Crypto hackers stole $1.3 billion in the first half of 2026, but the real shift is who they're hitting and how.
CertiK's Hack3D report puts the number at $1,315,676,432 stolen across 344 on-chain incidents between January and June. That's the headline. It isn't the story.
After accounting for funds that were frozen or clawed back, net losses landed at $1,200,364,925, according to CertiK. Compare the gross figure with the same period in 2025 and the totals look lower. That comparison is misleading. Nearly all of H1 2025's total came from one event, the $1.45 billion Bybit theft in February 2025. One heist skewed a year. Strip Bybit out of the 2025 baseline and last year's figure falls to roughly $1.03 billion. On that like-for-like basis, H1 2026 is up about 28%, CertiK found.
So the industry didn't get safer. The pattern changed.
Two Big Attacks Pointed Away From Code
Nearly 44% of all H1 2026 losses came from just two incidents: the April 1 breach of Drift Protocol and the April 18 attack on KelpDAO's LayerZero-powered bridge. Combined, those two attacks moved about $576 million out of the ecosystem. Neither was a simple case of a smart contract doing the wrong calculation.
KelpDAO, a liquid restaking protocol, lost about $292 million after attackers forged a cross-chain message tied to its rsETH bridge. LayerZero said the bridge used a 1-of-1 decentralized verifier network setup, meaning one verifier could approve messages before funds moved. One node. Chainalysis later described the exploit as an attack on off-chain RPC infrastructure, not on KelpDAO's own contracts or LayerZero's contracts. The attacker compromised internal RPC nodes, helped force reliance on those nodes with a denial-of-service attack, and got a valid-looking message through a system that had no second verifier to reject it.
LayerZero attributed the KelpDAO attack to North Korea's Lazarus Group, specifically the TraderTraitor cluster. Chainalysis also said the attackers were linked to Lazarus and noted that KelpDAO's quick response blocked a follow-up attempt to drain another 40,000 rsETH, worth about $95 million at the time. That ugly operational detail matters because it shows how close the loss came to being even worse.
Drift came first. On April 1, attackers drained $285 million from the Solana derivatives protocol after, according to Chainalysis, spending months building relationships with the team and getting security council members to unknowingly pre-sign transactions. Once the attackers had control, they whitelisted a worthless fake token as collateral and used it to pull out real assets including USDC, SOL, and ETH. The drain took about 12 minutes.
Months of work. Twelve minutes to cash out.
The New Target Is Whoever Holds the Keys
Wallet compromise, not contract exploits, was the costliest single category of the half. CertiK tracked $444,531,691 lost across 33 wallet compromise incidents, averaging more than $13 million per event. Code vulnerabilities were still the most frequent category by incident count, with 204 incidents. They just weren't where the biggest money went.
That should make you uncomfortable if you're running a protocol and still treating an audit as the whole security plan. Audits check whether code behaves as written. They don't prove that your multisig signers can withstand a months-long social engineering campaign. They don't prove your bridge configuration has enough independent verifiers. They don't tell you whether your team would spot a poisoned infrastructure layer before the transaction looks valid on-chain.
Here's the thing: DeFi spent years talking as if the main enemy was bad code. Bad code is still a problem. CertiK's numbers make that clear. But the richest attacks in H1 2026 were aimed at people, permissions, and infrastructure. If your treasury depends on a handful of signers, or your cross-chain setup depends on one verifier, the attacker doesn't need to outsmart your smart contract. They need to reach the person or machine allowed to tell it what to do.
CertiK's report doesn't suggest the second half will look calmer. It says DPRK-linked actors have tended to escalate as the year progresses, and it identifies the second half of 2026 as a period of heightened concern. You don't need a dramatic forecast to see why. Fewer targets, bigger balances, and less code to reverse-engineer is a useful deal for an attacker.
The next nine-figure loss is more likely to start with a message to someone holding signing rights than with a bug nobody caught. That isn't a subtle warning. It's the operating reality now.
Also read: SBI Holdings Picks Ondo Finance to Bring Japanese Stocks Onchain • Zcash rallies past $550 as its Ironwood upgrade nears mainnet activation • Hackers hijacked Brian Chesky's X account to push an AI-written crypto tokenization thread