H1 2025: The Crypto Hacking Landscape Just Flipped – TRM Labs Reveals Pivotal Shift
Crypto's security playbook got rewritten in the first half of 2025—and the hackers are losing ground. TRM Labs' latest report exposes a seismic change in how digital assets are being targeted (and protected). Here's the breakdown.
From smash-and-grabs to surgical strikes
The era of blunt-force exchange hacks is fading. Attack vectors have shifted to protocol-level exploits—think DeFi composability attacks and MEV manipulation. Ironically, the 'trustless' systems are now the softest targets.
The numbers don't lie
While total stolen value remains staggering, the trendline shows something Wall Street won't admit: blockchain forensic tools are actually working. Maybe banks should take notes—their 'secure' systems still get drained by SQL injections from 2003.
One thing's clear: the crypto underworld's golden age of easy scores is over. The next wave of attacks won't be louder...just smarter.
Source: TRM Labs
Furthermore, two factors fueled this amount: infrastructure attacks and state-sponsored activity. Notably, the infamousattack alone accounted for nearly 70% of the above total. Therefore, February saw the biggest hack in the history of crypto, with $1.46 billion gone.
Moreover, because of this one hack, the average hack size grew to nearly $30 million. This is double the USD 15 million average in the first quarter of 2024.
The report notes that the Bybit hack “massively skewed” the H1 2025 total, but that January, April, May, and June saw total thefts in excess of $100 million. This suggests “a broad, persistent threat.”
Therefore, based on these findings, “H1 2025 marks a pivotal shift in crypto hacking: escalating strategic intent from state actors and other geopolitically motivated groups,” TRM Labs says. “Massive breaches, often linked to nation-state operations, now demand more than traditional cybersecurity.”
You may also like: Ex-Employee Hacks Bedrock UniBTC for $2M: Fuzzland Uncovers Insider Exploit Fuzzland has disclosed a $2 million insider attack that targeted Bedrock’s UniBTC protocol in September 2024, was carried out by a former employee who used malware, social engineering, and privileged access to compromise internal systems. Fuzzland has taken full responsibility for the breach and reimbursed all affected parties. Insider Access Used in $2M Bedrock Protocol Exploit Fuzzland, in a post on X, revealed that a past employee exploited the UniBTC protocol via a sophisticated...Infrastructure Attacks Dominated the Crypto Hacking Landscape
The report notes that infrastructure attacks – which seek to gain unauthorized control, mislead users, or reroute assets, and are often boosted by social engineering or insider access – accounted for over 80% of stolen funds in H1 2025.
These include private key and seed phrase thefts, as well as front-end compromises. Moreover, infrastructure attacks were, on average, ten times larger than other attack types.
Next, protocol exploits, including flash loan and reentrancy attacks, accounted for 12%. These attacks target vulnerabilities in a blockchain’s smart contracts or Core logic to steal funds or disrupt system behavior. They also show “persistent vulnerabilities in DeFi smart contracts.”
Meanwhile, the analysts also highlighted “the persistent and alarming role of state-sponsored crypto attacks.” Some of the most dangerous are North Korea-linked groups, such as the notorious, which were also behind the Bybit incident.
These groups are responsible for $1.6 billion, or some 70%, of the total stolen amount in H1 2025. TRM Labs describes them as “the most prolific nation-state threat actor in the crypto space.” North Korea is leveraging illicit crypto gains not only to evade sanctions, but also “as an integral component of its statecraft.”
Israeli authorities have arrested three citizens accused of spying for Iran—allegedly paid in #crypto—just days after the $90 million Nobitex hack. TRM Labs explores how these events highlight states’ evolving use of digital assets in covert operations: https://t.co/Gy5BinJTEe pic.twitter.com/PyT1FCrOt4
— TRM Labs (@trmlabs) June 25, 2025However, there are other significant threats, such as the Israel-linked group(aka Predatory Sparrow). This one hacked Iran’s largest crypto exchange,, on 18 June, stealing $90 million. Not only that, but the group released the platform’s full source code, exposing users to further risk.
This attack suggests “other state actors may increasingly leverage crypto hacks for geopolitical ends,” TRM Labs says. The attackers transferred stolen funds to deliberately unspendable vanity addresses, suggesting political motives.
“As digital assets increasingly intertwine with national security, so too will the sophistication and geopolitical motives of their exploiters,” the report warns.
TRM concludes that “the path forward requires multifaceted collaboration.” This includes better cooperation among global law enforcement, financial intelligence units, and specialized blockchain intelligence firms.
You may also like: CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup CoinMarketCap was hacked on Friday after a malicious popup appeared on its website, urging users to "verify" their wallets. The phishing-style notification asked users to connect their wallets and approve ERC-20 token access, raising immediate red flags across the crypto community. Wallet providers like MetaMask and Phantom quickly flagged the site as unsafe, with Phantom displaying a browser warning against using the platform. CoinMarketCap Removes Malicious Popup In a Friday...