SBI Crypto was breached, dropping $21 million in property through a suspected laundering operation.
A phishing rip-off focusing on GMGN tricked 107 customers into approving pretend transactions.
Honeypot token scams rose 600% month-on-month, with over 2,100 tokens detected.
Web3 has entered a brand new section of cyber threats, with attackers now leveraging synthetic intelligence, automation instruments, and complicated social engineering to take advantage of customers throughout decentralised networks.
In response to GoPlus Safety, over $45.84 million was misplaced in October alone from a surge of scams, phishing assaults, token exploits, and pockets hacks.
The information reveals how scammers are evolving their strategies, creating high-impact exploits which have affected hundreds of customers and platforms throughout Ethereum, Binance Good Chain, and Base.
Hackers use AI and automation to spice up phishing campaigns
GoPlus noticed a pointy enhance in phishing assaults that led to greater than $3.5 million in losses.
A rising variety of these scams are powered by “Phishing-as-a-Service” platforms, the place risk actors use AI instruments to quickly generate pretend web sites and deploy large-scale campaigns with decrease operational prices.
One of many largest phishing circumstances concerned the buying and selling platform GMGN.
On this incident, 107 customers had been misled by a pretend third-party web site into authorising dangerous transactions. Losses totalled greater than $700,000.
The phishing rip-off replicated legit pockets interactions, tricking victims into signing approval requests that gave attackers management over their funds.
In one other case, a dealer authorised a malicious “increaseAllowance” command, leading to a $325,000 loss in Coinbase Wrapped Bitcoin.
Individually, one other consumer was hit with a $440,000 loss after signing a fraudulent “allow” transaction.
Each exploits spotlight the rise in pretend contract approvals, usually enabled by misleading interfaces mimicking trusted apps.
Refined exploits linked to state-style laundering techniques
The only largest exploit got here from SBI Crypto, which suffered a breach that drained $21 million price of digital property. The losses included Bitcoin, Ethereum, Litecoin, Dogecoin, and Bitcoin Money.
Though SBI Crypto didn’t formally verify the supply of the breach, a joint investigation by ZachXBT and Cyvers recommended patterns much like these utilized by North Korean hacker teams.
The attackers allegedly funnelled funds by means of Twister Money, a recognized crypto mixer beforehand sanctioned for its function in laundering state-sponsored thefts.
This laundering methodology intently mirrors exercise linked to the Lazarus Group, although the report careworn that the connection stays unverified.
Web3 platforms beneath assault from honeypot tokens
Alongside phishing and exploits, the report discovered a dramatic spike in honeypot tokens.
These are malicious sensible contracts that enable customers to purchase tokens however stop them from promoting or withdrawing funds.
Honeypot tokens surged 600% final month, reaching 2,189 recognized tokens—although nonetheless far fewer than the 40,000 recorded in June 2025.
The Binance Good Chain accounted for the majority of those tokens at 1,780, adopted by 216 on Ethereum and 131 on Base.
These tokens are embedded with hidden restrictions that block transactions, stranding investor funds in illiquid property.
Their enhance underscores a shift towards embedded contract-level fraud, which may bypass primary safety instruments.
Tokens and socials compromised in wider exploits
The broader ecosystem additionally noticed losses from social media and platform-based breaches.
Astra Nova’s official social account was hijacked, triggering a large-scale sell-off of its native token RVV and inflicting losses of roughly $10.3 million.
In a separate exploit, decentralised finance platform Backyard Finance was hit with a vulnerability that value customers round $10.8 million, in keeping with ZachXBT.
These incidents mirror a widening floor of assault throughout each user-facing interfaces and backend contract code.
