H1 2025 Hacks Hit $2.1B Record, Led by North Korean Actors: Report

A new report by TRM Labs has revealed that 2025 has had the worst ever first half of the year in terms of hacks and exploits, with more than $2.5 billion stolen in that period.

However, while the figure surpassed the previous H1 record set in 2022, the numbers were considerably skewed by just one incident, a $1.5 billion attack on Dubai-based crypto exchange Bybit.

The Defining Breach

The Bybit breach, which happened in February, was not just the largest crypto hack ever; it was a geopolitical act, with TRM Labs, alongside several other security firms, attributing it to North Korean state-sponsored actors.

According to the report, the incident accounted for nearly 70% of all crypto thefts in the first half of 2025 and inflated the average hack size to $30 million, double that of H1 2024’s figure. In total, there were about 75 distinct attacks. January, April, and May saw significant cases, all exceeding $100 million, indicating a pervasive and persistent threat landscape beyond just the headline-grabbing mega hack.

Overall, TRM’s insight estimated that groups linked to North Korea were responsible for at least $1.6 billion of the total losses so far this year. According to the analytics firm, proceeds from such operations were most likely used to not only evade sanctions placed on the Pyongyang regime, but also to help bankroll its strategic initiatives, including its nuclear program.

Technically, the report noted that infrastructure intrusions targeting fundamental weaknesses like private key/seed phrase security or exchange front-ends were the dominant vector, accounting for over 80% of the stolen funds.

These breaches, often amplified by social engineering or insider threats, exploit the core foundations of crypto security and usually result in incidents ten times larger, on average, than other methods.

Additionally, protocol-level exploits, such as flash loan manipulations in DeFi, contributed another 12%, highlighting persistent smart contract vulnerabilities.

A New Era of Cyber Warfare in Crypto

H1 2025 also saw the emergence of a new front in how geopolitical conflicts are waged: the explicit use of crypto hacking as a tool of war. This was seen in the recent attack on Iran’s largest crypto exchange, Nobitex, by Gonjeshke Darande (Predatory Sparrow), a group reportedly linked to Israel, which stole more than $90 million from the platform.

The group publicly stated their motivation, claiming they had targeted the exchange for its role in helping Iran circumvent sanctions and finance illicit activities.

Interestingly, they transferred the stolen funds to vanity addresses lacking corresponding private keys, rendering them inaccessible, and strongly signaling that the operation was executed for symbolic or political retaliation, rather than financial gain.