LONDON, July 5, 2026
Crypto hackers carried out a record 207 attacks in the first half of 2026, according to TRM Labs, even as total stolen funds fell to about $972 million in a new sign that the industry’s security problem is spreading beyond a few giant exploits.
The numbers show a split market for crypto risk. More projects are being hit, but the largest dollar losses are still coming from key management, custody, signing infrastructure and other operational systems that control who can move funds.
Market snapshot: TRM Labs said H1 losses fell from roughly $2.3 billion a year earlier to $972 million, while incidents rose from 83 to 207. DefiLlama’s hacks database showed about $16.66 billion in total value hacked across DeFi and crypto exploits when checked by Daily Crypto Briefs on July 5. Bitcoin traded near $62,645, and the Crypto Fear and Greed Index stood at 23, or Extreme Fear.
Bitcoin
BTCTRM attributed roughly $643 million, or about 66% of H1 crypto hack losses, to North Korea-linked activity. The firm said the lower total should not be read as a safer environment, because a single major infrastructure breach can still define the year.
That framing is important after a month of security-heavy crypto headlines. Daily Crypto Briefs covered the patched Aptos bug that raised a $70 billion systemic-risk estimate and earlier tracked more than $605 million in crypto platform attacks. TRM’s new half-year data turns those individual incidents into a broader pattern.
The next question is whether security teams respond to the pattern or keep treating each exploit as an isolated code failure. The data suggests audits still matter, but private keys, approval flows and emergency response are now the places where losses become catastrophic.
Crypto Hacks Hit 207 Incidents
TRM said attackers carried out 207 hacks in H1 2026, the highest six-month total the blockchain intelligence firm has recorded. That more than doubled the 83 incidents it counted in the first half of 2025.
The counterintuitive part is that total stolen value fell by more than half. H1 2025 produced about $2.3 billion in losses, while H1 2026 produced about $972 million.
That does not mean attackers pulled back. It means the attack surface widened while fewer incidents reached the scale of last year’s largest thefts. TRM said Q2 set a record with 123 incidents after a record-setting first quarter, showing steady pressure across the half rather than one abnormal month.
Smart contract exploits were still the most common attack type. TRM counted 125 smart contract exploit incidents in the 207 total, and said many attacks now combine multiple manipulations instead of relying on one obvious coding mistake.
For users, that changes how hack headlines should be read. A rising incident count can hurt confidence even when each individual loss is smaller. The same dynamic appeared in Daily Crypto Briefs’ coverage of Aztec legacy contracts losing $4.4 million, where the problem was not the newest product but old code that still held value.
North Korea Drove Most Losses
The largest dollar losses were not evenly distributed. TRM assessed that North Korea-linked activity accounted for about $643 million of the $972 million stolen in H1 2026.
Nearly all of that came from two April operations. TRM put the Drift Protocol breach at about $285 million and the KelpDAO exploit at about $292 million, together representing roughly $577 million.
The concentration matters because it shows how quickly the industry’s loss profile can change. A few successful operations against large targets can outweigh more than 100 smaller smart contract exploits.
It also keeps state-linked cyber activity at the center of crypto market risk. Chainalysis said North Korean hackers stole $2.02 billion in cryptocurrency in 2025, pushing their all-time total to $6.75 billion and showing that the 2026 figures are part of a multi-year trend rather than a one-off spike.
The broader compliance problem is laundering. TRM said stolen assets from the largest thefts typically move through cross-chain bridges and no-KYC swap services before reaching exchanges, which means first-hop screening alone can miss funds after they are routed through several layers.
That puts exchanges and DeFi protocols in the same response chain. If attacker addresses are shared late, frozen late or screened only at the first transfer, the money can move faster than investigation teams can coordinate.
Private Keys Are the Real Blast Radius
The clearest lesson from the H1 report is that smart contracts are not the only control surface that matters. TRM said infrastructure and operational compromises represented about 15% of incidents but roughly 76% of funds stolen.
Those attacks target credentials, signing infrastructure, approval workflows and custody systems. In plain terms, attackers do not need to break a protocol’s math if they can trick or compromise the systems authorized to move the treasury.
CoinDesk reported last week that about 40% of roughly $16.69 billion in historical crypto hack losses were tied to stolen private keys rather than direct flaws in blockchain or smart contract code. That supports TRM’s newer point: the weak link is often operational security around the assets.
The pattern is visible across recent cases. The Humanity Protocol exploit turned compromised control into a market event, while smaller legacy-contract incidents showed that old code and forgotten balances can stay dangerous long after the main product has moved on.
For DeFi teams, the practical read is not to choose between code audits and operational security. Audits remain necessary because smart contract exploits are frequent. The highest-impact losses now require equal attention to hardware-backed signing, multi-party approvals, withdrawal limits, bridge monitoring and incident-response drills.
Market sentiment leaves little room for ambiguity. Alternative.me showed Extreme Fear at 23 on July 5, and security uncertainty can intensify selling when liquidity is already thin.
Fear & Greed Index
July 5, 2026The next checks are whether July incident counts keep rising, whether any of the H1 stolen funds hit major exchanges, and whether protocols disclose stronger controls around keys and signing workflows. Until then, TRM’s confirmed message is narrow but uncomfortable: crypto lost less money than last year, but more systems were breached.
Stay up to date
Get the latest crypto insights delivered to your inbox
Primary sources and further reading
| Source | Title |
|---|---|
| | TRM Labs: H1 2026 crypto hacks reach record high |
| | DefiLlama: DeFi hacks and exploits database |
| | CoinDesk: private keys and crypto hack losses |
| | Chainalysis: 2025 crypto theft and North Korea |
| | Alternative.me: Crypto Fear and Greed Index |
Fact-checked by: Daily Crypto Briefs Fact-Check Desk
Related Articles
Frequently Asked Questions
How many crypto hacks happened in H1 2026?
TRM Labs said attackers carried out 207 crypto hacks in the first half of 2026, the highest six-month count in its dataset.
How much was stolen in crypto hacks in H1 2026?
TRM Labs put H1 2026 crypto hack losses at about $972 million, less than half the roughly $2.3 billion stolen in the first half of 2025.
Were smart contracts the biggest crypto hack risk?
Smart contract exploits were the most common incident type, but TRM said infrastructure and operational compromises caused about 76% of stolen value.
How much did North Korea-linked hackers steal in H1 2026?
TRM assessed about $643 million, or roughly 66% of H1 2026 crypto hack losses, as attributable to North Korea-linked activity.
What should DeFi teams watch after the TRM report?
The key checks are private-key controls, signing workflows, bridge monitoring, treasury approvals, incident response speed and whether smaller smart contract exploits keep rising.



