By 2025, the landscape of cryptocurrency theft has transformed from basic rug pulls and scams to complex, state-sponsored operations targeting major exchanges and vital infrastructure. More than $2.17 billion was taken in the first half of 2025, and that amount keeps climbing.
In just September, there were 20 crypto-related attacks that led to reported losses of $127.06 million, underscoring the escalating threat. Here are three notorious hackers involved in significant crypto breaches.
1. Lazarus Group
The Lazarus Group is a renowned hacking organization associated with North Korea. Known by various names including APT 38, Labyrinth Chollima, and HIDDEN COBRA, this group has consistently outsmarted highly sophisticated security measures.
According to Hacken, their activities can be traced back to at least 2007, starting with attacks on South Korean government networks. Some of their prominent incidents include the 2014 Sony Pictures hack (in response to the film The Interview), the WannaCry ransomware attack in 2017, and ongoing efforts targeting various economic sectors in South Korea.
Recently, Lazarus has heavily targeted cryptocurrency, stealing over $5 billion between 2021 and 2025. The most notable incident was the Bybit hack in February 2025, in which $1.5 billion in Ethereum (ETH) was taken, the largest crypto heist on record. Other operations included a $3.2 million theft of Solana (SOL) in May 2025.
“The DPRK’s ByBit hack fundamentally altered the 2025 threat landscape. At $1.5 billion, this single incident not only represents the largest crypto theft in history but also accounts for around 69% of all funds stolen from services this year,” Chainalysis wrote in July.
2. Gonjeshke Darande
Gonjeshke Darande (Predatory Sparrow) is perceived as a politically driven hacking group, thought to have ties to Israel. Amid escalating clashes between Israel and Iran, the group compromised Nobitex, the largest cryptocurrency exchange in Iran, draining about $90 million and then destroying the funds.
They also leaked Nobitex’s source code publicly, severely damaging the exchange’s credibility with users and partners.
“12 hours ago, 8 burn addresses burned $90 million from the wallets of the regime’s favorite sanctions violation tool, Nobitex. 12 hours from now the source-code of Nobitex will be open to the public, and Nobitex’s walled garden will be without walls. Where do you want your assets to be?” they posted in June.
The group’s other attacks have also targeted Iranian infrastructure, banks, and more.
- In July 2021, Gonjeshke Darande disrupted Iran’s railway systems, causing substantial delays and posting mocking messages on public boards.
- In October 2022, the group attacked three major steel plants, releasing footage of fires that led to severe damage.
- In May 2025, they breached Bank Sepah, Iran’s state-owned bank, leaking sensitive information and disrupting operations.
3. UNC4899
UNC4899 is another crypto hacking group backed by North Korea. Google’s Cloud Threat Horizons Report indicates that the group operates under the Reconnaissance General Bureau (RGB), which is North Korea’s leading intelligence agency.
The report states that this group has been active since at least 2020 and has focused its activities on the cryptocurrency and blockchain sectors, showcasing advanced capabilities for supply chain compromises.
“A notable example is their suspected exploitation of JumpCloud, which they used to infiltrate a software solutions entity and subsequently victimize downstream customers in the cryptocurrency space, highlighting the cascading risks posed by such advanced adversaries,” the report reveals.
Between 2024 and 2025, UNC4899 conducted two major heists. In one case, they enticed a victim on Telegram, deployed malware via Docker containers, circumvented MFA in Google Cloud, and stole millions in cryptocurrency. In another instance, they approached a target through LinkedIn, stole AWS session cookies to bypass security measures, injected harmful JavaScript into cloud services, and again siphoned off millions in digital assets.
This year, crypto theft has become both a tool of geopolitical conflict and a financial crime. The billions lost this year, and the strategic reasons behind many of these attacks, show that exchanges, infrastructure providers, and even governments need to treat crypto security as national security. Without coordinated defenses, intelligence sharing, and improved safeguards throughout the ecosystem, losses will keep mounting.