Cryptocurrency security incidents cost $116 million in losses in September


Lunaray’s monthly security incident highlights are here! According to statistics from several blockchain security monitoring platforms, the cryptocurrency market lost about $116 million in September 2025 to hacking, fraud, and vulnerability exploits, a decrease of approximately 36% from the previous month ($181 million in August). A total of 32 security incidents took place, with framework vulnerability attacks making up the largest share (62%, or roughly $71.9 million). Centralized exchanges and cross-chain protocols were the primary targets, with attack methods showing a mix of “privilege hijacking, asset liquidation, and market capitalization destruction,” such as multi-sig private key leaks and token issuance attacks. The largest single loss reached $44.7 million, resulting from the theft at the Singapore exchange BingX.

Hacker attacks

6 typical security incidents

• Bunni DEX Flash Loan Attack

Loss: Over $8.4 million.

Incident Details: On September 2nd, Bunni DEX, built on Uniswap v4, was hit by a flash loan attack. The attacker exploited a rounding error vulnerability in the smart contract to manipulate prices using a 3 million USDT flash loan. The attacker then drained the liquidity pool through 44 small withdrawals, ultimately profiting over $8.4 million. The project immediately paused the contract and released a patch, and BlockSec simultaneously tracked the funds.

• Nemo Protocol Oracle Manipulation Incident

Loss: About $2.4 million.

Incident Details: On September 9th, the price oracle vulnerability of Nemo Protocol, a DeFi protocol on the Sui chain, was exploited. The attacker manipulated price data to achieve arbitrage, leading to the theft of approximately $2.4 million in assets.

• WET Token Flash Loan Arbitrage Attack

Loss: About $40,000.

Incident Details: On September 17th, the WET Token on the BNB Smart Chain was attacked via a flash loan. The attacker borrowed 5 million BUSD from the Moolah platform and manipulated the WET/BUSD trading pair price, exploiting a vulnerability in the target contract’s redemption function to achieve arbitrage, ultimately making a profit of about $40,000. The funds were then converted to BNB and transferred.

• BingX Exchange Asset Theft Incident

Loss: Over $44.7 million USD.

Incident Details: On September 21st, the hot wallet of Singapore-based centralized exchange BingX was hacked. After detecting an abnormal outflow of funds, the platform urgently suspended services and transferred assets. The platform later announced that it would use its own funds to fully compensate users for their losses.

• UXLINK Multi-Sig Permission Hijacking Incident

Loss: Officially disclosed: $11.3 million (on-chain cashout: $28.1 million).

Incident Details: On September 23rd, the multi-sig wallet of the decentralized social platform UXLINK was compromised. Hackers transferred 4 million USDT, 500,000 USDC, and various other assets, issued 10 trillion additional tokens, and then sold them for cash. The token price plunged 80%, wiping out over $100 million in market capitalization.

• SFUND Cross-Chain Bridge Asset Theft

Loss: Over $1.7 million.

Incident Details: On September 23rd, the cross-chain bridge vault of the launchpad platform Seedify.fund was drained by hackers, with assets worth over $1.7 million stolen. This caused the SFUND token to hit a new all-time low, with its market capitalization shrinking by over $10 million.

• GAIN Token Cross-Chain Vulnerability Attack

Loss: Undisclosed (hackers cashed out roughly $1.2 million; market capitalization fell by over $120 million).

Incident Details: On September 25th, GriffinAI’s token, GAIN, was attacked because of a vulnerability in the LayerZero cross-chain protocol. Hackers built Ethereum contract nodes and illegally issued 5 billion GAIN tokens, which they then sold. Within an hour, the price plummeted 98% from $0.163 to $0.003. The hackers converted the stolen funds into BNB and transferred them across the chain to Ethereum, where they ultimately ended up in the Tornado Cash mixing service. As of September 30th, GriffinAI had not officially disclosed the platform’s direct asset losses, and mainstream security firms had not released clear on-chain fund tracking data. However, the token’s market capitalization fell by over $120 million, and some users had already suffered real losses as a result of the price crash.

Rug Pull / Phishing Scam

6 typical security incidents

(1) On September 2, a Venus user was targeted by a phishing attack. He mistakenly clicked on a fake Zoom meeting link and ran malicious code, leading to the transfer of around $13 million in assets. The Venus team recovered the funds within 13 hours through a protocol pause and forced liquidation.

(2) On September 8, the address beginning with 0xB860 lost $180,390 after signing an “authorization” phishing transaction.

(3) On September 18, the address beginning with 0x0d18 lost $6.28 million worth of stETH and aEthWBTC after signing multiple phishing “permit” signatures.

(4) On September 20, the address beginning with 0xA4Ce lost $80,462 worth of tokens after signing a malicious EIP-7702 batch transaction.

(5) On September 23, the UXLINK attacker address appeared to sign a malicious “increase allowance” phishing contract approval, causing roughly 542 million UXLINK to be transferred to the phishing address.

(6) On September 28, the address beginning with 0x380cb lost $78,187 because of a phishing approval signed 623 days earlier.
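Item (6) shows that an approval stays usable long after it is signed. The following is an added example, not part of the original report: it replays decoded ERC-20 `Approval` events for one wallet and flags allowances that are still live and older than a threshold. The event list, token names and spender addresses are constructed placeholders, and the 90-day threshold is an assumption.

```python
from datetime import datetime, timezone

UNLIMITED = 2**256 - 1  # the usual "infinite approval" amount

# Constructed sample: decoded ERC-20 Approval events for a single owner wallet.
# Tokens, spenders and timestamps are placeholders, not data from the incidents.
SAMPLE_EVENTS = [
    {"ts": "2024-01-14T09:00:00Z", "token": "TOKEN_A", "spender": "0xSPENDER_1", "value": UNLIMITED},
    {"ts": "2024-03-02T12:00:00Z", "token": "TOKEN_B", "spender": "0xSPENDER_2", "value": 5_000},
    {"ts": "2024-06-10T08:30:00Z", "token": "TOKEN_B", "spender": "0xSPENDER_2", "value": 0},
    {"ts": "2025-09-20T17:45:00Z", "token": "TOKEN_C", "spender": "0xSPENDER_3", "value": UNLIMITED},
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def live_allowances(events):
    """Replay events in time order; the latest Approval per (token, spender) wins."""
    state = {}
    for ev in sorted(events, key=lambda e: _parse(e["ts"])):
        key = (ev["token"], ev["spender"])
        if ev["value"] == 0:
            state.pop(key, None)   # approve(spender, 0) revokes the allowance
        else:
            state[key] = ev
    return state

def stale_approvals(events, as_of, max_age_days=90):
    """Return live allowances older than max_age_days, oldest first."""
    now = _parse(as_of)
    findings = []
    for (token, spender), ev in live_allowances(events).items():
        age = (now - _parse(ev["ts"])).days
        if age > max_age_days:
            findings.append({
                "token": token,
                "spender": spender,
                "age_days": age,
                "unlimited": ev["value"] == UNLIMITED,
            })
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)

if __name__ == "__main__":
    for f in stale_approvals(SAMPLE_EVENTS, as_of="2025-09-28T09:00:00Z"):
        print(f)
```

`Approval` events only cover allowances set on-chain; a signed permit message that has not yet been submitted leaves no log, so it has to be caught at signing time in the wallet.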

Summary

September’s crypto security incidents showed three new characteristics. First, the attack targets became stratified, hitting both centralized institutions like BingX ($44.7 million in losses) and high-net-worth users of the Venus Protocol ($13 million), affecting both individual and institutional defenses.

Second, the types of technical vulnerabilities became more concentrated. Bunni’s rounding error, GAIN’s cross-chain verification flaw, UXLINK’s multi-sig vulnerability, and WET Token’s price manipulation vulnerability made up 78% of the total losses, with underlying smart contract logic flaws becoming the primary risk factor.

Third, phishing and rug pull techniques evolved, with cases of hackers themselves being phished and then exploited. Rug pulls that destroy evidence through account deletion have become significantly stealthier.

Compared to August (21 incidents, $181 million in losses), the number of incidents in September increased by 52%, but the amount of losses decreased by 36%, reflecting a trend of “decentralization and increased frequency” in attacks. It is recommended that platforms strengthen smart contract fuzz testing and cross-chain node verification. Individual users should be wary of fake meeting links and authorizations from unknown sources. Project teams should establish a real-time early warning mechanism for asset changes.
