Crypto Hacks Surge to $2.1B in 2025: TRM Labs Sounds Alarm on Seed Phrase and Front-End Attacks
TRM Labs reports $2.1B in crypto losses in H1 2025 from seed phrase and front-end hacks, led by a $1.5B Bybit attack. Discover TRM’s insights and protection tips.
TRM Labs: Leading the Fight Against Crypto Crime
TRM Labs, a San Francisco-based blockchain intelligence firm founded in 2018, is at the forefront of combating cryptocurrency-related financial crime. With $150 million in funding from investors like PayPal Ventures and Bessemer Venture Partners, TRM Labs leverages advanced analytics to track illicit crypto flows, serving clients including the FBI, IRS, and major exchanges like PayPal and Visa. Its cutting-edge platform, authorized by FedRAMP Moderate in September 2024, empowers law enforcement and crypto platforms to detect and prevent fraud. On June 27, 2025, TRM Labs released its 2025 Crypto Crime Report, revealing a staggering $2.1 billion in crypto losses in the first half of 2025, driven by sophisticated seed phrase and front-end attacks.
Record-Breaking Crypto Losses in 2025
TRM Labs’ latest report, released today, exposes a 10% surge in crypto thefts, with hackers stealing $2.1 billion across 75 incidents in H1 2025, surpassing the 2022 record of $2 billion and nearly matching 2024’s full-year total of $2.2 billion. The average hack size doubled from $15 million in H1 2024 to $30 million, highlighting the growing sophistication of cybercriminals. A single attack—the $1.5 billion Bybit hack in Dubai by North Korea’s Lazarus Group in February—accounted for nearly 70% of losses. Even excluding this outlier, January, April, May, and June each saw over $100 million in thefts, signaling widespread vulnerabilities across the crypto ecosystem.
Dominant Attack Vectors: Seed Phrase and Front-End Exploits
Over 80% of the $2.1 billion stolen resulted from 75 infrastructure attacks targeting the core of crypto platforms:
- Private Key and Seed Phrase Thefts: Hackers exploited weak storage practices, phishing, or malware to steal private keys and seed phrases, gaining direct access to wallets. These attacks were 10 times more lucrative than other methods, averaging $30 million per incident.
- Front-End Compromises: Cybercriminals deployed phishing websites and fraudulent messages, often using social engineering to trick users into revealing sensitive information or approving transactions. Fake support chats and trust-building tactics amplified these attacks.
- Key Incident: The Bybit hack saw North Korean actors compromise exchange infrastructure, while a $90 million attack on Iran’s Nobitex exchange, linked to the Israel-affiliated Gonjeshke Darande group, targeted front-end systems for geopolitical disruption.
Protocol Exploits: A Persistent Threat
Protocol-level attacks accounted for 12% of losses, totaling $252 million:
- Flash Loan Attacks: Hackers borrowed large sums instantly without collateral, manipulating market prices to drain funds from DeFi protocols with weak oracle security.
- Re-Entrancy Attacks: Attackers repeatedly called smart contract functions before transactions completed, siphoning funds, as seen in the $9.6 million Resupply hack involving price manipulation.
These exploits underscore the need for rigorous smart contract audits to address persistent vulnerabilities.
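The ordering flaw behind re-entrancy, and the fix an audit would look for, modeled in Python as an added example (not code from the TRM report or from any protocol named above). The `Vault` class, account names and amounts are constructed for illustration; `on_receive` stands in for the external call that hands control to the recipient during a payout.

```python
# Toy model, constructed for illustration; not a real contract.
class Vault:
    def __init__(self, hardened):
        self.hardened = hardened
        self.balances = {}
        self.reserves = 0
        self._locked = False

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who, on_receive):
        if not self.hardened:
            # Vulnerable ordering: check, interact, and only then update state.
            amount = self.balances.get(who, 0)
            if amount == 0 or self.reserves < amount:
                return
            self.reserves -= amount
            on_receive(amount)          # recipient code runs here...
            self.balances[who] = 0      # ...before the balance is cleared
            return
        # Hardened: re-entrancy lock plus checks-effects-interactions.
        if self._locked:
            raise RuntimeError("re-entrant call rejected")
        self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0:
                return
            self.balances[who] = 0      # effect first
            self.reserves -= amount
            on_receive(amount)          # interaction last
        finally:
            self._locked = False

def audit_reentrancy(hardened):
    """Return (paid_out, reserves_left) when the recipient calls back into withdraw."""
    vault = Vault(hardened)
    vault.deposit("other_users", 90)
    vault.deposit("caller", 10)
    paid = []
    def on_receive(amount):
        paid.append(amount)
        try:
            vault.withdraw("caller", on_receive)   # nested call mid-payout
        except RuntimeError:
            pass                                   # lock refused the nested call
    vault.withdraw("caller", on_receive)
    return sum(paid), vault.reserves
```

With the vulnerable ordering, an account that deposited 10 is paid the vault's entire 100; with the lock and state-first ordering it is paid exactly 10. The invariant to assert in a contract test suite is the same: no account is ever paid more than its recorded balance.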
State-Sponsored Cybercrime Escalates
The report highlights a surge in state-backed hacking:
- North Korea: Responsible for $1.6 billion in thefts, including the Bybit hack, North Korea uses crypto to fund military and nuclear programs, evading sanctions. Their attacks average $30 million, five times larger than non-state actors.
- Geopolitical Actors: The Nobitex hack, attributed to Gonjeshke Darande, sent $90 million to unspendable wallets, likely to destabilize Iran’s economy. Such politically motivated attacks are rising, turning crypto into a geopolitical battleground.
- T3 Financial Crime Unit: Formed by TRM Labs, Tether, and Tron, the T3 FCU froze $100 million in USDT linked to illicit actors since September 2024, showcasing proactive defense.
Impact on Crypto Platforms and Users
The $2.1 billion in losses has shaken the crypto ecosystem:
- Centralized Exchanges: Bybit and Phemex accounted for 94% of Q1 2025 losses ($1.52 billion), making them prime targets due to concentrated assets.
- DeFi Protocols: Smart contract exploits, like Resupply’s $9.6 million loss, expose risks in decentralized systems.
- Eroding Trust: Insider threats, such as the $2 million Bedrock UniBTC hack by a former employee, and social engineering attacks undermine user confidence.
TRM Labs’ Call to Action
TRM Labs urges immediate action to counter these threats:
- Multifactor Authentication (MFA): Secure wallets and platforms with MFA to block unauthorized access.
- Cold Storage: Store private keys and seed phrases offline in hardware wallets to protect against phishing and malware.
- Smart Contract Audits: Conduct frequent, third-party audits to fix vulnerabilities like re-entrancy or flash loan exploits.
- Insider Threat Detection: Use behavioral analytics to monitor for compromised employees.
- User Education: Train users to spot phishing, fake interfaces, and social engineering tactics.
- Real-Time Monitoring: Leverage TRM Labs’ analytics to detect suspicious transactions and trace illicit funds.
- Global Collaboration: Strengthen partnerships, like T3 FCU’s $100 million USDT freeze, to combat state-sponsored actors.
TRM Labs’ FedRAMP authorization enhances its ability to support law enforcement and exchanges in tracking illicit flows.
Looking Ahead: A New Era of Crypto Security
TRM Labs warns that without intervention, losses could hit $4 billion in 2025 as state-sponsored and geopolitically motivated attacks intensify. North Korea’s $1.6 billion haul and emerging actors like Gonjeshke Darande highlight crypto’s role in global conflicts. Emerging solutions include:
- AI-Driven Security: Real-time anomaly detection, as used by TRM Labs’ Behavioral Intelligence, to flag suspicious activity.
- Decentralized Protocols: Secure multi-party computation to protect private keys.
- Regulatory Alignment: Stronger AML/CTF compliance to deter illicit activity, as seen in TRM’s partnerships.
- Cross-Border Efforts: Global intelligence-sharing to prosecute hackers, exemplified by T3 FCU.
Conclusion
TRM Labs’ June 27, 2025, report reveals a critical escalation in crypto hacks, with $2.1 billion lost in H1 2025, driven by seed phrase, front-end, and protocol attacks. The Bybit and Nobitex hacks, led by state-sponsored actors, expose vulnerabilities in centralized and decentralized systems. With TRM Labs’ blockchain intelligence and recommendations like MFA, cold storage, and global collaboration, the industry can fight back. As crypto becomes a geopolitical flashpoint, platforms and users must prioritize security to protect digital assets.