Crypto Theft Hits $2.1 Billion in H1 2025 with Infrastructure Attacks and State Actors Driving Losses
- Crypto theft hits $2.1B in H1 2025, led by infrastructure attacks targeting private keys.
- North Korea responsible for 70% of losses, using crypto theft for sanctions evasion.
- Global cooperation and enhanced security needed to combat rising state-sponsored hacks.
Cryptocurrency theft reached a record $2.1 billion during the first half of 2025, according to data from TRM Labs. The rise in losses stems from network attacks targeting private keys and seed phrases, which accounted for over 80% of all stolen assets. This surge marks one of the highest theft volumes in recent years, propelled by a series of high-profile breaches and the increasing involvement of state-sponsored hacking groups.
The largest single event was the February 2025 hack of the Bybit exchange, where $1.5 billion was stolen. TRM Labs attributes this attack to North Korean state actors. This breach alone represented almost 70% of total crypto theft in the first half of the year and caused the average hack size to jump to nearly $30 million, double the average in H1 2024.
Beyond Bybit, other months such as January, April, May, and June each recorded thefts surpassing $100 million, reflecting a persistent threat environment targeting centralized exchanges.
The sheer scale of these incidents pushed 2025’s first half theft totals above the record set in 2022 by roughly 10%, matching the losses recorded for the entirety of 2024. The growing concentration of risk at large exchanges has drawn experienced threat actors seeking significant returns.
North Korea’s Dominant Role in Crypto Theft
TRM Labs identified North Korea as the most active state actor in crypto theft during this period, responsible for approximately $1.6 billion, or 70% of the total stolen assets. These illicit activities align with the country’s broader goals, including sanctions evasion and funding nuclear weapons programs. Cryptocurrency theft has become a core component of North Korea’s statecraft, reflecting an institutionalized effort to harness digital asset crime for strategic purposes.
Beyond North Korea, other government-linked hacking groups have also exploited cryptocurrency platforms for political objectives. On June 18, 2025, the Israel-associated group Gonjeshke Darande, also known as Predatory Sparrow, hacked Iran’s largest crypto exchange, Nobitex, and stole over $90 million. The stolen funds were transferred to vanity addresses lacking private keys, indicating the theft served symbolic or political purposes rather than financial gain.
Enhanced Security and Global Collaboration Needed
TRM Labs pointed out the urgent need for strengthened defenses against sophisticated state-level threats. Recommendations include enhanced insider threat detection and improved measures against social engineering attacks.
The report also stresses the importance of global cooperation among law enforcement, financial intelligence units, and blockchain analytics firms to track stolen funds and hold perpetrators accountable. The first half of 2025 shows a shift in the cryptocurrency theft landscape, with technical attacks and state-sponsored operations dominating losses.