The landscape of cryptocurrency theft in 2025 has transformed, moving beyond simple fraudulent schemes into elaborate operations orchestrated by nation-states, targeting major cryptocurrency exchanges and vital infrastructure. The first six months of 2025 witnessed losses exceeding $2.17 billion, a sum that continues to climb steadily.

September alone saw 20 separate attacks on crypto platforms, resulting in a reported $127.06 million vanishing from wallets, highlighting the increasing danger. Below are profiles of three notorious hacker groups linked to significant cryptocurrency breaches.


1. Lazarus Group

The Lazarus Group, a hacking organization backed by North Korea, has a long and troubling history. Operating under various aliases such as APT38, Labyrinth Chollima, and HIDDEN COBRA, this group has consistently bypassed some of the most robust security measures.

Further investigation by Hacken reveals their activities stretch back to at least 2007, initiating with intrusions into South Korean government systems. Significant attacks include the Sony Pictures hack in 2014, retaliation for “The Interview” film, the 2017 WannaCry ransomware attack, and ongoing campaigns against South Korean economic interests.

In recent years, Lazarus has focused heavily on stealing cryptocurrency, amassing over $5 billion between 2021 and 2025. A particularly damaging event was the Bybit breach in February 2025, during which the group made off with $1.5 billion in Ethereum (ETH). This stands as the biggest cryptocurrency theft ever recorded. They also executed a $3.2 million Solana (SOL) heist in May 2025.

“The North Korean (DPRK) ByBit hack significantly shifted the threat environment of 2025. The $1.5 billion stolen in that single instance represents the largest cryptocurrency theft to date, and accounts for nearly 69% of all funds stolen from crypto services this year,” Chainalysis reported in July.


2. Gonjeshke Darande

Gonjeshke Darande, translating to “Predatory Sparrow”, is a cyberattack group motivated by political goals, with suspected ties to Israel. As tension grew between Israel and Iran, the group targeted Nobitex, Iran’s premier cryptocurrency exchange, making off with approximately $90 million before destroying the funds.

Gonjeshke Darande also leaked Nobitex’s core source code publicly, damaging the exchange’s intellectual property and causing significant reputational harm among users and collaborators.

“Earlier today, eight burn addresses destroyed $90 million worth of assets from the wallets of Nobitex, the regime’s preferred tool for sanctions evasion. In the coming hours, Nobitex’s source code will be released publicly, leaving its walled garden defenseless. Where do you want your assets to be?” they announced in June.

The group has focused its efforts on Iranian infrastructure, financial institutions, and other strategic targets.


  • In July 2021, Gonjeshke Darande caused substantial disruptions to Iran’s railway system, leading to extensive delays and posting provocative messages on public displays.
  • In October 2022, the group launched attacks on three prominent steel manufacturing facilities, sharing video footage of the resulting fires which inflicted significant physical and financial damage.
  • In May 2025, they successfully infiltrated Bank Sepah, Iran’s state-owned bank, exposing sensitive data and disrupting critical financial operations.

3. UNC4899

UNC4899 is another North Korean-backed cryptocurrency hacking group. According to Google’s Cloud Threat Horizons Report, the group operates under the direction of the Reconnaissance General Bureau (RGB), North Korea’s leading intelligence agency.


The report detailed that the group’s activities date back to at least 2020. UNC4899 has primarily focused on targeting the cryptocurrency and blockchain industry, exhibiting notable expertise in executing supply chain attacks.

“A key instance is their suspected exploitation of JumpCloud, which they then used to compromise a software company, subsequently impacting downstream customers within the cryptocurrency sector, showcasing the far-reaching implications of such advanced threat actors,” the report indicated.

Between 2024 and 2025, the group carried out two major cryptocurrency thefts. In one incident, they lured a target on Telegram, deployed malicious software via Docker containers, bypassed multi-factor authentication (MFA) within Google Cloud, and siphoned off millions in digital assets.

In a separate attack, they contacted a victim via LinkedIn, stole AWS session cookies to circumvent security protocols, injected malicious JavaScript code into cloud services, and once again made off with millions in digital currency.
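Stolen session material of the kind described above is hard to spot from any single request, because the credential itself is valid; one practical signal a defender can look for is the same temporary credential appearing from more than one network origin within a short window. The following is an added example and not code from the article or from any vendor it cites: it runs that reuse check over a handful of constructed CloudTrail-style records. The field layout (eventTime, sourceIPAddress, userAgent, userIdentity.accessKeyId) and the ASIA prefix that AWS STS temporary access keys carry are real; the addresses, key values and timestamps are made-up placeholders.

```python
"""Flag one AWS temporary session credential being used from multiple
source IP / user-agent pairs, a pattern consistent with a stolen session
token. The records below are constructed samples, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events laid out like CloudTrail JSON records.
SAMPLE_EVENTS = [
    {"eventTime": "2025-03-01T09:00:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001"}},
    {"eventTime": "2025-03-01T09:05:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001"}},
    # Same temporary credential, different network and client minutes later.
    {"eventTime": "2025-03-01T09:12:00Z", "eventName": "GetSecretValue",
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001"}},
    # An unrelated credential used consistently from a single origin.
    {"eventTime": "2025-03-01T09:20:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.11", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000002"}},
]


def parse_time(stamp):
    """CloudTrail timestamps are UTC in ISO 8601 with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_session_reuse(events, window=timedelta(hours=1)):
    """Return one finding per STS temporary credential (access key starting
    with ASIA) that is seen from more than one (source IP, user agent) pair
    within `window` of its first observed use."""
    by_key = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if key.startswith("ASIA"):  # temporary credentials only
            by_key[key].append(ev)

    findings = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        first_seen = parse_time(evs[0]["eventTime"])
        origins = {}  # (ip, user agent) -> first time seen from that origin
        for ev in evs:
            if parse_time(ev["eventTime"]) - first_seen > window:
                break
            origin = (ev["sourceIPAddress"], ev["userAgent"])
            origins.setdefault(origin, ev["eventTime"])
        if len(origins) > 1:
            findings.append({
                "accessKeyId": key,
                "origins": origins,
                "events": [e["eventName"] for e in evs],
            })
    return findings


if __name__ == "__main__":
    for finding in find_session_reuse(SAMPLE_EVENTS):
        print(finding["accessKeyId"], "used from", len(finding["origins"]),
              "origins:", finding["origins"])
```

The check deliberately keys on the access key rather than on the principal name, because a legitimate user may hold several sessions at once while a single session token should not normally travel between machines. In production the window and the origin definition (for example, treating addresses within a corporate NAT range as one origin) need tuning to the environment to keep false positives manageable.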

This year, cryptocurrency theft has evolved into a tool for geopolitical conflict, alongside its role as financial crime. The substantial financial losses and the strategic motivations fueling numerous attacks show that cryptocurrency exchanges, infrastructure providers, and even governments must now consider cryptocurrency security as a critical matter of national security. Without enhanced and coordinated defenses, broader intelligence sharing, and stronger protections across the crypto ecosystem, the associated losses will undoubtedly continue to increase.
