Crypto hacks hit record 207 in H1 2026, but smart contracts aren't the main target
In brief
- TRM Labs recorded 207 hacks in H1 2026, more than double the 83 incidents in H1 2025
- Total theft fell to $972 million despite higher hack frequency, signaling a shift in attack vectors
- Infrastructure and operational compromises caused 76% of losses while representing only 15% of incidents
- North Korea-linked activity accounted for roughly 66% of all H1 2026 stolen funds
More incidents, smaller median losses
The number of hacks more than doubled from 83 incidents in H1 2025 to 207 in H1 2026. Most of that surge came from smart-contract exploits—125 of the 207 incidents—yet the median hack loss was about $219,000 while the mean stood at $4.7 million. Smaller attacks are hitting more frequently.
Q2 alone produced 123 incidents, after a record-setting first quarter. The velocity is real. But the biggest damage isn't coming from where audits focus.
Where the real losses hide
Here's the inversion: infrastructure and operational compromises accounted for only about 15% of incidents in H1 2026 but roughly 76% of stolen value. Keys, custody, signing infrastructure, approval flows—these are the points of failure that matter most. The largest losses in H1 2026 came from failures in systems that hold or authorize control of funds rather than smart contract vulnerabilities.
Two incidents illustrate this. The Drift Protocol hack resulted in losses of roughly $285 million in April 2026. The KelpDAO hack resulted in losses of roughly $292 million in April 2026. The combined losses from Drift Protocol and KelpDAO totaled near $577 million. In both cases, attackers targeted infrastructure and human layers around DeFi systems rather than core smart contracts.
"More protocols, tokens, and decentralized applications are being hit, but the losses that still define the year are concentrated in operational systems: keys, custody, signing infrastructure, approval flows, and other controls around the code rather than the code alone." — TRM Labs report
The North Korea factor
About $643 million, or roughly 66% of all funds stolen in H1 2026, was attributable to North Korea-linked activity. That's a significant decline from about $1.7 billion in the first half of 2025. Yet the sophistication hasn't dropped. North Korea-linked operations combine technical intrusion, social engineering, operational patience, laundering infrastructure, and state-directed financial goals. They're not running spray-and-pray exploits. They're dismantling the operational perimeter.


