Crypto seed phrase, front-end hacks drive record losses in 2025: TRM Labs

Crypto private key exploits and front-end protocol attacks account for 80% of the $2.1 billion worth of crypto that has been stolen so far this year, TRM Labs reports.

Crypto private key exploits and front-end compromises have accounted for most of the $2.1 billion worth of crypto lost to attacks in the first half of 2025, says blockchain intelligence firm TRM Labs.

Over 80% of crypto stolen across 75 hacks so far this year was taken in so-called infrastructure exploits, which, on average, made off with 10 times more than other attack types, TRM Labs said in a report on Thursday.

Infrastructure attacks target the technical backbone of a system to gain unauthorized control, mislead users, or reroute assets.

They include attacks such as hijacking a crypto wallets private seed phrase or exploiting the user-facing part of a crypto protocol.

“These methods exploit foundational weaknesses in cryptosystems and are often amplified by social engineering.” Protocol exploits help fuel surge in illicit crypto activity

Another major successful attack vector was protocol exploits, including flash loan and re-entrancy attacks, which accounted for 12% of the losses in the first half of the year.

“These attacks target vulnerabilities in a blockchain protocols smart contracts or core logic to extract funds or disrupt system behavior,” TRM Labs explained.

Overall, losses in the first half of 2025 have surpassed the previous record set in 2022 by roughly 10% and nearly equal the total losses from all of 2024, which TRM Labs said “highlights an increasingly concentrated threat to digital assets.”

Losses in the first half of 2025 have already surpassed all of 2024 combined. Source: TRM Labs State-sponsored attacks responsible for most losses

North Koreas $1.5 billion hack of Dubai-based crypto exchange Bybit in February made up nearly 70% of the total losses so far in 2025.

That attack also pushed the average hack size to nearly $30 million, double the $15 million average in the first half of 2024.

However, according to TRM Labs, January, April, May and June still saw total thefts over $100 million.

The pro-Israel hacker group Gonjeshke Darande, or Predatory Sparrow — which has possible links to the Israeli government — contributed to jacking up the averages as well, after it exploited Irans largest crypto exchange, Nobitex, for $100 on June 18.

“H1 2025 marks a pivotal shift in crypto hacking: escalating strategic intent from state actors and other geopolitically motivated groups,” TRM Labs said.

“Multifaceted collaboration” needed to combat bad actors

TRM Labs said that the crypto industry needs to reinforce fundamental security, such as multifactor authentication, cold storage, frequent audits and prioritize insider threat detection and advanced social engineering countermeasures.

It added there also needs to be “multifaceted collaboration” between global law enforcement, financial intelligence units and blockchain intelligence firms.

“H1 2025s record thefts are a stark call to action for a collective, sustained, and strategically aligned security posture — one prepared not just for crime, but for covert acts of statecraft,” TRM Labs said.