In a grim reminder of the growing vulnerabilities in the digital asset space, a new report by TRM Labs reveals that bad actors siphoned $2.1 billion worth of crypto in the first half of 2025 across 75 incidents. The findings highlight how increasingly sophisticated cyberattacks many with alleged geopolitical backing continue to plague the crypto industry at unprecedented scale.
Infrastructure Attacks Dominate
According to the blockchain intelligence firm, over 80% of stolen funds resulted from infrastructure-level exploits, including:
- Private key thefts
- Seed phrase compromises
- Front-end hijacks
These types of attacks which target the core technical layers of crypto systems were not only the most damaging but also yielded 10 times more value per incident compared to other methods.
“Digital asset theft is becoming a covert instrument in geopolitical conflicts and national policy,” TRM researchers noted.
The Bybit Breach: A Billion-Dollar Shock
The largest crypto hack of 2025 thus far occurred in February, when $1.5 billion was stolen from Dubai-based exchange Bybit. The incident, attributed to North Korean state-sponsored hackers, alone accounted for nearly 70% of total losses this year and heavily skewed average figures.
The average hack size in H1 2025 rose to $30 million, double the average reported during the same period in 2024.
Nobitex and Geopolitical Escalation
Another high-profile exploit occurred on June 18, when Iran’s largest crypto exchange Nobitex was breached by Gonjeshke Darande, also known as Predatory Sparrow a hacker group believed to be linked to Israeli intelligence. The attack saw over $90 million transferred to unspendable vanity addresses, effectively rendering the stolen crypto unusable.
This, according to TRM Labs, signals a new phase in crypto warfare, where state-sponsored actors increasingly weaponize cyberattacks for political leverage.
“Although North Korea remains the dominant force in this arena, incidents such as reportedly Israel-linked group Gonjeshke Darande hacking Iran’s Nobitex […] suggest other state actors may increasingly leverage crypto hacks for geopolitical ends,” the report added.
Beyond Hacks: Protocol Exploits Still Loom
While infrastructure attacks led the charge, protocol-level exploits such as flash loan abuse and re-entrancy attacks accounted for around 12% of H1 losses. These exploits typically target smart contract vulnerabilities in decentralized finance (DeFi) platforms.
Historical Context and Growing Threat
The $2.1 billion figure marks a 10% increase over H1 2022’s record and nearly matches the full-year total for 2024, underscoring the escalating threat landscape. TRM Labs also referenced earlier findings from Immunefi and PeckShield, which reported over $1.63 billion in crypto thefts across 60 attacks in Q1 2025 alone.
Notably, centralized exchanges accounted for 94% of the total H1 losses, driven by the catastrophic breaches at Bybit and Phemex.
TRM’s Recommendations: Security Must Evolve
To combat the rising tide of cyberattacks, TRM Labs recommends that exchanges and protocol developers implement stronger safeguards, including:
- Multi-factor authentication (MFA)
- Cold wallet storage
- Routine security audits
- Employee training and anti-social engineering defenses
“The crypto industry must treat cybersecurity as an existential priority,” the report concludes.
