Crypto hacks hit record high; operational failures drive losses
TRM Labs recorded 207 crypto hacks in H1 2026, a six-month high, with $972 million stolen. Most losses came from operational failures such as compromised keys and signing systems.
TRM Labs’ H1 2026 review found 207 reported crypto hacks in the first half of 2026, the most attacks the firm has recorded in any six-month period. Total stolen value in the period was about $972 million.
Incidents rose from 83 in H1 2025 to 207 in H1 2026. The second quarter produced 123 events after a record first quarter. Smart-contract exploits accounted for 125 of the 207 incidents.
The report put the median theft at about $219,000 and the mean at $4.7 million, indicating a small number of large incidents drive overall losses. Infrastructure and operational compromises made up roughly 15% of incidents but accounted for about 76% of stolen value.
Activity linked to North Korean actors accounted for roughly $643 million, or about 66% of funds taken in H1 2026, down from about $1.7 billion in H1 2025. Nearly all of the H1 2026 total came from two April operations that targeted operational controls: losses at Drift were estimated at about $285 million and at KelpDAO about $292 million, for a combined sum near $577 million.
The review identified compromised private keys, signing infrastructure, approval workflows and custody controls as the operational weaknesses exploited in those attacks rather than flaws in smart-contract code alone.
TRM listed operational controls to reduce risk, including stronger key management and hardware-backed signing, multi-party approval for large transfers, limits on privileged access, continuous monitoring of developer devices, deeper vendor reviews and rehearsed incident-response plans. The report also recommended treasury plans that assume an infrastructure compromise.
The report notes attackers often move stolen assets across cross-chain bridges and through no-KYC swap services before funds reach exchanges, which can make first-hop screening insufficient. Faster sharing of wallet intelligence, multi-hop transaction monitoring and closer coordination among protocols, exchanges, stablecoin issuers, analytics firms and law enforcement were recommended to improve the chance of freezing or tracing stolen funds.
TRM cautioned that the lower aggregate theft total in H1 2026 compared with H1 2025 reflects the absence of a single very large outlier in 2026, not a decline in attacker capability. The report concluded future large losses are more likely to stem from operational and human failures and advised teams to rebalance security measures to address systems that govern movement of funds.








