A new report by TRM Labs reveals that 2025 marked the worst first half of a year on record for crypto hacks and exploits, with more than $2.5 billion stolen during that period.
The figure surpassed the previous H1 record set in 2022, but it was significantly skewed by a single incident: a $1.5 billion attack on Dubai-based crypto exchange Bybit.
A defining breach
The Bybit breach that took place in February was not just the biggest crypto hack to date. It was a geopolitical act, attributed by TRM Labs and several other security companies to actors sponsored by the North Korean state.
According to the report, the incident accounted for almost 70% of all crypto thefts in the first half of 2025 and inflated the average hack size to $30 million, twice the H1 2024 figure. In total, there were around 75 different attacks. Significant incidents in January, April and May, each over $100 million, show a broad and persistent threat landscape beyond the headline-grabbing megahack.
Overall, TRM estimates that North Korea-linked groups have been responsible for total losses of at least $1.6 billion so far this year. According to the analytics company, proceeds from such operations were most likely used to help bankroll strategic initiatives, including nuclear programs, and to evade sanctions imposed on the Pyongyang regime.
On the technical side, the report noted that infrastructure intrusions targeting basic weaknesses, such as private key and seed phrase security and exchange front-ends, were the dominant vector, accounting for more than 80% of the stolen funds.
These breaches, often amplified by social engineering and insider threats, target the core foundations of cryptographic security and typically result in 10 times more incidents than other methods.
Additionally, protocol-level exploits, such as flash loan attacks in DeFi, contributed an additional 12%, highlighting the persistent vulnerability of smart contracts.
A new era of cyber warfare in code
H1 2025 also saw the emergence of a new front in how geopolitical conflicts unfold: the explicit use of crypto hacking as a tool of war. This was seen in a recent attack on Nobitex, Iran’s largest crypto exchange, by Gonjeshke Darande (Predatory Sparrow), a group reportedly linked to Israel.
The group publicly stated its motivations, claiming that it targeted the exchange for its role in helping Iran evade sanctions and finance illicit activities.
Notably, the attackers transferred the stolen funds to vanity addresses that lacked corresponding private keys, making the funds inaccessible and strongly signaling that the operation was carried out as symbolic or political retaliation rather than for financial gain.