Crypto Theft Surges to $2.1 Billion in H1 2025, Fueled by State-Backed Cyber Attacks – TRM Labs
Cryptocurrency thefts have soared to $2.1 billion in just the first half of 2025, according to a newly released report by blockchain intelligence firm TRM Labs. The study highlights a dramatic escalation in both the scale and geopolitical implications of crypto-related cybercrime, marking a 10% increase over the previous record for the first half of any year, set in 2022.
This year’s figures nearly surpass the total global crypto thefts recorded throughout 2024, signalling a shift in threat actors, techniques, and motivations.
Bybit Hack: The Largest Crypto Theft in History
The single most significant event of 2025 so far was the $1.5 billion hack of Dubai-based crypto exchange Bybit in February. TRM Labs attributes this massive breach to North Korean state-sponsored actors, describing the attack as a turning point in the global cyber threat landscape.
“The Bybit attack redefined the threat landscape. It underscored how cryptocurrency theft has evolved into a tool of statecraft,” TRM Labs stated.
The Bybit breach alone accounted for nearly 70% of all crypto losses in H1 2025, pushing the average hack size to $30 million, double that of the same period last year.
North Korea Dominates as Crypto’s Top Nation-State Threat
TRM Labs found that North Korea-linked hacking groups were responsible for $1.6 billion of the total crypto stolen so far this year. The country has solidified its position as the most prolific nation-state actor in the digital asset threat space.
These operations are not only financial but increasingly political and strategic, posing national security concerns for nations around the world.
New Nation-State Players: Geopolitical Motives Emerge
Beyond North Korea, other state-backed actors are now emerging. On June 18, 2025, Iran’s largest exchange Nobitex was hacked for over $90 million by a suspected Israel-affiliated cyber group called Gonjeshke Darande (Predatory Sparrow).
Unlike traditional financial heists, the attackers transferred funds to vanity wallet addresses, rendering them unspendable, which suggests a motive focused on political messaging and sabotage, not profit.
How Hackers Are Stealing Crypto in 2025
According to TRM Labs, more than 80% of stolen funds resulted from infrastructure attacks, breaches of crypto platforms’ technical underpinnings. These include:
- Private key thefts
- Seed phrase exposure
- Front-end compromises
- Social engineering and insider threats
These attacks were on average 10 times more damaging than other types, such as decentralised finance (DeFi) exploits.
Meanwhile, DeFi vulnerabilities like flash loans and reentrancy attacks accounted for 12% of total losses, exposing ongoing flaws in smart contract security despite years of audits and warnings.
Call for Global Crypto Security Overhaul
TRM Labs warns that the industry can no longer rely on outdated security measures. The firm advocates for a new defence paradigm in response to the evolving and state-sponsored threat landscape.
Key recommendations include:
- Multi-factor authentication (MFA)
- Cold wallet storage
- Routine smart contract audits
- Enhanced insider threat detection
- Counter-social engineering training
In addition, the report calls for global collaboration between regulators, law enforcement, and analytics firms to trace and recover stolen funds. TRM Labs also recommends international legal frameworks, real-time information sharing, and sanctions against nation-state hackers to create effective deterrence.
Conclusion
The TRM Labs report on cryptocurrency thefts in the first half of 2025 presents a stark reality: digital assets are now frontlines in global cyber warfare. As hacks grow in volume and complexity—often tied to geopolitical motives—the industry and regulators alike must step up with aggressive, coordinated responses.
With nearly $2.1 billion lost in just six months and state-sponsored actors driving the surge, the need for robust, unified crypto security has never been more urgent.
