H1 2026 Crypto Hacks Reach Record High as Losses Fall Below USD 1 Billion
Key takeaways
- Over the last six months, attackers carried out 207 separate hacks, the highest number TRM has recorded in any six month period. Despite the increase in incidents, total losses reached USD 972 million, less than half of the USD 2.3 billion stolen during the first half of 2025.
- The typical hack now results in losses of about USD 219,000. Much of the increase has come from smart contract exploits targeting DeFi protocols, decentralized exchanges, and token projects.
- Two North Korea-linked thefts in April involving Drift and KelpDAO accounted for approximately USD 577 million. At the same time, infrastructure and operational compromises represented only about 15 percent of incidents but accounted for roughly 76 percent of total losses, far exceeding the impact of the more than 100 smaller smart contract exploits.
- The data points to two distinct threat patterns. One is a small number of large scale infrastructure compromises that drive the majority of financial losses. The other is a steady and growing stream of smaller smart contract exploits that continue to increase the overall number of incidents. The conditions that produced the record losses in 2025 remain in place, suggesting both threats will continue to shape the ecosystem.
{{horizontal-line}}
TRM analysis of H1 2026 hack and exploit data shows a growing gap between the number of hacks and the amount stolen. Attackers carried out 207 separate hacks but stole USD 972 million, less than half of the USD 2.3 billion stolen during the first half of 2025. The total number of hacks more than doubled from the 83 incidents recorded during the same period last year.
Q2 2026 set a new record with 123 incidents, following a record setting first quarter. The increase was consistent throughout the first half of the year rather than driven by a single month. Most attacks were smart contract exploits, which accounted for 125 of the 207 incidents. These attacks increasingly combine multiple smart contract manipulations into a single exploit rather than relying on a single coding flaw. Most stolen funds continued to come from financial services and crypto native platforms.



More hacks did not mean more money
The first half of 2026 saw more crypto hacks than any previous six month period, but those attacks resulted in significantly lower losses. Smart contract exploits drove most of the increase in incidents, yet they accounted for only a small share of the money stolen. Instead, losses were concentrated in April, when two large North Korea linked attacks against Drift Protocol and KelpDAO accounted for the majority of funds stolen during the half.
The number of incidents continues to rise because the attack surface continues to expand. Thousands of DeFi protocols, tokens, and smart contracts create more opportunities for attackers to exploit vulnerabilities at scale. The decline in total losses reflects the absence of a theft on the scale of 2025's largest attacks rather than a reduction in overall risk.
State-sponsored theft continues to drive the largest losses
TRM assesses that approximately USD 643 million, or about 66% of all funds stolen during H1 2026, is attributable to North Korea linked activity. While that is down from roughly USD 1.7 billion during the first half of 2025, North Korea remained by far the largest source of stolen value.
Nearly all of those losses came from two April operations. The Drift Protocol breach resulted in approximately USD 285 million in losses, while the KelpDAO exploit accounted for approximately USD 292 million. Together, the two attacks totaled roughly USD 577 million. Earlier this year, TRM assessed that these incidents represented 71% of all crypto hack losses through April. By the end of June, that share declined to about 66% as additional non-state incidents accumulated while North Korea's total remained largely unchanged.
North Korea's activity has not slowed. The difference is that the rest of the ecosystem experienced fewer large scale thefts than in 2025. A single successful operation against a major target can still outweigh months of losses from every other attacker combined. TRM assesses these incidents as state directed financial operations involving sophisticated infrastructure compromises rather than opportunistic smart contract exploits.
It is also important to note that these figures include only hacks and exploits. North Korea continues to generate cryptocurrency through other illicit activity, including phishing campaigns, social engineering, fraud, scams, and covert IT worker operations. As a result, the USD 643 million reflected here represents only one portion of its overall crypto revenue.
Infrastructure compromise drove the largest losses
Looking at attack methods reveals a clear divide between what drives incidents and what drives losses.
Infrastructure and operational compromises accounted for approximately 76% of all funds stolen, despite representing only about 15% of incidents. These attacks targeted the systems, credentials, and signing infrastructure that control assets rather than vulnerabilities in on chain code. The two large North Korea linked attacks accounted for most of these losses.
Smart contract exploits told the opposite story. They represented the majority of incidents but only a small share of total losses. The remaining losses came from a handful of other attack types, including a USD 24 million physical coercion, or "wrench," attack.
Prioritize infrastructure security and prepare for large-scale events
The first half of 2026 highlights several priorities for security teams.
Organizations should continue investing in smart contract audits because code exploits remain the most common attack. At the same time, greater attention should be given to the controls that protect large transfers, including key management, signing infrastructure, approval workflows, and custody. Those systems now represent the greatest source of catastrophic losses.
Incident response planning, insurance coverage, and treasury reserves should also be designed around the possibility of a major infrastructure compromise rather than an average loss. A single successful attack continues to define annual losses across the industry.
Finally, the decline in total dollars stolen should not be mistaken for a safer environment. The lower total reflects the absence of another record setting theft, not a reduction in attacker capability.
Where security and compliance teams should focus
Protocols and treasuries holding value
Organizations responsible for safeguarding digital assets should prioritize the controls that protect funds in practice, including hardware backed signing, strong key management, and multi party approval for large transfers. Smart contract audits remain essential, but infrastructure security deserves equal attention. When incidents occur, TRM's Incident Response team supports customers from the initial tracing of stolen funds through coordination with exchanges and law enforcement.
Exchanges and financial institutions
The laundering patterns behind the largest thefts are now well understood. Stolen assets typically move through cross chain bridges and no KYC swap services before reaching exchanges. Detecting these funds requires more than first hop screening. Institutions need multi hop transaction monitoring that follows assets across the entire laundering path.
TRM Wallet Screening and Transaction Monitoring continuously expand coverage as new attacker addresses are identified, allowing organizations to detect funds even after attribution is established.
Both of the half's largest thefts targeted DeFi protocols. That is why the Beacon Network has become increasingly important. Its more than 70 members, including leading exchanges and DeFi protocols, can rapidly share attacker wallet information, reducing response times from days to minutes once malicious addresses are identified.
For a broader view of the trends shaping illicit crypto activity, see TRM's 2026 Crypto Crime Report.
Outlook
The first half of 2026 demonstrates that crypto security has entered a new phase. Large infrastructure compromises continue to drive the industry's biggest financial losses, while a growing number of smaller smart contract exploits are pushing incident counts to record levels. Organizations that prepare for both threats, strengthening infrastructure while continuing to improve application security, will be best positioned as the digital asset ecosystem continues to grow.
{{horizontal-line}}
Frequently asked questions (FAQs)
1. How much was stolen in crypto hacks and exploits in H1 2026?
TRM's dataset records approximately USD 972 million stolen across 207 incidents in the first half of 2026 — less than half the roughly USD 2.3 billion lost in H1 2025.
2. Did crypto hacks go up or down compared to last year?
Both, depending on the measure. Total dollars stolen fell by more than half year over year, but the number of incidents more than doubled, from 83 in H1 2025 to 207 in H1 2026. Losses concentrated; activity dispersed.
3. How much did North Korea–linked actors steal in H1 2026?
TRM assesses approximately USD 643 million in H1 2026 losses as attributable to North Korea–linked activity — about 66% of the half-year total. That is well below the roughly USD 1.7 billion attributed in H1 2025, but North Korea remained the single largest source of stolen value in both halves.
5. What was the largest crypto hack of H1 2026?
The KelpDAO exploit in April, at approximately USD 292 million, was the single largest incident — just under 30% of all funds stolen in the half on its own.
6. Why is the average hack so much bigger than the typical one?
Because a few enormous incidents pull the average upward. The median hack cost about USD 219,000, while the mean was USD 4.7 million — more than twenty times higher. The mean reflects outliers; the median better represents the everyday threat.
7. Which attack methods caused the most damage?
By dollars, infrastructure and operational compromise — chiefly private-key and seed-phrase theft — dominated at about 76% of losses despite being only about 15% of incidents.




















