- TRM Labs confirmed that $1.6B in crypto losses were caused by North Korea-related hacks in H1 2025.
- The Bybit breach alone accounted for nearly 70% of H1 2025 crypto losses, totaling $1.5B.
- Infrastructure attacks made up over 80% of stolen crypto funds in the first half of 2025.
The new report by blockchain intelligence company TRM Labs reported 75 incidents involving stolen crypto assets worth more than $2.1 billion in the first half of 2025. This figure represents a 10% increase compared to the prior H1 record in 2022 and almost matches the 2024 total for the entire year. Targeted infrastructure attacks and increased state-sponsored cyber operations have contributed much to this surge.
TRM Labs points to the February hack of the Bybit exchange, which was reported as the largest hack in the history of cryptocurrencies. North Korean hackers caused the incident, which resulted in a loss worth $1.5 billion, accounting for nearly 70% of all stolen funds in H1. This one incident skewed the average hack size to $30 million, double the H1 2024 average of $15 million.
State-Sponsored Cyberattacks Dominate 2025 Crypto Breaches
According to TRM Labs, North Korea-affiliated groups have been responsible for $1.6 billion in thefts alone or close to 70% of all funds stolen in the first half of 2025. Analysts view these attacks as a strategic tool for the Democratic People’s Republic of Korea (DPRK) to evade sanctions and fund its weapons program.
In addition to the Bybit hack, a hack on June 18 occurred on, Nobitex, Iran’s largest cryptocurrency exchange, which exposed more geopolitical interests. Hacker group Gonjeshke Darande, allegedly linked to Israel, took credit for the $90 million heist. The funds were sent to vanity wallet addresses that cannot be accessed, indicating the action was likely symbolic or politically motivated.
TRM Labs noted the hack occurred shortly after Israeli airstrikes on June 13 and just before Israel announced the arrest of three individuals allegedly spying for Iran. Two of the suspects were paid in cryptocurrency. The report suggests a possible intelligence connection, though Israeli officials have not confirmed it.
The Nobitex breach reflects a growing trend where digital asset theft becomes an extension of national conflict. Chainalysis reports that Nobitex serves a central role in Iran’s sanctioned financial network and has ties to previously identified illicit actors.
Also Read: Lazarus Group Linked to Massive Hack That Drained 6 Crypto Wallets
Infrastructure Breaches and Protocol Exploits Continue to Surge
According to TRM Labs, infrastructure attacks include seed phrase thefts, private key compromises, and front-end hijacks, accounting for over 80% of crypto losses in H1 2025. These attacks exploit system-level weaknesses and are often supported by social engineering tactics or insider involvement.
Furthermore, Protocol exploits accounted for about 12% of the stolen funds. These included flash loan manipulations and re-entrancy attacks that targeted smart contract vulnerabilities in decentralized finance (DeFi) platforms.
TRM Labs recommends urgent reforms in security practices across the crypto ecosystem. The firm’s analysts recommend increasing the use of cold storage, multi-factor authentication, and ongoing threat testing. It also emphasize on the importance of international cooperation between law enforcers, intelligence agencies, and blockchain forensic firms.
The number and scale of H1 2025 breaches suggest that crypto security has become a direct concern for national security. With geopolitical interests intensifying, digital asset platforms need to strengthen security to prevent both criminal entities and highly organized government-sponsored activities.
Also Read: Cetus Protocol Restarts with Fresh Plan and Compensation after $223 Million Hack