
Phishing and wallet compromises drove $1.32B in H1 crypto losses. CertiK warns the real threat is rising as targeted attacks replace random exploits.
Crypto-related losses fell 46.8% year over year to $1.32 billion during the first half of 2026. Blockchain security firm CertiK warned the decline does not indicate a safer crypto market.
CertiK's H1 2026 security report said the lower loss figure is heavily influenced by the absence of an event on the scale of the $1.4 billion Bybit exploit recorded in the same period last year. The firm said a simple comparison of headline numbers creates a misleading impression because attackers are carrying out fewer random campaigns and instead executing more targeted operations that inflict heavier damage per incident.
Breaking down the first-half figures, CertiK reported that phishing remained the leading cause of crypto theft during the first quarter, resulting in losses of $508.2 million. During the second quarter, wallet compromises overtook phishing as the largest attack method, accounting for $807.5 million in stolen assets. A significant share of those losses came from just two major incidents. CertiK said more than 70% of the second-quarter total stemmed from attacks targeting KelpDAO and Drift Protocol, both of which are believed to have been carried out by North Korean state-sponsored hackers.
Total losses appear lower. CertiK said the industry is facing a structurally higher rate of attack activity than a year earlier. Excluding the exceptional Bybit hack from 2025, the firm concluded that individual attacks are becoming more financially damaging and increasingly focused on high-value targets instead of opportunistic exploits.
Separate findings from blockchain intelligence firm TRM Labs support that assessment. In its H1 2026 report released on Wednesday, TRM Labs said the decline in the total value stolen should not be interpreted as evidence that attackers have become less capable. According to the firm, the lower figure is largely the result of there being no record-breaking theft comparable to the Bybit incident during the reporting period.
TRM Labs also found that the number of crypto-related security incidents rose sharply from 83 in the first half of last year to 207 in H1 2026, the highest six-month total the company has recorded. Its analysis further showed that smart contract exploits accounted for 125 incidents, representing roughly 60% of all recorded attacks.
Alongside its assessment of attack trends, CertiK identified private key management and multisignature wallet controls as the most critical areas requiring stronger protection. The firm recommended that crypto protocols and institutions securing substantial onchain assets strengthen every layer of key management, including hardware security and multisignature governance. CertiK said investments in these controls can produce disproportionately strong security benefits because they directly reduce the impact of attacks targeting sensitive wallet infrastructure. The firm also highlighted geographic distribution of wallet signers as a key safeguard.
Attention has also turned to the growing role of North Korean cyber operations. According to TRM Labs, North Korean hackers have stolen more than $6 billion worth of cryptocurrency since 2017. The recent attacks linked to KelpDAO and Drift Protocol prompted officials from the United States, Japan and South Korea to meet late last month to discuss ways to curb North Korea's cyber activity and the illicit revenue generated through crypto theft. During those discussions, government representatives acknowledged that North Korean IT workers are increasingly using artificial intelligence to improve the scale and speed of cyber operations. Several cybersecurity leaders have separately warned that AI-assisted techniques are making protocol exploits harder to detect and defend against.
Meanwhile, hardware wallet maker Ledger has continued to advise crypto users to keep recovery seed phrases offline and never disclose them, describing those practices as basic safeguards against phishing attacks and unauthorized wallet access.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.