The Operational Security Gap Behind 2026's Web3 Losses
Roughly 200 hack and exploit incidents in the first half of 2026, and about $900M stolen in total. Operational and infrastructure compromises took roughly three-quarters of the money.
In the first half of 2026, the web3 industry recorded roughly 200 hack and exploit incidents, with hack-only losses of approximately $900M. Counting only the larger, well-documented events, the figure is closer to 130. Including social-engineering and phishing theft, the all-in total rises to about $1.1B. The precise number depends on the reporting threshold, so the trackers differ, but the range is broadly consistent across them.
The single largest theft of the period was not a protocol hack at all. In January, one holder lost more than $282M in bitcoin and litecoin to a hardware-wallet social-engineering scam, with the proceeds laundered into Monero. It sits outside the protocol figures above and is counted only in the all-in total.
Among protocol incidents, two dominate the dollar total. Drift Protocol in early April and KelpDAO later that month account for approximately $577M between them, roughly 60% of all protocol hack and exploit losses for the period. Neither was a code bug. Drift followed a sustained social-engineering operation against multisig signers, and KelpDAO followed a compromise of bridge verification infrastructure.
2026 in numbers
[Chart: 2026, month by month. Crypto hack losses and incident count by month.]
April was the worst month by a wide margin at about $647M, almost all of it from Drift and KelpDAO. May saw the most incidents of any month, around 40, for a fraction of the loss. The gap between the month with the most money lost and the month with the most incidents is the year in miniature.
[Chart: The biggest losses of 2026. Top protocol incidents by reported loss; operational and infrastructure compromises in ember, smart-contract and economic exploits in teal.]
Ranked by size, the year is top-heavy. The two April incidents stand apart, and the next tier, in the low tens of millions, mixes operational compromises with a smaller number of smart-contract and economic exploits such as Truebit and Rhea Finance.
The split between volume and value
The more important pattern is the relationship between how often a failure type occurs and how much it costs. In the first quarter of 2026, 28 of 44 recorded incidents were smart-contract exploits, the kind that audits target, yet those incidents produced under a fifth of the quarter’s losses. Phishing, social engineering, and access-control failures, including stolen keys and compromised cloud infrastructure, were the minority of incidents but roughly three-quarters of the dollars lost. The same direction holds across the year to date, with compromised wallets and keys overtaking code vulnerabilities as the dominant source of losses by value.
[Chart: The split between volume and value. Operational and infrastructure compromise against smart-contract code, by share of incidents and share of dollars lost. Shares are approximate, drawn from published first-quarter and year-to-date root-cause breakdowns.]
The long tail explains the gap. Most incidents are small code exploits in the tens or low hundreds of thousands of dollars, and there are many of them. They raise the incident count without moving the dollar total. The losses that matter financially are concentrated in a small number of operational and infrastructure failures, where a single compromised key, signer, or verifier can release tens or hundreds of millions in one transaction.
This has a direct consequence for where defensive effort goes. The smart-contract layer is the part the industry audits, fuzzes, formally verifies, and runs bug bounties against, and that work remains necessary, because code bugs are the most common incident type. It is no longer where most of the money is lost. The dollar risk has moved up the stack to keys, signers, devices, cloud infrastructure, and domains, and that layer is rarely subjected to the same scrutiny. Audits alone do not address it. One of the year’s larger infrastructure losses, Resolv, occurred at a protocol that had passed more than a dozen audits, because the failure was an off-chain signing key in a cloud account rather than a contract flaw.
The practical reading is that frequency and value call for different responses. Code bugs should continue to be managed through audits, bounties, and monitoring, because they are persistent and common. The catastrophic losses require treating the operational layer as security-critical in its own right.
Inside the operational compromises
The operational and infrastructure losses for the half-year total approximately $700M. The roughly 20 largest of them, examined here, carry the great majority of that figure, and they fall into five categories. Smaller key-compromise incidents run through the long tail and add to the count, but little to the total. Realised losses are used throughout, with paper figures noted where they differ.
[Chart: Where the money went. Realised loss by failure class across the operational-compromise incidents.]
[Chart: Where the incidents were. The same operational-compromise incidents by count. Admin-key compromise was the most frequent and the least costly.]
Within the operational category, the same inversion repeats at smaller scale. Admin-key compromise was the most frequent failure, eight of the roughly twenty, and the least costly, because available liquidity capped what a single over-privileged key could extract. The largest losses concentrated in social engineering of signers and infrastructure compromise. April alone accounts for approximately $575M of the operational total, almost all of it Drift and KelpDAO.
Admin-key compromise
Eight incidents involved a single privileged key or role with broad authority and no compensating control such as a timelock or a genuine multi-party threshold. Wasabi Protocol’s deployer account held the sole administrative role and was used to grant a malicious helper contract the access needed to upgrade its vaults. StakeDAO’s deployer key repointed a cross-chain peer and forged a token mint moments later. StablR operated a 1-of-3 minting multisig, which presents the appearance of a threshold while functioning as a single key. Realised losses in this category were limited by available liquidity rather than by the access controls, and most drained in a single transaction.
Social engineering of signers
One incident, Drift Protocol, produced the single largest protocol loss of the half-year at approximately $285M. Threat actors attributed to North Korea spent roughly six months establishing a trusted relationship as a trading counterparty before persuading Security Council signers to pre-sign transactions through Solana durable nonces. A 2-of-5 threshold with no timelock meant two compromised approvals were sufficient to transfer control. The contracts themselves were not exploited.
Employee and developer device compromise
Two incidents originated from compromised endpoints. Step Finance lost approximately $27M after attackers compromised executive devices and used them to reach treasury and fee wallets. Humanity Protocol operated a multisig of 3-of-6 on Ethereum and 3-of-5 on BSC, but enough owner keys were backed up to a single employee laptop that one compromised machine met the signing threshold on both chains at once. Throughout the period, poisoned VS Code and npm packages targeted developer machines as a delivery mechanism for the same class of credential and key theft.
Cloud and infrastructure key compromise
Four incidents, the most costly category in aggregate, involved keys or verification infrastructure held off-chain. Resolv held a privileged signing key in AWS KMS, and an attacker who reached that environment, by way of a contractor’s retained credential from an earlier project, altered the signing-key policy and minted approximately $25M of unbacked stablecoin against a deposit worth a fraction of that amount. KelpDAO relied on a single off-chain verifier, which was induced to attest a forged message and released approximately $290M. Two further incidents are included with caveats. THORChain is more accurately characterised as a flaw in a threshold-signature implementation, and Gravity Bridge remains a suspected key compromise pending a post-mortem.
Domain and DNS hijack
Five incidents involved control of a project’s domain or DNS rather than its keys or contracts. CoW Protocol lost its .fi domain through registrar impersonation, and a phishing clone served from the hijacked domain caused approximately $1.2M in user losses over roughly four and a half hours. By contrast, OpenEden, Curvance, and HypurrFi faced comparable attempts and prevented user losses by detecting the unauthorised change early. The differentiating factor across this category was registrar hardening and DNS monitoring rather than budget.
Outlook
On the current trajectory, a further nine-figure loss originating outside the contract is a realistic expectation for the second half of 2026. The incentive is established, the access remains comparatively soft, and recent activity shows attackers favouring social engineering and infrastructure compromise over attacks on well-audited contract code. North Korean threat actors are credited with between 55% and 76% of all crypto hack losses so far in 2026, depending on the period measured, almost entirely on the basis of the two April incidents. The volume of small code exploits is unlikely to fall, but it is the operational layer that determines whether a year produces another $577M concentration. Organisations that bring that layer under the same scrutiny as their contracts will be best positioned to stay out of the next set of post-mortems.
What security leads should do
The defences for every category above are established and inexpensive relative to the losses they prevent. The recurring gap is ownership. This layer is seldom assigned to the security function, so it is seldom audited. The following actions, in priority order, close the most exposure for the least effort.
Inventory privileged access. Enumerate every key, role, signer, device, cloud identity, and domain that can move funds or change code, and map each to a named owner and a specific device. Several of the incidents above were possible because no current inventory existed.
Enforce real thresholds and timelocks. Require a 3-of-n minimum on any function that can mint, upgrade, or transfer ownership, with signers that are genuinely independent. Place a timelock in front of upgrade and treasury functions so a malicious transaction is observable before it executes.
Verify signer independence. Confirm that no single laptop, browser profile, or key backup can produce more than one signature on a high-value multisig. A threshold scheme provides no protection once its keys share a device.
Treat endpoints as key custody. Deploy EDR on every machine that touches a key, prohibit key material on workstations, and require hardware signing so a key never exists in a form an endpoint can leak. Extend supply-chain controls to developer tooling and dependencies.
Harden cloud and verification infrastructure. Where a signing key must reside in a cloud KMS, secure the controlling identity more strictly than the chain it protects, with least-privilege roles, hardware-backed access, and alerting on every privileged call. Avoid single-verifier designs for any off-chain verification.
Lock and monitor domains. Apply registry-lock and registrar two-factor authentication, and monitor DNS and TLS certificates with alerting on any unauthorised change. Early detection was the only difference between the contained domain incidents and the costly one.
Rehearse the post-compromise case. Exercise key-rotation and incident runbooks against the scenario in which the signing threshold has already been crossed, not only the single-key-leak case.
Match the audit budget to the value at risk. Smart-contract audits remain necessary for the high volume of code bugs, but they do not cover the layer that lost most of the money this year. Give keys, signers, devices, cloud identities, and domains a review cadence and budget comparable to contract audits.
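As an added example (not code from the original post), the following Python applies the threshold, timelock and signer-independence checks from the actions above to a privileged-access inventory. The inventory schema, the check names and the sample role are assumptions constructed for illustration, modelled on the failure patterns described earlier rather than on any real configuration.

```python
from dataclasses import dataclass

@dataclass
class Signer:
    name: str
    device: str      # machine or hardware wallet that operates the key
    backup: str      # where the key or seed is backed up
    hardware: bool   # True if the key never exists outside a hardware signer

@dataclass
class Role:
    name: str
    capabilities: set[str]   # e.g. {"mint", "upgrade", "treasury", "transfer_ownership"}
    threshold: int
    signers: list[Signer]
    timelock_seconds: int = 0

HIGH_VALUE = {"mint", "upgrade", "transfer_ownership", "treasury"}  # need a 3-of-n minimum
TIMELOCKED = {"upgrade", "treasury"}                                # need a timelock in front

def effective_threshold(role: Role) -> int:
    """Fewest devices/backups whose compromise yields enough keys; keys sharing one collapse into one failure point."""
    if role.threshold > len(role.signers):
        raise ValueError("threshold exceeds signer count")
    remaining, compromised = set(range(len(role.signers))), 0
    while len(role.signers) - len(remaining) < role.threshold:
        groups = {}
        for i in remaining:
            groups.setdefault(("device", role.signers[i].device), set()).add(i)
            groups.setdefault(("backup", role.signers[i].backup), set()).add(i)
        remaining -= max(groups.values(), key=len)  # greedy: compromise the location holding most keys
        compromised += 1
    return compromised

def review(role: Role) -> list[tuple[str, str]]:
    """Apply the threshold, timelock, shared-custody and hardware-signing checks to one role."""
    n, out = len(role.signers), []
    if role.capabilities & HIGH_VALUE and role.threshold < 3:
        out.append(("LOW_THRESHOLD", f"{role.threshold}-of-{n} can {sorted(role.capabilities & HIGH_VALUE)}"))
    if role.capabilities & TIMELOCKED and role.timelock_seconds == 0:
        out.append(("NO_TIMELOCK", f"{sorted(role.capabilities & TIMELOCKED)} execute immediately"))
    eff = effective_threshold(role)
    if eff < role.threshold:
        out.append(("SHARED_CUSTODY", f"{eff} compromised device(s)/backup(s) meet {role.threshold}-of-{n}"))
    out += [("SOFTWARE_KEY", f"{s.name} signs from software on {s.device}") for s in role.signers if not s.hardware]
    return out

# Constructed sample (not a real configuration): a 3-of-6 treasury whose first three seeds share one backup laptop.
SAMPLE = Role("treasury", {"treasury"}, 3,
              [Signer(f"t{i}", f"hw-{i}", "laptop-ops-1" if i < 3 else f"safe-{i}", True) for i in range(6)])
```

Running `review(SAMPLE)` reports that the nominal 3-of-6 has an effective threshold of 1 and no timelock, which is the shape of the device-compromise and signer-independence failures described above.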
— Adrian
Sources and method
Totals cover hack and exploit incidents from 1 January to 11 June 2026, reconciled across several incident trackers whose figures differ by threshold and by whether scams and phishing are included. Hack-only losses are approximately $900M, or about $1.1B including social-engineering and phishing theft. Incident counts range from roughly 130 for major events to roughly 200 once the long tail is included, and June is partial, through the 11th.
Incident data and root-cause breakdowns are drawn from project disclosures and from PeckShield, CertiK, DefiLlama, Hacken, TRM Labs, SlowMist, SEAL, Chainalysis, Blockaid, and the LayerZero post-mortem with Mandiant and CrowdStrike, alongside reporting from Rekt, The Block, CoinDesk, and Cointelegraph.