Crypto Hacks in H1 2026: Losses and Trend Analysis

 / 
6

In the first half of 2026, the crypto industry presented a divided picture regarding hacking incidents:attack frequency hit a record high, but total losses dropped by more than half.This contradiction stems from two concurrent changes—two massive attacks led by North Korean hackers accounted for the majority of losses, while the focus of security vulnerabilities shifted from 'code' to 'infrastructure.'

Binance Exchange
The world's largest cryptocurrency exchange by trading volume,leading in security and liquidity.
New user benefit: Enjoy 20% off trading fees upon registration!

Overall Situation: Record Number of Incidents, Losses Halved

According to a report released by blockchain security firm TRM Labs in early July 2026, the crypto industry experienced207hacking incidents in the first half of 2026—the highest number TRM has recorded for any six-month period. In the same period last year, there were only 83 incidents.

In contrast to the record number of attacks, total losses in the first half amounted to approximately$972 million, less than half of the $2.3 billion lost in the same period in 2025. Data compiled by SlowMist shows a similar trend: 158 publicly disclosed security incidents with cumulative losses of approximately $929 million.

Key Signal: The number of attacks doubled while losses halved—indicating a shift in hacker tactics from 'one big heist per year' to a 'high-frequency, low-intensity' guerrilla approach. The median loss per attack in H1 2026 was approximately$219,000, but the average loss was pulled up to over$4.7 milliondue to a few massive cases.

Loss Concentration: Two Cases Account for the Majority

The distribution of losses in the first half was extremely uneven. April was the worst month, with approximately$631 millionstolen, accounting for nearly68%of total H1 losses. Two incidents contributed the vast majority:

  • KelpDAO: Loss of approximately$292–293 million(April), involving an attack on the LayerZero cross-chain bridge infrastructure.

  • Drift Protocol: Loss of approximately$285–295 million(April).

These two cases alone totaled over$577 million, accounting for nearly 60% of H1 losses. The second quarter (Q2) became the most active quarter on record for attacks—83 separate incidents with total losses of $755.3 million, with these two cases alone accounting for over three-quarters of quarterly losses.

Attacker Profile: North Korean Hackers Still Dominant

TRM Labs attributed approximately66%of stolen funds (about$643 million) to hacker groups linked to North Korea. Nearly all losses from this direction were concentrated in the two April attacks on KelpDAO and Drift Protocol. The report noted that the capabilities of North Korean hacker groups have not diminished; the decline in H1 2026 losses is simply due to the absence of a record-breaking event like the $1.5 billion Bybit hack in 2025.

Vulnerability Structure: Code Flaws Numerous, Infrastructure Flaws Costly

This is the most notable trend shift in the first half of 2026.

  • Smart Contract Vulnerabilities: Most numerous, driving the record number of attacks. The majority of the 207 H1 incidents came from contract exploits on DeFi protocols, DEXs, and token projects. However, they caused a relatively small proportion of financial losses.

  • Infrastructure and Operational Vulnerabilities: Accounted for only about15%of incidents but caused approximately76%of losses.

These vulnerabilities center onstolen private keys, compromised transaction signing systems, and breached enterprise infrastructure. Data from SlowMist confirms this: stolen private keys and administrator credentials caused about40%of total losses. Historically, private key leaks have accounted for approximately 40% of total industry losses.

Binance Exchange
The world's largest cryptocurrency exchange by trading volume,leading in security and liquidity.
New user benefit: Enjoy 20% off trading fees upon registration!

Trend Judgments and Checklist

Based on the above data, several clear judgments can be made:

  1. Audits Are No Longer a Panacea: Smart contract audits can no longer fully protect projects from theft. Attackers are bypassing the code layer and directly targeting signing systems and key management.

  2. Cross-Chain Bridges Remain a Hotspot: Cross-chain bridge-related attacks in Q2 led to approximately$351 millionin losses, nearly half of the quarter's total. The LayerZero OFT bridge vulnerability directly caused the KelpDAO incident.

  3. AI-Driven Attacks Are on the Rise: According to a Chainalysis report, AI-driven crypto scams are about4.5 timesmore profitable than traditional scams and can be used to bypass exchange identity verification.

Checklist: If you operate a project or manage funds, review the following:

  • Are private key generation, storage, and signing processes layered and isolated? Is there a multi-approval mechanism?

  • Is there an emergency response plan for 'infrastructure breach' scenarios, not just 'contract failure' scenarios?

  • Do the external nodes or validator networks relied upon by cross-chain bridges or messaging systems have sufficient redundancy and protection mechanisms?

  • For large transfers, are time delays, multi-signature, and risk control parameters in place to provide a reaction window after a hack?