TRM Labs says the first half of 2026 set a new record for crypto hacks by incident count, even as total losses dropped sharply from the prior year. That split says a lot: attackers are spreading out, hitting more targets, and still finding plenty of weak keys, sloppy ops, and brittle DeFi plumbing to exploit.
- 207 hacks in H1 2026, the highest six-month total TRM has recorded
- $972 million stolen, down from $2.3 billion in H1 2025
- North Korea-linked actors blamed for about 66% of stolen funds
- Drift Protocol and KelpDAO were the biggest blows
- Private keys, credentials, smart contracts, and AI scams stayed front and center
Those figures come from TRM Labs’ Crypto Hacks in First Half of 2026 Report security roundup. It paints a familiar but uglier picture: more incidents, more operational discipline among attackers, and a threat mix shifting away from simple code bugs toward attacks on people, privileges, and infrastructure.
The clearest lesson is the one crypto keeps learning the hard way. The chain may be decentralized, but the weakest point is often human. Keys get stolen. Admin access gets abused. Signers get manipulated. And once funds move, recovery is usually a long shot, not a plan.
More hacks, less money, and that is not a win
TRM says attackers carried out 207 separate hacks and stole $972 million in the first half of 2026. That is a record high for hack count in a six-month period, but it is also far below the $2.3 billion stolen in H1 2025.
That matters because incident count and dollar damage are not the same thing. A higher number of attacks can still produce lower total losses if the biggest blowups are fewer, or if attackers are shifting toward more numerous medium-sized exploits instead of a handful of gigantic drains.
TRM says that is exactly what happened. The firm found 125 of the 207 incidents were smart contract exploits, while infrastructure and operational compromises made up a much smaller share of incidents but a far larger share of stolen value. In plain English: lots of bugs, but the biggest money came from breaches that hit the control layer directly.
Smart contract exploits are attacks on blockchain-based code that manages funds or protocol behavior. Infrastructure and operational compromises are nastier in a different way: stolen credentials, compromised signers, breached internal systems, and other failures outside the contract itself. If the code is the lock, this is the thief finding the spare key under the mat and then changing the alarm code for fun.
For a broader view of how these attacks are being organized and industrialized, TRM’s H1 2026 Crypto Hacks Reach Record High as Losses Fall Below breakdown and its 2026 Crypto Crime Report both point to the same ugly trend: security failures are increasingly a business model, not an accident.
North Korea-linked groups kept taking the biggest bite
TRM attributes roughly $643 million, or about 66% of all stolen crypto funds in H1 2026, to North Korea-linked threat activity. That is a huge number, and it should be treated with the usual cybercrime caution: attribution is an analyst judgment, not a courtroom verdict. But the scale is still hard to ignore.
Two April attacks did most of the damage: Drift Protocol and KelpDAO. TRM says those incidents accounted for nearly all of the North Korea-attributed losses in the period it tracked.
The biggest single hit was Drift Protocol, where TRM says attackers stole approximately $285 million on April 1. The breach involved weeks of staging, months of social engineering, and abuse of Solana’s durable nonce feature, which helps transactions remain valid for longer than a standard one-time-use nonce. The short version: the attacker did not just “break the code.” They manipulated people and transaction mechanics until the drain was effectively pre-approved. That is not a hack so much as an industrialized confidence trick with blockchain garnish.
TRM’s write-up of the incident aligns with its North Korea Stole 76% of All Crypto Hack Value in 2026 findings, and the follow-up detail in North Korean Hackers Attack Drift Protocol In USD 285 underlines just how methodical the operation was.
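The durable nonce mechanism mentioned above is visible before anyone signs: a Solana transaction that uses one must carry a System Program AdvanceNonceAccount instruction as its first instruction, and it then stays valid until that nonce is advanced rather than expiring with a recent blockhash. The following is an added example, not code from TRM or Drift, of a signer-side pre-flight check that parses a legacy (unversioned) message and flags that case; the function names and sample bytes are constructed for illustration.

```python
import struct

SYSTEM_PROGRAM = bytes(32)  # the System Program id is 32 zero bytes
ADVANCE_NONCE = 4           # SystemInstruction::AdvanceNonceAccount (u32 LE tag)

def _compact_u16(buf, off):
    """Decode Solana's compact-u16 length prefix; return (value, next_offset)."""
    val = shift = 0
    while True:
        b = buf[off]
        off += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, off
        shift += 7

def parse_legacy_message(msg):
    """Return (account_keys, recent_blockhash, instructions) for a legacy message."""
    if msg[0] & 0x80:
        raise ValueError("versioned message: out of scope for this example")
    n_keys, off = _compact_u16(msg, 3)  # skip the 3-byte header
    keys = [msg[off + 32 * i: off + 32 * (i + 1)] for i in range(n_keys)]
    off += 32 * n_keys
    blockhash, off = msg[off:off + 32], off + 32
    n_ix, off = _compact_u16(msg, off)
    ixs = []
    for _ in range(n_ix):
        prog, off = keys[msg[off]], off + 1
        n_acc, off = _compact_u16(msg, off)
        accts, off = [keys[i] for i in msg[off:off + n_acc]], off + n_acc
        n_data, off = _compact_u16(msg, off)
        data, off = msg[off:off + n_data], off + n_data
        ixs.append((prog, accts, data))
    return keys, blockhash, ixs

def durable_nonce_account(msg):
    """Nonce account key if the first instruction advances a nonce, else None."""
    _, _, ixs = parse_legacy_message(msg)
    if ixs:
        prog, accts, data = ixs[0]
        if prog == SYSTEM_PROGRAM and accts and data[:4] == struct.pack("<I", ADVANCE_NONCE):
            return accts[0]
    return None

def sample_message(ix_data):
    """Constructed one-instruction message for the demo (not a real transaction)."""
    keys = bytes([1]) * 32 + bytes([2]) * 32 + bytes([3]) * 32 + SYSTEM_PROGRAM
    ix = bytes([3, 3, 1, 2, 0, len(ix_data)]) + ix_data
    return bytes([1, 0, 2, 4]) + keys + bytes([9]) * 32 + bytes([1]) + ix

if __name__ == "__main__":
    for tag in (struct.pack("<I", ADVANCE_NONCE), struct.pack("<IQ", 2, 1000)):
        hit = durable_nonce_account(sample_message(tag))
        print("HOLD: signature stays valid until nonce advances" if hit else "ok: expires with blockhash")
```

A signing workflow could route any message this flags to a slower approval path, since an approval given today can be submitted at any later time the nonce is still unchanged.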
KelpDAO was hit on April 18, with TRM pegging losses at approximately $292 million. The attack targeted its rsETH LayerZero bridge on Ethereum. A bridge is the plumbing that moves assets or messages between blockchains. It is also one of the messiest places to secure because you are stitching together systems that were never meant to trust each other this much. TRM says the attackers compromised internal RPC nodes, the infrastructure used to communicate with the chain, and manipulated verifier logic. That let them push the exploit through while around $75 million was frozen on Arbitrum.
The aftermath also shows how ugly recovery looks in practice. Funds were moved through THORChain, a cross-chain liquidity protocol often used to swap assets across networks, with a large portion eventually flowing toward Bitcoin. Once funds are moving through bridges, swaps, and mixers, the trail gets messy fast. That is not a bug; it is the whole point of the laundering playbook.
For a sharper post-mortem on how the Solana breach played out, see Solana’s Drift Protocol Hacked for $270M in Largest DeFi, North Korean Hackers Hit Drift Protocol: DeFi Security, and Drift Protocol’s $280M Hack: A Six-Month DeFi Con Exposes.
Ethereum stayed the biggest target
Ethereum was the most targeted blockchain in TRM’s breakdown, with 56 incidents. That is not shocking. Ethereum still carries a huge share of DeFi activity, token launches, bridges, and protocols holding meaningful value. More value attracts more attackers. More complexity gives them more places to look for mistakes.
Other chains frequently targeted in the period included BNB Chain, Base, and Arbitrum. Again, no mystery here: attackers go where the liquidity, users, and weak assumptions live.
Some of the projects named in credential-related compromises included Humanity Protocol, Resolv, Wasabi Protocol, Gravity Bridge, Fluid, StablR, and Polymarket. TRM also pointed to exploits involving oracle manipulation across projects such as Blend Pools V2, Aave V3, Sharwa Finance, Edel, and Ploutos Money.
Oracle manipulation means tampering with the external price or data feeds that smart contracts rely on. It is a long-running DeFi weakness because a contract can only behave as well as the information it receives. If the input is poisoned, the output is garbage, and sometimes that garbage is stolen funds.
Recovery is still the exception
TRM says that among the largest hacks it tracked, only one project fully recovered its stolen assets. Two others managed to freeze just over $74 million, while more than $620 million remained effectively lost.
That distinction matters. Frozen funds are blocked for now. Recovered funds are actually back where they belong. In crypto security, people love to blur those two together, usually right up until they realize the money never came home.
The practical takeaway is simple: audits help, but they are not a force field. A clean report on a contract does not save a protocol if signers are compromised, internal systems are exposed, or admin credentials are treated like an afterthought. The front line is custody, key management, and incident response, not vibes.
April skewed the half-year badly
TRM says April was the most destructive month for losses, with hackers stealing about $631 million. That was nearly 68% of all crypto losses in the first six months of the year.
That concentration tells you a lot about how half-year statistics can hide reality. One brutal month can make the entire period look much worse than the surrounding weeks. It also means a small number of highly coordinated attacks can overwhelm all the incremental improvements elsewhere in the market.
May recorded the highest number of hacks at 41, followed by June with 36 and April with 34. So the pattern was not one quiet stretch followed by a single explosion. The threat level stayed elevated across the quarter, while April simply delivered the biggest financial hit.
AI scams are getting more efficient, not more magical
TRM also flags rising AI-driven scams, and Chainalysis’ The Industrialization of Cryptocurrency Scams Demands a 2026 Crypto Crime Report adds a useful benchmark: scams with on-chain links to AI vendors make about 4.5 times more money than traditional scams. Chainalysis puts that at roughly $3.2 million per operation versus $719,000 for scams without those AI-linked on-chain connections.
That does not mean AI is somehow independently hacking blockchains. It means fraud is becoming cheaper, faster, and more convincing. AI-generated voice clones, fake support agents, polished phishing pages, bot-driven outreach, and impersonation campaigns all make it easier to trick people at scale.
The danger is boring in the worst possible way: victims get manipulated faster, scam operators work more efficiently, and the old “just look for bad grammar” trick becomes less useful by the week. The scammers are leveling up. Naturally, they are using it for theft instead of, say, writing better poetry.
Key questions and takeaways
- Why did losses fall even though hacks hit a record?
  TRM says attackers spread out across more incidents, especially smaller and medium-sized exploits. The biggest damage was still concentrated in a few major infrastructure and key-compromise attacks, but not enough to match H1 2025’s dollar total.
- What caused most of the money loss?
  Infrastructure and operational compromises did. Stolen credentials, compromised signers, and related access failures hit higher-value systems directly, which is why they accounted for a much larger share of funds than of incidents.
- Why is North Korea mentioned so often?
  TRM attributes about $643 million, or roughly 66% of stolen funds in H1 2026, to North Korea-linked activity. That makes it the dominant source of stolen crypto value in the period, by TRM’s assessment.
- What were the biggest individual blowups?
  Drift Protocol and KelpDAO defined the first half of the year, with losses of approximately $285 million and $292 million, respectively. Together, they drove most of the North Korea-linked losses TRM tracked.
- Is AI changing crypto crime in a serious way?
  Yes, mostly by making scams more scalable and more convincing. Chainalysis says AI-linked scams generate far more revenue per operation, which points to better impersonation and more effective fraud tooling, not autonomous “AI hackers.”
The first half of 2026 leaves crypto with the same uncomfortable lesson it keeps paying for: the biggest threats are rarely the most glamorous ones. A smart contract bug can hurt. But stolen keys, compromised admins, brittle bridges, and sloppy operational security still do the heavy lifting for the thieves.
That is the part the industry can actually fix. Better custody. Stronger signer controls. Tighter infrastructure security. More disciplined bridge design. Less trust in shiny dashboards and more attention to the people and systems that can move the money.
Crypto’s promise still matters. So do the freedom, privacy, and decentralization that brought many people here in the first place. But none of that excuses weak security. In this market, sloppiness is not a harmless mistake; it is an open invitation.