Sui DEX Cetus suspected of being hacked: Over $200M in potential losses

Update (May 22, 2025, 1:27 pm UTC): This article has been updated to add further data and statements by Hacken.

Cetus, a decentralized exchange (DEX) built on the Sui blockchain, is suspected to have been hit by a massive exploit that may have drained more than $200 million worth of digital assets.

Pseudonymous Web3 researcher COMDARE3 posted on X that “users report” that Sui-based DEX Cetus is being exploited.” They also shared a screenshot of Cetus market data on DEX Screener, showing many assets losing well over half of their value over the last 24 hours.

The team behind Extractor, an onchain monitoring tool developed by crypto cybersecurity company Hacken, confirmed that “at least $63m was already bridged to Ethereum, 20k ETH was just transferred to a fresh wallet” in a single transaction. A Hacken representative told Cointelegraph that these findings were confirmed by the company’s Web3 researcher, Yehor Rudytsia.

Cetus pool data shows that as of the time of writing, the DEX processed $2.9 billion worth of transactions on May 22, a significant increase over the $320 million reported on May 21. This heightened level of activity may have been caused by funds being siphoned out of the protocol.

Cetus did not immediately respond to Cointelegraph’s request for comments about the suspected exploit. A Sui team representative gave no comment to Cointelegraph regarding the Cetus situation.

Digital Forensics: Far-reaching consequences for the market

Some tokens, such as Lombard Staked BTC (LBTC) or AXOLcoin (AXOL) lost most of their value on Cetus. The top 15 losers all lost in excess of three-quarters of their price.

Knock-on effects have already become apparent, with the Sui-based money market, Scallop, halting all borrowing on its protocol. The protocol said in an X post that a further announcement would be made when operations resume, but assured users that funds are safe.

Outside Cetus, LBTC appears to have gained over 4% in value over the last day, according to CoinMarketCap data. Others, such as Axol (AXOL), have not been as fortunate, with CoinMarketCap data showing a loss of nearly 99.5%.

The alleged exploiter’s address contains nearly $52 million of Sui (SUI) tokens, $4.9 million of Haedal Staked SUI (HASUI), over $19.5 million of Toilet (TOILET), nearly $19.5 million of wrapped USDt (USDT) and many other assets.

The official Cetus X profile confirmed that an incident on the protocol was detected, and the smart contract was paused for safety. It added that an investigation was ongoing.

Related: Coinbase hacker trolls ZachXBT onchain after $42.5M THORChain swap

Digital Forensics: Suspicious fund transfers raise alarm

However, blockchain analysts and compliance firms are raising concerns about the project’s transparency. A representative from AMLBot told Cointelegraph:

“We’re seeing $212 million being bridged to Ethereum at a rate of $1 million per minute. That level of urgency suggests there may be more to the story than a simple bug.”

Related: AI tool claims 97% efficacy in preventing ‘address poisoning’ attacks

The AMLBot representative — referring to statements made by Cetus team members on Discord — further explained that while the Cetus team “is calling this incident ‘just a bug,’ — the timing raises questions.”

Onchain data service Onchain Lens stated in an X post that “the attacker gained control of all SUI-denominated pools, exploiting over $200M, and has also started moving $USDC.”

Magazine: DeFi’s billion-dollar secret: The insiders responsible for hacks