Skip to main content
Home » Cryptocurrency » News » Q2 2026 Is Already the Most-Hacked Quarter in Crypto

Q2 2026 Is Already the Most-Hacked Quarter in Crypto

7 min read
Q2 2026 Is Already the Most-Hacked Quarter in Crypto

Stay connected with KayaToday—follow us on Instagram and Facebook for the latest news and reviews delivered straight to you.


83 incidents. $755 million stolen. Cross-chain bridges remain the industry’s most dangerous attack surface. The record was broken before the quarter even ended.

The numbers are in, and they’re difficult to frame as anything other than a crisis.

The second quarter of 2026 has become the most-hacked quarter in cryptocurrency history by incident count, with 83 exploits recorded across the period according to analysis by market insights platform Unfolded, drawing on DefiLlama data. The quarter isn’t even finished. The record was broken while the clock was still running.

Q2 2026 Is Already the Most-Hacked Quarter in Crypto

Source:Defillama

Total losses across those 83 incidents reached $755.3 million — a significant figure, though considerably below the $3.56 billion lost in Q4 2020, which remains the costliest single quarter on record by dollar value. The gap between record incident volume and sub-record dollar losses tells its own story about where the industry currently stands, and it isn’t necessarily reassuring.

The Two Biggest Hits

Two exploits dominated the quarter’s loss figures and together account for the majority of what was stolen.

The KelpDAO hack, which resulted from a LayerZero OFT bridge exploit, cost the restaking platform $293 million — the single largest incident of the quarter and more than 38% of total Q2 losses on its own. The Drift Protocol exploit followed closely at $280 million, bringing the combined total of just these two incidents to $573 million, or roughly 76% of everything stolen across all 83 attacks.

The remaining $182 million in losses was distributed across 81 separate incidents — a long tail of smaller exploits that, taken individually, might not generate major headlines but collectively represent a sustained, high-frequency assault on the ecosystem’s security infrastructure.

Other notable incidents include the $36 million stolen from Humanity Protocol on June 8 — an attack linked to suspected North Korean actors by security firm Quantstamp — the $10.7 million THORChain exploit on May 15 stemming from an MPC vulnerability, two separate attacks on Aztec Connect’s deprecated smart contracts yielding $2.1 million and $1.3 million respectively, and a $1.7 million bridge exploit on Ethereum layer-2 network Taiko involving its chain state verification mechanism.

Bridges Are Still the Most Dangerous Attack Surface

Cross-chain bridge exploits emerged as the dominant attack vector of Q2 2026, accounting for $351 million in stolen value — nearly half of the quarter’s total losses from a single category of vulnerability.

The concentration of losses in bridges is not new information. Cross-chain infrastructure has been the most costly attack surface in the crypto ecosystem for several years, responsible for some of the largest single exploits in the industry’s history including the Ronin Bridge, Wormhole, and Nomad attacks in previous cycles. What Q2 2026 demonstrates is that the problem has not been solved despite years of awareness, auditing, and industry discussion about bridge security.

The fundamental challenge with bridges is architectural. Moving assets between blockchains requires trust assumptions that don’t exist within a single chain’s security model. A bridge must verify state on one chain while executing on another, which creates attack surfaces that sophisticated actors can exploit through compromised validators, manipulated price feeds, or vulnerabilities in the verification logic itself. The KelpDAO hack through the LayerZero OFT bridge illustrates how a single vulnerability in this infrastructure can cascade into nine-figure losses.

Compromised admin attacks and fake token price manipulation together accounted for 37% of Q2 losses, while private key compromises represented 5.66% — a smaller share by dollar value but a category that has been growing in frequency as attackers increasingly target operational security failures rather than smart contract code.

Why More Hacks, But Less Money Stolen

The apparent paradox at the center of Q2’s data — record incident count alongside losses well below the all-time quarterly high — has a straightforward explanation that is less comforting than it might initially appear.

Dmytro Tarasiuk, product director at risk intelligence platform CORE3 and crypto security rating platform CER.live, pointed to the significant contraction in total value locked across DeFi as a key factor. TVL fell from approximately $164 billion before a major liquidation event on October 10 to around $73 billion at the time of reporting — a decline of more than 55%. When there’s less value sitting in protocols, attackers can execute the same number of attacks and still walk away with smaller absolute dollar amounts.

In other words, the lower loss figure reflects a smaller target, not better defenses.

Tarasiuk also identified the industry’s most persistent underlying vulnerability with notable precision. Protocols, he told Cointelegraph, are being re-engineered faster than their underlying risk management complexity can be properly addressed. The result is that projects “declare a three-of-six multisig and store three keys on one laptop” — creating the kind of operational security failure that made the Humanity Protocol hack possible despite the project having technically sound security policies on paper.

The gap between a correctly designed security architecture and a correctly implemented one is where most of these exploits live. Smart contract audits don’t catch operational failures. Multisig schemes don’t protect against key consolidation mistakes. Bridge security frameworks don’t prevent compromised admin credentials. The vulnerabilities that are driving Q2’s record incident count are largely human and procedural rather than purely technical.

AI’s Expanding Role in the Attack Landscape

The surge in hacking activity has renewed a debate that has been building throughout 2026: whether the proliferation of advanced AI models has fundamentally shifted the cybersecurity balance of power toward attackers.

Mitchell Amador, CEO of bug bounty platform Immunefi, described the current environment to Cointelegraph as a “vulnerability apocalypse” — a term that reflects both the volume of incidents and the speed at which new exploits are being identified and deployed. His argument is that AI tools have lowered the technical barrier for finding and exploiting vulnerabilities to the point where actors who would previously have lacked the capability are now operationally dangerous.

This concern directly echoes what Anthropic’s own internal research found earlier this year: that more than 67% of accounts banned from its platform for policy violations had used AI to prepare for cyberattacks, and that the risk classification of banned accounts nearly doubled in severity between the first and second halves of the study period. The pattern Anthropic identified — AI enabling less sophisticated actors to attempt more sophisticated attacks — maps directly onto what the Q2 incident data appears to show.

Anthropic’s recent release of Claude Mythos through its Fable 5 variant generated significant crypto security community concern for precisely this reason. The model’s demonstrated ability to identify more than 10,000 critical vulnerabilities in widely-used software raised questions about whether similar capabilities would accelerate exploit discovery in DeFi protocols, even with guardrails in place.

Conclusion

83 incidents in a single quarter represents roughly one exploit every 2.5 days on average. For an industry that has spent years arguing that blockchain technology’s transparency and immutability make it more secure than traditional finance, sustaining that pace of successful attacks is a significant reputational and structural challenge.

Read Also: The G7 Just Called Out North Korea’s Crypto Theft Machine

The concentration of losses in a small number of large incidents — two attacks accounting for 76% of total Q2 losses — suggests the industry’s highest-value targets remain vulnerable to sophisticated, well-resourced attackers. The long tail of smaller incidents suggests that even protocols with modest TVL are being targeted at increasing frequency, consistent with the thesis that lower attack costs are expanding the viable target set.

For DeFi users, the practical implications are immediate. Capital deployed across unaudited or recently-launched protocols carries risk that is not purely theoretical. Bridge transactions move assets through infrastructure that has proven consistently vulnerable to sophisticated attacks. Admin key management failures continue producing catastrophic outcomes even at well-funded, credible projects.

The record has been broken. The quarter isn’t finished. And the structural conditions that produced 83 incidents in three months — lower attack costs, persistent bridge vulnerabilities, operational security failures, and AI-assisted exploit discovery — haven’t changed.

Aryad Satriawan is an Investment Storyteller with a professional career in the crypto (web3) and stock market industry. Aryad has been actively trading and writing analysis/research on crypto, stock and forex markets since 2016, currently an educator at one of the largest stock broker in Indonesia.
440 articles
More from Aryad Satriawan →
We follow strict editorial standards to ensure accuracy and transparency.