Key Takeaway: Cybercriminals stole a record-breaking $2.7 billion in cryptocurrency during 2025, with North Korean state-sponsored hackers responsible for at least $2 billion of the total, including the largest crypto theft in history.

Historic Crypto Breach Shatters All Records
The cryptocurrency industry suffered its most devastating year on record in 2025, as hackers successfully stole $2.7 billion in digital assets across dozens of major breaches, according to blockchain-monitoring firms Chainalysis, TRM Labs, and De.Fi. This staggering figure represents a 23 percent increase from 2024’s $2.2 billion in stolen crypto and marks the third consecutive year that annual cryptocurrency theft records have been broken.
The scale of losses has accelerated dramatically. By late June 2025—just halfway through the year—the cryptocurrency sector had already lost $2.17 billion, essentially matching the entire 2024 total with six months still remaining. The unprecedented velocity of losses demonstrates that despite significant investment in security improvements and blockchain analytics, cryptocurrency platforms remain extraordinarily vulnerable to determined threat actors.
According to Chainalysis, the rapid accumulation of losses in 2025 stands in sharp contrast to previous years. In 2022, the worst year on record before 2025, it took 214 days to reach $2 billion in stolen funds. In 2025, the cryptocurrency sector reached comparable theft volumes in just 142 days—a 72-day acceleration that underscores the escalating threat environment.
The Bybit Catastrophe: Largest Crypto Theft in History
On February 21, 2025, cybercriminals executed what has been officially recognized as the largest cryptocurrency theft ever recorded, breaching the Bybit exchange and stealing approximately $1.4 billion in Ethereum and other digital assets, chiefly 401,000 ETH tokens.
The FBI and blockchain analysts attributed the attack to Lazarus Group, the infamous North Korean state-sponsored hacking organization that operates under the control of North Korea’s Reconnaissance General Bureau. The breach exposed a sophisticated methodology that prioritized social engineering over technical exploitation. Rather than discovering code vulnerabilities, attackers compromised a developer machine and injected malicious JavaScript code into Safe{Wallet}, the cryptocurrency wallet provider that Bybit relied upon to secure its holdings.
When Bybit CEO Ben Zhou initiated a routine transaction moving Ethereum from cold storage to a temporary wallet, the malicious code intercepted the transaction and altered its destination address. Zhou and other authorized signers unknowingly approved a transaction that routed their funds to the attackers’ wallets instead of Bybit’s intended recipient.
Within two hours of the theft, Lazarus Group began dispersing the stolen funds across 50 different cryptocurrency wallets, each containing approximately 10,000 ETH, initiating a sophisticated money-laundering operation. Within 48 hours, at least $160 million had been transferred through cryptocurrency mixers and decentralized exchanges, substantially complicating recovery efforts.
Bybit responded by launching the “Lazarus Bounty” program, offering cryptocurrency rewards to individuals who could help identify and freeze stolen funds. The program achieved limited success, with approximately 20 bounty hunters earning over $4 million in rewards for helping recover $40 million—representing an 8.5 percent recovery rate.
North Korea’s Record-Breaking $2 Billion Haul
North Korean government-backed hacking groups demonstrated why they have become the most prolific cybercriminals targeting cryptocurrency globally, stealing at least $2.02 billion in 2025, representing 76 percent of all cryptocurrency service compromises. This 51 percent increase from 2024’s $1.34 billion reflects both the Bybit hack and numerous other successful operations throughout the year.
The cumulative value of cryptocurrency stolen by North Korean hackers since 2017 now exceeds $6.75 billion, according to Chainalysis. This represents a staggering revenue stream for a regime cut off from international commerce by comprehensive United Nations sanctions. The stolen cryptocurrency funds play a critical role in financing North Korea’s nuclear weapons and ballistic missile development programs.
Shift to Social Engineering
A critical tactical evolution occurred in 2025, as North Korean hackers increasingly abandoned direct technical exploits in favor of social engineering attacks targeting cryptocurrency exchange employees and executives. This shift reflects the reality that as cryptocurrency exchanges have hardened their technical defenses through extensive code audits and security testing, human beings have become the weakest link in cryptocurrency security infrastructure.
Lazarus Group achieved this shift through multiple tactics: creating fake job recruitment campaigns to distribute malware, impersonating legitimate companies through domain spoofing, and conducting sophisticated phishing campaigns targeting exchange employees authorized to approve large transactions.
Security researchers discovered that Lazarus Group registered the domain “bybit-assessment.com” at 22:21:57 on February 20, 2025—less than two hours before executing the heist. The domain registration used the email address “trevorgreer9312@gmail.com,” which analysts linked to previous Lazarus campaigns, demonstrating how attackers create near-identical copies of legitimate company domains to deceive employees.
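A defender-side check for the lookalike-domain pattern described above, as an added example that is not part of the original article: it flags newly registered domains that embed or closely misspell a protected brand name. The official-domain list, the seven-day window and every feed entry except bybit-assessment.com are constructed assumptions, and the registration time is treated as timezone-naive because the article gives no zone.

```python
import re
from datetime import datetime, timedelta

BRAND = "bybit"              # brand token to protect (taken from the article)
OFFICIAL = {"bybit.com"}     # assumption: the organisation's own registrable domains
MAX_AGE = timedelta(days=7)  # assumption: how long a registration counts as "new"

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return why a domain resembles the brand, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain in OFFICIAL or any(domain.endswith("." + d) for d in OFFICIAL):
        return None                          # the brand's own domain or subdomain
    name = domain.rsplit(".", 1)[0]          # drop the TLD (simplified, no public-suffix list)
    tokens = re.split(r"[.\-_]", name)
    if BRAND in tokens:
        return "brand-token"                 # e.g. brand-keyword.tld
    if any(edit_distance(t, BRAND) == 1 for t in tokens):
        return "typosquat"                   # one insert, delete or substitution away
    if BRAND in name:
        return "brand-substring"             # brand buried inside a longer label
    return None

def triage(feed, now):
    """feed: iterable of (domain, registration datetime). Alert on fresh lookalikes only."""
    alerts = []
    for domain, registered in feed:
        reason = classify(domain)
        if reason and now - registered <= MAX_AGE:
            alerts.append((domain, reason, now - registered))
    return alerts

# Constructed sample feed; only bybit-assessment.com and its timestamp come from the article.
FEED = [
    ("bybit-assessment.com", datetime(2025, 2, 20, 22, 21, 57)),
    ("bybiit.io", datetime(2025, 2, 19, 8, 0, 0)),
    ("api.bybit.com", datetime(2018, 3, 1, 0, 0, 0)),
    ("example.org", datetime(2025, 2, 20, 12, 0, 0)),
    ("mybybitwallet.net", datetime(2024, 1, 5, 0, 0, 0)),
]
```

Run against a registration feed such as certificate-transparency or new-domain data, the alerts are only useful if they reach staff who approve transactions quickly, since the article's domain was registered shortly before it was used.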
Other Major 2025 Breaches
While the Bybit theft dominated discussions, numerous other significant breaches occurred throughout 2025. The Cetus Protocol hack on May 22, 2025, resulted in the theft of $223 million from Sui’s largest decentralized exchange, while the Balancer protocol breach in November drained approximately $128 million from liquidity pools.
According to Slow Mist Blockchain, 2025 witnessed 200 major security incidents globally with $2.935 billion in total losses, with Ethereum ecosystems experiencing the highest attack frequency.
Looking Ahead
The 2025 cryptocurrency theft crisis underscores a fundamental vulnerability in digital asset infrastructure: despite technological sophistication, security depends critically on defending against human manipulation and insider threats. As North Korea continues leveraging cryptocurrency theft to circumvent international sanctions and fund weapons development, the cryptocurrency industry faces mounting pressure to implement more comprehensive security approaches combining technical defenses with rigorous employee training and advanced threat detection.
