Crypto Hacks Surge 10% in H1 2025, North Korea Linked to $1.6 Billion Theft

Generated by AI Agent Coin World
Friday, Jun 27, 2025 12:17 pm ET

The first half of 2025 has seen a significant surge in crypto hacking, with infrastructure attacks and state-sponsored activities playing a major role. According to the latest report by blockchain intelligence platform TRM Labs, more than $2.1 billion was lost in the first half of this year across at least 75 distinct hacks and exploits. This figure is 10% higher than the previous H1 crypto hacking record from 2022 and nearly equal to the total stolen amount over the entire year of 2024. This data highlights an increasingly concentrated threat to digital assets.

Infrastructure attacks, such as private key and seed phrase thefts and front-end compromises, accounted for over 80% of stolen funds in H1 2025. These attacks were, on average, ten times larger than other attack types. Protocol exploits, including flash loan and reentrancy attacks, accounted for 12% of the total stolen funds. Protocol exploits target vulnerabilities in a blockchain’s smart contracts or core logic to steal funds or disrupt system behavior, and their share shows that vulnerabilities in DeFi smart contracts persist.

The report also highlights the persistent and alarming role of state-sponsored crypto attacks. North Korea-linked groups, such as the notorious Lazarus, were behind the Bybit incident, which alone accounted for nearly 70% of the total stolen amount in H1 2025. These groups are responsible for $1.6 billion, or some 70%, of that total. TRM Labs describes them as “the most prolific nation-state threat actor in the crypto space.” North Korea is leveraging illicit crypto gains not only to evade sanctions but also as an integral component of its statecraft.

Other significant threats include the Israel-linked group Gonjeshke Darande, also known as Predatory Sparrow. This group hacked Iran’s largest crypto exchange, Nobitex, on 18 June, stealing $90 million. The group released the platform’s full source code, exposing users to further risk. This attack suggests that other state actors may increasingly leverage crypto hacks for geopolitical ends. The attackers transferred stolen funds to deliberately unspendable vanity addresses, suggesting political motives.

TRM Labs concludes that the path forward requires multifaceted collaboration. This includes better cooperation among global law enforcement, financial intelligence units, and specialized blockchain intelligence firms. As digital assets increasingly intertwine with national security, so too will the sophistication and geopolitical motives of their exploiters. The report warns that massive breaches, often linked to nation-state operations, now demand more than traditional cybersecurity.
