Crypto Carnage: North Korean Hackers Steal $2.1B in H1 2025—Biggest Heist in History

Cybercriminals just pulled off the biggest crypto heist ever—and Wall Street's 'security experts' didn't see it coming.

The $2.1B Bloodbath

North Korean state-sponsored hackers dominated the first half of 2025, draining decentralized protocols like a kid with a straw in a milkshake. The Lazarus Group's signature mix of social engineering and smart contract exploits left projects reeling—while traditional finance CEOs still think 'DeFi' is a diet plan.

Why This Hurts More

Unlike exchange hacks of yesteryear, these attacks targeted cross-chain bridges and yield vaults—the plumbing that makes crypto actually useful. Every stolen dollar erodes trust in the infrastructure meant to replace banks... which, given recent overdraft fees, might still be a low bar.

Regulators are 'monitoring the situation.' Meanwhile, Kim Jong Un's cyber army just funded their next missile test with your ape JPEG profits.

The Defining Breach

The Bybit breach, which happened in February, was not just the largest crypto hack ever; it was a geopolitical act, with TRM Labs, alongside several other security firms, attributing it to North Korean state-sponsored actors.

According to the report, the incident accounted for nearly 70% of all crypto thefts in the first half of 2025 and inflated the average hack size to $30 million, double that of H1 2024’s figure. In total, there were about 75 distinct attacks. January, April, and May saw significant cases, all exceeding $100 million, indicating a pervasive and persistent threat landscape beyond just the headline-grabbing mega hack.

Overall, TRM’s insight estimated that groups linked to North Korea were responsible for at least $1.6 billion of the total losses so far this year. According to the analytics firm, proceeds from such operations were most likely used to not only evade sanctions placed on the Pyongyang regime, but also to help bankroll its strategic initiatives, including its nuclear program.

Technically, the report noted that infrastructure intrusions targeting fundamental weaknesses like private key/seed phrase security or exchange front-ends were the dominant vector, accounting for over 80% of the stolen funds.

These breaches, often amplified by social engineering or insider threats, exploit the Core foundations of crypto security and usually result in incidents ten times larger, on average, than other methods.

Additionally, protocol-level exploits, such as flash loan manipulations in DeFi, contributed another 12%, highlighting persistent smart contract vulnerabilities.

A New Era of Cyber Warfare in Crypto

H1 2025 also saw the emergence of a new front in how geopolitical conflicts are waged: the explicit use of crypto hacking as a tool of war. This was seen in the recent attack on Iran’s largest crypto exchange, Nobitex, by Gonjeshke Darande (Predatory Sparrow), a group reportedly linked to Israel, which stole more than $90 million from the platform.

The group publicly stated their motivation, claiming they had targeted the exchange for its role in helping Iran circumvent sanctions and finance illicit activities.

Interestingly, they transferred the stolen funds to vanity addresses lacking corresponding private keys, rendering them inaccessible, and strongly signaling that the operation was executed for symbolic or political retaliation, rather than financial gain.