Crypto thefts skyrocketed in the first half of 2025, with over $2.1 billion stolen across at least 75 attacks—nearly matching 2024’s total and surpassing the previous H1 record set in 2022.

North Korea-Linked Groups Responsible for 70% of Losses

In the first half of 2025, over $2.1 billion in crypto was stolen across at least 75 distinct hacks and exploits, nearly equaling the total amount stolen in all of 2024. According to the latest TRM Crypto Crime report, the losses in the first half of 2025 surpass the record set in the first half of 2022 by roughly 10%. The report, however, shows the $1.5 billion Bybit hack in February accounting for almost 70% of the total losses.

Besides the colossal losses in February, TRM data shows January, April, May, and June as the only other months with losses exceeding $100 million. Only March had losses below $100 million.

As reported by several media outlets, North Korea-affiliated hackers are believed to be behind the Bybit breach. While the community response to the sophisticated attack made life difficult for the cybercriminals, media reports suggest that a significant chunk of the funds is lost forever. Meanwhile, the report notes the persistent and alarming role of state-sponsored crypto attacks and singles out Pyongyang as the chief culprit.

“We assess that North Korea-linked groups are responsible for $1.6 billion of the total amount stolen in the first half of 2025, representing about 70% of all stolen funds and cementing their position as the most prolific nation-state threat actor in the crypto space,” the report concludes.

While North Korea is believed to use funds stolen from digital asset exchanges to finance its weapons program, the report acknowledges that other state actors leverage crypto hacks for geopolitical ends. It cites the hacking of Iran’s largest crypto exchange, Nobitex, on June 18, 2025, for over $90 million by the Israeli-linked Gonjeshke Darande.

Unlike other groups that go on to spend the stolen funds, Gonjeshke Darande transferred the funds to unspendable vanity addresses. This act, the report asserts, “underscores how digital asset theft is becoming a covert instrument in geopolitical conflicts and national policy.”

Meanwhile, the TRM team found that infrastructure attacks, such as private key and seed phrase thefts or front-end compromises, accounted for over 80% of stolen funds in the first half of 2025. Protocol exploits, on the other hand, made up another 12%, highlighting persistent vulnerabilities in decentralized finance (DeFi) smart contracts.

To counter the growing threat posed by state-backed attackers, the TRM report urges the crypto industry to reinforce fundamental security: multi-factor authentication (MFA), cold storage and frequent audits. The industry must prioritize improving the detection of insider threats and strengthening defenses against advanced social engineering tactics.
