SolutionsProductsAuditsBlogContactRequest an Audit
BlogH1 2026: Record Attacks. $972M Gone. Don't Call It Progress.
H1 2026: Record Attacks. $972M Gone. Don't Call It Progress.
featured9 min readJuly 08, 2026
0xTeam Author
Share

H1 2026: Record Attacks. $972M Gone. Don't Call It Progress.

A record 207 crypto hacks hit in H1 2026, yet losses fell to $972M — less than half of H1 2025. The lower dollar figure isn't a safer ecosystem. It's attackers diversifying: more incidents, bigger key compromises, and AI-scaled operations.

The numbers look better. They are not.

In the first half of 2026, attackers carried out 207 separate crypto hacks — a record for any six-month window — yet total losses came in at $972 million, less than half the $2.3 billion stolen during the same period in 2025. Security teams across the industry have been quietly breathing easier. They shouldn't.

The lower dollar figure does not mean a safer ecosystem. It means attackers are diversifying their playbook.

The Numbers

MetricH1 2026H1 2025
Total incidents20783
Total losses~$972M~$2.3B
Largest single hackDrift Protocol $295MBybit $1.47B
NK attribution~$643M (66%)~$1.7B (74%)
Smart contract hacks125 incidents (60%)
Funds unrecovered$620M+

The incident count more than doubled year-over-year. Q2 alone logged 123 attacks — a new quarterly record. The frequency is rising because the attack surface is rising: thousands of new DeFi protocols, tokens, and smart contracts each cycle means more entry points for adversaries operating at scale.

Top 5 Hacks of H1 2026

#1 — Drift Protocol | ~$285–295M | April 1, 2026 | Solana

Attack type: Admin key / governance compromise

The largest single crypto hack of H1 2026. Attackers seized an administrative key on Drift Protocol, Solana's leading decentralised perpetuals exchange, and drained its vaults in a single operation. Roughly $155M in JLP tokens, SOL, and stablecoins were funnelled to a suspicious wallet, swapped to USDC, bridged to Ethereum, and partially converted to ETH — all within hours. The exploit wiped over 50% of Drift's TVL. No smart contract bug. A governance and multisig failure. $230M in USDC moved freely before Circle intervened.

#2 — KelpDAO | ~$292M | April 2026 | Ethereum / Arbitrum

Attack type: Bridge compromise / fake collateral

The attacker stole 116,500 rsETH from KelpDAO's LayerZero bridge, deposited the tokens into Aave V3 as collateral, and borrowed ~82,600 ETH against them. rsETH lost its backing almost immediately. The positions became impossible to liquidate, leaving Aave facing a $200–280M debt gap. DeFi TVL on Aave fell from $26.4B to $20.1B in a single day. MEXC pulled $431M, Abraxas Capital pulled $392M, Justin Sun moved ~65,584 ETH. Aave pools hit 100% utilisation, blocking depositors from withdrawing. KelpDAO paused contracts within 46 minutes — too late. Arbitrum's Security Council froze ~30,000 ETH. Most remained unrecovered.

#3 — Humanity Protocol | ~$36M | June 8–9, 2026 | Ethereum / BNB Chain

Attack type: Phishing → malware → private key theft

A palm-scan-based identity protocol backed by $50M in VC funding, hacked not through its tech but through an employee's laptop. An attacker sent a phishing email impersonating Bithumb, installed malware signed with a South Korean Hancom certificate, and stole MetaMask credentials and private keys from a director's device. With three of six Gnosis Safe owner keys in hand — all stored on the same laptop — the attacker upgraded the Hyperlane bridge to a malicious contract on Ethereum, drained ~141M H tokens, then seized ProxyAdmin control on BNB Chain and minted an additional 100M H tokens. H token collapsed 80–90% within hours. Total impact: ~447M H tokens stolen or unauthorisedly minted. Root cause: a multisig that lived on one laptop.

#4 — Step Finance | ~$27–30M | January 31, 2026 | Solana

Attack type: Private key compromise via device exploit

Step Finance, a leading Solana analytics platform, had an executive's device compromised — likely via phishing or social engineering — giving attackers access to the protocol's multisig signing infrastructure. They unstaked and transferred ~261,854 SOL ($27–30M) out of the treasury. Not a smart contract bug. A key management failure. The team clawed back ~$4.7M via Token22/Remora tools. The rest was swapped and moved to unknown addresses. Services were shut down abruptly. Same pattern as Drift. Same root cause: keys held by humans, accessed via humans.

#5 — Rhea Finance | ~$18.4M | April 16, 2026 | NEAR Protocol

Attack type: Smart contract logic flaw + oracle manipulation

Two days of preparation. 423 fake wallets. 123 fake token contracts. The attacker built the entire infrastructure before a single dollar moved. Rhea Finance's margin trading feature had a slippage protection flaw: it summed expected outputs across sequential swap steps but failed to verify what actually came back. The attacker exploited this to count the same token value twice — borrowing funds that were immediately funnelled into their own fake pools, triggering forced liquidations that drained the reserve. ~$9M was recovered or frozen (including $3.29M USDT frozen by Tether). ~$4M in ZEC entered Zcash shielded pools and is effectively gone. Rhea held 95% of NEAR's DeFi TVL at the time of the exploit.

Two Attacks Did Most of the Damage

North Korea-linked groups were responsible for approximately $643 million — 66% of all stolen funds in H1. Down from 74% last year, but dominant by any measure. Drift and KelpDAO alone accounted for 59–66% of all H1 losses — both sophisticated, state-directed infrastructure operations, not opportunistic smart contract exploits.

The scale of the damage prompted a joint meeting between US, Japanese, and South Korean authorities to coordinate responses. Officials confirmed that North Korean IT workers are now using AI to scale the speed and sophistication of their operations.

Volume vs. Value — Two Different Stories

By incident count, smart contract exploits led — 125 of 207 hacks, or 60%. Mostly smaller, opportunistic, and increasingly multi-step: attackers chaining multiple contract manipulations into a single exploit rather than relying on one flaw.

By dollar value, infrastructure and private key compromises dominated. Just 15% of incidents, but responsible for roughly 76% of total funds stolen. The math is unambiguous: operational failures are more expensive than code failures.

The breakdown by vector:

  • Wallet/key compromises — $444.5M across 33 incidents. Most expensive vector in H1.
  • Phishing — $366.3M across 63 incidents. Fewer attacks than last year, nearly the same dollar damage. Attackers targeting fewer, higher-value victims.
  • Code vulnerabilities — $151.6M across 204 incidents. Most frequent. Least costly per event.

Oracle Manipulation — The Underreported Risk

Blend Pools V2, Aave V3, Sharwa Finance, Edel, Rhea Finance, and Ploutos Money all suffered losses tied to corrupted or manipulated price feeds — including projects that had passed security audits. Wrong price data lets attackers inflate collateral, drain liquidity, and exit before the protocol reacts.

An audited contract sitting on a manipulable oracle is not a secure protocol.

Where Losses Hit

Ethereum was the most-targeted chain — 153 incidents, approximately $522.8M in losses. The deepest liquidity is always the deepest target.

Monthly breakdown: May recorded the highest incident count (41 hacks), followed by June (36) and April (34). April was the most financially destructive month — driven by the two state-backed operations.

Of the largest hacks, only one project fully recovered its stolen assets. Two others managed to freeze approximately $74M combined. More than $620M remains effectively unrecovered.

AI-Powered Scams: The Vector No One Is Auditing

AI-assisted scams now generate approximately 4.5x more revenue than traditional scams (Chainalysis 2026 Crypto Crime Report). Attackers are using AI-generated video and voice to bypass KYC, impersonate executives to approve large transfers, and run 24/7 personalized phishing campaigns at scale.

This is not a smart contract problem. It is an identity and operations problem — and it is scaling faster than defences are.

What H2 Looks Like

A lower loss total against a record incident count is not a recovery. It is an adaptation. Attackers are spreading across a larger surface, improving operational sophistication, and reserving state-backed infrastructure breaches for the biggest paydays.

Private key management and multisig wallet governance are now the most consequential security surface in the ecosystem. Hardware security modules, geographically distributed signers, multisig governance — this is where the asymmetric security returns are.

Smart contract audits remain necessary. They are no longer sufficient. Infrastructure hardening, oracle integrity, key governance, and social engineering defences now sit alongside code review as non-negotiable layers. Protocols that treat a passed audit as a security posture will keep getting surprised.

The 0xTeam Read

207 hacks. $972M gone. Record incident count. The headline number dropped — the threat did not.

H2 2026 will tell us whether the frequency trend holds. Given the expanding attack surface and confirmed nation-state actors now running AI-enhanced operations, we expect it to.

++
Worried? Get your security audit done today.

Don't launch vulnerable code. Our team will review your smart contracts and deliver a full audit report within 48 hours.

Request Audit
© 0xTeam space 2026. All rights reserved.