TRM Labs reports over $2.1 billion stolen across 75 cryptocurrency incidents during the first half of 2025.

Infrastructure attacks targeting private keys and seed phrases dominate theft methods while state-sponsored hackers increasingly use cryptocurrency crime for geopolitical objectives.

Bybit breach reshapes cryptocurrency theft landscape with $1.5 billion loss

The February 2025 Bybit hack was the largest crypto heist ever, with $1.5 billion stolen from the exchange in what TRM Labs attributes to North Korean state actors. The single breach accounted for nearly 70% of overall cryptocurrency losses for the first half of 2025 and changed the dynamics of theft.

The Bybit hack pushed the average hack size to almost $30 million, double the $15 million average recorded in H1 2024. Although February's figures were heavily skewed, January, April, May, and June each recorded over $100 million in total thefts, pointing to ongoing and widespread threats to the cryptocurrency space.

Seed phrase leaks and front-end hacks fuel major crypto losses in 2025. Source: TRM Labs

The magnitude of the Bybit hack made H1 2025 a record-breaking period for cryptocurrency theft, exceeding the previous H1 record, set in 2022, by around 10% and matching the total losses of 2024. The trend points to risk concentration at larger centralized exchanges and to their appeal to experienced threat actors.

TRM Labs noted: “This incident alone accounted for nearly 70% of total losses so far this year, pushing the average hack size to nearly USD 30 million, double the USD 15 million average in H1 2024.”

North Korean state actors dominate cryptocurrency theft operations

TRM Labs data attributes $1.6 billion of the assets stolen in H1 2025 to North Korea-linked actors, approximately 70% of total crypto theft for the period. The all-time high figure, combined with the Bybit hack, indicates the Democratic People’s Republic of Korea's growing use of illicit cryptocurrency gains for strategic purposes.

North Korean operations range from sanctions evasion to support for nuclear weapons initiatives and have become a central component of state policy. The volume of activity cements North Korea’s position as the most active state threat actor in the cryptocurrency space, using digital asset theft as an essential statecraft capability.

Other government actors are increasingly using cryptocurrency hacks for geopolitical ends. The reportedly Israel-linked group Gonjeshke Darande, or Predatory Sparrow, hacked Iran’s largest cryptocurrency exchange, Nobitex, on June 18, 2025, and stole more than $90 million in what seems to be a politically rather than financially motivated attack.

The hackers transferred the stolen Nobitex funds into unspendable vanity addresses without corresponding private keys. This suggests symbolic or political motivations as opposed to economic ones.

Infrastructure attacks dominate theft methods

Infrastructure attacks account for over 80% of funds stolen in H1 2025 and are ten times larger on average than all other types of attacks on cryptocurrency infrastructure. Infrastructure attacks target the technical underpinnings of digital asset infrastructure with the goal of achieving unauthorized control, influencing users, or diverting assets through compromised foundational security elements.

Theft of private keys and seed phrases and front-end compromise are the main infrastructure attack vectors, taking advantage of intrinsic vulnerabilities in cryptocurrency security infrastructure. Social engineering and insiders are normally behind these attacks, revealing vulnerabilities at the core of cryptographic security systems.

Protocol exploits accounted for another 12% of total losses, showing continued exposure in decentralized finance smart contracts. These attacks take advantage of weaknesses in a blockchain protocol's smart contracts or underlying logic to extract funds or take control of system behavior, using techniques such as flash loan and re-entrancy attacks.
