The first half of 2025 recorded over $2.1 billion in stolen crypto assets, according to TRM Labs’ latest report – marking a new high for H1 losses and nearly matching the entire 2024 total. However, beneath the headline lies a deeper story of improving security overshadowed by a single black swan event.
Bybit Hack Skews the Numbers
TRM Labs highlighted that the $1.5 billion Bybit exploit in February 2025 accounted for around 70% of total losses. The attack was attributed to North Korea’s Lazarus Group, which has maintained its status as the most prolific state-backed hacking entity targeting the digital asset ecosystem.
Without the Bybit incident, H1 2025 losses would have been approximately $600 million, which is lower than H1 2024. This indicates that while the overall frequency of attacks remains high, the severity per incident has declined, aside from rare mega hacks.
Geopolitical Tensions Fuel New Threats
Another major event was the June 2025 hack on Nobitex, Iran’s largest crypto exchange. Predatory Sparrow, a pro-Israel hacktivist group linked to the Israeli government or military, claimed responsibility, reportedly destroying over $90 million in funds by sending them to inaccessible addresses tagged with anti-IRGC messages. Unlike the Bybit hack, this incident appeared driven by political sabotage rather than financial gain.
While Lazarus Group’s involvement in the Bybit hack is widely confirmed, the Nobitex attack’s direct attribution to the Israeli state remains unproven, reflecting the complex intersection of cybersecurity and geopolitical conflict.
Shift in Attack Patterns
The report also revealed:
- Infrastructure attacks (private key compromises, admin access exploits) dominated, accounting for nearly half of total stolen funds.
- DeFi protocol exploits, such as flash loan and oracle attacks, fell to 10% of total losses, continuing a multi-year decline driven by better smart contract auditing and security practices.
Is Crypto Security Improving?
Despite the record headline, the data suggests overall ecosystem security is improving:
- Excluding Bybit, losses are down compared to last year.
- Protocol-level vulnerabilities are declining, thanks to rigorous audits and maturing development standards.
However, single points of failure remain existential threats. The Bybit hack showed that when centralized private key management is breached, the consequences can eclipse an entire year’s progress in a single day.
Strategic Implications
TRM Labs recommends that exchanges, custodians, and protocols:
- Strengthen operational security for private key management and access controls.
- Adopt multi-layered defense strategies, combining technology, policies, and personnel training.
- Collaborate with blockchain intelligence firms and regulators to detect and mitigate state-backed or geopolitically motivated threats.
The Bybit hack serves as a stark reminder: black swan events remain the greatest risk to crypto security, even as general custody practices and infrastructure hardening continue to improve.
