Attacks on Atomic, Exodus and Major Crypto Exchange Wallets – The Era of New Threats in Cybersecurity, Cyberattacks on Crypto Wallets and Supply Chains 2025: Scale of Threats and New Fraud Methods

25.07.2025

Users of cryptocurrency wallets Atomic Wallet and Exodus have fallen victim to a new, large-scale cyberattack campaign aimed at stealing their funds by infecting local installations with malicious code. The incident was discovered by researchers at ReversingLabs in early April 2025 and is an advanced form of software supply chain attack, where attackers disguise malicious elements as legitimate code packages in popular online npm repositories used by software developers.

The main tool of the attack was a malicious npm package called “pdf-to-office”, which was presented as a utility for converting PDF files into Microsoft Office documents. In fact, this package was intended to introduce Trojan patches into local versions of the Atomic Wallet (versions 2.90.6 and 2.91.5) and Exodus Wallet (versions 25.9.2 and 25.13.3) crypto wallet software. When installed, the package checked for the presence of target wallets in the system and replaced certain files (for example, app.asar for Atomic or src/app/ui/index.js for Exodus) with trojanized versions that retained all the functions of the original, but at the same time embedded fake addresses for cryptocurrency transfers, encoded in Base64, into the interface. Thus, when the user tried to send funds, the recipient’s address was automatically replaced with the attackers’ address, and the money went to the scammers.
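Because the trojanized files described above carry their replacement addresses as Base64 strings, one defensive check is to scan a wallet's JavaScript for Base64 literals that decode to an address-shaped value. The following is an added example, not code from the original article or from ReversingLabs; the function names, the address patterns chosen and the sample input are assumptions made for illustration.

```javascript
// Added example: flag quoted Base64 literals in JavaScript source that decode
// to a string shaped like a cryptocurrency address (format only, no checksum).

const ADDRESS_PATTERNS = [
  { chain: 'ethereum', re: /^0x[0-9a-fA-F]{40}$/ },
  { chain: 'bitcoin-legacy', re: /^[13][1-9A-HJ-NP-Za-km-z]{25,34}$/ },
  { chain: 'bitcoin-bech32', re: /^bc1[02-9ac-hj-np-z]{39,59}$/ },
  { chain: 'tron', re: /^T[1-9A-HJ-NP-Za-km-z]{33}$/ },
];

// A quoted literal made only of Base64 characters. 24 characters is shorter
// than the encoding of any address shape above, so no candidate is skipped.
const B64_LITERAL = /(["'`])([A-Za-z0-9+/]{24,}={0,2})\1/g;

// Decode only canonical Base64 that yields printable ASCII; otherwise null.
function decodeBase64Strict(literal) {
  if (literal.length % 4 !== 0) return null;
  const buf = Buffer.from(literal, 'base64');
  if (buf.toString('base64') !== literal) return null; // non-canonical input
  const text = buf.toString('latin1');
  return /^[\x21-\x7e]+$/.test(text) ? text : null;
}

// Returns one finding per Base64 literal that hides an address-shaped string.
// allowlist: addresses the reviewer already knows to be legitimate.
function scanSource(source, file, allowlist = []) {
  const allowed = new Set(allowlist.map((a) => a.toLowerCase()));
  const findings = [];
  for (const m of source.matchAll(B64_LITERAL)) {
    const decoded = decodeBase64Strict(m[2]);
    if (decoded === null || allowed.has(decoded.toLowerCase())) continue;
    const hit = ADDRESS_PATTERNS.find((p) => p.re.test(decoded));
    if (!hit) continue;
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({ file, line, chain: hit.chain, decoded, literal: m[2] });
  }
  return findings;
}

// Constructed sample input: a placeholder address, not one from the campaign.
const CONSTRUCTED_ADDRESS = '0x' + '1'.repeat(40);
const SAMPLE_SOURCE = [
  'const title = "Send funds";',
  // Base64 of the letters A..Z: long enough to be scanned, but not an address.
  'const alphabet = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=";',
  `const k = "${Buffer.from(CONSTRUCTED_ADDRESS).toString('base64')}";`,
].join('\n');

for (const f of scanSource(SAMPLE_SOURCE, 'src/app/ui/index.js')) {
  console.log(`${f.file}:${f.line} ${f.chain} address hidden in Base64: ${f.decoded}`);
}
```

To check a real installation, read the file's contents as text and pass them to `scanSource`; any finding in a wallet's interface code is a reason to reinstall from the vendor's official installer.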

The peculiarity of this attack is its high degree of sophistication and secrecy. The malicious code was injected into locally installed versions of wallets, which made the attack difficult for antivirus or code verification tools to detect. The user interface remained familiar, and the victim might not suspect the address substitution due to the visual similarity. In addition, the attackers did not limit themselves to address substitution: the package was also recorded archiving data from the AnyDesk folder and sending it to an external server, which may indicate attempts to cover their tracks or prepare for larger-scale actions.

The attackers actively updated the “pdf-to-office” package: after the first version was removed, it was quickly re-released with minor changes, which allowed the campaign to remain active longer and be distributed via the npm repository. In total, the number of downloads reached several hundred in a short period of time.

This type of attack falls under the threat vector of “software supply chain attacks,” which are becoming increasingly popular among cybercriminals due to the trust in widely used open-source libraries and packages. Cryptocurrency applications are particularly vulnerable to such attacks, where stolen private keys and address substitution directly lead to financial losses.

In addition to these incidents, Hacken estimates that losses from hacks and exploits in the cryptocurrency industry in the first quarter of 2025 reached approximately $2 billion, with a notable $1.4 billion hack of the Bybit exchange in February 2025. Analysis by SafeWallet found that attackers gained access to the development environment through hijacked Amazon Web Services sessions, allowing them to inject malicious code into key projects. Among the numerous attacks, there are also cases of address poisoning, where fraudsters create addresses very similar to victims’ addresses, causing them to mistakenly transfer funds to fraudulent wallets. In March 2025, such attacks resulted in the theft of funds amounting to approximately $1.2 million.

This set of attacks and their losses indicate a constantly growing threat to users and developers of crypto communities. To protect against such exploits, experts advise:

  • Always use official wallet installation files from trusted sources;
  • Update your software regularly and monitor for reports of discovered vulnerabilities;
  • Be careful when sending funds, especially checking the recipient’s address completely;
  • Avoid installing untested packages from online repositories unless strictly necessary.
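Checking the recipient's address completely matters because address poisoning, described above, relies on addresses that match a familiar one only at the visible start and end. The following added example (not from the original article) compares a recipient against a saved address book and separates exact matches from lookalikes; the function names, the head/tail lengths and the addresses are constructed assumptions.

```javascript
// Added example: classify a recipient address as known, lookalike or unknown
// before a transfer is signed.

// Ethereum-style hex addresses are case-insensitive (mixed case is only the
// EIP-55 checksum), so lower-case them; other formats are compared as-is.
function normaliseAddress(addr) {
  const a = addr.trim();
  return /^0x[0-9a-fA-F]{40}$/.test(a) ? a.toLowerCase() : a;
}

// Number of character positions at which two addresses differ.
function countDifferences(a, b) {
  let diff = Math.abs(a.length - b.length);
  for (let i = 0; i < Math.min(a.length, b.length); i++) {
    if (a[i] !== b[i]) diff++;
  }
  return diff;
}

// head/tail: how many leading and trailing characters a truncated wallet UI
// shows (assumed values; set them to match the interface in use).
function checkRecipient(candidate, addressBook, { head = 6, tail = 4 } = {}) {
  const c = normaliseAddress(candidate);
  let lookalike = null;
  for (const entry of addressBook) {
    const k = normaliseAddress(entry.address);
    // An exact match anywhere in the book wins over an earlier lookalike.
    if (c === k) return { verdict: 'known', label: entry.label };
    const sameEnds =
      c.slice(0, head) === k.slice(0, head) && c.slice(-tail) === k.slice(-tail);
    if (sameEnds && lookalike === null) {
      lookalike = {
        verdict: 'lookalike',
        label: entry.label,
        resembles: entry.address,
        differingChars: countDifferences(c, k),
      };
    }
  }
  return lookalike ?? { verdict: 'unknown' };
}

// Constructed sample data: none of these addresses belongs to a real party.
const ADDRESS_BOOK = [
  { label: 'exchange deposit', address: '0xA1b2' + 'C'.repeat(32) + '9F3e' },
];
const POISONED = '0xa1b2' + 'd'.repeat(32) + '9f3e'; // same ends, different middle

const verdict = checkRecipient(POISONED, ADDRESS_BOOK);
console.log(
  `${verdict.verdict}: resembles "${verdict.label}" but differs in ` +
    `${verdict.differingChars} characters`
);
```

A `lookalike` verdict should block the transfer until the full address has been compared character by character with the saved entry.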

The pdf-to-office incident proves that attackers are using increasingly sophisticated methods to infiltrate trusted software chains and steal digital assets, and addressing cybersecurity issues in the cryptosphere remains a top priority for the industry.

  1. Crypto Hacks 2025: Full Report and Attack Timeline (BitOK)
    • A detailed overview of hacks and exploits in the crypto industry for the first quarter of 2025. Includes cases of attacks on smart contracts, theft of private keys, attack vectors and their consequences.
    • Example: Smart contract hack with liquidity theft and successful counterattack by white hat hackers.
    • An overview of supply chain attack vectors and the use of malicious proxy contracts (bitok.org).
  2. Cyber Threats to the Financial Industry: Forecast for 2025–2026 (Positive Technologies)
    • Analysis of threats in the financial sector, including API vulnerabilities and attacks on software providers. Considerable attention is paid to smart contract vulnerabilities affecting cryptocurrency projects.
    • Examples of successful attacks using poor input validation and exploits in legacy software (ptsecurity.com).
  3. Current Cyber Threats: Q4 2024 – Q1 2025 (Positive Technologies)
    • Describes supply chain attack trends, including the infection of popular libraries in the Python and npm repositories with malicious code for mining and data theft.
    • The article discusses complex social engineering schemes and automated attacks relevant to the financial and crypto sectors (ptsecurity.com).
  4. Malicious code in Firefox: supply chain attack via npm (it-world.ru)
    • A specific case in July 2025 was the discovery of fake npm packages containing malicious code designed to compromise users through the supply chain (it-world.ru).
  5. Cryptocurrency Thefts 2025: Growth, ByBit Hack, and Large-Scale Attacks (CISO Club)
    • An article reviewing major crypto hacks, including the largest Bybit hack with billions of dollars in damages and the rise of attacks on personal wallets, which is directly related to the current trends of supply chain attacks (cisoclub.ru).
  6. 7 Key Cyber Threats in 2025 and How to Deal with Them (FutureBy.info)
    • An overview of the main types of threats, among which supply chain attacks occupy a leading place. Recommendations are given for protecting businesses and users from such threats.

The financial sector will face a threatening increase in cyberattacks in 2025–2026, according to a forecast by Positive Technologies based on an analysis of incidents in recent years and current security trends.

The main cyber threats to the financial industry remain:

  • API vulnerabilities and attacks through suppliers and contractors. With the growth of digitalization, financial institutions are increasingly using APIs to exchange data and interact with external systems. However, the frequent lack of full verification of input data and weak control of partner channels create ample opportunities for attackers who exploit these vulnerabilities for unauthorized access and compromise of systems.
  • Ransomware attacks. In 67% of successful cyber attacks on financial institutions in the recent period, malware was used to steal data and then blackmail the victims. This type of attack remains one of the most destructive, often leading to business shutdowns and significant financial losses.
  • Increase in social engineering and phishing. In more than half of the cases, attackers successfully deceived employees of financial companies using social engineering methods. The spread of generative artificial intelligence allows cybercriminals to create extremely convincing fake messages, exacerbating the problem.
  • QR code attacks and DDoS campaigns. Substitution of QR codes in payment and financial applications has already become a mass problem, allowing attackers to steal users’ funds. DDoS attacks continue to disrupt the stability of services, while attackers use AI to improve the effectiveness and adaptability of these attacks.
  • Threats associated with the use of artificial intelligence. Despite the advantages of AI in defense, its insufficient control and use by attackers leads to new, more sophisticated attack variants and manipulations.
  • Attacks on blockchain infrastructure and crypto projects. In the financial sector, there is a growing activity of attacks on smart contracts, theft of decentralized currency and exploitation of bugs in the code of blockchain projects.

According to Positive Technologies, the financial sector remained among the most attacked sectors between 2024 and early 2025, with two-thirds of successful attacks resulting in the leakage of confidential data and blackmail, while the rest resulted in disruptions in operations or theft of funds.

To counter these threats, the company recommends creating a multi-level protection system, including:

  • Regular auditing and strengthening of API and partner channel security.
  • Training staff to increase awareness of social engineering techniques.
  • Implementation of multi-factor authentication and cryptographic security measures.
  • Active implementation and control of the use of AI in cyber defense systems.
  • Using comprehensive solutions to detect and mitigate ransomware and DDoS attacks.

Thus, the Positive Technologies forecast demonstrates that maintaining stable and secure operation of the financial industry in the coming years requires adaptation to new types of threats, intensive development of security technologies and increased awareness of all market participants. This is especially relevant against the backdrop of growing digitalization and integration of financial services with ecosystems, where vulnerabilities and attacks are becoming increasingly large-scale and complex.

The first quarter of 2025 in the crypto industry was marked by a series of large-scale and technically sophisticated cyberattacks that damaged both centralized crypto exchanges and decentralized financial protocols. BitOK’s detailed report provides a comprehensive overview of the key hacks and exploits that occurred during this period, focusing on the variety of attack vectors used, their consequences, and attempts to combat them.

One of the most high-profile incidents was the hack of crypto exchange Bybit in February 2025, in which the attackers, allegedly associated with the North Korean hacker group Lazarus, managed to steal about $1.5 billion in digital assets. The hack was accompanied by the use of a “hidden transaction” method, when the hackers reproduced the exact address data and verified URLs, which misled Bybit’s internal security team and allowed the funds to be withdrawn from important offline wallets without hindrance. Despite attempts to recover the stolen funds, the majority of the funds – about 27.5% – were irretrievably lost (bitok.org).

The report also highlights a variety of attack vectors, including:

  • Smart contract attacks, including cases of liquidity theft through vulnerabilities in the logic of decentralized finance (DeFi) protocols, where attackers used reentrancy exploits and flash loans to withdraw funds;
  • Infrastructure hacks involving the compromise of private keys and seed phrases of crypto wallets, as well as the exploitation of vulnerabilities in user interfaces (frontend attacks), which allowed hackers to gain control over systems and mislead users;
  • Software supply chain attacks, where malicious code is injected into widely used libraries and packages, allowing applications to be surreptitiously infected and cryptographic keys and other data to be intercepted;
  • Account abuse and social engineering, including hacking of social media accounts and management systems, which was used to publish fraudulent data and deceive users.

Collectively, these methods resulted in financial losses of more than $2.1 billion in the first quarter, a significant increase from previous periods. However, about 80% of the stolen funds were related to infrastructure attacks, highlighting the vulnerability of the technical base of digital asset systems (investing.com).

Despite the scale of the damage, the crypto industry is taking steps to improve security – the report describes both successful counter-attacks by “white hat” hackers and recommendations for strengthening protection, including multi-level authentication, regular security audits, the use of cold storage of funds, and constant monitoring of smart contracts and infrastructure.

Thus, the first quarter of 2025 revealed a set of critical threats in the cryptosphere, emphasizing the need for a comprehensive approach to security at all levels – from code and infrastructure to user interfaces and security practices. The final BitOK report not only informs about the incidents that have already occurred, but also serves as a basis for increasing the industry’s resilience to future attacks.

The period from Q4 2024 to Q1 2025 saw a significant increase in cyber threats related to attacks on software supply chains, as confirmed by analyses by Positive Technologies and leading experts in the field of information security.

One of the key trends has been the infection of popular libraries in well-known Python (PyPI) and Node.js (npm) repositories with malicious code designed to mine cryptocurrency and steal sensitive data. For example, in late 2024 – early 2025, attackers managed to hack the repository of the Python library Ultralytics, widely used in computer vision. They posted malicious versions of the library using a vulnerability in GitHub Actions, which allowed them to publish malicious code on behalf of a legitimate developer (ptsecurity.com).

Similarly, malicious packages were found in the Python and npm ecosystems, including well-known examples such as the Python package graphalgo and the npm package express-cookie-parser. These packages injected malicious code that allowed attackers to gain access to systems or run hidden mining processes, significantly reducing the performance of users’ devices and putting them at risk of data loss (xygeni.io).

Additionally, in June 2025, a major attack on the npm platform was discovered, which compromised 17 popular packages from the Gluestack (@react-native-aria) family. The malicious JavaScript code, masked and obfuscated, functioned as a remote access trojan (RAT), giving attackers the ability to remotely execute commands, download and delete files on infected devices (itsec.ru).

It is noted that attacks on software supply chains remain among the most dangerous and difficult to detect. Malicious packages are often published directly to official repositories on behalf of legitimate accounts, using phishing campaigns to capture developer access tokens. For example, attackers successfully carried out a phishing attack, imitating official npm emails, which allowed them to upload malicious versions of popular packages such as eslint-config-prettier and eslint-plugin-prettier, which could run remote code on Windows devices (itsec.ru).

Another feature of the attacks during the period under review is the high degree of automation and the use of complex social engineering schemes, which allow attackers to effectively distribute malware and bypass control systems.

Positive Technologies experts emphasize that the successful attacks were caused by shortcomings in development processes, in particular, in the security of the CI/CD pipeline, the environment in which automated testing and code deployment occurs. Vulnerabilities in such processes allowed attackers to insert malicious code through pull requests and use automatic publishing mechanisms without proper verification (ptsecurity.com).

Based on this analysis, experts recommend that the financial and crypto sectors, as well as open source software developers, take the following measures:

  • Implementation of multi-level CI/CD security (e.g. application of SLSA and static code analysis (SAST) standards);
  • Raising awareness among developers and users about the risks of social engineering and phishing;
  • Use of multi-factor authentication and package publication monitoring systems;
  • Active use of early warning systems and dependency firewalls to detect malicious changes;
  • Regular security audits and timely vulnerability fixes, especially in build and release automation tasks.

Overall, the period from Q4 2024 to Q1 2025 revealed critical vulnerabilities in software supply chains, which creates serious risks for both the financial and crypto sectors, as well as for a wide range of open source software users. Only a comprehensive approach to security and constant control over the development and publication of software components can significantly reduce such threats and protect end users from losses and compromises.

This information is based on a Positive Technologies report and additional research into supply chain attacks in 2024–2025 (ptsecurity.com).

In July 2025, a major cybersecurity incident occurred involving an attack on the Firefox software supply chain via fake npm packages. Phylum and other security researchers discovered the publication of numerous malicious npm packages disguised as legitimate libraries and learning modules that were distributed to Firefox developers and users (securitymedia.org).

Main details and course of attack:

  • The attackers placed 67 malicious packages in the npm repository, which were downloaded more than 17,000 times. These packages were presented as training modules and testing tools, which reduced the suspicions of developers (securitymedia.org).
  • The key component of the malicious code was a downloader called XORIndex. It acts as a Trojan – collecting information about the operating system, IP address, browser data and configuration, and then sending this data to remote servers of the attackers for further control of the infected systems (securitymedia.org).
  • The malware interacts with other malicious modules, such as BeaverTail, which steals browser and crypto wallet data, and InvisibleFerret, a backdoor for remote control of an infected device (securitymedia.org).
  • The attack targeted the Mozilla Firefox supply chain, as malicious npm packages could be injected into browser extensions or dependent libraries, thereby compromising end users and developers (itspeaker.ru).
  • The XORIndex malware loader has gone through several stages of evolution, starting from relatively simple prototypes in early 2025 and evolving into a sophisticated stealth version that uses encryption and command-and-control rotation to evade detection (securitymedia.org).
  • The attackers, believed to be linked to Operation Contagious Interview and North Korean hacker groups, regularly published new versions of the malicious packages under different names, making them difficult to identify and remove (securitymedia.org).
  • The attack also included elements of social engineering, where packages were disguised as educational projects, enticing developers to install and run code without proper verification (securitymedia.org).

Consequences and recommendations:

  • The attack demonstrates the growing threat of software supply chain compromise, particularly in open source ecosystems such as npm, which is used by millions of developers worldwide (securitymedia.org).
  • Compromising popular components such as Firefox extensions and their associated libraries could result in the leakage of sensitive data, including browser sessions, access tokens, and crypto wallets.
  • To protect against such threats, experts recommend strict security measures, including careful checking and monitoring of installed npm packages, raising developer awareness of the risks of phishing and social engineering, implementing multi-factor authentication for access to repositories and CI/CD systems, and using automated code analysis tools for malicious features (securitymedia.org).

In summary, the July 2025 incident with malicious code in Firefox via the npm package supply chain is a prime example of a modern sophisticated cyberattack method that combines technical and social hacking techniques. It highlights the need for a comprehensive and proactive approach to security in the software development and distribution process, especially in critical and widely used products such as browsers.

Therefore, users and developers need to be selective and careful in managing dependencies and extensions, and employ modern cybersecurity measures to minimize the risks of compromise.

Why the npm supply chain attack is especially dangerous for Firefox users

An attack on the npm supply chain is particularly dangerous for Firefox users for several key reasons, which are rooted in the specifics of the development ecosystem, the prevalence of npm, and the browser’s architecture:

  1. The npm ecosystem is one of the largest and most trusted development platforms: npm (Node Package Manager) is used by millions of developers worldwide to distribute libraries and tools. Attackers can inject malicious code into popular or essential packages, making attacks very large-scale and effective. In the case of Firefox, such packages can directly affect extensions and related components of the browser (comnews.ru).
  2. Malicious code in npm can penetrate Firefox extensions and libraries: Packages from npm are often used in the development of extensions and some internal components of Firefox. Malicious code there can be injected into extensions, capture user data (e.g. browser sessions, OAuth tokens), perform remote control through backdoors and steal crypto wallets (1275.ru).
  3. High level of trust in official packages and difficulty of detection: Attackers disguise packages as legitimate libraries or training modules, which reduces suspicion among developers and users. Malicious code is often obfuscated and uses methods to bypass detection. Some of these packages function as remote access trojans (RAT), which allow hackers to execute any commands on the infected device without being noticed (itsec.ru).
  4. Using social engineering to compromise developers: Hackers carry out phishing attacks on npm developer accounts or hijack access tokens to publish malicious updates on behalf of legitimate authors. This makes it harder to combat because such packages appear legitimate in the repository and are distributed through official means (comnews.ru).
  5. Features of the Firefox browser and its architecture: Firefox makes heavy use of extensions and third-party components integrated through npm and other ecosystems. Infection at this level can lead to the theft of sensitive user data, bypass of security mechanisms, and covert remote control of infected machines – all of which puts the privacy and security of millions of Firefox users at risk (1275.ru).
  6. Evolution and scale of the attack: Firefox-related malware packages have undergone constant evolution, encryption elements have been introduced, command and control servers have been rotated, making them difficult to detect and clean up. The attackers regularly publish new versions under different names to achieve long-term activity and large-scale distribution (comnews.ru).

In summary, a supply chain attack via npm for Firefox is a serious threat that combines technical complexity, widespread adoption, and a high level of trust in npm packages to allow attackers to bypass traditional security measures and compromise end users at scale.

To protect yourself, it is recommended to carefully check the packages you install, use multi-factor authentication for developer accounts, use automated code analysis, and raise awareness of social engineering risks (comnews.ru).

In 2025, the crypto industry faced an unprecedented rise in large-scale cryptocurrency attacks and thefts, which caused billions of dollars in damage. One of the most high-profile incidents was the largest hack in cryptocurrency history, the Bybit exchange attack in February 2025, which caused around $1.5 billion in damages. This hack accounted for approximately 70-90% of all losses in the crypto sector in the first quarter and became a symbol of a new era of cyberwarfare in the crypto world (rbc.ru).

How the Bybit Hack Happened

Hackers gained control over the so-called cold wallet, the Ethereum storage used by the exchange to secure assets. To do this, they used complex cryptographic manipulation, changing the rules of the Safe{Wallet} multi-signature wallet. Thus, despite the visually correct interface and correct addresses, the signatories of the transactions actually authorized the change of the smart contract, allowing the withdrawal of funds to the attackers’ wallets. According to the investigation, the attack was linked to the North Korean hacker group Lazarus, which had previously committed similar actions on other crypto exchanges (rbc.ru).

The scale and consequences of the attacks

  • During the first six months of 2025, there were approximately 75 hacks and exploits of crypto exchanges, decentralized protocols, and personal wallets, with total losses amounting to more than $2 billion (rbc.ru).
  • The Bybit hack was the largest incident, costing the company and its users around $1.5 billion (rbc.ru).
  • The damage was so extensive that the exchange offered a reward of up to 10% of the stolen funds, which in Bybit’s case could amount to around $140 million to catch the criminals (lenta.ru).
  • Besides Bybit, other crypto platforms have also seen hacks worth millions of dollars, such as exploits and attacks on DeFi protocols, theft of private keys and seed phrases, which have contributed to the increase in the number of victims and the amount of funds lost (beincrypto.com).

Current trends and connection to supply chain attacks

According to analysts, technological vulnerabilities and attack methods in 2025 are actively related to the compromise of software supply chains. Hackers are increasingly injecting malicious code into popular npm packages, libraries, and tools that are used in the infrastructure of crypto platforms and their user interfaces. This allows for hidden address substitution, theft of private keys and sessions, as well as infection of wallets and exchange backends, including large ones like Bybit (spark.ru).

This approach increases the effectiveness of attacks by disguising malicious activity as a legitimate software update and bypassing security systems. The scale of the Bybit hack demonstrates that even large, technologically advanced organizations remain vulnerable to such advanced attacks.

Control measures and forecasts

In response to growing threats, crypto exchanges and security system developers are taking the following steps:

  • Strengthening multi-level authentication and access control to critical infrastructures.
  • Enhanced code monitoring and auditing, including checking all dependencies and npm packages.
  • Implementation of early warning systems for suspicious activity and compromise attempts.
  • Active collaboration with law enforcement and cybersecurity experts to investigate and neutralize threats.

However, analysts warn of a steady increase in the number and complexity of attacks in the coming years, requiring market participants to continually improve their protection mechanisms and increase user awareness.

Thus, 2025 became a turning point in the history of crypto hacks, with record losses and the demonstration of new sophisticated attack methods, in particular through supply chains and exploitation of vulnerabilities in smart contracts and key infrastructure of major crypto market players such as Bybit. These events became a serious challenge for the industry and a clear example of the need for comprehensive improvement of cybersecurity within crypto services.

How the Bybit Crypto Exchange Hack Changed Cyber Threat Assessments in the Crypto Industry

The February 2025 hack of cryptocurrency exchange Bybit revolutionized the crypto industry’s cyber threat landscape, demonstrating the scale and sophistication of modern attacks and exposing critical vulnerabilities of both technical and operational nature.

Key Changes in Cyber Threat Perceptions Following the Bybit Hack

  1. Threat Level Reaches New Scale
    The Bybit hack was the largest in crypto history, with losses estimated at $1.4-$1.5 billion. The incident showed that large centralized crypto exchanges with significant security systems are still vulnerable to well-planned attacks, dramatically raising awareness of the risks for the entire industry [rbc.ru].
  2. The importance of comprehensive security is highlighted
    The incident revealed that traditional smart contract auditing and basic protection of multi-sig wallets are insufficient. The hack was carried out by introducing malicious code into transaction approval procedures, bypassing existing controls. This highlighted the need for a broad, comprehensive audit of all technological processes, infrastructure and operational practices, and not just the “blockchain part” [hx.technology].
  3. Growing focus on human factors
    The breach proved that the human factor – the negligence and lack of vigilance of employees – remains a key weak point. Phishing, social engineering, and exploitation of predictable transaction approval procedures played a key role in the attack. This has increased the need for ongoing training of staff and regular attack simulations to assess readiness [block-chain24.com].
  4. Rethinking Approaches to Monitoring and Response
    Rapid withdrawals and transaction obfuscation have shown that exchanges need more effective real-time monitoring systems, automated alerts and immediate response protocols to prevent losses, and enhanced control over external tools and interfaces through which threats can penetrate [block-chain24.com].
  5. Increased focus on supply chains and third-party components
    One entry point for attacks has been found to be vulnerabilities and malicious code in the supply chains of software used by exchanges, including npm packages and external libraries. This has given impetus to increased control and auditing of dependencies and suppliers used [hx.technology].
  6. Emergence of New Security Standards and Guidelines
    Since the hack, the industry has been moving towards multi-layered security systems, stricter guidelines for multi-signature wallets, enhanced infrastructure auditing processes, and the development of more robust transaction and key access protocols. Projects to improve transparency and collaborate with law enforcement to combat cybercrime have also been noted [hx.technology].
  7. Impact on Market Sentiment and User Confidence
    The hack caused significant volatility in the crypto market, reflecting increased uncertainty and investor concerns. The rapid decline in the price of Ethereum and other market reactions showed that such attacks can significantly affect the economic stability of crypto assets [binance.com].

Conclusion

Thus, the Bybit hack in 2025 became a catalyst for rethinking cyber risks in the crypto industry. It demonstrated that even technologically advanced platforms and popular services remain vulnerable without a comprehensive approach to security that includes technical, organizational, and human-factor measures.

Cryptocurrency exchanges and service developers have been forced to strengthen measures to protect against phishing and social engineering, conduct comprehensive code and infrastructure audits, and improve anomaly detection and response systems. Risk assessments now take into account not only technical vulnerabilities, but also human factors, supply chains, and the external security context.

What Impact Has the Massive $1.46 Billion Hack Had on the Industry?

The massive hack of crypto exchange Bybit worth approximately $1.46 billion that occurred in February 2025 had serious consequences for the entire crypto industry and the digital asset market.

The main consequences of the hack include:

  1. Undermining trust in centralized crypto exchanges
    The incident exposed the vulnerability of the largest and most technologically advanced platforms such as Bybit, which was the second-largest global crypto exchange by trading volume. Users became more cautious about storing funds on centralized services, which led to increased interest in decentralized solutions (DeFi) and hardware wallets [binance.com].
  2. Volatility and Ethereum Price Decline
    After the hack, the price of Ethereum fell by more than 3-4%, which was due to investor panic and concerns about liquidity. At the same time, some of the stolen funds began to be quickly sold on the market, which further exacerbated the price decline [investing.com].
  3. Drop in Bybit’s Liquidity
    The exchange has seen its market makers leave and its share of global crypto liquidity drop by almost half, from 5% to 2.6%. Daily trading volume has fallen to $1.4 billion, significantly impacting the platform’s operational activity [itc.ua].
  4. Increased focus on software security and supply chains
    The hack was carried out through a fake user interface that misled wallet signers, revealing vulnerabilities in transaction approval processes and multi-signature wallet management. The case highlights the need for a comprehensive audit of code, infrastructure, and supply chain management, including npm packages and other dependencies [investing.com].
  5. Strengthening Security Measures Across the Industry
    In response to the hack, many crypto exchanges have begun implementing stronger multi-level authentication systems, improving access control to critical infrastructure, and upgrading staff skills to reduce the risks of social engineering and phishing [rbc.ru].
  6. Reward for assistance in the investigation
    Bybit has announced a reward of 10% of the value of the stolen funds (approximately $140 million) to incentivize the search for and return of the stolen tokens [rbc.ru].
  7. Impact on Industry and Market Perception
    The hack has damaged the reputation of the cryptocurrency industry, raising questions about the reliability and sustainability of the ecosystem as a whole. Although the Ethereum blockchain was not compromised, the incident highlighted the vulnerability of digital asset management processes, requiring a review of security standards [yellow.com].
  8. Recovery of funds and exchange operations
    Bybit was able to recover most of the stolen funds by buying on the market and receiving compensation from partners. The exchange also announced that it had returned to full security of client funds, but the incident became a lesson for the entire market [rbc.ru].

Ultimately, the $1.46 billion Bybit hack became a key wake-up call for the entire crypto industry, raising risk awareness, accelerating the development of new security measures, and changing the behavior of users and platform operators.

In 2025, cyber threats continue to become more complex and large-scale, significantly affecting the security of businesses and users around the world. According to analysts and experts, among the many types of attacks, supply chain attacks have become the most critical: they are among the most serious and difficult-to-detect threats.

Seven Key Cyber Threats in 2025

  1. Supply Chain Attacks
    2025 will see a sharp increase in attacks aimed at compromising trusted vendors, libraries, and packages integrated into companies’ software. Attackers use vulnerabilities and social engineering to inject malicious code into widely used components (such as npm packages), which can then infect millions of end users and business systems. These attacks are difficult to detect due to the high level of trust in vendors and components. According to CyberProof, such incidents have increased by more than 60% compared to the previous year [habr.com].
  2. Exploiting API and Public Service Vulnerabilities
    The financial and technology industries are particularly vulnerable to attacks due to insufficient data validation and outdated infrastructure. API vulnerabilities provide entry points for fraudsters, leading to large-scale data leaks and service disruptions [ptnl.moscow].
  3. Ransomware-as-a-Service (RaaS)
    This type of attack remains dominant and is evolving with the introduction of subscription attacks, where criminal groups sell malware kits to other attackers. RaaS leads to large-scale service outages and data loss, and the number of such attacks continues to increase [ptnl.moscow].
  4. Phishing attacks using modern technologies (deepfake, AI)
    Social engineering is becoming more sophisticated thanks to artificial intelligence: automated creation of phishing messages, deepfake videos and voice fakes increases the number of successful attacks on users and company employees [ptnl.moscow].
  5. DDoS and infrastructure attacks
    Numerous distributed denial of service attacks are aimed at disrupting service availability, and attackers are actively using AI to improve the effectiveness of such campaigns. Telecommunications and the financial sector are particularly vulnerable [ptnl.moscow].
  6. Threats Associated with Artificial Intelligence
    AI is used to create sophisticated and adaptive attacks on one hand, and to develop defense systems on the other. However, insufficient control and abuse of AI lead to the emergence of new vectors of hacking and manipulation [ptnl.moscow].
  7. The rise of MaaS (Malware-as-a-Service) phishing and malware campaigns
    The malware-as-a-service model allows criminals to deploy spyware and infostealers at minimal cost, making cyber threats more accessible and widespread. Malware is common in phishing campaigns, making up the majority of emails [cnews.ru].

How to deal with these threats: basic recommendations

  • Multi-layered supply chain protection: strict audit of contractors and suppliers, security monitoring of used libraries and components, implementation of development security standards (e.g. SLSA) and control of CI/CD processes [ptnl.moscow].
  • Constant updating and fixing of vulnerabilities: regular patching of systems, monitoring of zero-day vulnerabilities, application of virtual patches and timely response [ptnl.moscow].
  • Raising awareness and training staff: training employees in methods of recognizing phishing messages, training in secure methods of working with services and data [ptnl.moscow].
  • Use of multi-factor authentication and access control systems: restricting user rights, implementing strict authentication policies, control over developer accounts and access to repositories [ptsecurity.com].
  • Automated code review and monitoring: implementation of static security analysis tools (SAST), automated checks before publishing updates, and monitoring for suspicious activity [ptsecurity.com].
  • Use of modern detection and response systems: XDR platforms, SIEM, early warning and response systems, and a proactive approach to incident management [f6.ru].
  • Providing comprehensive infrastructure security: protecting public services, APIs, networks, and interactions with external systems [ptnl.moscow].
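
One way to automate the "checking all dependencies and npm packages" step from the control measures and the library monitoring recommended in the list above, as an added example (not code from this article or from any vendor it cites): a Node.js function that audits the `packages` map of a `package-lock.json` for denylisted names, non-registry sources, missing or weak integrity hashes, and unreviewed install scripts. The sample lockfile, the allowlist, the policy values and every package name other than `pdf-to-office` are constructed for illustration.

```javascript
// Added example: CI-style audit of an npm lockfile (lockfileVersion 2 or 3).
// Policy values are assumptions for illustration; tune them per project.
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";
// Names reported as malicious; "pdf-to-office" is the package named in this article.
const DENYLIST = new Set(["pdf-to-office"]);
// Hypothetical package the team has reviewed and allows to run install scripts.
const INSTALL_SCRIPT_ALLOWLIST = new Set(["example-native-build"]);
const STRONG_HASHES = new Set(["sha256", "sha384", "sha512"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

function auditLockfile(lock, policy = {}) {
  const registry = policy.registry || TRUSTED_REGISTRY;
  const denylist = policy.denylist || DENYLIST;
  const allowScripts = policy.allowScripts || INSTALL_SCRIPT_ALLOWLIST;
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error("expected a lockfile with a 'packages' map (lockfileVersion 2 or 3)");
  }
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "" || entry.link) continue; // root project and workspace links
    // npm records `name` when it differs from the folder name (aliased installs),
    // so prefer it: an alias must not hide a denylisted package.
    const name = entry.name || packageNameFromPath(lockPath);
    const add = (rule, detail) =>
      findings.push({ pkg: name, version: entry.version, rule, detail });

    if (denylist.has(name)) add("denylisted", "package name is on the known-malicious list");

    if (!entry.inBundle) { // bundled deps ship inside their parent's tarball
      if (typeof entry.resolved !== "string" || !entry.resolved.startsWith(registry)) {
        add("untrusted-source", `resolved from ${entry.resolved || "(none)"}`);
      }
      if (typeof entry.integrity !== "string" || entry.integrity.trim() === "") {
        add("missing-integrity", "no integrity hash, so the tarball content is not pinned");
      } else {
        // An SRI string may carry several space-separated "<algo>-<base64>" hashes.
        const algos = entry.integrity.trim().split(/\s+/).map((h) => h.split("-")[0]);
        if (!algos.some((a) => STRONG_HASHES.has(a))) {
          add("weak-integrity", `only ${algos.join(", ")} present`);
        }
      }
    }

    if (entry.hasInstallScript && !allowScripts.has(name)) {
      add("install-script", "runs code at install time and is not on the reviewed allowlist");
    }
  }
  return findings;
}

// Constructed sample lockfile: versions, hosts and hashes are placeholders.
const SAMPLE_LOCK = {
  name: "wallet-frontend",
  lockfileVersion: 3,
  packages: {
    "": { name: "wallet-frontend", version: "1.0.0" },
    "node_modules/example-ok": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/example-ok/-/example-ok-1.3.0.tgz",
      integrity: "sha512-Q09OU1RSVUNURUQ=",
    },
    "node_modules/pdf-to-office": {
      version: "0.0.0-example",
      resolved: "https://registry.npmjs.org/pdf-to-office/-/pdf-to-office-0.0.0-example.tgz",
      integrity: "sha512-Q09OU1RSVUNURUQ=",
      hasInstallScript: true,
    },
    "node_modules/internal-utils": {
      version: "0.2.1",
      resolved: "git+ssh://git@git.example.invalid/team/internal-utils.git#0000000",
    },
    "node_modules/example-native-build": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/example-native-build/-/example-native-build-2.0.0.tgz",
      integrity: "sha512-Q09OU1RSVUNURUQ=",
      hasInstallScript: true,
    },
    "node_modules/legacy-lib": {
      version: "0.1.0",
      resolved: "https://registry.npmjs.org/legacy-lib/-/legacy-lib-0.1.0.tgz",
      integrity: "sha1-Q09OU1RSVUNURUQ=",
    },
  },
};

// In CI, parse the real package-lock.json instead and fail the job on any finding.
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.rule.padEnd(18)} ${f.pkg}@${f.version}: ${f.detail}`);
}
```

A name denylist only catches packages that have already been reported, so the source, integrity and install-script rules are the ones that flag an unknown package before it runs code on a developer or build machine.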

2025 has highlighted the critical importance of supply chain protection and a comprehensive approach to cybersecurity for businesses and users.

The rise in attacks on these areas highlights the need for increased third-party vendor controls, improved technical measures, and increased organizational awareness. Security-focused organizations will be able to minimize risks by using advanced technologies and processes, which is the key to sustainability and trust in a rapidly changing digital world.

How the Use of Artificial Intelligence is Changing Attacker Tactics

The use of artificial intelligence (AI) is fundamentally changing the tactics of attackers, making cyberattacks more complex, large-scale, and sophisticated. Here are the key ways AI is impacting cybercriminal methods and strategies, as supported by cybersecurity research and analytics:

  1. Automation and acceleration of attacks
    AI allows attackers to automate many of the routine and exploratory stages of cyberattacks. Using generative models, criminals can quickly create malicious code, scripts, phishing emails, and even deepfake content. This significantly reduces the time to prepare and carry out attacks, increasing their scale [ptsecurity.com].
  2. Improving the accuracy and personalization of attacks
    Machine learning methods are used to analyze big data about victims: their behavior, social networks, leaked password databases. This makes it possible to create phishing messages and fakes convincing enough to significantly increase the chance of deceiving the user. AI algorithms take into account the psychological characteristics of the target, increasing the effectiveness of the attack [kurshub.ru].
  3. Intelligent vulnerability scanning
    AI systems are capable of finding new vulnerabilities in software, including zero-days and logical errors, several times faster and more accurately. This expands the attackers’ arsenal, allowing them to attack a wider range of targets with minimal manual effort [kurshub.ru].
  4. Semi-automated and future fully automated attacks
    There are no confirmed cases of fully autonomous cyberattacks carried out solely by AI, but the trend toward such systems is clear. Cybercriminals are already using AI as a digital assistant to improve work efficiency, and attacks are expected to become as automated as possible in the coming years [ptsecurity.com].
  5. Strengthening distributed and large-scale campaigns
    Thanks to AI, it has become possible to manage a huge number of fraudulent accounts, scale phishing mailings to tens of thousands of messages per day, and quickly adapt to changes in security systems [ptsecurity.com].
  6. Using AI to Create Complex Fakes
    Attackers are using deep learning technologies to create fake voices, videos (deepfakes) and texts that are difficult to distinguish from the real thing, opening up new opportunities for fraud and social engineering [alphasystems.group].
  7. Bypassing security systems and adapting malware
    Intelligent viruses and AI-based malware can analyze defense mechanisms, learn from them, and change their behavior to bypass detection, which complicates the work of anti-hacking services [alphasystems.group].
  8. Saving criminals’ resources
    AI reduces the cost and time required to conduct cyberattacks, making crimes more accessible to a wider range of attackers and increasing the overall number of incidents [alphasystems.group].

Ultimately, AI is becoming a powerful tool in the cybercriminal arsenal, transforming attack tactics from simple password guessing and mass phishing campaigns to complex, adaptive, and almost “smart” attacks. This creates new challenges for cybersecurity systems and requires the constant development of defense methods using AI and other advanced technologies.

Sources:

  • Positive Technologies, “Artificial Intelligence in Cyberattacks”
  • Kurshub, “How AI is changing the world of cybersecurity”
  • OTUS, “How AI Agents Are Changing Credential-Based Attacks”
  • Gazinformservice, “AI: A New Tool in the Arsenal of Cybercriminals”
  • AlphaSystems Group, “The Role of Artificial Intelligence in Vulnerability Management”
  • Anti-Malware.ru, “The Dark Side of Artificial Intelligence: Threats and Protection”
  1. https://ptsecurity.com/ru-ru/research/analytics/iskusstvennyj-intellekt-v-cyberatakah/
  2. https://kurshub.ru/journal/blog/kak-ii-menyaet-mir-kiberbezopasnosti-zashhita-ili-ugroza/
  3. https://pro32.com/ru/article/ii-i-kiberbezopasnost/
  4. https://habr.com/ru/companies/otus/articles/892240/
  5. https://trends.rbc.ru/trends/industry/6756bcfb9a7947690bdc259a
  6. https://alphasystems.group/tpost/53655c6v01-rol-iskusstvennogo-intellekta-v-upravlen
  7. https://www.anti-malware.ru/analytics/Threats_Analysis/AI-Darkside-Threats-and-Protection
  8. https://cyberleninka.ru/article/n/o-kiberatakah-s-pomoschyu-sistem-iskusstvennogo-intellekta
  9. https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%98%D1%81%D0%BA%D1%83%D1%81%D1%81%D1%82%D0%B2%D0%B5%D0%BD%D0%BD%D1%8B%D0%B9_%D0%B8%D0%BD%D1%82%D0%B5%D0%BB%D0%BB%D0%B5%D0%BA%D1%82_%D0%B2_%D0%BF%D1%80%D0%B5%D1%81%D1%82%D1%83%D0%BF%D0%BD%D0%BE%D1%81%D1%82%D0%B8
  10. https://b-152.ru/iskusstvennyj-intellekt-v-ib

Sources:

  • CyberProof – Global Threat Analysis Report 2025
  • Positive Technologies — Cybersecurity in 2025: New Threats and Recommendations
  • Positive Technologies — Current Cyber Threats: Q4 2024 – Q1 2025
  • F6 — The Main Cyber Threats of 2025
  • CNews — The Main Cyber Threats of 2025 for Russia Named
  • Kaspersky ICS CERT — Industrial Network Attack Forecasts 2025
  • VC.ru — Top 5 Cyber Threats of 2025
  • Forbes.ru — Cyber Risks for Business and Users in 2025
  • Xygeni.io — Secure Software Supply Chain: Lessons and Predictions for 2025

  1. https://habr.com/ru/articles/897706/
  2. https://ptnl.moscow/articles/kiberbezopasnost-v-2025-godu-novye-ugrozy-i-kak-ot-nikh-zashchititsia
  3. https://ptsecurity.com/ru-ru/research/analytics/aktualnye-kiberugrozy-iv-kvartal-2024-goda-i-kvartal-2025-goda/
  4. https://www.f6.ru/media-center/press-releases/cybercrime-trends-annual-report-2024-2025/
  5. https://www.cnews.ru/news/top/2025-02-19_nazvany_samye_opasnye_kiberugrozy
  6. https://www.ec-rs.ru/blog/kii/kii-2025-prognoz-atak-na-promyshlennye-seti/
  7. https://vc.ru/education/2021007-top-5-kiberugroz-2025-goda
  8. https://ics-cert.kaspersky.ru/publications/reports/2025/01/29/threat-predictions-for-industrial-enterprises-2025/
  9. https://www.forbes.ru/tekhnologii/531090-santaz-i-spionaz-kakie-kiberriski-ugrozaut-biznesu-i-pol-zovatelam-v-2025-godu
  10. https://xygeni.io/ru/blog/secure-software-supply-chain-lessons-and-predictions-for-2025/

Sources:

  • Investing.com, “Bybit Hacked: Over $1.46 Billion in Ethereum Stolen”
  • Binance, Bybit Hack Review and Its Aftermath
  • RBC, Analysis of Funds Recovery and Bybit’s Response
  • DTF.ru, consequences and impact on cryptoeconomics
  1. https://ru.investing.com/news/cryptocurrency-news/article-93CH-2665667
  2. https://www.binance.com/ru-UA/square/post/22280719600409
  3. https://www.rbc.ru/crypto/news/67bc35809a79473550c9ae4b
  4. https://learn.bybit.com/ru/this-week-in-bybit/bybit-security-incident-timeline
  5. https://dtf.ru/id1979953/3560501-hakery-vzlomali-bybit-birzha-poteryala-146-mlrd-dollarov
  6. https://yellow.com/ru/news/%D0%B2%D0%B7%D0%BB%D0%BE%D0%BC-%D0%BD%D0%B0-15-%D0%BC%D0%B8%D0%BB%D0%BB%D0%B8%D0%B0%D1%80%D0%B4%D0%B0-%D0%B2-bybit-%D0%BA%D0%B0%D0%BA-%D1%85%D0%B0%D0%BA%D0%B5%D1%80%D1%8B-%D0%BF%D0%BE%D0%BB%D1%83%D1%87%D0%B8%D0%BB%D0%B8-%D0%B4%D0%BE%D1%81%D1%82%D1%83%D0%BF-%D0%BA-%D1%85%D0%BE%D0%BB%D0%BE%D0%B4%D0%BD%D1%8B%D0%BC-%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B0%D0%BC-%D0%BF%D0%BE%D0%B4-%D1%83%D0%B3%D1%80%D0%BE%D0%B7%D0%BE%D0%B9-%D0%BB%D0%B8-ethereum
  7. https://itc.ua/articles/anatomy-of-a-large-cryptocurrency-in-history-we-will-break-down-1-5-mlrd/
  8. https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%9C%D0%BE%D1%88%D0%B5%D0%BD%D0%BD%D0%B8%D1%87%D0%B5%D1%81%D1%82%D0%B2%D0%BE_%D1%81_%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%B2%D0%B0%D0%BB%D1%8E%D1%82%D0%BE%D0%B9
  9. https://www.gate.com/ru/blog/6164/The-ETH-Theft-Incident—Reflections-on-the—1.46-Billion-Theft-from-Bybit
  10. https://ru.tradingview.com/news/forklog:92059c1d367b8:0/

Sources:

  • X-Technology: “Lessons from the Bybit Incident”
  • Block-Chain24: “What the Bybit hack taught me”
  • RBC: “Bybit hack was the largest in the history of the crypto market”
  • MoneyTimes: “Experts call for changes after the major Bybit hack”
  • Binance: “Lessons from the $1.5 billion Bybit hack”
  • Yellow.com: “Bybit Hacked for $1.5 Billion”

  1. https://www.hx.technology/ru/blog-ru/bybit-hack-other-major-cryptocurrency-incidents-ru
  2. https://www.block-chain24.com/faq/chemu-nauchil-vzlom-bybit-kak-ostavatsya-v-bezopasnosti-na-kriptovalyutnyh-birzhah
  3. https://partnerkin.com/tribuna/pokriptim/vzlom-bybit-kak-krupnejshij-kr
  4. https://www.rbc.ru/crypto/news/67bc85da9a7947b0427623af
  5. https://www.moneytimes.ru/news/bezopasnost-v-kriptoindustrii/50956/
  6. https://www.binance.com/ru/square/post/20926368396473
  7. https://yellow.com/ru/news/%D0%B2%D0%B7%D0%BB%D0%BE%D0%BC-%D0%BD%D0%B0-15-%D0%BC%D0%B8%D0%BB%D0%BB%D0%B8%D0%B0%D1%80%D0%B4%D0%B0-%D0%B2-bybit-%D0%BA%D0%B0%D0%BA-%D1%85%D0%B0%D0%BA%D0%B5%D1%80%D1%8B-%D0%BF%D0%BE%D0%BB%D1%83%D1%87%D0%B8%D0%BB%D0%B8-%D0%B4%D0%BE%D1%81%D1%82%D1%83%D0%BF-%D0%BA-%D1%85%D0%BE%D0%BB%D0%BE%D0%B4%D0%BD%D1%8B%D0%BC-%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B0%D0%BC-%D0%BF%D0%BE%D0%B4-%D1%83%D0%B3%D1%80%D0%BE%D0%B7%D0%BE%D0%B9-%D0%BB%D0%B8-ethereum
  8. https://habr.com/ru/companies/gaz-is/articles/899840/
  9. https://www.finam.ru/publications/item/kak-vzlomali-bybit-20250223-1604/
  10. https://www.strategium.ru/forum/topic/107983-bybit-%D0%BA%D1%80%D1%83%D0%BF%D0%BD%D0%B5%D0%B9%D1%88%D0%B8%D0%B9-%D0%B2%D0%B7%D0%BB%D0%BE%D0%BC-%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%B1%D0%B8%D1%80%D0%B6%D0%B8-%D0%B2-%D0%B8%D1%81%D1%82%D0%BE%D1%80%D0%B8%D0%B8

Sources:

  • RBC, “Hackers stole $2 billion from crypto services in 2025”
  • Spark.ru, “Top 5 crypto hacks of 2025”
  • Iz.ru, “Exchange pocket: what will the largest crypto hack lead to”
  • TRM Labs, “Report on cryptocurrency thefts in 2025”
  • PeckShield, “Cryptocurrency hacks reached $1.6 billion in the first quarter of 2025”
  • Lenta.ru, “Bybit announced a reward for the capture of hackers”
  • TRM Labs, “Crypto hacks through seed phrases and frontend attacks”

  1. https://www.rbc.ru/crypto/news/685ea64c9a7947de65e03d13
  2. https://spark.ru/user/181368/blog/263304/top-5-kriptovzlomov-2025-goda-ogrableniya-na-milliardi-i-novaya-era-kibervojn
  3. https://iz.ru/1843878/natala-ilina/birzi-karman-k-cemu-privedet-krupneisii-kriptovzlom-na-1-mlrd
  4. https://ru.beincrypto.com/rekord-krazh-kriptovalyuty-2025/
  5. https://www.block-chain24.com/news/novosti-bezopasnosti/peckshield-vzlomy-kriptovalyut-dostigli-16-mlrd-v-pervom-kvartale-2025
  6. https://lenta.ru/news/2025/02/22/hakery-sovershili-krupneyshuyu-krazhu-v-istorii-kriptovalyut-za-pomosch-v-ih-poimke-ob-yavili-nagradu-v-140-millionov-dollarov/
  7. https://www.block-chain24.com/news/novosti-bezopasnosti/trm-labs-kriptovzlomy-cherez-seed-frazy-i-frontend-ataki-priveli-k
  8. https://sgzt.com/%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%B8%D0%BD%D0%B4%D1%83%D1%81%D1%82%D1%80%D0%B8%D1%8F-%D0%BD%D0%B0-%D0%B3%D1%80%D0%B0%D0%BD%D0%B8-%D1%83%D1%89%D0%B5%D1%80%D0%B1-%D0%BE%D1%82-%D0%B2%D0%B7%D0%BB/
  9. https://psm7.com/ru/cryptocurrency/skilky-vkraly-kryptohakery-u-pershomu-kvartali-2025-peckshield.html
  10. https://www.bitget.com/ru/news/detail/12560604684817

Sources:

  • SecurityLab – Large-scale attack via npm packages
  • Socket Threat Research — Malicious Firefox Extensions and Token Theft
  • Comnews.ru — detailed analysis of the attack on the supply chain via npm with the defeat of Firefox
  • IT-World.ru — analysis of malicious code in Firefox via npm packages

  1. https://www.itsec.ru/news/na-platforme-npm-zafixirovana-masshtabnaya-
  2. https://1275.ru/ioc/novaya-volna-vredonosnyh-rasshireniy-firefox-krazha-tokenov-oauth-i-skrytyy-shpionazh-v-igrovoy-maskirovke_12775
  3. https://www.comnews.ru/content/240337/2025-07-23/2025-w30/1018/vredonosnyy-kod-firefox-ataka-cepochku-postavok-cherez-npm-pakety
  4. https://cisoclub.ru/slozhnaja-ataka-na-cepochku-postavok-cherez-npm-paket/
  5. https://ptsecurity.com/ru-ru/research/analytics/aktualnye-kiberugrozy-iv-kvartal-2024-goda-i-kvartal-2025-goda/
  6. https://securitymedia.org/news/list/
  7. https://blog.kaspersky.kz/supply-chain-attack-on-3cx/26061/
  8. https://www.it-world.ru/security/lpgq1x1ridcw4kc04gggcoswscgggwk.html
  9. https://1275.ru/ioc/slozhnaya-fishingovaya-ataka-na-razrabotchikov-cherez-poddelnye-pisma-ot-npm_13319
  10. https://www.it-world.ru/news-company/s4h9tjyv0asgg4c4swskwcwc0goggsc.html

Sources:

  • Analysis by Phylum, Socket Threat Research and Positive Technologies experts on the investigation of the incident with malicious npm packages in July 2025.
  1. https://securitymedia.org/news/pod-vidom-stazhirovok-vredonosnye-npm-pakety-atakuyut-razrabotchikov.html
  2. https://itspeaker.ru/news/ekspert-predupredil-ob-atake-na-browser-firefox/
  3. https://www.comnews.ru/content/240337/2025-07-23/2025-w30/1018/vredonosnyy-kod-firefox-ataka-cepochku-postavok-cherez-npm-pakety
  4. https://www.it-world.ru/news-company/sqa115eldtco44kw0000sg00gkoogk4.html
  5. https://dsmedia.pro/news/vredonosnoe-po-kak-usluga-prevraschaet-vzlom-android-v-gotovyj-biznes
  6. https://1275.ru/ioc/severokoreyskie-hakery-atakuyut-npm-obnaruzheny-67-vredonosnyh-paketov-s-novym-zagruzchikom-xorindex_13000
  7. https://www.it-world.ru/news-company/ger9edmsfzwc4g4k88k8gws0g80w8co.html
  8. https://ict-yug.ru/security
  9. https://ict-ekb.ru/security
  10. https://www.comnews.ru/pressreleases
  1. https://www.kaspersky.ru/blog/supply-chain-attacks-in-2024/39004/
  2. https://ptsecurity.com/ru-ru/research/analytics/aktualnye-kiberugrozy-iv-kvartal-2024-goda-i-kvartal-2025-goda/
  3. https://xygeni.io/ru/blog/a-closer-look-at-software-supply-chain-attacks-2025/
  4. https://www.itsec.ru/news/na-platforme-npm-zafixirovana-masshtabnaya-
  5. https://xygeni.io/ru/blog/secure-software-supply-chain-lessons-and-predictions-for-2025/
  6. https://www.itsec.ru/news/hakeri-vnedrili-vredonosnoy-kod-v-populiarniye-paketi-npm
  7. https://1275.ru/ioc/godovaya-ataka-na-tsepochku-postavok-npm-sochetaet-mayning-kriptovalyut-i-krazhu-dannyh_8608
  8. https://habr.com/ru/articles/787190/
  9. https://securelist.ru/ksb-story-of-the-year-2024/111301/
  10. https://cisoclub.ru/novye-ugrozy-vredonosnye-pakety-na-npm-i-pypi-kradut-kriptodannye/
  1. https://ict.moscow/analytics/kiberugrozy-finansovoi-otrasli-prognoz-na-2025-2026-gody/
  2. https://ptsecurity.com/ru-ru/about/news/positive-technologies-nazvala-glavnye-kiberugrozy-dlya-finansovyh-kompanij-v-2025-2026-godah/
  3. https://ptsecurity.com/ru-ru/research/analytics/kiberugrozy-finansovoi-otrasli—prognoz-na-2025-2026-g/
  4. https://ptsecurity.com/ru-ru/research/analytics/
  5. https://infoforum.ru/glavnoe/kljuchevye-kiberugrozy-dlja-finansovyh-kompanij-v-2025-2026-godah
  6. https://securitymedia.org/news/eksperty-nazvali-glavnye-cyberugrozy-dlya-finansovykh-kompaniy-v-2025-2026-godakh.html
  7. https://news.mondiara.com/categories/7/posts/128925
  8. https://frankmedia.ru/207458
  9. https://ict.moscow/analytics/?tags=Positive_Technologies
  10. https://www.itsec.ru/news/tag/2026
  1. https://ru.investing.com/news/cryptocurrency-news/article-2810369
  2. https://bitok.org/ru/blog/2025-crypto-hacks-exploits-report
  3. https://www.block-chain24.com/news/novosti-bezopasnosti/trm-labs-kriptovzlomy-cherez-seed-frazy-i-frontend-ataki-priveli-k
  4. https://happycoin.club/in-the-first-half-of-2025-there-were-over-75-kriptovzlomov/
  5. https://ru.beincrypto.com/rekord-krazh-kriptovalyuty-2025/
  6. https://incrussia.ru/understand/top-crypto-hacks/
  7. https://forklog.com/news/analitiki-ochertili-tajmingi-peremeshheniya-ukradennyh-kriptovalyut
  8. https://www.kaspersky.ru/resource-center/threats/crypto-exchange-hacks
  9. https://bitok.org/ru/blog
  10. https://vk.com/wall-164891737_5090
  1. https://www.block-chain24.com/news/novosti-bezopasnosti/koshelki-atomic-i-exodus-stali-mishenyu-dlya-novogo-eksploita
  2. https://www.itsec.ru/news/reversing-labs-ataki-na-zepochku-postavok-programmnogo-obespecheniya-stanoviatsia-vsio-izoshrionnee
  3. https://www.reversinglabs.com/blog/atomic-and-exodus-crypto-wallets-targeted-in-malicious-npm-campaign
  4. https://1275.ru/ioc/kriptovalyutnye-koshelki-atomic-i-exodus-stali-mishenyu-vredonosnoy-npm-kampanii_10387
  5. https://www.binance.com/en/square/post/04-11-2025-cybersecurity-alert-new-threats-target-atomic-and-exodus-wallet-users-22770707066938
  6. https://securenews.ru/hakery-atakovali-kriptokoshelki-atomic-i-exodus-cherez-vredonosnye-npm-pakety/
  7. https://cointelegraph.com/news/atomic-exodus-wallets-targeted-cybersecurity-exploit
  8. https://cybersrcc.com/2025/04/23/anatomy-of-a-malicious-npm-campaign-targeting-atomic-and-exodus-crypto-wallets/
  9. https://www.bitget.com/ru/news/detail/12560604696232
  10. https://1275.ru/ioc/vredonosnyy-pypi-paket-solana-token-natselen-na-razrabotchikov-solana_11091
  1. https://bitok.org/ru/blog/2025-crypto-hacks-exploits-report
  2. https://ptsecurity.com/ru-ru/research/analytics/kiberugrozy-finansovoi-otrasli—prognoz-na-2025-2026-g/
  3. https://www.anti-malware.ru/news/2025-07-25-111332/46783
  4. https://cisoclub.ru/chainalysis-the-abundance-of-crypto-theft-reached-2-17-mlrd-in-the-series-of-2025-on-the-back-of-the-record-activity-of-the-kndr-and-the-growth-of-attacks-on-personal-wallets/
  5. https://ptsecurity.com/ru-ru/research/analytics/aktualnye-kiberugrozy-iv-kvartal-2024-goda-i-kvartal-2025-goda/
  6. https://axoftglobal.ru/news/positive_technologies_kakiye_tekhnologii_stanut_tsel_yu_atak_khakerov_v_2025_godu
  7. https://www.it-world.ru/news-company/h1n0hwmi6fk8wo8408kwg08c4w8c4gk.html
  8. https://securelist.ru/ksb-apt-predictions-2025/111090/
  9. https://vc.ru/services/2093125-kiberataki-2025-kak-biznes-teryaet-milliony-i-zashchishchayetsya-ot-ugroz
  10. https://futureby.info/7-key-cyber-threats-in-2025-and-how-to-deal-with-them/