2026 First Half Crypto Hacker Incidents Summary: How Much Was Lost

Just over halfway through 2026, the crypto industry has already lost over $940 million to hacks.

121 hacking incidents. 85 occurred in the second quarter alone, with approximately $775 million stolen. The number of attacks in Q2 is roughly double the previous single-quarter record.

This isn't bear market data—Bitcoin has fallen from its all-time high of over $122,000 last October, and the total crypto market cap has halved from $4.21 trillion to $2.15 trillion. Hackers, however, have only gotten busier.

1. April: The Worst Month for Losses in Crypto History

April was the single worst month on record for crypto hacking—approximately 30 incidents, with over $625 million stolen.

Two incidents accounted for 93% of that total:

KelpDAO: $293 million. On April 18, attackers stole these funds via a vulnerability in the LayerZero cross-chain bridge. This attack triggered a chain reaction—users withdrew approximately $15 billion in deposits from Aave within four days, causing its TVL to plummet from $26.4 billion to $14.3 billion, a drop of 46%.

Drift Protocol: $285 million. On April 1, the Solana ecosystem derivatives protocol Drift was attacked.

These two incidents alone total over $570 million. Most of the remaining twenty-plus attacks were under $5 million, with many under $1 million.

2. Q1 to Q2: Attack Numbers Double, Tactics Shift

In the first quarter, the crypto industry experienced over 80 cyberattacks, double the number year-over-year. January saw 29 incidents with losses over $392 million; February, 26 incidents with losses over $22 million; March, 27 incidents with losses over $81 million.

Entering the second quarter, the number surged to 85.

A notable change: attacks have shifted from "large-scale, occasional" to "small-scale, high-frequency." In the first five months of 2026, DeFi thefts exceeded $840 million across over 50 incidents; compared to approximately 30 incidents in the same period of 2025, the number of events increased by about 70%.

Hackers are no longer pursuing one big score but are spreading their firepower across more targets. This makes them harder for the industry to track and defend against.

3. Cross-Chain Bridges: A Persistent Security Black Hole

Cross-chain bridges (protocols that transfer assets between different blockchains) remain a major weak point in crypto security.

Secret Network × Axelar Cross-Chain Bridge: $4.67 million. On June 10, hackers exploited a vulnerability in the Secret Network and Axelar cross-chain bridge contract, forging deposits and minting unbacked tokens, which they then swapped and cashed out.

The attack lasted a full seven days—the issue was only exposed on June 17 when a normal cross-chain transfer failed due to insufficient funds in the custody account.

What was the root cause? When the contract was deployed in 2023, the custody model was changed to a minting model, two key functions responsible for verifying the source of transfers were deleted, and it was never externally audited.

The problem with cross-chain bridges: they need to lock assets on one chain and mint corresponding assets on another. If a single point of vulnerability exists, the liquidity pools on both sides can be exposed simultaneously.
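The Secret Network incident above went unnoticed until custody ran short, which a continuous lock/mint reconciliation would have surfaced at the first forged mint. The following is an added example, not code from either project: the event model, the `transfer_id` field and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class BridgeEvent:
    kind: str          # "lock"/"unlock" on the source chain, "mint"/"burn" on the destination
    transfer_id: str   # hypothetical identifier linking a lock to its mint
    amount: Decimal

def reconcile(events):
    """Replay events in order; return (unbacked_mints, custody, supply)."""
    pending = {}           # transfer_id -> locked amount not yet minted against
    custody = Decimal(0)   # assets held in the source-chain custody account
    supply = Decimal(0)    # wrapped tokens outstanding on the destination chain
    unbacked = []
    for ev in events:
        if ev.kind == "lock":
            pending[ev.transfer_id] = ev.amount
            custody += ev.amount
        elif ev.kind == "mint":
            supply += ev.amount
            # A mint is backed only by an unused lock with the same id and amount.
            if pending.pop(ev.transfer_id, None) != ev.amount:
                unbacked.append(ev)
        elif ev.kind == "burn":
            supply -= ev.amount
        elif ev.kind == "unlock":
            custody -= ev.amount
    return unbacked, custody, supply

def shortfall(events):
    """Wrapped supply not covered by custody; anything above zero should raise an alert."""
    _, custody, supply = reconcile(events)
    return max(supply - custody, Decimal(0))

# Constructed sample: two honest transfers, one mint with no source-chain lock,
# and one user bridging 30 back (burn on destination, unlock on source).
SAMPLE = [
    BridgeEvent("lock", "t1", Decimal(100)), BridgeEvent("mint", "t1", Decimal(100)),
    BridgeEvent("lock", "t2", Decimal(50)), BridgeEvent("mint", "t2", Decimal(50)),
    BridgeEvent("mint", "t3", Decimal(400)),
    BridgeEvent("burn", "t4", Decimal(30)), BridgeEvent("unlock", "t4", Decimal(30)),
]

if __name__ == "__main__":
    bad, custody, supply = reconcile(SAMPLE)
    print("unbacked mints:", [e.transfer_id for e in bad])
    print("custody:", custody, "supply:", supply, "shortfall:", shortfall(SAMPLE))
```
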

4. Supply Chain Attacks: Bypassing Code, Targeting People

Hackers are shifting their focus from smart contract code to people, processes, and infrastructure.

Polymarket: $3 million. In June, the prediction market platform Polymarket suffered a third-party vendor breach—attackers injected malicious code into the platform's frontend via a compromised vendor, directly accessing some users' browser wallets.

The attack completely bypassed the audited on-chain code, targeting the website layer that users rarely check. Fewer than 15 users were affected, but this was already Polymarket's second security incident in two months—in May, a compromised employee wallet led to a $700,000 loss.

Yield Yak: Frontend Compromised. On June 24, a malicious wallet-draining script was detected on the voting subdomain of DeFi yield aggregator Yield Yak. This was the second frontend compromise in a few days, following Gitcoin.

Supply chain attacks are becoming an increasingly attractive attack vector—as on-chain code becomes harder to breach, hackers are turning to external dependencies and the website layer.

5. Private Key Leaks & Social Engineering: The Oldest Attacks, Still the Most Effective

Bybit: $1.46 billion (February 2025). Although it happened in 2025, this incident's impact extended into 2026—the FBI confirmed the North Korean hacker group Lazarus Group was responsible. Attackers first controlled the Safe wallet's frontend code, then replaced the displayed address with a malicious one when Bybit's multi-signature owners signed a transaction. This is the largest cryptocurrency theft by value in recent years.

BitoPro: Approximately $11.5 million (May). Taiwanese exchange BitoPro was attacked using methods highly similar to those of the Lazarus Group. Hackers used social engineering to target an employee responsible for cloud operations, implanted malware for long-term persistence, bypassed endpoint protection and multi-factor authentication (MFA), observed operations for several days, and then ran malicious scripts during a wallet system upgrade to transfer assets.

Grinex: $13.7 million (April). This Kyrgyzstan-based exchange suspended operations immediately after having $13.7 million stolen.

jaredFromSubway: Approximately $15 million (June). jaredFromSubway, a well-known MEV bot operator on Ethereum, lost approximately $15 million. The root cause was that the bot contract had approved assets to an untrusted third-party contract. Attackers accumulated these unused approvals and eventually drained the bot's real balance in one go.
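Stale approvals like the ones described above can be found before they are abused by replaying a contract's ERC-20 `Approval` logs and comparing the live spenders against an allowlist. This is an added example, not code from the page or from any project it names; the log layout, addresses, token names and balances are constructed placeholders.

```python
MAX_UINT256 = 2**256 - 1  # the value commonly used for "unlimited" approvals

def outstanding_allowances(approval_events):
    """Latest Approval per (token, owner, spender) wins; a value of 0 is a revocation."""
    latest = {}
    for ev in sorted(approval_events, key=lambda e: (e["block"], e["log_index"])):
        latest[(ev["token"], ev["owner"], ev["spender"])] = ev["value"]
    return {key: value for key, value in latest.items() if value > 0}

def risky_approvals(approval_events, owner, trusted_spenders, balances):
    """List live approvals from `owner` to spenders outside the allowlist.

    Event-derived allowances can overstate the live value (transferFrom spends
    them down), so confirm each finding with the token's allowance() call.
    """
    findings = []
    for (token, who, spender), value in outstanding_allowances(approval_events).items():
        if who != owner or spender in trusted_spenders:
            continue
        findings.append({
            "token": token,
            "spender": spender,
            "unlimited": value == MAX_UINT256,
            # What the spender could pull right now; grows as soon as funds arrive.
            "exposed_now": min(value, balances.get(token, 0)),
        })
    return sorted(findings, key=lambda f: f["exposed_now"], reverse=True)

# Constructed sample logs; addresses and token names are placeholders.
BOT, ROUTER, UNKNOWN_A, UNKNOWN_B = "0xBOT", "0xROUTER", "0xUNKNOWN_A", "0xUNKNOWN_B"

def ev(block, token, spender, value):
    return {"block": block, "log_index": 0, "token": token,
            "owner": BOT, "spender": spender, "value": value}

SAMPLE_LOGS = [
    ev(10, "WETH", ROUTER, MAX_UINT256),      # allowlisted spender
    ev(11, "WETH", UNKNOWN_A, MAX_UINT256),   # unlimited approval, never revoked
    ev(12, "USDC", UNKNOWN_B, 5000),
    ev(20, "USDC", UNKNOWN_B, 0),             # revoked later
    ev(21, "DAI", UNKNOWN_A, 1000),           # live, but no balance to take yet
]
SAMPLE_BALANCES = {"WETH": 300, "USDC": 9000, "DAI": 0}

if __name__ == "__main__":
    for finding in risky_approvals(SAMPLE_LOGS, BOT, {ROUTER}, SAMPLE_BALANCES):
        print(finding)
```
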

SecondFi: Over $20 million (June). The Cardano ecosystem wallet service provider SecondFi had issues with its self-developed wallet generation software. SlowMist founder Cos noted that based on the flow of funds from hacker addresses, the actual loss might exceed $20 million, involving over 129 million ADA.

Aztec: Approximately $2.2 million (June). Privacy protocol Aztec suffered its second attack in three days, executed via its escape hatch circuit implementation.

Time Bombs in Unverified Contracts. In the first six months of 2026, attackers stole $36.7 million from DeFi contracts whose source code was not verified on explorers like Etherscan. Affected protocols include Truebit, Trusted Volumes, Aperture Finance, and Ekubo.

6. Malware is Also Evolving

USB Worm Steals Seed Phrases. In June, Microsoft Defender warned about a new USB-based malware that steals 12- or 24-word BIP39 seed phrases and scans for Bitcoin, Tron, and Monero addresses every 500 milliseconds to redirect transactions.

Mac Users Targeted. Attackers are using code editor extension marketplaces to inject malicious extensions, tricking developers into downloading them, thereby stealing cryptocurrency wallet data and system passwords. They even attempt to replace hardware wallet desktop applications.

7. What Changed in the First Half of 2026

Looking back at these six months, several clear trends emerge:

Attack numbers are exploding, while individual amounts are shrinking. The strategy has shifted from "hunting big whales" to "casting a wide net." This means defense difficulty has risen sharply for the industry—it's hard to secure all small targets simultaneously.

The attack surface is expanding. It's not just smart contract vulnerabilities anymore—frontends, third-party vendors, employee devices, social engineering, and private key management are all potential entry points.

Cross-chain bridges remain the biggest single point of risk. One vulnerability can unlock hundreds of millions of dollars.

Audits are not a panacea. Secret Network's cross-chain bridge was never audited; the Polymarket attack bypassed audited on-chain code; jaredFromSubway's problem was in authorization management. Code security is just one piece of the security puzzle.

8. What Regular Users Should Do

Don't just look at these numbers and think "that's far from me." Many attack victims are ordinary users. Remember:

1. Don't store seed phrases on electronic devices. USB worms, clipboard hijackers, malicious extensions—attackers have a thousand ways to steal seed phrases from your device.

2. Don't click unknown links, don't approve unknown contracts. When a frontend is compromised, the page you see might be fake.

3. Use cold wallets for large amounts. Hot wallets (connected to the internet) are exposed to online attacks; cold wallets (offline storage) are physically isolated.

4. Pay attention to a project's security history. If a project has had a security incident, it's likely to happen again—Polymarket twice in two months, Aztec twice in three days.

5. Diversify your asset storage. Don't put all your coins in one wallet or one protocol. Don't put all your eggs in one basket.

In the first half of 2026, the crypto industry lost $942 million to hacks. 121 attacks, averaging one every 1.5 days.

And this isn't the worst yet. Audit firms warn the industry is approaching a pace of "one attack per day." What the second half will bring, no one can say for sure.

The only certainty is: hackers won't rest, so you shouldn't let your guard down either.

FAQ

How much money did the crypto industry lose to hacks in the first half of 2026?

As of the end of June, there were 121 hacking incidents with total losses of approximately $942 million. This includes 85 incidents in Q2, with losses of about $775 million.

Which two incidents caused the largest losses?

The KelpDAO ($293 million) and Drift Protocol ($285 million) incidents in April were the two largest attacks of the first half. Together, they accounted for 93% of the total amount stolen in April.

What new trends emerged in hacking during the first half?

Attacks have shifted from "a few large-scale attacks" to "small-scale, high-frequency" persistent infiltration. Simultaneously, the attack surface has expanded from smart contract code to frontends, third-party vendors, employee devices, and social engineering. Cross-chain bridge vulnerabilities and private key leaks remain major risk points.