The first half of 2025 has marked a grim milestone for the cryptocurrency industry, with over $2.1 billion stolen across 75 distinct hacks and exploits, according to a recent report by TRM Labs.
This figure not only surpasses the previous first-half record set in 2022 by 10% but nearly matches the total losses from all of 2024, underscoring an escalating and increasingly sophisticated threat landscape.
The report highlights how cybercriminals, particularly state-sponsored actors, are exploiting vulnerabilities in digital asset platforms for both financial and geopolitical gains.
The most significant incident driving this record-breaking total was the February 2025 hack of the Dubai-based Bybit exchange, which resulted in a staggering $1.5 billion loss—the largest crypto heist in history.
Attributed to North Korea’s Lazarus Group, this breach alone accounted for nearly 70% of the total funds stolen in H1 2025, inflating the average hack size to $30 million, double that of H1 2024.
North Korea-linked groups were responsible for an estimated $1.6 billion in thefts, cementing the nation’s role as the most prolific state actor in the crypto-hacking space.
The Bybit hack, facilitated through a compromised Safewallet update, exemplifies how state-sponsored actors are leveraging advanced techniques to exploit systemic weaknesses.
Beyond the Bybit megahack, the report reveals a persistent and widespread threat, with January, April, May, and June each recording over $100 million in losses.
Infrastructure attacks, including private key and seed phrase compromises, accounted for over 80% of the stolen funds.
These attacks often involve social engineering, phishing, or insider threats, targeting the foundational security of crypto platforms.
For instance, the $100 million Bitget hack in April exposed private keys, while the $220 million Cetus Protocol exploit in May highlighted vulnerabilities in decentralized finance (DeFi) platforms.
Protocol-level exploits, such as flash loan manipulations and re-entrancy attacks, contributed 12% of losses, underscoring persistent smart contract vulnerabilities.
A disturbing trend in H1 2025 is the growing use of crypto hacks as a tool of geopolitical warfare.
The June 18 attack on Iran’s largest crypto exchange, Nobitex, by the Israel-linked group Gonjeshke Darande (Predatory Sparrow), resulted in a $90 million theft.
Unlike typical financially motivated hacks, the stolen funds were sent to unspendable vanity addresses with anti-IRGC messaging, signaling a symbolic and political motive.
This incident, amid escalating Israel-Iran tensions, highlights how digital assets are becoming strategic targets in global conflicts.
TRM Labs warns that such attacks reflect a “pivotal shift” in crypto hacking, with state actors increasingly using cyberattacks to advance geopolitical agendas.
The report also sheds light on the broader implications for the crypto ecosystem.
Despite efforts to bolster security through audits and white-hat bounties, the scale of losses suggests that current measures are insufficient.
TRM Labs recommends urgent reforms, including increased use of cold storage, multi-factor authentication, and ongoing threat testing.
The firm also emphasizes the need for international cooperation among law enforcement, intelligence agencies, and blockchain forensic firms to counter state-sponsored threats.
The Bybit hack, for example, prompted discussions about the effectiveness of cold wallet storage mandates, with authorities exploring technology-neutral security policies.
The surge in H1 2025 hacks underscores the dual-use nature of crypto infrastructure: while it empowers financial innovation, it also serves as a vector for illicit activity.
North Korea’s use of stolen funds to bankroll its nuclear program and the Nobitex hack’s role in geopolitical signaling illustrate how crypto crime has transcended traditional financial motives.
As TRM Labs notes, “digital asset theft has morphed into a tool of statecraft,” demanding a coordinated global response.”
For the crypto industry, the path forward requires not only enhanced cybersecurity but also proactive intelligence sharing to mitigate risks and protect the ecosystem from increasingly sophisticated adversaries.
As the crypto sector grapples with these evolving threats, the TRM Labs report serves as a wake-up call.
With losses already rivaling annual totals and state-sponsored actors intensifying their efforts, the industry must prioritize robust security measures and global collaboration to safeguard digital assets in this new era of cybercrime.