Q2 2026: Crypto’s Most Active Hack Quarter on Record

The numbers are striking for the wrong reason. The second quarter of 2026 logged between 83 and 85 protocol exploits in the crypto industry. The exact figure varies across datasets, but every source agrees it is the highest quarterly incident count in the crypto industry’s history. Total losses came to roughly $775 million.

That sounds enormous until it is compared with Q4 2020’s $3.56 billion, which still holds the dollar record. What Q2 2026 broke was not the amount stolen, but the frequency of attacks. During the quarter alone, the industry averaged almost one hack per day.

Since January, 121 protocols or platforms have been targeted, with cumulative 2026 losses approaching $942 million. These hacks are adding to the already massive losses that the crypto heatmap has been recording in recent months.

Strip away the smaller incidents and Q2 2026 is essentially a tale of two heists, with the same state sponsor behind both. On April 1, Drift Protocol (Solana’s largest decentralized perpetual exchange) lost approximately $285 million in roughly twelve minutes. No smart contract bug was involved. 

TRM Labs traced a six-month social engineering campaign in which Lazarus Group operators posed as a legitimate trading firm, attended crypto conferences in person, and ultimately compromised the signing keys used by the protocol’s Security Council multisig. On-chain pre-attack staging began as early as March 11 with a Tornado Cash withdrawal.

On April 18, KelpDAO lost roughly $292 million in rsETH tokens via a LayerZero bridge compromise. North Korea’s TraderTraitor subunit hacked two RPC nodes feeding data to LayerZero’s verifier, injected false transaction data while maintaining honest responses to monitoring systems, then DDoSed the legitimate nodes to force a failover. 

Once the verifier approved the fabricated cross-chain message, $290 million in unbacked rsETH was released. The malware then self-destructed.

LayerZero attributed partial responsibility to KelpDAO’s use of a 1-of-1 verifier configuration β€” a setup it had previously warned against and has since refused to sign messages for in any application running it. Together, the two attacks account for 76% of all crypto hack losses worldwide through April 2026, according to TRM Labs.

The structural problem audits cannot fix

Three of the four largest exploits of 2026 involved no flawed Solidity code. Attackers went after people, governance processes, and bridge infrastructure. 

As Gauntlet’s head of security noted after the KelpDAO breach: “DeFi and on-chain asset management operate in a highly adversarial environment. Systems are only as secure as their weakest links.” Smart contract audits, which absorb most security budgets, would not have stopped either April attack.

Total value locked in DeFi fell from $115 billion in January to roughly $70 billion by the end of June: a 39% contraction. Part of that is mechanical: Bitcoin is down 28%, while Ethereum price has fallen 43% since January 1, so much of the dollar-denominated TVL evaporated with asset prices.Β 

But the surge in hack frequency also accelerated withdrawals. After the KelpDAO breach, Aave’s TVL shed $8.45 billion in two days. Among the top ten DeFi chains by TVL, only Tron (+5%) and Hyperliquid (+6.7%) are in positive territory year-to-date.

G7 leaders meeting in Γ‰vian linked crypto theft explicitly to nuclear and ballistic missile financing for the second year running. Their communiquΓ© called on member states to “jointly address North Korea’s cryptocurrency thefts and cybercrime.” 

North Korean actors have stolen an estimated $6.75 billion in crypto since 2017, per Chainalysis figures cited at the summit. No operational measures followed: no new sanctions, no exchange screening mandates, and no action against THORChain, which processed the bulk of KelpDAO’s laundered proceeds. The declaration is political. The threat is not.