Web3

Crypto Hacks Fell 47% in H1 but Ecosystem Is No Safer: CertiK

CertiK reports crypto losses fell 46.8% year-on-year to $1.32 billion in H1 2026, but warns attacks are becoming more targeted and financially destructive, with North Korean hackers behind more than 70% of Q2 losses.

⏱ 3 min read Web3
Quick Summary
  • Crypto losses fell 46.8% year-on-year to $1.32 billion in H1 2026, but CertiK warns the drop is misleading due to the prior year's $1.4 billion Bybit hack distorting the baseline.
  • Q2 losses surged 59% quarter-on-quarter to $807.5 million, with over 70% attributable to the KelpDAO and Drift Protocol hacks linked to North Korean state-sponsored hackers.
  • TRM Labs recorded 207 hack incidents in H1 2026, more than double the prior year's 83, with smart contract exploits making up 60% of all cases.

Crypto losses dropped 46.8% year-on-year to $1.32 billion across the first half of 2026, but blockchain security firm CertiK is warning that the headline decline masks a far more dangerous reality. Attackers are growing more sophisticated, more targeted, and more financially destructive per incident.

Q1 Phishing, Q2 Wallet Carnage

The two quarters told starkly different stories. Phishing attacks dominated the first quarter, generating $508.2 million in losses. In the second quarter, wallet compromises became the biggest attack vector, with total Q2 losses reaching $807.5 million, a 59% quarter-on-quarter jump, CertiK said in a report.

More than 70% of Q2 losses traced back to just two incidents: the KelpDAO exploit and the Drift Protocol hack, both attributed to North Korean state-sponsored hackers. The scale of these two events alone skewed the quarterly totals dramatically.

Bybit Effect Distorts the Year-on-Year Comparison

CertiK cautioned against interpreting the year-on-year decline as evidence of a safer ecosystem. The firm explained that the comparison period was inflated by the $1.4 billion Bybit hack, the largest single crypto exploit ever recorded, making the current period look relatively benign by comparison.

‘A headline reading of losses down nearly 50% would suggest a meaningfully safer ecosystem. The data does not support that conclusion,’ CertiK said, adding that the industry is absorbing a ‘structurally higher rate of attack activity’ than in the prior year and that attacks are becoming ‘targeted and more financially destructive per event.’

TRM Labs, in its own H1 2026 report published the same week, arrived at a similar conclusion, stating that the ‘decline in total dollars stolen should not be mistaken for a safer environment.’ TRM added: ‘The lower total reflects the absence of another record setting theft, not a reduction in attacker capability.’

Incident Count Doubles

TRM Labs found that the total number of crypto hack incidents more than doubled from 83 in H1 of the prior year to 207 in H1 2026, the highest six-month incident count the firm has ever recorded. Smart contract exploits accounted for 125 of those incidents, representing approximately 60% of all cases.

North Korea Remains the Dominant Threat

The KelpDAO and Drift Protocol hacks, linked to North Korean operatives, even triggered a trilateral diplomatic response. US, Japanese, and South Korean authorities met late last month to coordinate efforts to counter North Korea’s cyber-enabled revenue generation. TRM Labs estimated that North Korean hackers have stolen more than $6 billion in crypto since 2017.

State officials acknowledged at that meeting that North Korean IT workers are increasingly deploying artificial intelligence to enhance the scale, speed, and sophistication of their operations, a development cybersecurity leaders say has materially elevated the threat level across DeFi protocols.

Private Key Management Identified as Critical Weakness

CertiK pointed to private key security and multisignature wallet governance as the ‘most consequential security surface’ available to attackers. The firm urged protocols and institutions holding significant onchain assets to reinforce every layer of private key management, including hardware security, multisig governance frameworks, and geographic distribution of signing authority across different physical locations.

CertiK described this as an area where security investment yields ‘asymmetric returns.’ Hardware wallet providers including Ledger have long advised users to store seed phrases offline and never share them as a baseline anti-phishing measure.

⚖️ Our Verdict 📉 Bearish Signal

Surging incident counts and North Korean state-sponsored attacks signal a structurally more dangerous crypto security environment despite lower headline loss figures.