H1 2025 Crypto Hacks and Exploits: A New Record Amid Evolving Threats
The first half of 2025 has delivered a stark reminder of the crypto ecosystem’s vulnerabilities, with over USD 2.1 billion stolen across at least 75 distinct hacks and exploits. This marks a significant surge in illicit activity — surpassing the previous H1 record set in 2022 by roughly 10% and nearly equaling the total amount stolen in all of 2024 — and highlights an increasingly concentrated threat to digital assets.
The Bybit breach: A defining event driven by state actors
The largest cryptocurrency hack on record reshaped the entire narrative of H1 2025: the USD 1.5 billion attack on Dubai-based crypto exchange Bybit in February, which we assess was carried out by North Korea. This incident alone accounted for nearly 70% of total losses so far this year, pushing the average hack size to nearly USD 30 million — double the USD 15 million average in H1 2024. Although February's Bybit hack massively skewed the H1 total, January, April, May, and June still saw total thefts in excess of USD 100 million, indicating a broad, persistent threat.
North Korea's continued predominance and the evolving landscape of state-sponsored crypto hacks
Building on the Bybit incident, our analysis reveals the persistent and alarming role of state-sponsored crypto attacks, where thefts serve as a critical tool of statecraft. We assess that North Korea-linked groups are responsible for USD 1.6 billion of the total amount stolen in H1 2025, representing about 70% of all stolen funds and cementing their position as the most prolific nation-state threat actor in the crypto space. This staggering figure, significantly bolstered by the Bybit theft, indicates a persistent and escalating effort by the Democratic People’s Republic of Korea (DPRK) to leverage illicit cryptocurrency gains, not only to evade sanctions and finance strategic objectives, such as its nuclear weapons program, but also as an integral component of its statecraft.
Although North Korea remains the dominant force in this arena, incidents such as the June 18, 2025 hack of Iran’s largest crypto exchange, Nobitex, for over USD 90 million by the reportedly Israel-linked group Gonjeshke Darande (also known as Predatory Sparrow) suggest that other state actors may increasingly leverage crypto hacks for geopolitical ends. In the Nobitex hack, Gonjeshke Darande claimed to have targeted the exchange due to its central role in helping the Iranian regime circumvent international sanctions and finance illicit activities.
Notably, the attackers transferred stolen funds to deliberately unspendable vanity addresses (addresses known or suspected to lack corresponding private keys), indicating that they had no intent or capability to access these funds and strongly suggesting that their motivations were symbolic or political rather than financial. Such events underscore how digital asset theft is becoming a covert instrument in geopolitical conflicts and national policy.
Attack vectors and modus operandi
Infrastructure attacks, such as private key and seed phrase thefts and front-end compromises, accounted for over 80% of stolen funds in H1 2025 and were, on average, ten times larger than other attack types. Infrastructure attacks are techniques that target the technical backbone of the digital asset system to gain unauthorized control, mislead users, or reroute assets. Often enabled by social engineering or insider access, these breaches expose critical weaknesses at the foundation of crypto security.
Protocol exploits — including flash loan and re-entrancy attacks — made up another 12%, highlighting persistent vulnerabilities in DeFi smart contracts. These attacks target vulnerabilities in a blockchain protocol’s smart contracts or core logic to extract funds or disrupt system behavior.
Lessons from previous periods and the path forward
H1 2025 marks a pivotal shift in crypto hacking: escalating strategic intent from state actors and other geopolitically motivated groups. Massive breaches, often linked to nation-state operations, now demand more than traditional cybersecurity. The industry must reinforce fundamental security — multi-factor authentication (MFA), cold storage, and frequent audits — while crucially elevating defenses against state-level capabilities by prioritizing insider threat detection and advanced social engineering countermeasures.
The path forward requires multifaceted collaboration. Enhanced cooperation among global law enforcement, financial intelligence units, and specialized blockchain intelligence firms such as TRM Labs is critical for rapidly identifying, tracking, and recovering stolen funds. Proactive information sharing and coordinated international approaches to prosecuting state-sponsored cybercriminals are paramount for effective deterrence.
As digital assets increasingly intertwine with national security, so too will the sophistication and geopolitical motives of their exploiters. H1 2025’s record thefts are a stark call to action for a collective, sustained, and strategically aligned security posture — one prepared not just for crime, but for covert acts of statecraft.
Crypto hacks FAQs
What caused the spike in cryptocurrency thefts in H1 2025?
The surge in crypto thefts — totaling over USD 2.1 billion across 75 incidents — was largely driven by infrastructure attacks and state-sponsored activity, particularly the Bybit breach, which alone accounted for nearly 70% of total stolen funds.
Why is the Bybit hack considered so significant?
The February 2025 Bybit breach — attributed to North Korea — is the largest ever crypto hack, with USD 1.5 billion stolen. It reshaped the narrative for the year, inflating average hack size and underscoring the strategic use of cybercrime by nation-states.
Are state actors increasingly using crypto hacks as tools of statecraft?
Yes — groups linked to countries like North Korea and reportedly Israel have used digital asset theft to further geopolitical aims. These hacks increasingly appear symbolic or strategic rather than financially motivated, pointing to a shift in how crypto crime is weaponized.
What types of attacks led to the most crypto losses in early 2025?
Infrastructure attacks — including private key and seed phrase thefts — dominated the landscape, making up more than 80% of losses. These methods exploit foundational weaknesses in crypto systems and are often amplified by social engineering.
How should the crypto industry respond to escalating threats?
The scale and sophistication of attacks in H1 2025 call for a dual approach — bolstering fundamental security and prioritizing collaboration with law enforcement and intelligence partners. A strategic, globally coordinated defense posture is critical going forward.