A cracked smartphone screen with a wallet icon
Crypto

CertiK: H1 crypto losses fell to $1.32B, but Q2 hacks re-accelerated

TRM Labs logged 207 incidents in H1, while Q2 losses hit $807.5M and wallet compromises led the damage.

By AI News Crypto Editorial Team4 min read

Crypto losses totaled $1.32 billion in H1 2026, down 46.8% year-on-year, but security firms warned the headline drop is a weak signal of improved safety. Losses re-accelerated in Q2 and incident counts hit a six-month record, keeping exploit pressure elevated for DeFi risk pricing.

Key Takeaways

  • H1 2026 crypto losses totaled $1.32 billion, a 46.8% year-on-year decline, but the comparison was skewed by a prior-year outlier.
  • Q2 losses rose 59% quarter-on-quarter to $807.5 million, with wallet compromises overtaking other attack vectors.
  • More than 70% of Q2 losses were tied to the KelpDAO and Drift Protocol incidents, which were believed to be linked to North Korean state-sponsored hackers.
  • Incident frequency climbed sharply in H1: TRM Labs counted 207 events, with smart-contract exploits making up 125 incidents (60%).

The 46.8% YoY Drop: Why CertiK Says the Headline Is Misleading

CertiK pegged total crypto losses at $1.32 billion for the first half of 2026, down 46.8% year-on-year. The firm’s warning was straightforward: the year-on-year comparison flatters the current period because the prior-year window was distorted by the $1.4 billion Bybit hack, described as the largest crypto exploit in history.

CertiK’s framing was explicit. “A headline reading of ‘losses down nearly 50%’ would suggest a meaningfully safer ecosystem. The data does not support that conclusion,” the firm said. The practical implication for traders is that aggregate dollars stolen can fall without any meaningful reduction in attacker capability, especially when the baseline includes a single record-sized theft.

Q2 Re-Acceleration: $807.5M Losses and Wallet Compromises Take the Lead

The quarter-on-quarter tape moved the other direction. CertiK put Q2 2026 losses at $807.5 million, up 59% from Q1. In Q1, phishing drove the bulk of losses and totaled $508.2 million, underscoring that social engineering remained a dominant driver early in the year.

In Q2, wallet compromises became the biggest attack vector. That shift matters because a wallet compromise implies the attacker gained control of keys or the signing process and can move funds without authorization. CertiK also pointed to concentration risk inside the quarter: more than 70% of Q2 losses came from the KelpDAO and Drift Protocol incidents, which were believed to have been carried out by North Korean state-sponsored hackers.

The North Korea linkage remains probabilistic in the available details, but it keeps state-sponsored theft in the risk set. TRM Labs estimated in April that North Korean hackers have stolen more than $6 billion in crypto since 2017.

TRM’s Record Incident Count: 207 Events and Smart-Contract Exploits at 60%

TRM Labs’ H1 2026 report added a second, more structural datapoint: incident count. TRM found the number of incidents more than doubled from 83 to 207 in H1 2026, the highest it has recorded for any six-month period.

By category, smart-contract exploits accounted for 125 incidents, or 60% of the total. Even if the dollar totals are lower than last year’s outlier-skewed period, the frequency data argues the attack surface is broader, not shrinking. TRM’s conclusion matched CertiK’s caution: the “decline in total dollars stolen should not be mistaken for a safer environment,” and “The lower total reflects the absence of another record setting theft, not a reduction in attacker capability.”

What Traders and Protocol Teams Should Track Next in Wallet and Key-Management Risk

The next quarter’s breakdown will matter more than the H1 headline. One key test is whether wallet compromises remain the top attack vector in Q3, or whether losses revert toward phishing-heavy patterns like Q1.

Traders and protocol teams also have a live geopolitical variable. The KelpDAO and Drift Protocol incidents triggered a late-June meeting between US, Japanese, and South Korean authorities focused on mitigating North Korea’s malicious cyber activity and illicit revenue generation. Any official attribution, sanctions, or enforcement actions tied to those incidents would tighten the macro overhang around DeFi exploit risk.

On the defensive side, CertiK called private keys and multisignature wallet management the “most consequential security surface.” It urged hardening key management with hardware security, tighter multisig governance, and geographic distribution of signers. For individuals, hardware wallet providers such as Ledger have long warned users to store seed phrases offline and never share them, a baseline control against phishing.

The Market Signal Is Concentration Risk, Not Comfort From Lower Totals

The year-on-year drop reads clean on a chart, but I treat it as a weak safety signal because it is anchored to an outlier event, not a proven deterioration in attacker capability. The more actionable information is in the Q2 re-acceleration and the shift toward wallet compromises, which puts custody, signer hygiene, and operational security back at the center of near-term risk.

The threshold that matters is whether incident counts stay elevated at anything like H1’s 207 pace while wallet compromises remain the dominant loss driver. If that holds, the setup starts to look structural rather than narrative-driven, and protocols that cannot credibly harden key-management workflows will keep paying a liquidity and valuation tax in the form of persistent tail-risk pricing.

Sources

CertiK: H1 crypto losses fell to $1.32B, but Q2 hacks