Record Losses in the Crypto Industry: 80% of Thefts Are Related to Attacks on Private Keys and Frontends of Bitcoin Wallet

The cryptocurrency industry has seen unprecedented levels of cybercrime in the first half of 2025, with more than $2.1 billion in digital assets stolen in six months, according to analytics firm TRM Labs, exceeding the 2022 record by 10% and nearly equaling the total losses for all of 2024 1 2 6 8 .

Main causes of losses

Crypto key exploits and attacks on protocol frontends were the main cause of these losses, accounting for over 80% of the funds stolen. These infrastructure attacks include:

Compromise of crypto wallet seed phrases – key elements of access to digital assets.
Exploitation of vulnerabilities in the frontends of crypto protocols – user interfaces through which interaction with blockchain services occurs.

These methods are aimed at gaining unauthorized control over the technical basis of systems, misleading users, and redirecting assets to attackers. Often, these attacks are accompanied by social engineering and the involvement of insiders, which increases their effectiveness 1 2 5 6 .

Protocol exploits

Attacks that directly target vulnerabilities in smart contracts and underlying logic of blockchain protocols, including flash loans and re-entrancy attacks, accounted for about 12% of the total losses. These exploits allow attackers to withdraw funds or disrupt protocols, which also causes significant damage to the crypto ecosystem 1 2 5 .

Major incidents and geopolitical context

The largest incident was the attack on the Bybit crypto exchange in Dubai in February 2025 , which resulted in the theft of approximately $1.5 billion — almost 70% of all losses in the first half of the year. TRM Labs estimates that a North Korean hacker group was behind it. This incident significantly increased the average hack size to $30 million, double the figure for the first half of 2024 5 8 .

In addition, monthly losses exceeded $100 million during January, April, May and June. There is also a known attack by the pro-Iranian group Gonjeshke Darande (Predatory Sparrow), allegedly linked to the Israeli government, which stole $100 million from the Iranian exchange Nobitex in June 2025 1 5 .

TRM Labs notes that in 2025, there will be a qualitative change in the nature of attacks: they are increasingly strategic and geopolitical in nature , acting as an instrument of state policy and cyber confrontation. The growing role of digital assets in national security issues increases the complexity and political background of cyber attacks 3 4 6 .

Safety Recommendations

In light of record losses, TRM Labs recommends that the crypto industry and users strengthen basic security measures:

Implementation of multi-factor authentication .
Using cold storage of assets (offline wallets).
Conducting regular security audits .
Developing cooperation between law enforcement, financial intelligence and blockchain analysts to quickly share information and respond to threats.

Experts emphasize that to counter modern threats, comprehensive and strategically coordinated security is needed, taking into account not only technical but also geopolitical aspects 1 6 7 .

Thus, the first half of 2025 has become an alarming signal for the entire crypto industry: large-scale infrastructure exploits and protocol attacks, supported by geopolitical motives, have led to record losses of $2.1 billion . This requires immediate strengthening of cybersecurity measures and international cooperation to protect digital assets at the global level.

What are the main methods used by attackers to steal crypto assets in 2025?

In 2025, attackers will use a range of modern methods to steal crypto assets, including the following main areas:

Phishing and fake interfaces . Fraudsters create exact copies of popular crypto services, wallets and exchanges, sending links via social networks, instant messengers and email. Users enter their private keys, passwords or seed phrases on such fake sites, which leads to a loss of control over assets 2 6 9 .
Compromise of private keys and seed phrases . Users often store keys in unprotected places – notes on their phone, cloud storage, messengers. Attackers gain access to devices or accounts and steal cryptocurrency 2 .
Use of malware and viruses . Through software repositories, disguising viruses as useful scripts or bots, hackers install spyware that steals passwords, transaction data and changes crypto wallet addresses in the clipboard, redirecting funds to their accounts 5 .
Social engineering and attacks on employees . Attackers penetrate the corporate networks of crypto businesses through employees, using phishing emails, malicious files, and fake job offers. This allows them to gain access to internal systems and steal large sums of money 3 6 .
Exploiting frontend and smart contract vulnerabilities . Hackers find technical holes in the user interfaces of crypto protocols and in the logic of smart contracts, which allows them to intercept assets or manipulate transactions 6 .
Use of artificial intelligence : Criminals are using AI to create high-quality phishing messages and deepfakes, making the deception more effective and making the fraud more difficult to detect 2 4 7 .
Pump-and-Dump schemes . Manipulation of prices of illiquid tokens through artificial increase in value and subsequent mass sale, which leads to losses for investors 1 6 .

Thus, in 2025, cryptocurrency theft methods combine technical vulnerabilities, social engineering, and modern technologies, including AI, which requires users and companies to strengthen comprehensive cybersecurity and be vigilant when handling digital assets.

Why Infrastructure Exploits Bring Attackers 10 Times More Profit

Infrastructure exploits are 10x more profitable for attackers for several key reasons related to their depth of impact and the scale of assets stolen.

Control over the technical basis of the system
Infrastructure attacks are aimed at gaining unauthorized control over fundamental elements of a cryptosystem, such as compromising crypto wallet seed phrases or vulnerabilities in protocol frontends. This allows attackers to directly control user and system assets, bypassing normal security restrictions 2 .
Exploiting Fundamental Vulnerabilities
These exploits exploit fundamental weaknesses in cryptographic systems and protocols that are difficult to quickly patch, allowing attackers to obtain large sums of money rather than small bugs or vulnerabilities that limit the amount of funds that can be stolen 2 .
High efficiency and scale
Infrastructure attacks allow for the theft of funds in a large-scale and centralized manner, which significantly increases the total amount of assets stolen in a single operation. Unlike small phishing attacks or individual hacks, here the attackers gain access to large reserves at once 2 .
Social engineering supplement
Often such attacks are accompanied by elements of social engineering, which increases the probability of successful hacking and increases the potential profit. Users enter their keys or data on fake interfaces, which makes it easier to steal 2 .

Thus, infrastructure exploits provide attackers with deeper and larger access to assets , which leads to their profits being, on average, 10 times higher than those from other types of attacks.

How Social Engineering and Cryptosystem Vulnerabilities Are Related in Attacks

The connection between social engineering and cryptosystem vulnerabilities in cyber attacks is that social engineering exploits the human factor , which is the weakest link in any security system, including cryptosystems.

Social engineering is a method of psychologically manipulating people , with the help of which attackers gain the victim’s trust and force them to voluntarily disclose confidential information – for example, private keys, seed phrases, passwords, or access data for crypto wallets and crypto protocols 1 2 5 .
Even the most reliable cryptographic protection becomes vulnerable if a user, under the influence of social engineering, provides an attacker with access to his keys or launches malware that exploits technical vulnerabilities in the system 1 6 .
Social engineering is often the first stage of a complex attack , allowing hackers to bypass technical barriers and penetrate infrastructure by exploiting human gullibility and inattention 1 6 .
In cryptosystems, this is especially dangerous, since the compromise of even one private key or seed phrase gives complete control over assets, bypassing complex cryptographic protections. Thus, social engineering amplifies the effect of technical vulnerabilities, turning them into critical flaws 1 4 7 .
Examples of such attacks include phishing sites, fake support messages, spoofing of crypto wallet interfaces and protocols, and the introduction of malware through deceptive actions 2 5 7 .

Ultimately, social engineering and cryptosystem vulnerabilities complement each other : the former provides attackers with access to the system by deceiving users, while the latter provides technical capabilities for stealing assets. Therefore, effective protection requires not only technical measures, but also user training, raising their awareness, and developing a security culture 1 7 .

What is the role of state hackers in the rise of cybercrime in the crypto market?

The role of state hackers in the rise of cryptocurrency cybercrime in 2025 is significant and multifaceted. According to TRM Labs and other sources, state-owned or state-sponsored hacker groups are becoming some of the main initiators of large-scale and strategically thought-out attacks on crypto exchanges, protocols, and digital asset infrastructure.

Key aspects of the role of state hackers:

Strategic nature of attacks
State hackers use cyber attacks not only for direct theft of funds, but also for political, economic and intelligence purposes. For example, the attack on the Bybit exchange in February 2025, which resulted in the theft of $1.5 billion, is believed to be linked to state structures. Such actions are aimed at undermining confidence in the crypto market and destabilizing the financial systems of competing countries.
High level of technical preparation and resources
State groups have significant financial and technical capabilities, which allows them to conduct complex multi-stage attacks (APT attacks), use malware, remote access trojans and spyware to control the infrastructure of victims for a long time. This significantly increases the effectiveness and scale of hacks.
Exploiting vulnerabilities in infrastructure and protocols
State hackers actively exploit fundamental vulnerabilities in crypto protocols, smart contracts, and user interfaces, which allows them to steal large sums of money and gain control over systems.
Impact on the growth of overall cybercrime
According to TRM Labs, nation-state attacks account for a significant share of total crypto market losses in 2025. Their actions contribute not only to direct thefts, but also to the growth of sophisticated, strategically planned cyberattacks, which increases the overall threat level to digital assets.
Geopolitical context and cyber confrontation
Cyber attacks on the crypto market often become part of a wider geopolitical struggle, where digital assets are used as a tool of pressure and economic influence. State hackers can specifically attack competitors’ infrastructure, which leads to an increase in the number and scale of incidents.

Summary

State-sponsored hackers are playing a key role in the rise of cybercrime in the cryptocurrency market, using their resources and capabilities to carry out large-scale, technically sophisticated, and strategically motivated attacks. This requires the industry to strengthen security measures and international cooperation to counter such threats 1 5 .

What security measures do experts recommend to protect against new types of attacks?

Cybersecurity experts recommend a comprehensive approach to protecting against new types of attacks on crypto infrastructure and digital assets, which includes the following key measures:

Multi-factor authentication (2FA)
Using 2FA significantly reduces the risk of unauthorized access even if your password or private key is compromised 6 .
Cold Storage of Assets
Moving large amounts of cryptocurrency into offline wallets that are not connected to the internet minimizes the possibility of theft through remote attacks[TRM Labs].
Regular audits and software updates
Timely updates of operating systems, applications and smart contracts eliminate known vulnerabilities that can be exploited by attackers 1 6 9 .
Restricting access rights and the principle of least privilege
Controlling access for employees and users, prohibiting independent installation of software and minimizing the number of administrators reduce the risks of internal hacking and infrastructure compromise 1 .
Using Firewalls and WAFs
Placing networks and services behind modern firewalls and web application firewalls helps block application-level attacks, including DDoS and front-end exploits 1 2 3 5 .
Backup and network segmentation
Regular backups and segmentation of the infrastructure increase resilience to attacks and simplify incident containment 2 4 .
User training and awareness raising
Prevention of phishing attacks and social engineering is achieved through regular training and informing employees about modern fraud methods 4 .
Collaboration with law enforcement and analysts
Information sharing and joint actions help to quickly identify and neutralize threats at an early stage [TRM Labs].
Using modern traffic analysis technologies and AI
Intelligent monitoring systems and machine learning allow you to detect anomalies and prevent complex targeted attacks in real time 2 5 .

Thus, effective protection against new types of attacks on cryptocurrency assets requires a combination of technical means, organizational measures and an increased security culture among both users and companies working with digital assets.

Experts believe the following security measures are the most effective against new types of cyberattacks on crypto assets and digital infrastructure:

Security measures	Justification and effectiveness
Multi-layered protection using firewalls	Firewalls block unauthorized access and prevent brute force attacks, filter suspicious traffic 1 2 .
Access rights restriction and the principle of least privilege	Minimizing the number of administrators and prohibiting independent software installation reduces the risks of internal hacking and compromise 2 3 .
Regular software and security updates	Fixing vulnerabilities in software and OS prevents known holes from being exploited by attackers 2 3 .
Multi-factor authentication (2FA)	Significantly reduces the risk of intruder access when passwords or keys are compromised 2 .
Cold storage of crypto assets (offline wallets)	Isolates large amounts of money from online threats and remote attacks[TRM Labs].
User training and awareness raising	Regular training on cyber hygiene, phishing and social engineering recognition reduces the likelihood of successful attacks 2 4 .
Security monitoring and analysis (SIEM, EDR, XDR, behavioral analysis)	Allows you to quickly detect and respond to anomalies and targeted attacks, minimizing damage 5 6 .
Backup and encryption of data	Protects against data loss and reduces the impact of ransomware 2 3 6 .
Network segmentation and micro-segmentation	Isolates critical systems, limiting the spread of attacks within the infrastructure 1 6 .
Cooperation with law enforcement agencies and analysts	Enables information sharing and collaborative response to threats[TRM Labs].

Thus, experts emphasize that the most effective is a comprehensive multi-level strategy that combines technical means of protection, organizational measures and user training. Particular attention is paid to the automation of detection and response to incidents, as well as constant updating of security systems and restriction of access rights.