A staggering $2.1 billion worth of cryptocurrency was stolen in the first half of 2025, according to a new report by blockchain intelligence firm TRM Labs. The report details 75 incidents involving stolen crypto assets, marking a 10% jump over the previous record set in H1 2022. This year’s losses nearly match the entire annual total for 2024, underscoring the intensifying threat to digital asset platforms worldwide.
TRM Labs attributed the surge largely to state-sponsored cyberattacks and sophisticated infrastructure breaches. The average hack size this year ballooned to $30 million, double the H1 2024 average of $15 million.
Bybit Hack Shatters Records, Dominates Losses
At the heart of this year’s crypto crime wave was the catastrophic February hack of Bybit, a major exchange. The breach, described by TRM Labs as the largest in crypto history, resulted in $1.5 billion in losses, accounting for nearly 70% of all stolen funds in H1 2025. The attack has been attributed to hackers linked to North Korea, reinforcing concerns over the Democratic People’s Republic of Korea (DPRK) using cybercrime to evade sanctions and finance weapons development.
“North Korea-affiliated groups have been responsible for $1.6 billion in thefts alone or close to 70% of all funds stolen in the first half of 2025,” the report stated. Analysts warn that these operations are becoming increasingly central to the DPRK’s strategy for funding state activities amid international sanctions.
Nobitex Breach Highlights Geopolitical Cyber Warfare
Another significant incident occurred on June 18, when Iran’s largest cryptocurrency exchange, Nobitex, suffered a $90 million breach. Hacker group Gonjeshke Darande, allegedly tied to Israel, claimed responsibility. The stolen funds were funnelled into vanity wallet addresses that are inaccessible, suggesting a symbolic or politically motivated attack rather than a profit-driven heist.
The Nobitex hack took place just days after Israeli airstrikes on June 13 and shortly before Israel arrested three individuals accused of spying for Iran, two of whom had received payments in cryptocurrency. TRM Labs highlighted this timing as a possible sign of intelligence operations at play, though Israeli authorities have not confirmed any direct connection.
Chainalysis, a blockchain analytics company, has identified Nobitex as a key player in Iran’s sanctioned financial network, linking it to previously exposed illicit actors. The incident underscores how digital asset theft is increasingly being used as a tool in geopolitical conflicts.
Infrastructure Attacks Dominate as DeFi Vulnerabilities Persist
Beyond state-sponsored hacks, TRM Labs found that infrastructure attacks, ranging from seed phrase thefts and private key compromises to front-end hijacks, were responsible for more than 80% of all stolen crypto funds in H1 2025. These breaches typically exploit system-level weaknesses, often aided by social engineering or insider access.
Meanwhile, decentralised finance (DeFi) platforms continue to grapple with protocol exploits, which accounted for around 12% of stolen funds. These attacks frequently involve flash loan manipulations or re-entrancy exploits targeting smart contract vulnerabilities, further highlighting the persistent security challenges in DeFi.
Urgent Call for Stronger Security and Global Cooperation
TRM Labs’ analysts are calling for urgent reforms across the crypto ecosystem, emphasising that cryptocurrency security is now a matter of national security. The report recommends measures such as increased reliance on cold storage, adoption of multi-factor authentication, and routine threat testing to strengthen platform defences.
Moreover, TRM Labs stressed the importance of cross-border cooperation, calling for tighter collaboration between law enforcement, intelligence agencies, and blockchain forensic firms. The escalating involvement of state-sponsored actors in crypto hacks means future attacks could have far-reaching geopolitical consequences.
“The number and scale of H1 2025 breaches suggest that crypto security has become a direct concern for national security,” TRM Labs concluded. “Digital asset platforms must urgently strengthen their security posture to prevent both criminal entities and highly organised, government-backed operations from exploiting systemic vulnerabilities.”
As geopolitical tensions spill over into cyberspace, the crypto industry stands at a critical crossroads, facing mounting pressure to secure its infrastructure or risk becoming a battleground for international conflict.