Cetus Breach and North Korea Theft Led to $244 Million in Crypto Losses in May 2025
Introduction to May 2025’s Crypto Losses
The cryptocurrency industry faced a turbulent May 2025, with over $244 million lost to hacks and scams, according to blockchain security firm PeckShield. The most significant blow came from a $223 million exploit of Cetus Protocol, a decentralized exchange (DEX) on the Sui blockchain, alongside a $5.2 million theft tied to North Korean hackers. While total losses dropped 39% from April’s $402 million, the incidents highlight persistent vulnerabilities in decentralized finance (DeFi) and the growing threat of state-sponsored cyberattacks. This article explores the Cetus breach, North Korea’s role, recovery efforts, and the broader implications for crypto security in 2025.
The Cetus Protocol Hack: A $223 Million Blow
On May 22, 2025, Cetus Protocol, a leading DEX and liquidity provider on the Sui and Aptos blockchains, suffered the largest crypto hack of the month, losing approximately $223 million. The attack, described as a “catastrophic” breach, targeted the platform’s liquidity pools, particularly the SUI/USDC pair, causing a 75%+ price drop in the CETUS token and cascading losses across Sui-based tokens like LOFI (down 76%) and HIPPO (down 81%).
How the Hack Happened
According to blockchain security firm Dedaub, the attacker exploited a flaw in Cetus’ most significant bits (MSB) check mechanism within its smart contracts. This vulnerability allowed the hacker to manipulate liquidity parameters, creating disproportionately large positions with minimal effort. The attacker sent spoof tokens with no market value, tricking the protocol into treating them as valuable, which skewed price data and drained liquidity pools. Approximately $60 million was bridged to Ethereum and converted to USDC, while $162 million remained on the Sui network.
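The bug class described above, a most-significant-bits guard that is supposed to stop a left shift from silently dropping high bits, is shown here as an added example; it is not Cetus' code and does not come from the Dedaub report. The 128-bit width, the incorrect limit and all function names are assumptions chosen for illustration.

```rust
// Constructed illustration of an MSB guard in front of a left shift.
// Widths, thresholds and names are assumptions, not taken from any contract.

const SHIFT: u32 = 64;

/// Flawed guard: the limit is set far too high, so values whose top bits are
/// set still pass and lose those bits in the shift.
fn shl64_flawed(v: u128) -> Option<u128> {
    let limit: u128 = (u64::MAX as u128) << 64; // wrong bound (constructed)
    if v > limit { None } else { Some(v << SHIFT) }
}

/// Hardened guard: reject any value with a bit set in the top 64 bits,
/// because exactly those bits would be shifted out.
fn shl64_checked(v: u128) -> Option<u128> {
    if v >> (128 - SHIFT) != 0 { None } else { Some(v << SHIFT) }
}

/// Boundary audit: a guard is sound only if every value it accepts
/// survives the round trip (v << 64) >> 64 == v.
fn unsound_inputs(guard: fn(u128) -> Option<u128>) -> Vec<u128> {
    let edges: [u128; 6] = [
        0, 1, (1u128 << 64) - 1, 1u128 << 64, (1u128 << 64) + 1, u128::MAX,
    ];
    edges
        .iter()
        .copied()
        .filter(|&v| matches!(guard(v), Some(r) if r >> SHIFT != v))
        .collect()
}

fn main() {
    let big = 1u128 << 64;
    println!("flawed : {:?}", shl64_flawed(big));
    println!("checked: {:?}", shl64_checked(big));
    println!("flawed guard accepts and truncates: {:?}", unsound_inputs(shl64_flawed));
    println!("checked guard accepts and truncates: {:?}", unsound_inputs(shl64_checked));
}
```

The round-trip audit is the kind of boundary test an audit or fuzzing harness can run against any fixed-width shift or multiply helper before it is trusted in pricing or liquidity math.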
Cetus’ Response and Recovery
Cetus acted swiftly, pausing its smart contracts to prevent further losses and engaging Sui validators to freeze $162 million (71%) of the stolen funds. On May 24, Sui validators approved an on-chain vote to reclaim these frozen assets, marking a significant recovery milestone. Cetus also:
Offered a $5 million bounty for information leading to the hacker’s identification.
Proposed a “whitehat settlement,” allowing the attacker to keep $6 million if the remaining funds were returned.
Identified the attacker’s Sui and Ethereum wallet addresses, working with law enforcement and analytics firms like Elliptic to trace the $60 million still at large.
Cetus is now upgrading its smart contracts, restoring liquidity, and planning a platform relaunch, with support from the Sui Foundation and Binance founder CZ, who vowed to aid recovery efforts. Despite the recovery of $162 million, the $60 million bridged to Ethereum remains a challenge, complicating full restitution.
North Korea’s $5.2 Million Crypto Heist
In addition to the Cetus breach, a $5.2 million theft in May 2025 was attributed to North Korean hackers, part of a broader wave of state-sponsored crypto attacks. According to PeckShield, this incident aligns with North Korea’s escalating cybercrime activities, which stole $1.34 billion across 47 incidents in 2024 alone, per Chainalysis. The May attack targeted an unspecified protocol, leveraging advanced malware and social engineering tactics associated with the Lazarus Group.
North Korea’s Growing Threat
North Korean hackers, including groups like Lazarus, Kimsuky, and BlueNoroff, are notorious for funding Pyongyang’s weapons programs through crypto thefts. Notable recent incidents include:
The $1.5 billion Bybit hack in February, linked to the “TraderTraitor” campaign.
A $235 million theft from India’s WazirX exchange in July 2024.
The May 2025 heist, while smaller, underscores North Korea’s persistent targeting of DeFi platforms, exploiting vulnerabilities to bypass international sanctions. Security experts warn that hackers are now framing victims to mislead investigators, adding complexity to attribution efforts.
Other Notable Hacks in May 2025
Beyond Cetus and the North Korean theft, May saw several smaller but significant exploits:
Cork Protocol: A $12 million loss on Ethereum’s Wrapped Staked Ethereum (wstETH) and Wrapped Ethereum (weETH) markets, prompting a full audit and platform pause.
MBU Token: A $2.2 million exploit affecting its liquidity mechanisms.
MapleStory Universe: A $1.2 million breach, rounding out the top five incidents.
These attacks, combined with Cetus and North Korea’s heist, contributed to the $244.1 million total, with code vulnerabilities accounting for $229 million, per CertiK’s June 2 report. The 20 major incidents in May reflect a 4,483% surge in code-related losses from April, highlighting DeFi’s ongoing security challenges.
Implications for DeFi and Crypto Security
The Cetus breach and North Korean thefts expose critical vulnerabilities in the crypto ecosystem:
Smart Contract Risks: The Cetus hack, caused by an open-source library flaw, underscores the need for rigorous smart contract audits. Similar issues led to the $1.4 billion Bybit hack in February 2025, which exploited a free storage software flaw.
State-Sponsored Threats: North Korea’s $1.34 billion in 2024 thefts and continued attacks in 2025 highlight the geopolitical risks facing crypto platforms, requiring global coordination to counter.
Recovery Innovations: Cetus’ 71% recovery rate via Sui validator coordination sets a precedent for on-chain governance in mitigating losses, a model other protocols may adopt.
Regulatory Pressure: The SEC’s Crypto Task Force and FATF guidelines are pushing for stricter anti-money laundering measures, which could impact DeFi platforms’ operations.
X posts reflect community concern, with @CryptoXpresso noting the “scary” scale of the Cetus hack, while @Web3Watcher praised Sui’s recovery efforts as a “game-changer for DeFi security.”
What’s Next for Cetus and the Crypto Industry?
Cetus is focused on recovery and relaunch, with plans to:
Upgrade smart contracts to patch vulnerabilities.
Restore liquidity pools to stabilize token prices.
Collaborate with law enforcement to recover the $60 million on Ethereum.
The broader crypto industry is responding with heightened security measures:
Audits and Bug Bounties: Platforms like Cork and Cetus are investing in audits and bounties to preempt exploits.
Cross-Chain Collaboration: Sui’s validator model shows how ecosystems can unite to freeze stolen funds, a strategy Ethereum and Aptos may emulate.
User Education: CertiK’s report emphasizes phishing ($47 million in May losses) as a growing threat, urging users to secure private keys and verify transactions.
Conclusion
The $244 million in crypto losses in May 2025, driven by the $223 million Cetus Protocol hack and a $5.2 million North Korean theft, highlight the persistent risks in DeFi. While Cetus’ recovery of 71% of stolen funds and Sui’s on-chain governance offer hope, the incidents underscore the need for robust smart contract audits, user vigilance, and global cooperation against state-sponsored hackers. As the crypto market navigates a bullish 2025, strengthening security will be critical to sustaining investor confidence.