
H1 2026 vs H1 2025: The Numbers Dropped. The Threat Did Not.
H1 2026 losses fell 58% to $972M — but strip out Bybit from 2025 and Drift + KelpDAO from 2026 and both halves produced ~$600–700M, with 2026 spreading that loss across 2.5x more incidents. A side-by-side breakdown of what actually changed.
Every year, the industry publishes a mid-year report. Every year, the industry reads it wrong.
H1 2026 headlines read: losses down 58%, ecosystem recovering. H1 2025 headlines read: losses up 66%, worst half-year on record. Both readings miss what the data actually says. Here's the side-by-side.
The Top Line
| Metric | H1 2026 | H1 2025 | Change |
|---|---|---|---|
| Total losses | ~$972M | ~$2.1–2.47B | down ~58% |
| Total incidents | 207 | 83 | up 150%+ |
| Largest single hack | Drift — $295M | Bybit — $1.47B | down 80% |
| North Korea share | ~$643M (66%) | ~$1.6–1.7B (74%) | down in % share |
| Avg loss/incident | ~$4.7M | ~$28–30M | down sharply |
| Funds unrecovered | $620M+ | $2.29B+ net | both bad |
The drop in total losses looks significant. It is almost entirely explained by one event: the Bybit hack in February 2025 — the largest crypto theft in history at $1.47B. Strip that out and H1 2025 losses were approximately $690M to $1B — roughly in line with H1 2026.
What Actually Drove Each Half
H1 2025 — Two Events, 72% of Losses
H1 2025 was defined by concentration. Two incidents — Bybit ($1.47B) and Cetus Protocol ($225M) — accounted for approximately 72% of all losses. Remove both and the rest of the ecosystem was producing roughly $690M in losses across 342 incidents.
The Bybit attack was not a smart contract exploit. Lazarus Group compromised a Safe{Wallet} signer, bypassed multi-sig governance, and drained staked ETH before the transaction was flagged. An infrastructure and operational security failure at scale.
Wallet compromise dominated by dollar value — $1.7B across just 34 incidents — while phishing led by frequency — $410M across 132 incidents. Ethereum was the most-targeted chain: 175 incidents, $1.63B in losses.
H1 2026 — Record Volume, Distributed Damage
H1 2026 flipped the script on frequency. Incident count more than doubled — from 83 to 207. More attacks, across more protocols, at lower average value per hit.
Two April operations by North Korea-linked groups — Drift Protocol (~$285–295M) and KelpDAO (~$292M) — accounted for ~66% of all H1 2026 losses. Both were infrastructure compromises, not contract bugs. The KelpDAO attacker deposited fake tokens into Aave, borrowed $190M in legitimate assets, and triggered a bank run that drove $55B in DeFi capital outflows and pushed DeFi TVL to a two-year low.
Smart contract exploits made up 60% of all incidents but only a fraction of total value stolen. Infrastructure failures were just 15% of events but 76% of dollar losses.
Attack Vector Shift: What Changed
| Vector | H1 2025 | H1 2026 | Trend |
|---|---|---|---|
| Wallet/key compromise | $1.7B, 34 incidents | $444.5M, 33 incidents | down in value, same vol |
| Phishing | $410M, 132 incidents | $366.3M, 63 incidents | down freq, similar $ |
| Code vulnerabilities | $283M, 114 incidents | $151.6M, 204 incidents | up freq, down value |
| Infrastructure | Dominated by Bybit | Drift + KelpDAO | Persistent, state-backed |
Three things stand out:
- Phishing got more efficient. Fewer incidents in H1 2026, nearly the same dollar damage. Attackers targeting fewer, higher-value victims — less spray, more precision.
- Smart contract exploits scaled in frequency, not value. More protocols, more tokens, more attack surface. But each hit is smaller. Attackers are using contracts as entry points, not end goals.
- Infrastructure failures remain the category that matters most. In both halves, the headline losses came from private key compromise and operational failures — not code. An audited contract on compromised infrastructure is not a secured protocol.
North Korea: Smaller Share, Same Dominance
| Metric | H1 2025 | H1 2026 |
|---|---|---|
| Attributed losses | ~$1.6–1.7B | ~$643M |
| Share of total stolen | ~74–80% | ~66% |
| Operations | Bybit, others | Drift, KelpDAO |
The absolute dollar take dropped — but only because Bybit was an outlier even by their standards. Share of total stolen remained dominant at 66%.
The Drift and KelpDAO operations triggered formal diplomatic coordination between the US, Japan, and South Korea. Officials confirmed North Korean IT workers are now using AI to increase the speed and scale of operations — a capability upgrade that will not recede.
Since 2017, North Korea-linked groups have stolen an estimated $6B+ in crypto assets. This is not opportunistic crime. It is geopolitical infrastructure attack.
DeFi: The Consistent Target
In both halves, DeFi absorbed the most damage by incident count.
H1 2025: DeFi accounted for 76% of all incidents. CEX platforms saw only 11 incidents but $1.88B in losses — concentrated value attracts catastrophic hits.
H1 2026: The expanding DeFi surface drove the record incident count. Oracle manipulation emerged as a distinct vector — hitting Blend Pools V2, Aave V3, Sharwa Finance, Edel, and Ploutos Money. Projects with passed audits were compromised when price feeds failed.
Recovery: Both Periods, Same Problem
| Metric | H1 2025 | H1 2026 |
|---|---|---|
| Funds frozen/returned | ~$187M | ~$74M frozen (partial) |
| Net unrecovered | $2.29B+ | $620M+ |
| Recovery rate | Lowest since tracking began | One project fully recovered |
Recovery is getting harder. Attackers are using AI-assisted laundering, cross-chain bridges, mixers, and TRON-based stablecoin hops to make funds untraceable within hours. H1 2026 shows no structural improvement.
The AI Threat Layer — In Both Periods
Neither half-year is comparable to what came before on one dimension: AI-powered social engineering.
H1 2025: Deepfake attacks at scale — fake Zoom calls that tricked VC partners into installing malware, KYC bypass via AI-generated identity documents, AI-enabled bribery of CEX support staff. The Coinbase social engineering incident alone resulted in over $100M in user losses.
H1 2026: The capability matured. AI-assisted scams now generate 4.5x more revenue than traditional scams (Chainalysis 2026 Crypto Crime Report). AI bots run 24/7 personalized phishing campaigns, impersonate executives to authorize large transfers, and bypass exchange identity verification at scale.
This vector does not show up in smart contract audit scopes. It requires a different category of defense.
The 0xTeam Read
Comparing H1 2026 to H1 2025 on raw dollar losses is a statistical error. The correct comparison: strip Bybit from 2025, strip Drift + KelpDAO from 2026.
What remains is two ecosystems producing roughly $600–700M in losses each half — with the 2026 ecosystem running that loss rate across 2.5x more incidents. The attack surface is expanding faster than defenses are hardening.
Both periods confirm the same lesson: the most expensive incidents are not contract bugs. They are key management failures, custody compromises, and social engineering — categories that audits alone do not address. A single audit is a point-in-time assessment. A protocol's security posture requires continuous coverage: infrastructure hardening, oracle integrity, operational key governance, and real-time monitoring layered on top of code review.
Don't launch vulnerable code. Our team will review your smart contracts and deliver a full audit report within 48 hours.
Related Posts
Tags
Get Audited
Protect your protocol before attackers do. Request a full smart contract audit from 0xTeam.
Request Audit

