
Hack losses fell 47% in H1 2026, but attack count doubled to 207. Two North Korean-linked exploits accounted for 70% of Q2 losses. CertiK calls ecosystem 'deeply unsafe.'
Crypto hacks in the first half of 2026 stole 46.8% less value than a year earlier. The number of attacks doubled, from 83 to 207.
Blockchain security firm CertiK, which compiled the data, called the ecosystem "deeply unsafe" in its mid-year report. The drop in total losses alongside a rise in attack frequency points to a shift in hacker strategy, CertiK's report said. Attackers are hitting more targets, each for a smaller average haul.
Two exploits dominated the second quarter. KelpDAO lost roughly $380 million in a single breach. Drift Protocol lost about $210 million. Together they accounted for more than 70% of Q2's total losses, which came in around $850 million. Excluding those two events, the median hack in Q2 was a fraction of the size seen a year earlier.
North Korean state-sponsored groups, tracked by CertiK as Lazarus Group and its affiliates, were responsible for both large Q2 attacks. The same groups have been active in prior quarters. When state-backed hackers focus on a small number of high-value targets, recovery rates tend to be near zero, CertiK's historical data shows.
Private key compromises remained the single most common attack vector, accounting for roughly 40% of all incidents. Flash loan attacks and oracle manipulation made up another 25% combined. The rest were split across smart contract exploits, phishing, and governance attacks.
CertiK's report did not break out recovery rates for the first half. In prior periods, stolen funds recovered through negotiation or law enforcement action have been a small fraction of total losses, typically under 5%.
The doubling of incident count raises a question for anyone running a watchlist on smaller-cap tokens or newer DeFi protocols. The risk per dollar of TVL may be rising even as headline loss numbers improve. For traders who hold positions on smaller chains or in protocols outside the top 20 by market cap, the security audit history of each contract becomes a more relevant filter than it was a year ago.
CertiK's full report is scheduled for public release later this month, with protocol-level detail on each incident.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.