207 crypto hacks were recorded in H1 2026 as total stolen funds drop by 57% to $972 million

Blessed Frank
Crypto hacks surge to 207 in H1 2026 as total stolen funds drop by 57% to $972 million

The crypto industry’s security record for the first half of 2026 tells two very different stories. On the surface, things appear to be improving. Hackers stole approximately $972 million between January and June, according to TRM Labs, which is less than half the $2.3 billion lost during the same period in 2025.

Look a little closer, however, and the picture changes dramatically. While the industry’s financial losses fell sharply, the number of successful attacks surged to an unprecedented level. TRM Labs recorded 207 hacks and exploits in the first six months of 2026, more than double the 83 incidents reported in the same period a year earlier and the highest number recorded in six months. The momentum accelerated in the second quarter alone, which saw a record-breaking 123 incidents after an already historic first quarter.

Put the two numbers side by side, and a blunter truth emerges: the crypto industry didn’t get safer in 2026. It simply avoided a repeat of the single catastrophic event, the $1.5 billion Bybit hack, that inflated 2025’s total almost single-handedly. Strip that one incident out of last year’s ledger, and the year-on-year “improvement” looks far less convincing.

“The numbers tell two very different stories at once,” said Ari Redbord, Global Head of Policy and Government Affairs at TRM Labs. “We recorded more crypto hacks in the first six months of 2026 than in any prior half-year period on record, but total losses fell sharply, almost entirely because North Korea did not execute another operation on the scale of last year’s $1.5 billion Bybit hack. The underlying threat has not diminished. In fact, it has gotten more sophisticated and more dangerous.”

Q1: A quiet start built on phishing, not code

At the onset, the year didn’t look like it would end in a record. Data from blockchain security firm Hacken’s Q1 2026 Blockchain Security & Compliance Report put Q1 losses at $482.6 million across 44 incidents, a comparatively modest start and one driven overwhelmingly by human error rather than broken smart contracts. Phishing and social engineering alone accounted for $306 million of that figure, nearly two-thirds of the quarter’s damage, with a single hardware-wallet social engineering scam in January being responsible for $282 million of it after a victim handed over recovery credentials during a fake IT-support call.

Smart contract exploits, by contrast, contributed just $86.2 million in Q1, even as such exploits surged 213% year-on-year in raw incident count. Hacken’s analysts flagged this as the defining shift of the quarter. Attackers were increasingly bypassing well-audited code entirely and going after the people and processes around it, employees, recovery flows, and cloud credentials, rather than the contracts themselves.

For a few weeks, that looked like good news. Then April happened.

April: the month that broke the curve

If H1 2026 has a villain chapter, it is April. In under three weeks, the sector absorbed what independent trackers describe as its worst month on record, a wave of exploits that dwarfed the entirety of Q1. Figures vary slightly by tracker (CryptoRank puts April losses at roughly $631 million; others closer to $650 million), but the shape of the damage is consistent everywhere: two attacks did almost all of it.

Drift Protocol ($285 million, April 1): Solana’s leading perpetual futures exchange was compromised after North Korean operatives spent months socially engineering employees to bypass multi-signature controls, rather than exploiting a code flaw.

KelpDAO ($292 million, April 18): Attackers compromised a single-verifier configuration on KelpDAO’s rsETH cross-chain bridge, minting counterfeit collateral that was then pledged on lending markets.

May and June: quieter, but not calm

Losses fell off a cliff after April, but quieter in crypto security terms in 2026 still meant tens of millions of dollars a month and dozens of incidents.

Crypto hacks surge to 207 in H1 2026 as total stolen funds drop by 57% to $972 million
A hacker in a hoodie and cryptocurrency concept on a dark background. (Image Credit – Dream Time)

May recorded $68.3 million with no single mega-hack but a genuine shift in attack type, according to data from CertiK-linked. For the first time, compromised keys and accounts, not smart contract bugs, became the leading cause of DeFi incidents by count. Notable May cases included the Echo Protocol exploit on Monad (roughly $77 million via a compromised admin key), a Verus–Ethereum bridge drain ($3.44 million), a fast-moving TrustedVolumes liquidity provider hit ($5.87 million), and a StablR stablecoin depeg event.

June losses came in at roughly $75.87 million across 40 incidents, per PeckShield, a modest 7% decline from May. The month’s headline case was Humanity Protocol, which lost around $31–36 million after a developer’s malware-infected laptop exposed private keys tied to its bridge infrastructure; investigators at Quantstamp said the attacker’s tooling resembled patterns associated with North Korean hacking groups, and on-chain sleuths later found the stolen funds commingled with proceeds from the KelpDAO exploit, raising the possibility of overlapping threat actors.

The North Korea factor

Strip away the noise of 207 individual incidents, and one actor towers over the entire half-year. TRM Labs attributes roughly $643 million, about 66% of all H1 2026 losses, to North Korea-linked hackers, primarily the Lazarus Group and its TraderTraitor subgroup, driven almost entirely by the Drift and KelpDAO attacks in April. That is well below the roughly $1.7 billion North Korea stole in H1 2025, but Pyongyang-linked actors remain, by a wide margin, the single largest source of stolen crypto value on the planet, a position Chainalysis’s 2026 Crypto Crime Report says has held for years, with cumulative DPRK-linked theft since 2017 now estimated at above $6 billion.

TRM was careful to note that hacking is only one revenue stream. North Korea continues to generate crypto income through phishing, fraudulent IT-worker placements at Western tech and crypto firms, and outright scams, meaning the $643 million figure captures just one slice of the regime’s total illicit crypto earnings, some of which have links to funding its weapons programmes.

“What I find most concerning is how concentrated these losses are in infrastructure failures,” Redbord said. “Three-quarters of all stolen value came from compromises of keys, custody systems, and signing infrastructure, not from smart contract bugs. The industry has improved at auditing code, but our operational security has not kept pace with our on-chain complexity.”

That statistic is the single most important number to come out of H1 2026. Infrastructure and operational compromises, attacks on private keys, custody systems and signing processes rather than on-chain code accounted for just 15% of all incidents, but 76% of all money lost. Smart contract exploits, meanwhile, hit a record 125 incidents (60% of the half-year’s total attack count) yet contributed only about 17% of stolen value, as attackers increasingly stack multiple small contract manipulations into a single exploit rather than relying on one dramatic bug.

“While operational security is critical, it is equally important to target the illicit actors behind these attacks,” Redbord added. “We must use every national security tool, to include offensive cyber, information sharing for interdiction and disruption, and leveraging AI and other technology to go after North Korea.”

Overall, the 57% decline in the total amount stolen in the first half of the year is not necessarily a reassurance that the ecosystem has got it right. Judging by the sheer volume of attacks, the catalysts that produced 2025’s record year are still fully in place heading into the second half of the year. The industry must continue to be vigilant and proactive and work overtime to keep the bad actors at bay.


Technext Newsletter

Get the best of Africa’s daily tech to your inbox – first thing every morning.
Join the community now!

Register for Technext Coinference 2023, the Largest blockchain and DeFi Gathering in Africa.

Technext Newsletter

Get the best of Africa’s daily tech to your inbox – first thing every morning.
Join the community now!