According to blockchain intelligence firm TRM Labs, crypto private key thefts and front-end compromises have been the primary drivers behind the $2.1 billion lost to attacks in the first half of 2025.
In a report released Thursday, TRM Labs revealed that over 80% of stolen crypto—across 75 incidents—resulted from infrastructure exploits. These attacks typically netted 10 times more than other forms of cyberattacks.
Infrastructure exploits target the foundational layers of crypto systems to seize unauthorized control, deceive users, or redirect assets. This includes tactics like stealing a wallet’s private seed phrase or manipulating the user interface of crypto protocols.
“These methods exploit foundational weaknesses in cryptosystems and are often amplified by social engineering.”
Protocol Exploits Drive Surge in Illicit Crypto Activity
Another significant attack vector in the first half of 2025 was protocol exploits—such as flash loan and re-entrancy attacks—which accounted for 12% of total losses.
“These attacks exploit weaknesses in a blockchain protocol’s smart contracts or core logic to siphon funds or disrupt operations,” TRM Labs noted.
Total crypto losses so far this year have exceeded the previous record set in 2022 by about 10% and are already close to matching the full-year losses of 2024. According to TRM Labs, this trend “highlights an increasingly concentrated threat to digital assets.”
State-Sponsored Attacks Account for Majority of Crypto Losses
North Korea’s $1.5 billion hack of Dubai-based crypto exchange Bybit in February accounted for nearly 70% of all crypto losses in 2025 so far.
The scale of that breach also drove the average hack size to nearly $30 million—double the $15 million average seen in the first half of 2024.
Despite the outsized impact of the Bybit hack, TRM Labs noted that January, April, May, and June each still recorded over $100 million in total crypto thefts.
Adding to the surge, the pro-Israel hacker group Gonjeshke Darande, also known as Predatory Sparrow and potentially linked to the Israeli government, exploited Iran’s largest crypto exchange, Nobitex, for $100 million on June 18.
“H1 2025 marks a pivotal shift in crypto hacking,” TRM Labs stated, “with escalating strategic intent from state actors and other geopolitically motivated groups.”
“Comprehensive Collaboration” Essential to Counter Malicious Actors
TRM Labs emphasized that the crypto industry must strengthen its core security practices, including multifactor authentication, cold storage solutions, regular audits, and heightened vigilance against insider threats and sophisticated social engineering tactics.
The firm also called for “multifaceted collaboration” among global law enforcement agencies, financial intelligence units, and blockchain analytics firms.
“H1 2025’s record-breaking thefts serve as a clear warning,” TRM Labs stated. “They demand a collective, sustained, and strategically coordinated security response—one capable of addressing not only criminal activity but also covert operations driven by state interests.”
