemic and multi-layered approach to security, consistent with the principles of decentralization, can ensure the sustainable development of decentralized finance and strengthen trust in the ecosystems of the future.