
Dragonfly’s Qureshi says AI hasn’t sparked a DeFi “hackpocalypse”
He points to a 2026 median hack size below $500,000 despite record incident counts and lingering outlier-driven loss spikes.
Dragonfly managing partner Haseeb Qureshi said fears that AI would trigger a DeFi “hackpocalypse” have not materialized, even as hack incident counts reached a record high. He argued 2026’s typical exploit is smaller than 2025’s, while security datasets still show the market remains exposed to large, concentrated loss events.
Key Takeaways
- DeFi hack incident counts hit a record high in 2026, but the median hack size fell below $500,000 versus over $2 million in 2025.
- Haseeb Qureshi said the feared AI-driven DeFi “hackpocalypse” has not materialized, framing the data as a false alarm.
- Outlier months still dominate headline totals, including February 2025’s Bybit-driven spike and April 2026’s Drift Protocol and KelpDAO exploits.
- OpenZeppelin founder Manuel Aráoz called “all of DeFi unsafe,” arguing AI coding agents are improving at finding smart contract vulnerabilities.
Qureshi: AI Didn’t Deliver the DeFi “Hackpocalypse”
Qureshi’s core claim is straightforward: AI tools have not translated into a wave of catastrophic DeFi exploits. The data point he leaned on is the split between frequency and severity. Hack incident counts have climbed to a record high in 2026, but the median hack size has dipped below $500,000, down from over $2 million in 2025.
That combination matters because it describes a market where the “typical” exploit is smaller even as the tape prints more incidents. It also sets up the central disagreement. Qureshi reads the numbers as evidence that AI hasn’t meaningfully increased attackers’ ability to land large wins against the parts of DeFi that matter most for systemic risk.
Median Losses Down, But Incident Counts Up: What the 2026 Mix Suggests
For traders, median is the cleaner signal than totals. A few giant events can swamp year-on-year comparisons, while the median better captures what LPs, perps venues, and on-chain yield strategies are likely to face on an average day.
Qureshi explicitly argued that if outlier months are excluded, 2026 still shows less value hacked per month than 2025. The outliers he named are the February 2025 Bybit hack and the April 2026 Drift Protocol and KelpDAO exploits.
The catch is that “less value hacked per month” is directionally informative but not fully auditable from the excerpt alone. No monthly table, no outlier-excluded averages, and no definition for the “record high” incident count were provided. That leaves traders with a plausible regime shift narrative, but incomplete sizing on how structural it is.
Attackers Shift to “Small Protocols and Abandonware,” While Majors Fortify
Qureshi’s explanation for the smaller median is a targeting shift. He said AI-enabled attackers are focusing on “small protocols and abandonware,” while “larger DeFi protocols have fortified themselves” against AI’s threat.
If that’s right, the risk surface becomes more dispersed. The largest venues may be harder to crack, but the long tail becomes a steady source of smaller losses and sudden liquidity shocks. That is a different kind of tradable risk than a single mega-exploit. It shows up as repeated idiosyncratic drawdowns, rushed de-risking, and collateral haircuts across smaller tokens and pools.
The counterweight is the security view that tooling progress still raises baseline danger. OpenZeppelin founder Manuel Aráoz said he considers “all of DeFi unsafe,” pointing to AI coding agents getting better at identifying smart contract vulnerabilities.
Numbers That Still Bite: Bybit, April 2026 Losses, and North Korea-Linked Concentration
Broader datasets still print uncomfortable totals. DefiLlama data showed April 2026 losses around $644 million across centralized platforms, wallet compromises, phishing, and DeFi exploits. The prior comparable peak referenced was February 2025, when monthly losses hit $1.46 billion after the $1.4 billion Bybit hack.
CertiK reported H1 2026 hack losses fell 46.8% year-on-year to $1.32 billion, while cautioning that lower headline losses do not necessarily mean the industry is safer. CertiK also noted 2025’s base was skewed by the Bybit event.
Concentration is the other tail-risk signal. CertiK said over 70% of Q2 2026 losses came from the KelpDAO and Drift Protocol exploits, largely attributed to North Korean state-sponsored hackers. TRM Labs estimated in April that North Korean hackers have stolen more than $6 billion since 2017.
The forward test is whether the “smaller typical losses” pattern survives another outlier month. A print near or above DefiLlama’s ~$644 million April 2026 figure would challenge the median-driven comfort story. Traders also need the next CertiK-style quarterly breakdown to see if losses remain concentrated in a handful of incidents, plus any new public attribution or enforcement actions tied to Drift and KelpDAO. The threshold that matters for regime is whether the median stays below $500,000 through the rest of 2026 or reverts toward 2025’s >$2 million.
The Tradeable Read Is Dispersion—Smaller Typical Hits, Fatter Tail Risk
I don’t read this as “DeFi is safe now.” I read it as a dispersion regime: more incidents, smaller median damage, and a fat tail where a couple of months can still rewrite the year’s PnL. That’s consistent with Qureshi’s “small protocols and abandonware” framing and with CertiK’s warning that lower totals can be a mirage when the distribution is dominated by rare monsters.
The real test is whether the market can go multiple quarters without another outlier month and without losses re-concentrating into a couple of incidents attributed to state-linked actors. If the sub-$500,000 median holds while quarterly loss share stays diversified, the setup starts to look structural rather than narrative-driven, and that would matter because it changes how traders price smart-contract risk across the long tail versus the majors.