AI-Driven Phishing Scams and Hidden Crypto Exploits Threaten Web3 Security

  • SBI Crypto was breached, losing $21 million in assets that were then laundered through a mixer.
  • A phishing scam targeting GMGN tricked 107 users into approving fraudulent transactions.
  • Honeypot token scams rose 600% month-over-month, with more than 2,100 tokens detected.

Web3 has entered a new phase of cyber threats, where attackers increasingly leverage artificial intelligence, automation tools, and advanced social engineering to exploit users across decentralized networks.

According to GoPlus Security, more than $45.84 million was lost in October alone due to a wave of scams, phishing campaigns, token exploits, and wallet hacks.

The data highlights how fraudsters are refining their techniques and deploying highly effective exploits that have impacted thousands of users and platforms across Ethereum, Binance Smart Chain, and Base.

Hackers use AI and automation to scale phishing campaigns

GoPlus observed a sharp rise in phishing attacks that resulted in more than $3.5 million in losses.

An increasing share of these scams is powered by “Phishing-as-a-Service” platforms, where threat actors use AI tools to quickly generate fake websites and launch large-scale campaigns at lower operational cost.

One of the largest phishing incidents targeted broker GMGN.

In that case, 107 users were duped by a counterfeit third-party site into approving malicious transactions, resulting in losses exceeding $700,000.

The phishing scam replicated legitimate wallet interactions and tricked victims into signing approval requests that gave attackers control over their funds.

In another incident, a trader approved a malicious “increaseAllowance” call, losing $325,000 in Coinbase Wrapped Bitcoin.

Separately, a different user lost $440,000 after signing a fraudulent “approval” transaction.

Both exploits underline the rise of deceptive contract approvals, often enabled by misleading interfaces that mimic trusted apps.
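The two approval losses above come down to what the wallet prompt actually encodes: a spender address and an allowance amount. The following Python script, added here as an illustration and not code from GoPlus or the article, decodes ERC-20 approval calldata before it is signed and flags an unknown spender or an unlimited allowance. The function selectors are the standard ones for approve(address,uint256), increaseAllowance(address,uint256) and setApprovalForAll(address,bool); the spender addresses and calldata samples are constructed for the demonstration.

```python
"""Decode the calldata of an ERC-20 approval before it is signed and flag
risky grants (unknown spender, unlimited allowance).

Added example for this article; it is not GoPlus code. The selectors are
the standard ones for approve(address,uint256), increaseAllowance(address,
uint256) and setApprovalForAll(address,bool). Spender addresses and calldata
used below are constructed for illustration.
"""
from dataclasses import dataclass, field

UINT256_MAX = 2**256 - 1

# keccak256(signature)[:4] for the approval-style functions a fake dApp may hide
SELECTORS = {
    "095ea7b3": "approve",
    "39509351": "increaseAllowance",
    "a22cb465": "setApprovalForAll",
}


@dataclass
class ApprovalCheck:
    function: str
    spender: str
    amount: int
    warnings: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.warnings)


def encode_approval(selector: str, spender: str, amount: int) -> str:
    """Build calldata for a two-argument approval call (used to construct samples)."""
    spender_word = bytes(12) + bytes.fromhex(spender.removeprefix("0x"))
    amount_word = amount.to_bytes(32, "big")
    return "0x" + selector + (spender_word + amount_word).hex()


def decode_approval(calldata: str, known_spenders=(), holder_balance=None):
    """Return an ApprovalCheck for approval-type calldata, or None for other calls."""
    data = bytes.fromhex(calldata.removeprefix("0x"))
    function = SELECTORS.get(data[:4].hex())
    if function is None:
        return None  # transfers, swaps, etc. are out of scope for this check
    args = data[4:]
    if len(args) != 64:
        raise ValueError("expected exactly two 32-byte ABI words")
    spender_word, amount_word = args[:32], args[32:]
    warnings = []
    # An address occupies the low 20 bytes; non-zero padding is malformed ABI data.
    if any(spender_word[:12]):
        warnings.append("malformed spender word")
    spender = "0x" + spender_word[12:].hex()
    amount = int.from_bytes(amount_word, "big")
    known = {s.lower() for s in known_spenders}
    if spender.lower() not in known:
        warnings.append("spender is not an allow-listed contract")
    if function == "setApprovalForAll":
        if amount == 1:
            warnings.append("grants operator rights over every token in the collection")
    elif amount == UINT256_MAX:
        warnings.append("unlimited allowance")
    elif holder_balance is not None and amount > holder_balance:
        warnings.append("allowance exceeds current balance")
    return ApprovalCheck(function, spender, amount, warnings)


if __name__ == "__main__":
    ROUTER = "0x" + "aa" * 20   # constructed: a trusted DEX router address
    UNKNOWN = "0x" + "bb" * 20  # constructed: a spender the user has never seen
    samples = {
        "normal swap approval": encode_approval("095ea7b3", ROUTER, 10**18),
        "phishing increaseAllowance": encode_approval("39509351", UNKNOWN, UINT256_MAX),
    }
    for label, calldata in samples.items():
        check = decode_approval(calldata, known_spenders=[ROUTER], holder_balance=5 * 10**18)
        print(f"{label}: {check.function} -> {check.spender} amount={check.amount}")
        for warning in check.warnings:
            print("  WARNING:", warning)
```

The allow-list is the important input: a counterfeit site can make the page look like the real app, but it cannot change the spender address encoded in the transaction, so a wallet or browser extension that decodes the call and compares the spender against contracts the user has knowingly interacted with gives a signal the interface cannot spoof.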

Sophisticated exploits tied to state-style laundering tactics

The largest single exploit involved SBI Crypto, which suffered a breach that drained digital assets valued at $21 million. The losses included Bitcoin, Ethereum, Litecoin, Dogecoin, and Bitcoin Cash.

While SBI Crypto did not officially confirm the breach’s origin, a joint analysis by ZachXBT and Cyvers identified patterns similar to those used by North Korean hacking groups.

Attackers are reported to have funneled funds through Tornado Cash, a well-known crypto mixer that has been sanctioned for its role in laundering state-sponsored thefts.

This laundering technique closely mirrors activity associated with the Lazarus group, although the report emphasizes that the connection has not been definitively verified.

Web3 platforms targeted by honeypot tokens

Alongside phishing and direct exploits, the report found a dramatic uptick in honeypot tokens.

Honeypot tokens are malicious smart contracts that allow users to buy tokens but prevent them from selling or withdrawing funds.

Honeypot detections rose 600% last month, reaching 2,189 identified tokens — still far fewer than the roughly 40,000 recorded in June 2025.

[Chart: GoPlus honeypot token detections. Source: GoPlus Security]

Binance Smart Chain accounted for the bulk of these tokens with 1,780, followed by 216 on Ethereum and 131 on Base.

These tokens embed hidden restrictions that block transactions, leaving investors’ funds stranded in illiquid assets.

Their rise signals a shift toward embedded contract-level scams that can evade basic security tools.
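Because the restriction lives inside the contract, static inspection of a token's name or liquidity does not reveal it; detectors instead simulate a buy followed by a sell and compare what comes back. The Python script below is an added example of that round-trip check and is not GoPlus's detector. `TokenModel` is a constructed in-memory stand-in for a token contract (a real check would run the same buy/sell sequence as call simulations against a forked chain), and the pool, trader and amounts are constructed values.

```python
"""Round-trip simulation used to spot honeypot tokens: buy a small amount,
then try to sell it back and compare what comes out.

Added example for this article, not GoPlus code. TokenModel is a constructed
in-memory stand-in for a token contract; a real detector would replay the same
buy/sell sequence as call simulations against a forked chain.
"""


class TransferBlocked(Exception):
    """Raised when the token's transfer logic reverts."""


class TokenModel:
    def __init__(self, sell_tax_bps=0, sells_blocked=False):
        self.sell_tax_bps = sell_tax_bps    # fee on transfers into the pool
        self.sells_blocked = sells_blocked  # the restriction a honeypot enforces
        self.balances = {}

    def mint(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount

    def transfer(self, sender, recipient, amount, pool):
        """Move tokens; a transfer into the pool is a sell and may be taxed or reverted."""
        if self.balances.get(sender, 0) < amount:
            raise TransferBlocked("insufficient balance")
        if recipient == pool and self.sells_blocked:
            raise TransferBlocked("transfer reverted")
        fee = amount * self.sell_tax_bps // 10_000 if recipient == pool else 0
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount - fee
        return amount - fee


def round_trip_check(token, pool, trader, amount, max_loss_bps=2_000):
    """Simulate buy then sell; return (verdict, tokens received on sell, reason)."""
    # Buy: the pool sends tokens to the trader (does not touch the sell path).
    received = token.transfer(pool, trader, amount, pool)
    if received == 0:
        return "honeypot", 0, "buy delivered nothing"
    # Sell: the trader sends everything back to the pool.
    try:
        returned = token.transfer(trader, pool, received, pool)
    except TransferBlocked as exc:
        return "honeypot", 0, str(exc)
    loss_bps = (received - returned) * 10_000 // received
    if loss_bps > max_loss_bps:
        return "high_sell_tax", returned, f"{loss_bps / 100:.1f}% lost on sell"
    return "ok", returned, ""


if __name__ == "__main__":
    POOL, TRADER = "pool", "trader"  # constructed account labels
    candidates = {
        "honest token": TokenModel(),
        "sell-blocking token": TokenModel(sells_blocked=True),
        "99% sell tax token": TokenModel(sell_tax_bps=9_900),
    }
    for label, token in candidates.items():
        token.mint(POOL, 1_000_000)  # constructed pool liquidity
        verdict, returned, reason = round_trip_check(token, POOL, TRADER, 1_000)
        print(f"{label}: {verdict} (got back {returned}) {reason}")
```

The loss threshold separates the two failure modes the article groups under honeypots: an outright revert on the sell path, and a transfer fee so large that the position is effectively stranded. Whitelists, per-wallet blocklists and "trading enabled" switches all surface the same way in this check, because the simulation exercises the code path a real seller would hit rather than looking for a specific pattern.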

Tokens and social accounts compromised in broader exploits

The broader ecosystem also suffered losses from social media takeovers and platform-level intrusions.

Astra Nova’s official social account was hijacked, triggering a large-scale sell-off of its native RVV token and causing roughly $10.3 million in losses.

In a separate incident, the decentralized finance platform Garden Finance was hit by a vulnerability that cost users about $10.8 million, according to ZachXBT.

These incidents reflect a wide attack surface that encompasses both user-facing interfaces and server-side contract code.