Crypto Heists Hit Record High in H1 2025 as State-Sponsored Attacks Surge

- The first half of 2025 has seen nation-states emerge as leading crypto thieves, according to blockchain intelligence firm TRM Labs.
- H1 2025 was the worst-ever start to a year when it comes to crypto theft, largely due to North Korea’s record ByBit hack, which resulted in the theft of US$1.5 billion.

Nation-states have emerged as leading perpetrators of crypto theft in the first half of 2025, according to an analysis by blockchain intelligence firm TRM Labs published on June 26.
So far in 2025, more than US$2.1 billion (AU$3.2 billion) worth of crypto has been stolen in at least 75 notable attacks, over 10% more than the previous H1 record posted in 2022 and almost matching losses accrued throughout the entirety of 2024. TRM Labs said the vast majority of these losses are directly attributable to the actions of nation-states.
H1 2025 marks a pivotal shift in crypto hacking: escalating strategic intent from state actors and other geopolitically motivated groups.

North Korea’s ramping up of its hacking efforts has played a major role. The ByBit hack in February — attributed to the North Korean regime and marking the largest single crypto theft in history at US$1.5 billion (AU$2.2 billion) — signals a new era in nation-state involvement, according to TRM Labs. The firm said it potentially indicated that state actors are now looking to crypto-crime as a means to geopolitical influence, not simply an illicit means of revenue raising.
This staggering figure…indicates a persistent and escalating effort by the Democratic People’s Republic of Korea (DPRK) to leverage illicit cryptocurrency gains, not only to evade sanctions and finance strategic objectives, such as its nuclear weapons program, but also as an integral component of its statecraft.

While North Korea is the largest nation-state player, it certainly isn’t alone. TRM pointed to the June 18 theft from Iran’s largest crypto exchange, Nobitex, reportedly by the Israeli-linked group Gonjeshke Darande (aka Predatory Sparrow), as another example of crypto theft as an emerging tool of statecraft.
“In the Nobitex hack, Gonjeshke Darande claimed to have targeted the exchange due to its central role in helping the Iranian regime circumvent international sanctions and finance illicit activities,” TRM Labs said.
Notably, the attackers transferred stolen funds to deliberately unspendable vanity addresses — addresses known or suspected to lack corresponding private keys — indicating that they have no intent or capability to access these funds, strongly suggesting their motivations were symbolic or political rather than financial.

Private Key Thefts and Front-End Exploits Remain Biggest Vulnerabilities

TRM Labs said infrastructure attacks, which include private key thefts and front-end exploits, remain far and away the biggest vulnerabilities facing crypto — accounting for 80% of all losses in the first half of 2025. These attacks are, on average, 10 times larger than other types of attacks.
Infrastructure attacks refer to attack techniques that target the technical backbone of the digital asset system to gain unauthorized control, mislead users, or reroute assets.

Protocol attacks, which mainly impact DeFi platforms and include flash loan and re-entrancy attacks, rank second as a threat vector according to TRM Labs, accounting for 12% of losses. These attacks tend to exploit vulnerabilities in smart contract code and highlight that the perennial issue of smart contract security remains a concern for crypto.
TRM Labs said the increasing role of nation-states in crypto thefts means the industry must bolster its security (such as audits and multi-factor authentication) and that global law enforcement must collaborate more closely.