SlowMist Monthly Security Report: July Estimated Losses at $147 Million

https://dune.com/scam-sniffer/july-2025-scam-sniffer-scam-report

Major Security Incidents

CoinDCX

On July 19, 2025, on-chain investigator ZachXBT posted on his channel:

Looks like the India centralized exchange ‘CoinDCX’ was likely drained for ~$44.2M almost 17 hours ago and has yet to disclose the incident to the community.

Shortly after, CoinDCX co-founder Sumit Gupta responded on X, stating that the compromised wallet was an internal operations account used solely for providing liquidity. He emphasized that customer funds were stored securely in cold wallets and were not affected. Trading and withdrawals would resume shortly, and all losses incurred from the attack would be covered by CoinDCX’s reserves.

https://x.com/smtgpt/status/1946597988660645900

On July 31, FinanceFeeds reported that a software engineer from CoinDCX was arrested for assisting in the attack. The attacker had tricked the engineer into installing malware on their computer under the pretense of a part-time job with high pay. The malware, a sophisticated keylogger, allowed the attacker to obtain login credentials and access CoinDCX’s internal systems, ultimately leading to the incident.

GMX

On July 9, 2025, SlowMist’s MistEye security monitoring system detected an exploit targeting the decentralized exchange GMX, resulting in losses of over $42 million. According to the SlowMist security team, the attacker exploited two design flaws:

  1. The Keeper system enables leverage during order execution.
  2. The global average short price is updated on short positions but not updated when covering shorts.

Through a reentrancy attack, the attacker created large short positions and manipulated the global average short price and global short open interest. This artificially inflated the GLP price, enabling the attacker to redeem for profit. Full technical analysis: Inside the GMX Hack: $42 Million Vanishes in an Instant.

https://x.com/GMX_IO/status/1943654914749534380

BigONE

On July 16, 2025, the SlowMist security team detected a supply chain attack on the cryptocurrency exchange BigONE, resulting in losses of over $27 million. The attacker breached the production network and modified server logic related to accounts and risk control, enabling unauthorized fund transfers. On July 24, BigONE posted an update on X stating that no private keys were leaked and that all losses would be fully covered by the platform.

https://x.com/SlowMist_Team/status/1945346830222680330

WOO X

On July 24, 2025, centralized exchange WOO X paused withdrawals due to a security vulnerability. Nine user accounts suffered unauthorized withdrawals totaling around $14 million. According to the official disclosure, the root cause was a targeted phishing attack on a team member. The attacker gained limited access to the platform’s development environment via the compromised device, bypassed certain security controls, and coordinated unauthorized withdrawals from the affected accounts.

https://support.woox.io/hc/en-us/articles/49178783818777-Temporary-withdrawal-suspension-July-24-2025

ZKSwap

On July 9, 2025, Ethereum Layer 1 cross-chain bridge ZKSwap suffered an exploit, resulting in losses of approximately $5 million. The attacker exploited the bridge’s emergency withdrawal mechanism. Analysis showed that the mechanism responsible for verifying zero-knowledge proofs failed to perform actual verification. This critical oversight allowed the attacker to forge withdrawal proofs and bypass the bridge’s core security mechanism.

https://x.com/R4ZN1V/status/1948448167734673838

Attack Patterns and Security Recommendations

In July, smart contract vulnerabilities remained the dominant attack vector, with centralized and decentralized exchanges being the primary targets. Notably, centralized exchanges accounted for $85.2 million in losses — 60.8% of the total losses for the month.

The SlowMist security team advises that when integrating complex features like leverage and oracles, DeFi protocols must pay special attention to global state consistency and thorough boundary condition validation to prevent systemic risks arising from flawed interaction logic. Centralized exchanges, on the other hand, should further elevate their audit standards, enhance system transparency, and reinforce overall security defenses.
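The global state consistency point above, and the second GMX design flaw listed earlier, shown as an added example (not SlowMist's or GMX's code). It is a simplified Python model with constructed positions and hypothetical names (`ShortBook`, `invariant_drift`): a short book whose global average price is or is not refreshed when a short is closed, plus an invariant check that compares the global figures against the per-position truth.

```python
# Simplified toy model, constructed for illustration; not GMX's contract code.
from dataclasses import dataclass, field

@dataclass
class ShortBook:
    update_avg_on_close: bool                      # False models the flaw described above
    positions: dict = field(default_factory=dict)  # id -> (size_usd, entry_price)
    global_size: float = 0.0
    global_avg: float = 0.0

    def open_short(self, pid, size_usd, price):
        # A size-weighted harmonic mean keeps global PnL equal to the sum of positions.
        units = (self.global_size / self.global_avg if self.global_size else 0.0)
        units += size_usd / price
        self.global_size += size_usd
        self.global_avg = self.global_size / units
        self.positions[pid] = (size_usd, price)

    def close_short(self, pid):
        size_usd, entry = self.positions.pop(pid)
        units = self.global_size / self.global_avg - size_usd / entry
        self.global_size -= size_usd
        # The flawed variant shrinks the size but leaves the average stale.
        if self.update_avg_on_close and self.global_size > 0:
            self.global_avg = self.global_size / units

    def global_pnl(self, price):
        """Aggregate short PnL as derived from the two global variables."""
        if self.global_size == 0:
            return 0.0
        return self.global_size * (self.global_avg - price) / self.global_avg

    def true_pnl(self, price):
        """Ground truth: sum of each open position's own PnL."""
        return sum(s * (e - price) / e for s, e in self.positions.values())

def invariant_drift(book, price):
    """Absolute gap between global accounting and per-position truth."""
    return abs(book.global_pnl(price) - book.true_pnl(price))

def run_scenario(update_avg_on_close):
    book = ShortBook(update_avg_on_close)
    book.open_short("a", 100_000, 2000.0)   # constructed sample positions
    book.open_short("b", 100_000, 1000.0)
    book.close_short("a")
    return invariant_drift(book, price=1500.0)
```

Checked after every state-changing operation in a test suite, a non-zero drift means any value derived from the global variables, such as an LP token price, is being computed from inconsistent state.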

Beyond on-chain attacks, security risks in everyday use cases should not be overlooked:

  • This month, another case was reported where a user lost assets after purchasing a hardware wallet through unofficial channels. The victim lost 4.35 BTC. The SlowMist team previously detailed this type of scam in the Beginner’s Guide to Web3 Security: Common Hardware Wallet Pitfalls, which is recommended reading.
  • Fake Zoom phishing scams have also been rampant recently. In these scams, users join a fake Zoom meeting via a malicious link. The video feed appears normal, but there is no sound. When users seek help from the attacker posing as tech support, they are instructed to download a “fix tool,” which results in asset theft.
    The Web3 phishing simulation platform Unphishable (https://unphishable.io/) has launched a new level themed around “fake Zoom meeting phishing.” Users can test their awareness and improve security skills through interactive scenarios.

In conclusion, the events covered in this article represent the major security incidents of the month. For more blockchain security incidents, please visit the SlowMist Hacked database (https://hacked.slowmist.io).

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience, with the aim of becoming a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
