Crypto hacks 2026: 1.3 billion dollars gone, and the weakest link is no longer the code
The half-year security ledger is in, and the headline reading on crypto hacks 2026 is deceptively cheerful. CertiK's Hack3D report counts 1,315,676,432 dollars stolen across 344 on-chain incidents in the first six months, a 46.8 per cent drop from the same period last year.

The half-year security ledger is in, and the headline reading on crypto hacks 2026 is deceptively cheerful. CertiK’s Hack3D report counts 1,315,676,432 dollars stolen across 344 on-chain incidents in the first six months, a 46.8 per cent drop from the same period last year. TRM Labs, using its own methodology, records the busiest six months for incident volume on record while total losses fell below a billion dollars. Progress, apparently. The fine print says otherwise.
Almost all of 2025’s higher total came from a single event, the 1.45 billion dollar Bybit theft in February of that year. Strip that out and last year’s comparable figure falls to about 1.03 billion dollars, which puts 2026 roughly 28 per cent higher on a like-for-like basis. Incident counts rose too, with 194 in the second quarter against 145 a year earlier. Fewer catastrophes, more burglaries.
The distribution of losses tells the sharper story. Two April incidents, the KelpDAO exploit at roughly 291 million dollars and the Drift Protocol breach at about 285 million, together account for nearly 44 per cent of everything stolen in the half. Neither touched a line of audited smart contract code. Both, according to TRM Labs, trace to North Korea-linked groups, which the firm assesses took approximately 643 million dollars overall, about two-thirds of all funds stolen in the period.
That is the structural shift defining crypto hacks 2026: the weakest link has migrated from code to keys and people. CertiK chief executive Ronghui Gu has made the point explicitly, and practitioners describe the same pattern from the trenches: stolen developer credentials, compromised deployment keys and pilfered API access producing off-chain intrusions that end in on-chain losses. Smart contract exploits still drive the incident count, but they now account for a small share of the money. The industry spent five years auditing its Solidity and rather less time auditing its laptops.
June offered the pattern in miniature. PeckShield tallied 75.87 million dollars lost across 40 attacks, down about seven per cent from May. The month’s largest, a breach of Humanity Protocol exceeding 30 million dollars, began with private keys backed up to a developer machine infected with malware, with tooling consistent with North Korean groups and proceeds laundered across Bitcoin, Solana, BNB Chain and Hyperliquid, commingled with funds from the KelpDAO attacker. Elsewhere, Syscoin’s bridge lost 10 million dollars to unauthorised token minting, a prominent MEV bot lost 7.5 million, and users of two long-deprecated Aztec products lost a combined four million from systems nobody maintained.
Recovery statistics complete the sobering picture. Of the largest incidents this half, researchers report only one project fully recovered its assets, two others froze just over 74 million dollars between them, and more than 620 million remains effectively gone. Attribution improves every year; restitution does not.
The lesson for anyone holding or building is uncomfortable precisely because it is unglamorous. The frontier of crypto hacks 2026 is operational security: hardware-isolated keys, signing hygiene, vetted dependencies and the assumption that any developer laptop is a target of state-level interest. Full reports are available from CertiK and TRM Labs. The code, for once, is mostly fine. The humans need patching.
Retail users were not spared the half’s ingenuity either. Polymarket users lost around three million dollars to a phishing campaign that injected a malicious script through a third-party provider, a compromise no individual vigilance could realistically have caught, while the twin Aztec incidents drained products deprecated years earlier and controlled by nobody. The unfashionable advice writes itself: treat abandoned protocols as radioactive, withdraw from anything unmaintained, and assume that any interface, however familiar, can be turned against its users upstream. Attackers have stopped waiting for mistakes in new code and started harvesting the industry’s accumulated neglect.


