'Fewer But Far More Surgical'—Crypto Hacks Hit $1.3 Billion In 2026

FORBES ·

Crypto losses in H1 2026 totaled $1.315 billion across 344 incidents, a figure deceptively lower than 2025 due to a single large hack last year. CertiK's report highlights a significant shift: nearly 44% of losses came from just two incidents, Kelp DAO and Drift Protocol, which exploited operational and infrastructure security flaws, not smart contract bugs. Wallet compromise is now the costliest attack vector, with attackers targeting key management and multisig governance. While code bugs remain frequent, they are less lucrative. Emerging threats include AI agents with wallet access. Nation-state actors, like North Korea, are increasingly sophisticated. Experts emphasize robust operational security and distributed key management to deter these evolving threats. "Two exploits accounted for nearly 44% of all H1 losses," the security researcher who posts as @victorokpukpan_ wrote on X on July 7. "Neither was a smart contract bug." He was describing the two heists that defined crypto's first half of 2026. According to the Hack3D report from the Web3 security firm CertiK, $1,315,676,432 was stolen across 344 on-chain incidents in those six months. On the surface, that reads like progress: a 46.8% drop from a year earlier. The drop is mostly an illusion. Almost all of 2025's higher total came from one event, the $1.45 billion Bybit theft in February of that year. Strip Bybit out and the 2025 figure falls to about $1.03 billion, which puts 2026 roughly 28% higher on a comparable basis. The number of incidents rose too, to 194 in the second quarter from 145 a year before. "A headline reading of losses down nearly 50% would suggest a meaningfully safer ecosystem," CertiK's analysts wrote. "The data does not support that conclusion." For Ronghui Gu, CertiK's co-founder and chief executive, the surprise in the half was not the total but its distribution. "What stood out most was the shape of the losses," Gu wrote in response to questions from Forbes. "A huge share of H1's damage came down to just two incidents, Kelp DAO and Drift Protocol, which accounted for nearly 44% of all losses. Both were failures in operational and infrastructure security, not code vulnerabilities in the traditional sense." Those two April incidents, the Kelp DAO exploit ($291.3 million) and the Drift Protocol breach ($285.3 million), together took about $576.6 million, and neither touched a protocol's audited code. Ido Sofer, founder of key-management firm Sodot, said on the On The Margin podcast that attackers grasped this shift before the defenders did. "You saw all the recent hacks, starting from Bybit and moving forward to a lot of others, including the recent ones like Resolve, Drift and others," Sofer said. "So those are off-chain hacks that led to on-chain loss of funds." What does that mean in practice? "Developer credentials, deployment keys, API keys that are being stolen," Sofer said. "And that provided access to moving funds on chain." Security analysts on X drew the same line. "Kelp lost $293M. The contracts were clean," wrote @0xALTF4, a DeFi analyst, on July 6. "A single compromised validator handling cross-chain message verification took everything down. Drift lost $285M. No contract bug. A manipulated signing interface." Gu put that shift in numbers. Wallet compromise was the costliest category of the half at more than $444 million, "averaging more than $13 million per event, by far the highest of any category," he wrote. Code bugs were far more common but far cheaper. "Attackers are getting more return by going after key management, multisig governance, and operational infrastructure than by hunting for bugs in code," Gu wrote. Phishing told a quieter version of the same story. The number of attacks fell by more than half, from 132 to 63, yet losses barely moved. Just four social-engineering operations produced $310 million, about 85% of all phishing losses, including a January attack in which one victim lost $284,785,689. The spray-and-pray scams are giving way to a few surgical strikes on people who hold large balances. The classic image of a crypto hack, a bug in the code, was still the most common attack by far at 204 incidents, but it cost just $151.6 million, and more of those exploits are now hitting contracts over a year old. "A project gets audited once before deployment, passes, and then never revisits that code again," Gu wrote. "The danger window doesn't close after launch." Gu's bigger worry is what happens as software agents start moving money on their own. "An AI agent with wallet access is essentially a new kind of privileged key holder," he wrote, "except its decision-making can be manipulated through inputs in ways a human might catch and a poorly-guardrailed agent won't." The report already logged a preview: the JaredFromSubway trading bot lost about $7.5 million in June after attackers deployed fake arbitrage pools built to trick its automated strategy into approving malicious contracts. Hovering over all of it is a familiar adversary. "There will be hacks. The question is, is it going to be in your company or not," Sofer said. "North Korea, they spend a significant amount of resources, and they're going to be successful one way or another. If a nation state is after you, it's going to be very hard." CertiK stopped short of naming names, noting only that the Drift breach "bears characteristics consistent with DPRK-linked operational patterns." Security accounts on X were less cautious, tying both April heists to North Korea's Lazarus Group . So Sofer's answer is to make the math unattractive. "You think about attackers. They're organizations," he said. "They calculate the ROI. If you put enough constraints and enough security rails, the cost is going to be higher than my neighbor and the other company, so probably they're going to go there because the ROI is lower." The product he sells, multi-party computation, chops a private key into pieces held on different machines and in different places so no single break-in can move money. "Instead of having one key stored in one place, it's going to be distributed," he said. "So it's going to be harder to get to a place where you can actually move the funds." Not every protocol got hit. Jonathan Han, who took over as chief executive of Euler Labs in January 2026, said the modular design of his lending protocol contained the damage when a nearby project was exploited earlier in the year. "We were also impacted," Han said on the On The Margin podcast, referring to the March Resolv incident, "but it didn't spread out to other unrelated markets. So that's the advantage of the risk isolation design." For institutions weighing whether to put money on-chain, that has become a live diligence question. "It's one of the key concerns for a lot of institutions, because they don't want their assets exposed to a lot of unknown risk on chain," Han said. "So they are doing a lot of diligence on protocols like us on how we run our operations." The audits, for the most part, held. The money left through the keys anyway. As Gu put it: "A protocol can pass a flawless code audit and still lose millions because of a compromised admin key."

DYAX Investor Sentiment

Bullish (Long) 64% · Bearish (Short) 36%

308 participants

Related News

원문 보기 — FORBES