Crypto Hacks Hit Record 207 Incidents in H1 2026, Losses Below $1B

Share

The crypto industry lost roughly $972 million across 207 hack incidents in H1 2026, an unprecedented attack volume that nonetheless came in well below the $2.3 billion stolen during the same period in 2025. The split between rising frequency and shrinking aggregate damage sketches a threat landscape where defensive maturity is advancing faster than adversaries can disrupt it.

🔑 Key Takeaways

  • 207 hacks recorded in H1 2026, an all-time high for a six-month window
  • $972M in cumulative losses, down 58% from H1 2025
  • Median loss per exploit down 75% from the 2022 peak
  • Two incidents (Drift Protocol and KelpDAO) account for 59% of the total
  • Immunefi paid $13.45M to 837 researchers, preventing an estimated $25B in losses

Defensive Maturity: Security Investments Pay Off

The contrast between a rising incident count and shrinking aggregate losses is no coincidence. According to Immunefi’s June 2026 Ecosystem Update, several structural factors accumulated since 2022 explain the contraction: the spread of formal bug bounty programs, competitive audit regimes, continuous security coverage, and a growing base of independent researchers.

DeFi (decentralized finance) exploit losses have fallen 74% from the 2022 peak of $2.62 billion to $680.3 million in H1 2026, while the median loss per exploit is down 75% over the same stretch. Both metrics suggest the security improvements are not merely a byproduct of a smaller overall market but reflect genuine hardening of protocol-level defenses.

The scale of that ecosystem is striking. Immunefi counts more than 92,000 registered researchers protecting over $180 billion in assets across more than 650 protocols. The platform crossed $140 million in lifetime researcher payouts in June 2026, a figure the firm describes as the largest total in the security researcher market. In H1 alone, 837 researchers received roughly $13.45 million for valid bug submissions, work that prevented an estimated $25 billion in potential losses.

« Crypto security is adversarial, and it never stops evolving. The honest read on the numbers is simple: the industry is learning. »

Mitchell Amador, CEO of Immunefi

The Bug Bounty Economic Model

The ratio between losses avoided and security spending illustrates the extraordinary leverage of proactive programs. For every $1 paid in bounties, roughly $72 in losses were avoided in H1 2026, according to Immunefi data. That return on investment explains the steady adoption of formal bounty programs by DeFi protocols and the migration from one-off audits toward continuous monitoring arrangements with multiple security firms.

The Bug Bounty Council and similar industry bodies have advocated for standardized disclosure frameworks and minimum payout thresholds, gradually professionalizing a market that now competes on price, turnaround time, and researcher depth. Several jurisdictions are meanwhile exploring legal safe harbors for good-faith security researchers, a development that could expand the pool of participants in coordinated disclosure programs.

Risk Migrates to the Infrastructure Layer

The shift in attacker tactics corroborates the maturation thesis. Bridge exploits and flash-loan attacks (instant, uncollateralized borrows used to manipulate prices), which dominated the 2021-2022 threat landscape, have largely receded. Immunefi’s report describes a structural migration toward operational and infrastructure layers: private key compromises, cross-chain configuration errors, weaknesses in privileged access controls.

TRM Labs’ parallel analysis confirms the asymmetry with particular clarity:

Incident CategoryShare of IncidentsShare of Losses
Smart contract exploits~85% (125 cases)~24%
Infrastructure/operational compromises15%76%

A handful of well-executed attacks on the operational layer therefore caused more financial damage than the aggregate of hundreds of smaller protocol-level incidents. One particularly salient data point: a single physical coercion incident, often called a wrench attack in security circles, added roughly $24 million to H1 totals, a reminder that the attack surface extends beyond the digital realm to the physical security of key holders.

North Korea Still Dominates, but Concentration Eases

State-aligned threat actors, primarily the Lazarus Group cluster attributed by the FBI, remained the single largest source of crypto losses in H1 2026. TRM Labs linked North Korean groups to roughly $643 million, or 66% of the half-year total. Daunting in absolute terms, the figure nonetheless marks a decline from the 74% concentration observed in H1 2025, suggesting that address-blocking and compliance efforts are producing a marginal effect.

Two April incidents dominated the loss figures and were both attributed to Pyongyang-linked actors. The Drift Protocol breach resulted in roughly $285 million stolen, while the KelpDAO exploit led to approximately $292 million in losses. Together, these two events account for nearly 59% of all funds taken in H1 2026. TRM Labs assessed both as sophisticated, state-directed operations relying on infrastructure compromises rather than opportunistic code flaws.

The absence of any single theft on the scale of the February 2025 Bybit attack, which accounted for roughly $1.5 billion in a single day and a large portion of the $3.4 billion Chainalysis recorded for the full year, mechanically pulled aggregate figures down. The withdrawal of that kind of extreme event dragged the headline lower even as the incident count kept climbing.

Regulatory and Compliance Pressure Mounts

The H1 2026 data feeds into several ongoing regulatory files. The persistence of North Korean-linked losses, combined with the concentration of damage in cross-chain and infrastructure incidents, has reinforced calls for stricter KYC (Know Your Customer) standards at centralized exchanges and OTC desks (over-the-counter trading desks).

FinCEN (the U.S. Financial Crimes Enforcement Network) and OFAC (the Office of Foreign Assets Control) have both signaled heightened scrutiny of mixing services (tools that obscure the on-chain trail of funds) and cross-chain bridges, viewed as potential money-laundering vectors.

For institutional participants, the data validates the risk management approaches that have gained traction since 2022: cold storage (offline custody) as the default for long-term holdings, multi-signature authorization for significant transfers, robust insurance coverage for custodial positions, and continuous monitoring of wallet address reputation databases. The disproportionate share of infrastructure-layer failures has also prompted institutional custodians to reassess physical security and insider-threat programs.


An Ambivalent Snapshot Heading Into H2

Both Immunefi and TRM Labs caution against reading the decline in aggregate losses as a signal that risk is diminishing. The expanding ecosystem of DeFi protocols, liquid staking platforms (where staked assets remain tradable), and cross-chain infrastructure has broadened the attack surface, enabling more frequent but generally smaller exploits. The median loss per hack, around $219,000, remains material for the protocols and users affected.

« Hundreds of millions of dollars in annual losses remain unacceptable, even as the broader trend improves. »

Mitchell Amador, CEO of Immunefi

H1 2026 captures a threat environment in rapid evolution: record attack volume alongside moderating aggregate damage. Whether that moderation holds through the second half will depend on whether defensive investments continue to scale at the pace required to stay ahead of adversaries who have repeatedly demonstrated their ability to adapt tactics, infrastructure, and targets in response to every new barrier the industry erects.

Sources

This article is published for informational and educational purposes. It does not constitute investment advice. Do your own research (DYOR) before making any decision.

Telemac
Telemachttp://cryptoinfo.ch
Passionné de nouvelles technologies, j’explore l’univers de la blockchain et des cryptomonnaies pour partager l’actualité et les innovations du secteur.

Lire la Suite

Articles