Crypto Hacks Hit $2.1B in H1 2025 as Infrastructure Breaches Rise

  • Infrastructure breaches accounted for over 80% of crypto losses, totaling $2.1B in H1 2025.
  • North Korea-linked hackers stole $1.6B, making up 70% of all H1 2025 crypto thefts.
  • Crypto hacks in H1 2025 matched the total number of exploits seen throughout 2024.

TRM Labs, a blockchain intelligence firm, reported that crypto hackers stole approximately $2.1 billion in the first half of 2025. More than 80% of these losses were attributed to infrastructure breaches, which include private key thefts, seed-phrase exploits, and the compromise of front-end platforms. These incidents averaged ten times the loss associated with typical protocol exploits, underscoring their severity.

TRM Labs said most of these attacks were made possible through social engineering or insider access. The firm defined infrastructure breaches as attacks that target the backbone of crypto operations (wallets, interfaces, and authentication systems) rather than exploiting on-chain logic. The scale of these incidents pushed the average hack size in 2025 to $30 million, up from $15 million in the same period last year.

An additional 12% of the losses was attributed to protocol-based vulnerabilities, including flash-loan and re-entrancy attacks on smart contracts. These bugs expose logic flaws in decentralized applications and continue to pose a significant concern in the decentralized finance (DeFi) industry.

North Korea-Linked Hackers Behind Most Crypto Thefts in 2025

TRM Labs attributed $1.6 billion, nearly 70% of all stolen funds, to state-backed groups linked to North Korea. The largest single incident, in February, was the compromise of Bybit, resulting in a loss of $1.5 billion, with the Lazarus Group identified as the primary suspect. This hack alone skewed the average hack size and almost reached the total stolen in 2024.

The report also mentioned an attack in June, where an Israeli-aligned hacking group, Gonjeshke Darande, infiltrated Iran’s Nobitex exchange. That attack resulted in a $90 million loss, with funds sent to wallets marked as “unspendable.” TRM highlighted this breach as an example of cryptocurrency theft being used as a geopolitical tool.

Crypto thefts in January, April, May, and June all exceeded $100 million. The frequency and magnitude of theft indicate growing coordination among cybercriminal groups and the continued vulnerability of crypto platforms to organized attacks.

TRM Urges Coordinated Industry Response and Stronger Safeguards

To mitigate the growing threat, TRM Labs encouraged the sector to implement enhanced security measures. These include improving cold storage, implementing advanced multi-layered verification, and detecting insider threats. Moreover, the company emphasized that on-chain protocols should audit their systems frequently and strengthen front-end security to minimize the attack surface.

The report also called for improved collaboration between exchanges, developers, and law enforcement agencies. TRM noted that cross-border investigations and real-time information sharing are critical to disrupting state-sponsored cyber activity.

Hackers have increasingly used stablecoins such as USDT on TRON to launder stolen assets. Mixers, cross-chain bridges, and chain-hopping remain commonly used obfuscation strategies. These tools enable attackers to transfer funds across several networks, making recovery difficult.

TRM Labs concluded that the crypto industry needs a unified and strategic approach to address rising threats. Without industry-wide cooperation and enforcement, the scale of future attacks could increase even further. According to the firm, the first half of 2025 has already set a concerning precedent.
