Meet 3 Infamous Hackers Shaping Crypto Crime

In 2025, cryptocurrency theft has evolved from simple rug pulls and opportunistic scams into sophisticated, nation-state–sponsored operations that target major exchanges and critical infrastructure. Over $2.17 billion was stolen in the first half of 2025, and that figure continues to rise month by month.

In September alone, 20 crypto-related attacks resulted in $127.06 million in reported losses, highlighting the rising threat. Below are three high-profile hackers who have been involved in major crypto attacks.

1. Lazarus Group

The Lazarus Group is an infamous, long-running hacking organization backed by North Korea. Known by aliases such as APT38, Labyrinth Chollima, and HIDDEN COBRA, the group has consistently demonstrated the ability to bypass even the most advanced security systems.

Hacken noted that the group's operations date back to at least 2007, beginning with intrusions into South Korean government systems. Other notable attacks include the Sony Pictures hack in 2014 (retaliation for the film The Interview), the WannaCry ransomware outbreak in 2017, and ongoing campaigns targeting economic sectors in South Korea.

In recent years, Lazarus has focused heavily on cryptocurrency theft, stealing more than $5 billion between 2021 and 2025. The most significant was the Bybit hack in February 2025, when the group stole $1.5 billion in Ethereum (ETH)—the largest crypto heist on record. Additional operations included a $3.2 million Solana (SOL) theft in May 2025.

“The DPRK’s ByBit hack fundamentally altered the 2025 threat landscape. At $1.5 billion, this single incident not only represents the largest crypto theft in history, but also accounts for approximately 69% of all funds stolen from services this year,” Chainalysis wrote in July.

2. Gonjeshke Darande

Gonjeshke Darande (Predatory Sparrow) is a politically motivated cyberattack group, widely believed to have ties to Israel. Amid escalating Israel-Iran conflicts, the group breached Nobitex, Iran's largest crypto exchange, stealing about $90 million and then burning the funds.

Gonjeshke Darande also exposed Nobitex’s source code publicly, undermining the exchange’s proprietary systems and delivering a major blow to its credibility with users and partners.

“12 hours ago, 8 burn addresses burned $90 million from the wallets of the regime’s favorite sanctions violation tool, Nobitex. 12 hours from now the source-code of Nobitex will be open to the public, and Nobitex’s walled garden will be without walls. Where do you want your assets to be?” they posted in June.

The group’s other attacks have also focused on Iranian infrastructure, banks, and other state-linked targets.

  • In July 2021, Gonjeshke Darande disrupted Iran’s railway systems, causing major delays and posting mocking messages on public boards.
  • In October 2022, the group attacked three major steel plants, releasing footage of fires that caused serious physical and economic damage.
  • In May 2025, they breached Bank Sepah, Iran’s state-owned bank, leaking sensitive data and disrupting financial operations.

3. UNC4899

UNC4899 is another North Korean state-sponsored crypto hacking unit. According to Google’s Cloud Threat Horizons Report, the group operates under the Reconnaissance General Bureau (RGB), North Korea’s primary intelligence agency.

The report revealed that the group has been active since at least 2020 and has concentrated its efforts on the cryptocurrency and blockchain sectors. The group has demonstrated advanced capabilities in executing supply chain compromises.

“A notable example is their suspected exploitation of JumpCloud, which they leveraged to infiltrate a software solutions entity and subsequently victimize downstream customers within the cryptocurrency vertical, underscoring the cascading risks posed by such advanced adversaries,” the report reads.

Between 2024 and 2025, the group carried out two major crypto heists. In one case, they lured a victim on Telegram, deployed malware through Docker containers, bypassed MFA in Google Cloud, and stole millions in cryptocurrency.

In another, they approached a target via LinkedIn, stole AWS session cookies to bypass security controls, injected malicious JavaScript into cloud services, and again siphoned off millions in digital assets.

This year, crypto theft has become a tool of geopolitical conflict as much as financial crime. The billions lost in 2025—and the strategic motives behind many of the attacks—demonstrate that exchanges, infrastructure providers, and even governments must now treat crypto security as a matter of national security. Without coordinated defense, intelligence sharing, and stronger safeguards across the ecosystem, the losses will only continue to escalate.

Source: https://beincrypto.com/crypto-hackers-2025-thefts/