
TRM Labs recorded 207 hacks in H1 2026. Total losses fell to $972M. Infrastructure compromises drove 76% of stolen value. The real risk isn't smart contracts.
The number of crypto hacks just set a record. TRM Labs recorded 207 separate incidents in the first half of 2026, the most the firm has seen in any six-month period. Total losses fell to $972 million, less than half the $2.3 billion stolen during the first half of 2025.
That split changes the security story. More protocols and applications are being hit. The losses that define the year are concentrated in operational systems: keys, custody, signing infrastructure, approval flows. The controls around the code, not the code alone.
Smart-contract exploits accounted for 125 of the 207 incidents. The median hack was about $219,000. The mean was $4.7 million. That gap shows how a few very large incidents dominate aggregate losses, even as the day-to-day threat environment gets more crowded with smaller exploit attempts.
Infrastructure and operational compromises accounted for only about 15% of incidents, TRM said. They drove roughly 76% of stolen value. That ratio turns the report from a hack-count story into a security-priority story.
If a protocol treats audits as the whole security program, it is defending only part of the risk. An attacker can skip the core contract by compromising a signer, manipulating a bridge validation path, or obtaining approval for a malicious transfer.
The clearest example is the concentration of North Korea-linked activity. TRM assesses that about $643 million, or roughly 66% of all funds stolen in H1 2026, was attributable to North Korea-linked actors. That figure was down from about $1.7 billion in the first half of 2025. It still made them the largest source of stolen value.
Nearly all of that H1 2026 total came from two April operations involving Drift Protocol and KelpDAO. TRM put the Drift loss at roughly $285 million and KelpDAO at roughly $292 million, for a combined total near $577 million.
Those incidents reflected the same broader pattern. Attackers targeted the infrastructure and human layers around DeFi systems. They did not simply hammer at core smart contracts.
TRM's warning is that the lower dollar total in H1 2026 reflects the absence of another theft on the scale of 2025's largest attacks. It does not reflect a reduction in attacker capability. The aggregate number fell because the biggest outlier was smaller. The class of risk that creates outliers remains unresolved.
That makes the next large loss less likely to look like a simple bug report. It is more likely to expose a weak approval process, a compromised private key, a signer that could be socially engineered, or a vendor dependency that was trusted too broadly.
Smart-contract work remains important. TRM says code exploits are still the most common incident type. The change is that audits cannot be the ceiling of the security program.
The controls that matter most for catastrophic loss sit around asset movement. TRM specifically pointed to key management, signing infrastructure, approval workflows, and custody as areas requiring greater attention.
A hardened protocol now needs to know who can initiate large transfers, who can approve them, which devices can touch signing paths, how governance changes are delayed, and what happens if a trusted operator account is compromised. A static audit report cannot answer those questions after the operational environment changes.
For security teams, the next budget discussion should cover more than another audit cycle. It should include hardware-backed signing, multi-party approval for large transfers, limits on privileged access, monitored developer devices, and tested incident-response playbooks.
The same shift affects exchanges and custodians that may never be the initial target. TRM said stolen assets often move through cross-chain bridges and no-KYC swap services before reaching exchanges. Multi-hop transaction monitoring and faster wallet intelligence sharing become part of the security stack.
For protocols, the security plan has to assume that prevention can fail. It must define who can pause systems, who can contact counterparties, and which transfer paths are watched in the first minutes after detection.
TRM's H1 2026 data shows a split between the growing volume of smaller smart-contract incidents and the concentrated operational compromises that still set the industry's loss profile. The next large loss is more likely to come from a compromised key or approval process than from a bug in a smart contract. For a broader view of crypto market dynamics, see our crypto market analysis.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.