Attackers Shift Tactics Toward Offchain Infrastructure in Sophisticated Exploits
Cybercriminals stole over $142 million from the crypto industry in July 2025, according to blockchain security firm PeckShield, marking a sharp uptick in malicious activity targeting exchanges and decentralized platforms. The firm tracked 17 separate incidents during the month, with the $44 million hack of CoinDCX emerging as the most significant.
#PeckShieldAlert In July 2025, ~17 major crypto hacks were recorded, resulting in total losses of $142M—a 27.2% increase (from $111.6M in June). Notably, the #GMX exploiter has returned ~$40.5M worth of cryptos, including 10K ETH and 10.5M $FRAX. #Top5 Hacks in July 2025:…
— PeckShieldAlert (@PeckShieldAlert) August 1, 2025
The July total represents a 27% increase from June’s $111 million in losses, though it remains 46% lower than the $266 million stolen in July 2024, when the $230 million WazirX hack dominated headlines.
CoinDCX Breach Tops July Losses
The largest single incident involved Indian cryptocurrency exchange CoinDCX, which lost $44 million in a server-level security breach on July 18. CoinDCX CEO Sumit Gupta called the incident a “sophisticated server breach,” and Indian authorities have since arrested a CoinDCX employee in connection with the attack.
The platform has reportedly taken steps to contain the breach and is working with law enforcement and forensic teams to recover the lost assets.
GMX Hacker Returns Funds After $40M Exploit
In another high-profile incident, the decentralized exchange GMX was exploited on July 11 for $40 million, making it the second-largest attack in July. However, the attacker later returned the stolen funds, according to PeckShield, reducing the net losses for the month.
This unusual restitution highlights a trend seen in several recent cases where attackers, sometimes labeled as “white hat hackers,” exploit vulnerabilities only to return the funds after negotiating bug bounties or seeking notoriety.
BigONE and WOO X Round Out Top 3
Crypto exchange BigONE suffered a $27 million loss on July 16 after a third-party attack targeted its hot wallet infrastructure. The attack exploited a vendor integration, underscoring how interconnected systems can become entry points for hackers.
Just days later, on July 24, WOO X, a crypto trading platform, lost at least $14 million in a phishing attack that compromised a team member’s device.
According to Rob Behnke, chairman of blockchain security firm Halborn, the WOO X incident demonstrates how attackers are increasingly turning to social engineering to gain access to internal systems.
“The attacker used social engineering to compromise a team member’s computer,” Behnke explained. “From there, they could pivot to the development environment and exploit trust in the system to drain user accounts.”
The attacker was able to execute multiple malicious transactions over two hours before the suspicious activity was detected and withdrawals were halted.
Funds Stolen Across Multiple Chains
The July hacks affected multiple blockchain networks, including:
- Bitcoin (BTC)
- Ethereum (ETH)
- BNB Chain (BNB)
- Arbitrum (ARB)
WOO X later restored affected account balances using company treasury funds, minimizing the impact on end users.
Trend: Hackers Targeting Offchain Infrastructure
Behnke emphasized that attackers are increasingly bypassing traditional smart contract exploits and focusing instead on offchain infrastructure vulnerabilities.
“Instead of looking for exploitable smart contract bugs, attackers now focus on backend systems and operational processes,” he said.
These attacks exploit weaknesses in:
- Server configurations
- Employee devices
- Vendor integrations
- Authentication and access controls
The shift poses a new set of challenges for crypto firms that may already invest heavily in onchain auditing, but leave backend processes more exposed.
Recommendations: Strengthen Security Beyond Smart Contracts
In light of these developments, Behnke and other security experts urge Web3 projects to:
- Implement multi-layered security controls
- Conduct regular offchain infrastructure audits
- Train staff to resist phishing and social engineering tactics
- Use endpoint detection and response (EDR) tools
The evolving threat landscape indicates that even well-funded and established platforms are at risk if their internal and operational security isn’t airtight.
A Cautionary Month for Crypto
While July’s $142 million in losses is a stark reminder of the risks in the crypto ecosystem, it also highlights how attacker strategies are evolving. Rather than targeting only DeFi protocols or smart contracts, hackers are increasingly launching coordinated campaigns that blend social engineering, phishing, and backend manipulation.
With more than $2.5 trillion in crypto market capitalization and rising institutional participation, robust end-to-end security is now essential — not only onchain, but across the entire tech stack.