By 2025, cryptocurrency theft had evolved from simple, opportunistic scams to sophisticated, nation-state-sponsored operations targeting major exchanges and critical infrastructure. Over $2.17 billion was stolen in the first half of 2025, and the number continues to rise every month.
In September alone, there were 20 cryptocurrency-related attacks that cost $127.06 million, highlighting the growing threat. Here are three prominent hacker groups that have been involved in major cryptocurrency attacks.
1. Lazarus Group
The Lazarus Group is a notorious, long-running, North Korean-backed hacking organization. Known by aliases such as APT38, Labyrinth Chollima, and HIDDEN COBRA, the group has consistently demonstrated its ability to bypass even the most advanced security systems.
The group's activities have been traced back to at least 2007, with intrusions into South Korean government systems. Other notable attacks include the 2014 Sony Pictures hack (in retaliation for the film The Interview), the 2017 WannaCry ransomware outbreak, and ongoing campaigns targeting economic sectors in South Korea.
In recent years, Lazarus has focused heavily on cryptocurrency theft, stealing more than $5 billion between 2021 and 2025. The Bybit hack in February 2025 was the most significant, when the group stole $1.5 billion in Ethereum (ETH) — the largest cryptocurrency theft ever recorded. Other activities include the theft of $3.2 million in Solana (SOL) in May 2025.
“The DPRK’s Bybit hack fundamentally changed the 2025 threat landscape. At $1.5 billion, the incident not only represents the largest cryptocurrency theft in history, but also accounts for approximately 69% of the total amount stolen from services this year,” Chainalysis wrote in July.
2. Gonjeshke Darande
Gonjeshke Darande (Sparrows of Prey) is a politically motivated hacking group believed to be linked to Israel. Amid escalating tensions between Israel and Iran, the group hacked Nobitex, Iran's largest cryptocurrency exchange, stealing around $90 million before burning the coins.
Gonjeshke Darande also made Nobitex's source code public, undermining the exchange's proprietary system and causing great damage to its reputation with users and partners.
“12 hours ago, 8 burn addresses burned $90 million from the wallets of the regime’s favorite sanctions-busting tool, Nobitex. 12 hours from now, the Nobitex source code will be made public, and the Nobitex walled garden will have no walls. Where do you want your assets?” they posted in June.
Other attacks by the group have also focused on Iran's infrastructure, banks and many other sectors.
- In July 2021, Gonjeshke Darande disrupted Iran's railway system, causing major delays and posting mocking messages on public bulletin boards.
- In October 2022, the group attacked three major steel plants, releasing videos of fires that caused severe material and economic damage.
- In May 2025, they hacked into Bank Sepah, Iran's state-owned bank, leaking sensitive data and disrupting financial operations.
3. UNC4899
UNC4899 is a North Korean state-sponsored crypto-hacking unit. According to Google's Cloud Threat Horizons Report, the group operates under the direction of the Reconnaissance General Bureau (RGB), North Korea's main intelligence agency.
The report reveals that the group has been active since at least 2020. Furthermore, UNC4899 has focused its efforts on the cryptocurrency and blockchain sectors. The group has demonstrated advanced capabilities in carrying out supply chain attacks.
“A notable example is their suspected exploitation of the JumpCloud exploit, which they used to infiltrate a software solutions company and then attack downstream customers in the cryptocurrency sector, highlighting the pervasive risks posed by such advanced adversaries,” the report reads.
Between 2024 and 2025, the group carried out two major thefts. In one case, they lured a victim on Telegram, deployed malware via Docker containers, bypassed MFA on Google Cloud, and stole millions of dollars in cryptocurrency.
In another case, they approached their target via LinkedIn, stole AWS session cookies to bypass security measures, injected malicious JavaScript code into cloud services, and again siphoned off millions of dollars in digital assets.
This year, then, cryptocurrency theft has become a tool of geopolitical conflict as well as financial crime. The billions of dollars lost this year—and the strategic motivations behind many of the attacks—show that exchanges, infrastructure providers, and even governments need to treat cryptocurrency security as a national security issue. Without coordinated defenses, intelligence sharing, and stronger protections across the ecosystem, the losses will only continue to mount.