June 2025 delivered a brutal reminder that the most devastating crypto exploits do not always stem from complex smart contract vulnerabilities. According to the De.Fi REKT Report, a total of $114.8 million was lost across 11 separate attacks during the month, with access control failures accounting for the vast majority of damages. The pattern is clear: the basics of key management, permission structures, and internal safeguards remain the weakest link in both centralized and decentralized platforms.
The Threat Landscape
The single most damaging event in June 2025 was the $82 million breach of Nobitex, a centralized Iranian exchange, on June 18. The attack was claimed by the hacktivist group Gonjeshke Darande, which exploited weak internal permissions to drain hot wallets across multiple blockchains, including $49.3 million on Tron, $24.3 million on EVM-compatible chains, $2 million on Bitcoin, $6.7 million in Dogecoin, and additional losses on the TON network.
Other significant incidents included the $16.1 million AlexLab exploit on June 6, where a Bitcoin Layer 2 protocol was drained through a fake token listing mechanism, and the $3.7 million Nervos Network ForceBridge breach on June 2, where unauthorized control of bridge contracts led to the theft of USDT, USDC, ETH, DAI, and WBTC.
On June 25, Silo Finance lost $545,000 through a testing-phase smart contract exploit, while Resupply Protocol was hit for $9.5 million on June 26 through manipulation of its wstUSR collateral handling logic. Notably, zero funds were recovered across all 11 incidents during the month.
Core Principles
Access control vulnerabilities dominated June’s losses, with four access control-related incidents collectively draining $87.95 million. These attacks typically exploit one or more of the following weaknesses:
Private key compromise: Attackers gain control of administrative keys through social engineering, insider threats, or poor key storage practices. Once a private key is compromised, the attacker inherits all permissions associated with that key.
Weak multisig logic: Multi-signature wallets are only as strong as their configuration. A 1-of-N threshold, signers whose keys all live on the same machine or with the same operator, or a setup with no time-lock on large withdrawals collapses back to the security of a single key: whoever compromises that one key or that one host moves the funds.
Excessive internal permissions: Many platforms grant overly broad access to internal systems, creating lateral movement opportunities for attackers who breach even a single access point.
Tooling and Setup
Protecting against access control failures requires a layered approach. Hardware security modules (HSMs) should be mandatory for any platform managing user funds, so that signing keys never exist in exportable form on a general-purpose host. Time-locked multisig wallets with at least three distinct signatories, a threshold above one, and a 24-hour delay on large transactions give defenders breathing room to spot an unauthorized transfer. The delay only helps, however, if someone actually watches the queue and a single honest signer can cancel a pending transaction before it executes.
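The weaknesses listed above (a stolen key, a multisig without a delay, a rotated-out signer whose approvals still count) and the setup recommended here are easiest to see side by side in code. The following is an added example written for this page, not code from De.Fi, Nobitex or any wallet product; it simulates the withdrawal policy in Python with an explicit clock rather than on-chain, and the signer names, amounts, addresses and the 3-of-4 configuration are all constructed. It goes slightly beyond the text in two places: any single active signer can veto a queued transfer, and rotating a signer out voids that signer's pending approvals.

```python
from dataclasses import dataclass, field

HOUR = 3600


@dataclass
class Proposal:
    pid: int
    to: str
    amount: int
    created_at: int
    approvals: set = field(default_factory=set)
    cancelled: bool = False
    executed: bool = False


class TimelockedMultisig:
    """M-of-N approval for every withdrawal, plus a delay on anything above large_limit."""

    def __init__(self, signers, threshold, large_limit, delay=24 * HOUR):
        signers = set(signers)
        if len(signers) < 3:
            raise ValueError("need at least three distinct signers")
        if not 1 < threshold <= len(signers):
            raise ValueError("threshold must be above 1 and at most the signer count")
        self.signers = signers
        self.threshold = threshold
        self.large_limit = large_limit   # amounts above this wait out the delay
        self.delay = delay
        self.proposals = {}
        self._next_id = 0

    def _require_signer(self, who):
        if who not in self.signers:
            raise PermissionError(f"{who} is not an active signer")

    def propose(self, signer, to, amount, now):
        self._require_signer(signer)
        pid, self._next_id = self._next_id, self._next_id + 1
        self.proposals[pid] = Proposal(pid, to, amount, now, {signer})
        return pid

    def approve(self, signer, pid):
        self._require_signer(signer)
        self.proposals[pid].approvals.add(signer)

    def cancel(self, signer, pid):
        # Veto is deliberately cheap: one honest key can stop what M stolen keys started.
        self._require_signer(signer)
        self.proposals[pid].cancelled = True

    def execute(self, signer, pid, now):
        self._require_signer(signer)
        p = self.proposals[pid]
        if p.cancelled or p.executed:
            raise PermissionError("proposal is no longer executable")
        live = p.approvals & self.signers   # approvals from rotated-out keys no longer count
        if len(live) < self.threshold:
            raise PermissionError(f"{len(live)}/{self.threshold} approvals")
        if p.amount > self.large_limit and now < p.created_at + self.delay:
            raise PermissionError("time-lock has not elapsed")
        p.executed = True
        return p.amount

    def replace_signer(self, old, new, approvers):
        # Rotating a key is itself privileged: it needs a quorum that excludes the key being removed.
        if old not in self.signers or new in self.signers:
            raise ValueError("rotation must remove an active signer and add a new one")
        if len((set(approvers) & self.signers) - {old}) < self.threshold:
            raise PermissionError("quorum required to rotate a signer")
        self.signers.remove(old)
        self.signers.add(new)


def run_scenarios():
    """Constructed walk-through: alice's key is stolen in a 3-of-4 setup. Returns each outcome."""
    vault = TimelockedMultisig({"alice", "bob", "carol", "dave"}, threshold=3, large_limit=100_000)
    outcome = {}

    def attempt(label, action):
        try:
            outcome[label] = action()
        except PermissionError as exc:
            outcome[label] = f"denied: {exc}"

    # 1. One stolen key cannot move funds on its own.
    drain = vault.propose("alice", "0xattacker", 500_000, now=0)
    attempt("single_key_drain", lambda: vault.execute("alice", drain, now=0))

    # 2. A routine payment clears as soon as a quorum signs; nothing below the limit waits.
    vendor = vault.propose("carol", "0xvendor", 5_000, now=0)
    vault.approve("dave", vendor)
    vault.approve("bob", vendor)
    attempt("small_payment", lambda: vault.execute("carol", vendor, now=0))

    # 3. Bob and carol are talked into approving the drain. Quorum is met, but the time-lock
    #    holds it, and that window is when dave can veto and rotate alice out.
    vault.approve("bob", drain)
    vault.approve("carol", drain)
    attempt("quorum_but_locked", lambda: vault.execute("alice", drain, now=1 * HOUR))
    vault.cancel("dave", drain)
    attempt("after_cancel", lambda: vault.execute("alice", drain, now=25 * HOUR))
    vault.replace_signer("alice", "erin", approvers={"bob", "carol", "dave"})
    attempt("rotated_key_acts", lambda: vault.propose("alice", "0xattacker", 1, now=26 * HOUR))

    # 4. A legitimate large transfer takes the same path and clears once the delay has passed.
    sweep = vault.propose("carol", "0xcold-storage", 250_000, now=30 * HOUR)
    vault.approve("bob", sweep)
    vault.approve("dave", sweep)
    attempt("large_before_delay", lambda: vault.execute("carol", sweep, now=53 * HOUR))
    attempt("large_after_delay", lambda: vault.execute("carol", sweep, now=54 * HOUR))
    return outcome


if __name__ == "__main__":
    print(run_scenarios())
```

The asymmetry is the point of the design: executing needs M keys and a waiting period, cancelling needs one key and no delay, and rotating a signer needs a quorum that the removed key cannot contribute to. An on-chain implementation enforces the same rules in contract storage instead of a Python dict, but the checks an auditor looks for are the ones above: distinct signers, threshold above one, delay keyed off creation time, and no way for a removed key to keep counting.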
Real-time monitoring tools like Hypernative Labs, which flagged the Silo Finance exploit over three minutes before it executed, represent a growing category of proactive defenses. An alert with nobody awake to act on it is worth little at that time scale, so platforms should wire such tools to an automated response, such as pausing a contract or freezing hot-wallet withdrawals, and treat the alert as the trigger rather than the end of the process.
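What an automated response looks like for a custodial hot wallet is a circuit breaker that sits in front of the signing service and refuses, rather than merely reports, when outflows leave their normal envelope. The block below is an added example written for this page, not Hypernative's product or any exchange's code; the outflow log is constructed (it is not Nobitex data), and the rolling-window limit, the unseen-destination limit and the per-event USD amounts are illustrative assumptions that a real deployment would derive from its own baseline.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed hot-wallet outflow log (not real exchange data): "utc_time chain destination usd".
SAMPLE_OUTFLOWS = """\
2025-06-18T01:00:00+00:00 tron TXcustA 12000
2025-06-18T01:12:00+00:00 evm 0xcustB 8500
2025-06-18T01:40:00+00:00 tron TXcustA 15000
2025-06-18T02:05:00+00:00 evm 0xcustC 9900
2025-06-18T03:14:00+00:00 tron TXfresh1 2400000
2025-06-18T03:14:30+00:00 evm 0xfresh2 1900000
2025-06-18T03:15:10+00:00 btc bc1fresh3 600000
"""


def parse_outflows(text):
    """Yield (timestamp, chain, destination, usd) per line of the constructed log format."""
    for line in text.splitlines():
        ts, chain, dest, usd = line.split()
        yield datetime.fromisoformat(ts), chain, dest, float(usd)


class OutflowCircuitBreaker:
    """Sits in front of the signer: freezes withdrawals instead of only paging someone."""

    def __init__(self, window=timedelta(minutes=10), window_limit_usd=100_000,
                 unseen_dest_limit_usd=50_000):
        self.window = window
        self.window_limit = window_limit_usd          # assumed rolling-window cap
        self.unseen_limit = unseen_dest_limit_usd      # assumed cap for a never-paid address
        self.seen = set()          # destinations this wallet has paid before
        self.recent = deque()      # (timestamp, usd) events inside the rolling window
        self.frozen = False
        self.alerts = []

    def check(self, ts, chain, dest, usd):
        """Return 'signed', 'frozen' (this transfer tripped the breaker) or 'blocked'."""
        if self.frozen:
            return "blocked"
        while self.recent and ts - self.recent[0][0] > self.window:
            self.recent.popleft()
        self.recent.append((ts, usd))
        in_window = sum(amount for _, amount in self.recent)
        reasons = []
        if dest not in self.seen and usd > self.unseen_limit:
            reasons.append(f"{usd:,.0f} USD to never-paid {chain} address {dest}")
        if in_window > self.window_limit:
            reasons.append(f"{in_window:,.0f} USD out within {self.window}")
        self.seen.add(dest)
        if reasons:
            self.frozen = True     # automated response: halt signing until a quorum unfreezes
            self.alerts.append((ts, reasons))
            return "frozen"
        return "signed"


def run(log=SAMPLE_OUTFLOWS):
    """Replay the log through a fresh breaker; returns the per-event decisions and the alerts."""
    breaker = OutflowCircuitBreaker()
    decisions = [breaker.check(*event) for event in parse_outflows(log)]
    return decisions, breaker.alerts


if __name__ == "__main__":
    print(run())
```

On the constructed log the first four routine payments are signed, the fifth trips both rules at once (a seven-figure transfer to an address the wallet has never paid, and more than the window cap in ten minutes) and everything after it is blocked. Two practical caveats: a freeze is also a denial-of-service lever, so the thresholds need tuning against real baselines and the unfreeze path should require the same quorum as a large withdrawal; and this only covers the custodial signing path, so on-chain contracts still need their own pause mechanism driven by the monitoring feed.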
For individual users the principles are the same: keep the majority of holdings in cold storage, use a hardware wallet for any significant transaction, and never share private keys or seed phrases, however legitimate the request appears. With Bitcoin hovering around $107,361 and Ethereum near $2,419 in late June, a single compromised wallet can mean a devastating loss.
Ongoing Vigilance
The June 2025 data also cuts against the narrative that decentralization inherently increases risk: centralized platforms took the bulk of the access control losses, with the Nobitex breach alone representing over 70% of the month's total. One month dominated by a single incident is a small sample, but the mechanism is familiar: a custodial system concentrates the keys and permissions that move funds in a handful of systems and people, and that concentration is exactly what an attacker with stolen credentials or insider access needs.
Regular security audits should be supplemented by continuous monitoring, penetration testing, and incident response drills. The seven smart contract exploits in June, contributing $26.8 million in losses, demonstrate that on-chain logic vulnerabilities remain a persistent threat alongside the more headline-grabbing access control failures.
Cross-chain security also demands attention. The Nervos ForceBridge exploit involved assets on both Ethereum and BNB Chain, with stolen funds quickly swapped to ETH and laundered through Tornado Cash. As the multi-chain ecosystem expands, bridge security and cross-chain access controls will only grow in importance.
Final Takeaway
June 2025’s $114.8 million in losses could have been significantly reduced with better access control hygiene. The technology to prevent most of these attacks already exists. What is missing is consistent implementation, rigorous testing of permission structures, and the organizational discipline to maintain security standards as platforms scale. Whether you are a DeFi protocol or a centralized exchange, the fundamentals of access control remain the foundation upon which all other security measures are built.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research and practice proper security hygiene with your digital assets.
zero funds recovered across 11 incidents is the real stat. the permanent loss rate in crypto exploits is approaching 90%. insurance can't keep up with that math
4 access control incidents = $87.95M. the basics keep failing. not smart contract bugs, just bad permission management
It’s honestly mind-blowing that we’re still seeing such massive losses due to basic access control failures in 2025. You’d think after the last few years of exploits, these protocols would prioritize multi-sig setups and stricter permissioning. $114 million is no small change, and it really highlights why institutional investors are still hesitant to jump into DeFi full-throttle without better security standards.
Nobitex at $82M and zero funds recovered across all 11 incidents in June. the permanent loss rate is what should scare everyone
Ouch, June was definitely a rough month for the space. These reports are always a sobering reminder that ‘not your keys, not your coins’ applies to the devs just as much as the users. We really need to push for more transparent security audits and maybe some standardized frameworks for access management. Stay safe out there and double-check those permissions before you bridge!
DeFi_Dan multi-sig is table stakes. the real gap is key rotation procedures. most teams set up multi-sig once and never rotate signers. that's how you get $82M drained
key rotation and multi-sig are both table stakes. the gap is emergency procedures. most teams have never drilled a real key compromise scenario. when it happens they freeze