In 2025 the industry learned that fewer attacks can mean more damage. Usually it is the other way round.
The headline figure for 2025: between $3.3 billion and $4 billion stolen, depending on which security firm's tally you use. The exact number matters less than the trend, which is sharply upward from 2024. Almost all of it came from fewer, but much larger, attacks.
That shift is a clue. Soft targets are getting harder to find. The big ones, though, exchanges, bridge infrastructure, multi-sig wallets, are the ones that fall, and when they fall, they fall hard.
The record was set on February 21.
Bybit. This is where the story begins and, in many ways, ends. On 21 February 2025 at around 12:30 PM UTC, Bybit flagged suspicious activity on what should have been a routine transfer from a cold wallet to a warm wallet. By the time anyone understood what had happened, roughly $1.5 billion in Ether had been drained.
How it happened matters, because it was not a brute-force attack. The Lazarus Group, also tracked as TraderTraitor or APT38, North Korea's state-backed hacking team, had compromised a developer workstation at Safe{Wallet}, the provider of the multi-signature wallet interface Bybit used. From there they injected malicious JavaScript into the Safe web interface. When Bybit's signers were asked to approve a seemingly routine transfer, the UI showed them the legitimate transaction. The payload they actually signed was different: a delegatecall that replaced the Safe's implementation contract with one the attackers controlled. They signed it. The attackers then drained the wallet. The funds were gone within minutes.
On February 26 the FBI formally attributed the theft to Lazarus. By then the stolen funds had already been spread across thousands of addresses via mixers and DEXs, the standard laundering playbook. Bybit stayed solvent, reopened withdrawals and launched a recovery bounty program. Not much was recovered.
The Bybit theft was more than twice the previous record, the $611 million Poly Network hack of 2021. In that case the hacker eventually returned most of the money. Lazarus did not.
The North Korea problem is not going away
Bybit was not a one-off for the Lazarus Group. In 2025, North Korea-linked actors reportedly stole at least $2.02 billion in cryptocurrency, up 51% from the previous year. That is roughly 76% of all losses from service-level breaches for the year, and brings North Korea's cumulative haul to about $6.75 billion.
The tactics have changed. They plant IT workers inside crypto companies to get insider access. They pose as recruiters from Web3 and AI companies to harvest credentials from developers and executives. And when they find a supply-chain weak point, such as the Safe{Wallet} developer machine, they use it surgically.
This is not a gang of common criminals. It is a revenue program run by a state, executed carefully and effectively. For them the crypto industry is a steady, predictable source of income.
By June, total losses from hacks had passed $2 billion. The last quarter added more. The Binance anomaly in October, when the price of Bitcoin swung from $122,000 to almost $104,000, was not a hack, but it was a reminder that market-infrastructure failures can be just as costly as security breaches.
The Bitget case is interesting because it is a different type of attack. Eight accounts systematically exploited the logic of a Bitget internal trading bot, repeatedly front-running the bot's quotes to buy the VOXEL token at artificially low prices and sell it at artificially high ones. There was no smart-contract exploit and no phishing. Only market manipulation aimed at the exchange's own automated systems. Bitget halted trading and threatened legal action, but the $100 million was already gone.
Phishing is still the biggest source of losses
The large hacks make the headlines, but phishing accounted for $722 million in losses across 248 incidents in 2025. That is not a small number. Fake exchange sites rose 40%, according to DeepStrike. Attacks also moved along the supply chain, with malicious code embedded in browser extensions, plugins and development libraries turning user machines into passive collection points for seed phrases and private keys.
The typical victim is not losing $1.5 billion. They lose a wallet by clicking a link, installing an extension, or entering their seed phrase somewhere they shouldn't. These smaller incidents add up quickly.
What was recovered
Almost nothing. Only about $334.9 million of stolen funds was recovered or frozen in 2025, down from $488.5 million in 2024, according to PeckShield. Capital moved through bridges, mixers and cross-chain routes so quickly that freezing efforts could not keep up. Speed is everything when it comes to freezing stolen cryptocurrency, and attackers know that better than anyone.
So what did we learn in 2025?
A few things became harder to ignore after this year. Supply-chain security has become a first-order concern for any crypto operation, not just for the exchange itself but for every third-party piece of infrastructure connected to it. The Safe{Wallet} compromise never attacked Bybit directly. It struck a trusted tool, and that was enough.
Multi-signature setups, designed to be the most secure way to protect large sums, turned out to have a serious weakness: if the interface that displays the transaction is compromised, the signatures mean nothing. Adding more signers does not help when every signer trusts the same compromised display. What would have helped is verifying the actual payload, the target, the operation type and the calldata, independently of the web UI before signing.
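As an added example (not code from the article, from Bybit or from Safe{Wallet}), here is the kind of independent check a signer can run on the raw Safe transaction fields before approving, illustrating both the attack mechanics described above and the multi-sig lesson here. It decodes the calldata itself instead of trusting the display, and refuses any payload that is a delegatecall, that targets a contract outside the allowlist, or whose decoded recipient and amount differ from what the UI claims. Field names follow Safe's transaction structure (to, value, data, operation); the addresses, the warm-wallet policy and both sample payloads are constructed for illustration. The ERC-20 transfer selector is the real one. Recomputing the EIP-712 safeTxHash and comparing it with the hardware wallet's screen is the other half of the check; it needs a Keccak-256 library and is left out so the example runs with the standard library alone.

```python
# Added example (not from the article): independently decode a Safe
# multisig transaction before signing it, instead of trusting the web UI.
# Field names mirror Safe's transaction structure; addresses, the warm-wallet
# policy and the sample payloads are constructed for illustration.
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1
# Real 4-byte selector: keccak256("transfer(address,uint256)")[:4]
ERC20_TRANSFER_SELECTOR = "a9059cbb"


@dataclass(frozen=True)
class SafeTx:
    to: str         # address the Safe will call
    value: int      # wei attached to the call
    data: str       # hex calldata (with or without 0x)
    operation: int  # 0 = CALL, 1 = DELEGATECALL


def _hex(s: str) -> str:
    return s.lower().removeprefix("0x")


def encode_erc20_transfer(recipient: str, amount: int) -> str:
    """ABI-encode transfer(address,uint256) the way a wallet UI would."""
    return ERC20_TRANSFER_SELECTOR + _hex(recipient).rjust(64, "0") + format(amount, "064x")


def decode_erc20_transfer(data: str):
    """Return (recipient, amount) for a well-formed ERC-20 transfer, else None."""
    d = _hex(data)
    if len(d) != 8 + 64 + 64 or d[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    addr_word, amount_word = d[8:72], d[72:136]
    if addr_word[:24] != "0" * 24:   # an address must be left-padded with zero bytes
        return None
    return "0x" + addr_word[24:], int(amount_word, 16)


def check_safe_tx(tx: SafeTx, displayed_to: str, displayed_amount: int,
                  allowed_tokens: set, allowed_recipients: set) -> list:
    """Compare what the signing device is asked to sign with what the UI displays.

    Returns the list of reasons to refuse; an empty list means the payload is a
    plain ERC-20 transfer whose recipient and amount match the display and the
    policy. A compromised front end can alter any of these fields without
    changing what the screen shows, so none of them is taken from the UI.
    """
    tokens = {_hex(a) for a in allowed_tokens}
    recipients = {_hex(a) for a in allowed_recipients}
    problems = []
    if tx.operation != CALL:
        problems.append("operation is DELEGATECALL: the Safe would run foreign code "
                        "against its own storage (this is how an implementation swap is done)")
    if _hex(tx.to) not in tokens:
        problems.append(f"target {tx.to} is not an allowlisted token contract")
    if tx.value != 0:
        problems.append("native value attached to what should be a token transfer")
    decoded = decode_erc20_transfer(tx.data)
    if decoded is None:
        problems.append("calldata is not a plain transfer(address,uint256)")
        return problems
    recipient, amount = decoded
    if _hex(recipient) != _hex(displayed_to):
        problems.append(f"calldata recipient {recipient} differs from displayed {displayed_to}")
    if amount != displayed_amount:
        problems.append(f"calldata amount {amount} differs from displayed {displayed_amount}")
    if _hex(recipient) not in recipients:
        problems.append(f"recipient {recipient} is not an allowlisted destination")
    return problems


# Constructed addresses, not real ones.
TOKEN = "0x" + "22" * 20          # allowlisted ERC-20 contract
WARM_WALLET = "0x" + "11" * 20    # the destination the operator expects
ATTACKER = "0x" + "aa" * 20       # address the attacker wants written into the Safe
ATTACKER_IMPL = "0x" + "cc" * 20  # contract the attacker wants delegatecalled

# What a routine cold-to-warm transfer looks like on the signing device.
LEGIT_TX = SafeTx(to=TOKEN, value=0,
                  data=encode_erc20_transfer(WARM_WALLET, 10**18), operation=CALL)

# Same UI, different payload: a delegatecall to a foreign contract whose
# calldata is shaped like a transfer but carries the attacker's address.
SPOOFED_TX = SafeTx(to=ATTACKER_IMPL, value=0,
                    data=encode_erc20_transfer(ATTACKER, 0), operation=DELEGATECALL)


def review(tx: SafeTx) -> list:
    """Run the check with the policy an operator would configure for this wallet."""
    return check_safe_tx(tx, displayed_to=WARM_WALLET, displayed_amount=10**18,
                         allowed_tokens={TOKEN}, allowed_recipients={WARM_WALLET})


if __name__ == "__main__":
    for name, tx in (("legit", LEGIT_TX), ("spoofed", SPOOFED_TX)):
        print(name, "->", review(tx) or "OK to sign")
```

The spoofed payload fails on five counts at once, and the first one, the delegatecall, is enough on its own: a treasury wallet that only ever moves tokens has no business executing operation type 1. The policy belongs on the signing side (or in a transaction guard), not in the web interface, because the interface is exactly the component that was compromised.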
The North Korea problem is not a technical problem with a technical solution. It is a geopolitical issue that happens to use crypto as its funding mechanism. The industry must make its systems more resilient, and it will, but it cannot out-patch a state-level program with smart-contract fixes alone.
One thing every major breach of 2025 had in common is that it came through a trusted component. A developer's machine. An in-house trading bot. A multi-sig interface. A browser extension. The perimeter is no longer the line where the exchange's infrastructure meets the network; it is the entire footprint of that infrastructure. Which, in 2025, is everywhere.