Cyber Incident Victim: Cetus
Date:
May 2025
Location:
—
Summary
We need to produce a concise incident summary (~45-180 words) as ONE paragraph (>=2 sentences). Rules: (1) No calendar dates or years. (2) No headings, labels, bullets, or intro phrases. (3) Plain factual narrative only—no recommendations or speculation. (4) Avoid repeating the victim name more than once. (5) If multiple impacts, synthesize succinctly. Output ONLY the paragraph—no quotes, no prefix, no suffix.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 22, 2025, pseudonymous Web3 researcher COMDARE3 posted on X that users were reporting an exploit affecting the Sui-based decentralized exchange Cetus, accompanied by a screenshot showing many assets losing over half their value in the previous 24 hours. Hacken’s onchain monitoring tool Extractor confirmed that at least $63 million had already been bridged to Ethereum, with a single transaction moving 20,000 ETH to a fresh wallet. Cetus protocol data indicated that the exchange processed $2.9 billion worth of transactions on May 22, a sharp increase from the $320 million recorded on May 21, which the team attributed to funds being siphoned out of the protocol. A Cetus representative later stated that an attacker had stolen approximately $223 million from the protocol, of which $162 million had been frozen.
The exploit caused severe price declines for several tokens traded on Cetus, with Lombard Staked BTC (LBTC) and AXOLcoin (AXOL) losing most of their value and the top 15 losers each shedding more than three‑quarters of their price. As a knock‑on effect, the Sui‑based money market Scallop halted all borrowing on its platform, announcing that a further update would be provided when operations resume while assuring users that funds remained safe. Outside the Cetus ecosystem, LBTC gained over 4 % in value over the last day according to CoinMarketCap, whereas AXOL fell nearly 99.5 % over the same period. The attacker’s address was found to hold nearly $52 million in Sui tokens, $4.9 million in Haedal Staked SUI (HASUI), over $19.5 million in Toilet (TOILET), nearly $19.5 million in wrapped USDt and various other assets.
Following detection, the official Cetus X profile confirmed that an incident had been identified, the smart contract was paused for safety, and an investigation was underway. Cetus said it was working with the Sui Foundation and other ecosystem members to develop next‑step solutions aimed at recovering the remaining stolen funds. A Sui representative noted that Cetus had collaborated with other DeFi protocols, the Sui Foundation and network validators, and that a large number of validators had identified the addresses holding the stolen funds and were ignoring transactions on those addresses until further notice. AMLBot reported that approximately $212 million had been bridged to Ethereum at a rate of about $1 million per minute, and the Cetus team had characterized the incident internally as “just a bug,” a characterization that AMLBot said raised questions given the timing. Onchain Lens added that the attacker had gained control of all SUI‑denominated pools, exploited over $200 million, and had begun moving USDC.