A record-breaking wave of cryptocurrency hacks swept through the digital asset market in the first half of 2026, targeting decentralized finance (DeFi) protocols and cross-chain bridges. However, in a surprising twist for investors, the total amount of money stolen fell by more than half compared to last year. While hackers are attacking more frequently, their individual hauls are shrinking, though state-backed groups continue to orchestrate massive exploits.
By Elena Kowalski | July 5, 2026
According to a comprehensive cybersecurity report published by blockchain intelligence firm TRM Labs, the cryptocurrency industry experienced a historic surge in security breaches during the first half of 2026 (H1 2026). Security researchers verified a total of 207 hacks during this six-month window, the highest number of incidents ever recorded in a single half-year period and a massive increase from the 83 incidents reported in H1 2025. The surge was particularly intense in the second quarter, with Q2 2026 setting an individual record of 123 incidents.
Despite the frequency of these attacks, the financial damage was significantly lower than in previous years. The report shows that hackers stole a total of USD 972 million in H1 2026. While that is still nearly a billion dollars lost, it represents a decline of over 50 percent compared to the USD 2.3 billion stolen in H1 2025. This drop suggests that while attackers are trying harder than ever, the industry’s defenses are slowly improving. Here are the key findings from the TRM Labs report:
- Record incident count — 207 hacks occurred in H1 2026, more than doubling the count from the previous year.
- Shrinking typical losses — The typical (median) hack in H1 2026 resulted in approximately USD 219,000 in stolen funds, showing that most attacks are smaller in scale.
- North Korean dominance — State-linked hacker groups, primarily the infamous Lazarus Group, stole USD 643 million, which accounts for about 66% of all stolen funds.
- Infrastructure compromises — Stolen private keys and compromised servers accounted for only 15% of the incidents but were responsible for a whopping 76% of the total stolen value.
- Smart contract exploits — Code-level exploits made up 125 of 207 incidents (about 60 percent), though they generally resulted in smaller losses.
For everyday investors, the numbers show a changing battlefield. The massive multi-hundred-million-dollar exploits that used to happen almost every week have become rarer. Instead, hackers are focusing on smaller, less-guarded projects, leading to a higher number of smaller hacks. However, the threat from elite cyber-criminals remains extremely high, as demonstrated by two massive security breaches in April that accounted for the vast majority of the six-month total.
The Exploit Mechanics
To understand how these criminals are stealing hundreds of millions of dollars, we must look at the two biggest heists of H1 2026: the attacks on Drift Protocol and KelpDAO. Both occurred in April and together accounted for approximately USD 577 million—more than half of all stolen funds in the entire first half of the year. These attacks reveal that hackers are moving away from finding simple typos in code. Instead, they are using complex social engineering and infrastructure attacks.
The first major attack hit Drift Protocol, a decentralized perpetual trading exchange on the Solana blockchain. According to security firm reports, the attackers did not find a bug in the smart contract code. Instead, they played a long game of social engineering. The hackers, identified as a subgroup of the North Korea-linked Lazarus Group known as Citrine Sleet (also tracked as AppleJeus or UNC4736), posed as a legitimate quantitative trading firm. They spent months building trust with the Drift Protocol development team, attending conferences, and engaging in technical discussions.
Once trust was established, the attackers exploited a Solana feature called durable nonces. A durable nonce lets a signed transaction stay valid indefinitely instead of expiring after a short time, so think of it as turning a signature into a pre-signed blank check that can be cashed later. The hackers tricked the members of the Drift Protocol Security Council into signing transactions that looked harmless but actually gave the attackers administrative control. Once they had control, the hackers whitelisted a worthless token called CarbonVote Token (CVT) as collateral. They artificially pumped the value of CVT, used it to borrow against the protocol’s real reserves, and drained approximately USD 285 million in just 12 minutes.
The second giant exploit targeted KelpDAO, a popular liquid restaking protocol on Ethereum, on April 18, 2026. The hackers, believed to be the TraderTraitor subgroup of the Lazarus Group, targeted the protocol’s cross-chain bridge. KelpDAO relied on a bridge system using a 1-of-1 Decentralized Verifier Network (DVN). This means the bridge relied on a single verifier node—a digital security guard—to approve transactions between blockchains.
The attackers compromised two Remote Procedure Call (RPC) nodes, which are the communication channels the verifier uses to read blockchain data. They then launched a Distributed Denial of Service (DDoS) attack to crash the healthy nodes. With the healthy systems offline, the verifier fell back on the compromised nodes, which fed it forged data. This trick convinced the verifier to release 116,500 rsETH, valued at approximately USD 292 million, directly to the hackers.
Affected Systems
The TRM Labs report highlights that the risk profile varies dramatically depending on the system architecture. In H1 2026, smart contract exploits were the most common type of attack, representing 125 of the 207 incidents. Smart contracts are self-executing agreements written in code. When hackers find a flaw in the logic, they can manipulate the system. However, the report shows that these logic bugs are increasingly difficult to exploit for massive sums because developers are performing more frequent security audits. As a result, the average smart contract exploit was relatively small.
In contrast, infrastructure and operational compromises represent the true nightmare scenario for DeFi protocols. These compromises include stolen private keys, compromised server access, and social engineering attacks. While they made up only 15% of the total incident count, they caused 76% of the total financial losses. When an attacker steals a private key, they do not need to exploit code; they simply log in as the owner and transfer the funds. This was the case with the KelpDAO bridge and the Drift Protocol admin key compromise.
These exploits occurred against a backdrop of varying market conditions. To put these losses in perspective, let us look at the value of the primary assets in the cryptocurrency market on July 5, 2026. Bitcoin (BTC) is currently trading at USD 62,931, while Ethereum (ETH) stands at USD 1,767.99. The Solana network’s native token, Solana (SOL), is valued at USD 80.47. Other major cryptocurrencies show the following values: Binance Coin (BNB) is at USD 577.27, Ripple (XRP) is trading at USD 1.14, and Cardano (ADA) is at USD 0.1927. Additionally, Avalanche (AVAX) is trading at USD 6.82, Dogecoin (DOGE) at USD 0.0760, Polkadot (DOT) at USD 0.8703, Chainlink (LINK) at USD 7.92, and TRON (TRX) at USD 0.3246. The massive valuations of these networks explain why hackers are willing to spend months planning sophisticated operations.
The Mitigation Strategy
Limiting the damage of a hack requires rapid, coordinated defense. In both the Drift Protocol and KelpDAO incidents, emergency mitigation protocols prevented even larger catastrophes. When the KelpDAO team realized their bridge verifier was compromised, they immediately triggered emergency pause functions on their smart contracts. This quick reaction saved an estimated USD 95 million in user assets that would have otherwise been drained.
Furthermore, the broader decentralized community stepped in to help. The Arbitrum Security Council acted swiftly to freeze downstream addresses containing over 30,000 ETH. At the current Ethereum price of USD 1,767.99, this frozen amount is worth approximately USD 53 million. Freezing these assets prevented the hackers from moving the stolen funds to mixing services, showing that centralized intervention can sometimes protect user funds in decentralized networks.
To prevent future bridge exploits, developers are restructuring their security protocols. The primary mitigation strategy is eliminating single points of failure. Protocols are transitioning away from 1-of-1 Decentralized Verifier Networks to multi-verifier systems, requiring multiple independent nodes to approve cross-chain transfers. Additionally, teams are implementing stricter multi-signature (multi-sig) requirements for admin actions, ensuring that no single compromised key can ruin an entire protocol.
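To make the KelpDAO-style verifier failure described above and the multi-verifier mitigation concrete, here is a small added simulation (not code from KelpDAO, TRM Labs or any bridge project). The node names, the quorum logic and the genuine deposit amount are assumptions; only the 116,500 rsETH figure comes from the article.

```python
from dataclasses import dataclass

REAL_DEPOSIT = 10          # constructed: the only genuine deposit waiting on the source chain
FORGED_DEPOSIT = 116_500   # the rsETH amount the forged data claimed (figure from the article)


@dataclass
class RpcNode:
    name: str
    online: bool = True
    compromised: bool = False   # a compromised node answers with attacker-chosen state

    def read_deposit(self) -> int:
        return FORGED_DEPOSIT if self.compromised else REAL_DEPOSIT


@dataclass
class Verifier:
    name: str
    rpcs: list   # ordered fallback list; the verifier queries the first node that is online

    def attest(self):
        for rpc in self.rpcs:
            if rpc.online:
                return rpc.read_deposit()
        return None   # nothing reachable: abstain rather than guess


def bridge_release(verifiers, threshold):
    """Fail-closed quorum: release an amount only if `threshold` verifiers attest to the same value."""
    votes = {}
    for v in verifiers:
        amount = v.attest()
        if amount is not None:
            votes[amount] = votes.get(amount, 0) + 1
    return next((amt for amt, n in votes.items() if n >= threshold), 0)


def one_of_one_dvn():
    """1-of-1 DVN: healthy RPCs knocked offline by DDoS, the lone verifier falls back to rogue nodes."""
    healthy = [RpcNode("rpc-primary", online=False), RpcNode("rpc-secondary", online=False)]
    rogue = [RpcNode("rpc-fallback-1", compromised=True), RpcNode("rpc-fallback-2", compromised=True)]
    return bridge_release([Verifier("dvn", healthy + rogue)], threshold=1)


def two_of_three_dvn(third_verifier_online=True):
    """Mitigation: three verifiers on independent RPC providers; only one is pushed onto a rogue node."""
    v_a = Verifier("dvn-a", [RpcNode("provider-a", online=False), RpcNode("rpc-fallback-1", compromised=True)])
    v_b = Verifier("dvn-b", [RpcNode("provider-b")])
    v_c = Verifier("dvn-c", [RpcNode("provider-c", online=third_verifier_online)])
    return bridge_release([v_a, v_b, v_c], threshold=2)
```

With a single verifier the forged 116,500 is released; with 2-of-3 the honest majority releases only the genuine deposit, and if a second verifier is unreachable the quorum fails and nothing is released.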
Lessons Learned
The data from the first half of 2026 offers critical lessons for the cryptocurrency industry. First, the report proves that the nature of security risks is shifting. While smart contract audits are essential, they are no longer enough to keep a protocol safe. Teams must focus on operational security, key management, and employee training. The fact that North Korean hackers spent months pretending to be a trading firm to infiltrate Drift Protocol shows that human psychology is often the weakest link in blockchain security.
Second, the heavy reliance on cross-chain bridges remains a massive vulnerability. Bridges connect different blockchains, making them highly complex and attractive targets for hackers. When a bridge uses a simplified verification model, it creates an easy target for state-sponsored groups. Security must be decentralized at every layer, from the code itself to the servers and communication channels that run the system behind the scenes.
For the broader community, these events highlight the importance of transparency. When protocols are honest about their security structures, investors can make better decisions. Projects that use single-node verifiers or have centralized admin keys must be labeled as high-risk, encouraging developers to adopt safer, decentralized architectures.
User Action Required
As a cryptocurrency investor, you cannot control how a protocol manages its servers, but you can take steps to protect your personal portfolio. The TRM Labs report proves that DeFi is still a high-risk environment. To safeguard your digital assets, you should implement the following security practices immediately:
- Audit the bridges you use — Before moving assets across blockchains, check if the bridge uses a multi-verifier network. Avoid bridges that rely on a single verifier or have centralized architectures.
- Diversify your holdings — Never keep all your funds in a single DeFi protocol or bridge escrow. Spread your assets across multiple wallets and protocols to reduce your exposure to a single hack.
- Use hardware wallets — Keep your primary long-term holdings in cold storage hardware wallets. These devices keep your private keys offline, protecting them from remote server compromises.
- Practice strict security hygiene — Never share your seed phrase or private keys with anyone. Be highly skeptical of direct messages on Discord or Telegram offering investment opportunities or partnerships, as these are often social engineering traps.
By taking these actions, you can protect your assets from the growing number of small-scale exploits while minimizing the damage if a major protocol you use is compromised.
Disclaimer
The cryptocurrency market remains highly volatile. This article is for informational purposes only and does not constitute financial advice.
15% of incidents but 76% of the money stolen. Private key management is still the entire ballgame and protocols keep treating it like an afterthought.
Good catch. A single compromised signer can drain a treasury faster than any smart contract bug. Multisig should be the bare minimum in 2026.
207 hacks and that's considered an improvement because the total went down. Crazy framing. Median hack being 219k means there's a long tail of massive ones pulling the average up hard.
Lazarus walking away with 643m and nobody in governance talks about it. Where are the sanctioned address lists actually being enforced?