Analyzing 2025 Crypto Attack Scenarios Through MITRE AADAPT TTPs
Executive Summary
In 2025, cryptocurrency thefts surpassed $2.17 billion in the first half alone, driven by sophisticated attacks on warm wallets and exchanges. MITRE's AADAPT (Adversarial Actions in Digital Asset Payment Technologies) framework, launched in July 2025, provides a tailored lens for understanding these threats.
Modeled after ATT&CK, AADAPT catalogs blockchain-specific tactics, techniques, and procedures (TTPs) across 11 tactics: Reconnaissance, Resource Development, Initial Access, Execution, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Collection, Impact, and Fraud.
MITRE AADAPT Framework Overview
Framework Structure
- • 11 Core Tactics (Reconnaissance to Fraud)
- • 38+ Techniques (Flash Loan Exploits, Smart Contract Attacks)
- • Blockchain-specific TTPs
- • Real-world attack mapping
Key Focus Areas
- • Consensus mechanism vulnerabilities
- • Smart contract exploitation
- • Wallet security gaps
- • Cross-chain bridge attacks
MITRE AADAPT Framework Launch
MITRE AADAPT Framework Launch
Comprehensive cybersecurity framework for digital asset payment technologies
Key 2025 Attack Scenarios
Bybit Hack (Feb, $1.5B Ethereum)
Attributed to North Korea's Lazarus Group (APT38), hackers exploited a third-party UI flaw in Safe Wallet during cold-to-warm transfers, using social engineering and malware to manipulate frontend and bypass multisig.
AADAPT/ATT&CK Mapping
- • Initial Access, Execution
- • Credential Access, Fraud
- • T1204 (User Execution)
- • T1555 (Credentials from Password Stores)
BigONE Breach (Jul, $27M)
Supply chain attack on CI/CD pipeline injected malicious code, altering withdrawal logic without key compromise.
AADAPT/ATT&CK Mapping
- • Resource Development
- • Initial Access, Defense Evasion
- • T1195 (Supply Chain Compromise)
Nobitex Attack (Jun, $90M)
Hacktivists used infostealer malware on employee devices to steal credentials and drain hot wallets.
AADAPT/ATT&CK Mapping
- • Credential Access, Collection
- • T1555.003 (Credentials from Web Browsers)
- • T1005 (Data from Local System)
ZKsync Hack (Apr, $5M ZK Tokens)
Compromised admin key exploited legacy airdrop contract for unauthorized minting.
AADAPT/ATT&CK Mapping
- • Privilege Escalation, Fraud
- • Exploit Smart Contract
- • Generate Counterfeit Tokens
Phishing/Drainer Scams (H1, $3.1B)
AI-driven fakes tricked users into malicious approvals, draining wallets via spoofed interfaces.
AADAPT/ATT&CK Mapping
- • Initial Access, Execution, Fraud
- • T1566 (Phishing)
- • T1204 (User Execution)
- • Manipulate Transaction History
Wrench Attacks (Ongoing, $128M Cumulative)
Physical coercion targeted high-value holders for keys and phrases.
AADAPT/ATT&CK Mapping
- • Collection, Impact
- • Physical Attacks (implied)
- • Highlights non-technical gaps
TTP Mapping Summary
The table below maps these attacks to AADAPT tactics and techniques (where applicable) or ATT&CK for broader cyber elements. AADAPT emphasizes blockchain-specific exploits like Chain Reorganization and Smart Contract Attacks, while ATT&CK covers general TTPs like Credential Access.
| Attack Scenario | AADAPT/ATT&CK Tactic | Key Techniques | Description & Relation |
|---|---|---|---|
| Bybit Hack | Initial Access, Execution, Credential Access, Fraud | AADAPT: Exploit Smart Contract Implementation, Flash Loan; ATT&CK: T1204, T1555, T1056.001 | Social engineering lured devs into executing malware (InvisibleFerret), stealing wallet creds and manipulating frontend for fraudulent transfers. |
| BigONE Breach | Resource Development, Initial Access, Defense Evasion | AADAPT: Acquire Infrastructure, Exploit External Services; ATT&CK: T1195 | Malicious code in CI/CD bypassed detection, altering logic for unauthorized withdrawals—classic supply chain exploit. |
| Nobitex Attack | Credential Access, Collection, Exfiltration | AADAPT: Exploit Unsecured Credentials; ATT&CK: T1555.003, T1005, T1048 | Infostealer malware harvested employee creds from devices/browsers, enabling wallet drains and data exfil. |
| ZKsync Hack | Privilege Escalation, Fraud | AADAPT: Exploit Smart Contract, Generate Counterfeit Tokens; ATT&CK: T1078 | Leaked admin key escalated to mint tokens via vulnerable contract, exploiting chain reorganization-like flaws. |
| Phishing/Drainer Scams | Initial Access, Execution, Fraud | AADAPT: Phishing Attacks, Manipulate Transaction History; ATT&CK: T1566, T1204 | Deceptive sites induced toxic approvals, draining via smart contract exploits—prevalent in 80% of 2024 losses. |
| Wrench Attacks | Collection, Impact | AADAPT: Physical Attacks (implied); ATT&CK: T1498 (less direct) | Coercion bypassed digital TTPs for key extraction; correlates with price highs, highlighting non-technical gaps. |
MITRE ATT&CK Matrix Overlay
MITRE ATT&CK Matrix Overlay
Relevant to crypto malware like InvisibleFerret used in banking trojans and crypto attacks
Insights and Recommendations
These attacks blend traditional cyber TTPs (e.g., phishing, malware) with blockchain-specific ones (e.g., smart contract exploits), as AADAPT highlights. Groups like APT38 evolve from SWIFT heists to crypto, using tools like InvisibleFerret for credential theft and exfiltration.
Mitigation Strategies
- Adopt AADAPT for threat modeling
- Implement multi-sig/MPC solutions
- Use hardware MFA for key access
- Conduct regular opsec training
Framework Evolution
- Quarterly updates to AADAPT ensure relevance
- Real-world attack mapping improves accuracy
- Cross-framework integration enhances coverage
- Community contributions drive innovation
Stay secure—crypto's future depends on it. 🛡️