Crypto hack counts just set a record. The warning in TRM Labs’ latest data is where the money is actually being lost.
In its H1 2026 crypto hack review, TRM Labs said attackers carried out 207 separate hacks in the first half of the year, the most the firm has recorded in any six-month period.
Yet total losses fell to $972 million, less than half the $2.3 billion stolen during the first half of 2025.
That split changes the security story. More protocols, tokens, and decentralized applications are being hit, but the losses that still define the year are concentrated in operational systems: keys, custody, signing infrastructure, approval flows, and other controls around the code rather than the code alone.
For DeFi teams, smart-contract audits remain important because smart-contract exploits accounted for most incidents. The losses that can erase hundreds of millions of dollars increasingly come from systems that decide who can move funds, how signatures are approved, and how infrastructure around a protocol is trusted.


More incidents, smaller typical losses
TRM said the number of hacks more than doubled from 83 incidents in H1 2025 to 207 in H1 2026. Q2 alone produced 123 incidents, after a record-setting first quarter.
Most of that increase came from smart-contract exploits, which accounted for 125 of the 207 incidents.
The typical loss, however, was much smaller than the headline total suggests. TRM put the median hack at about $219,000, while the mean was $4.7 million.
That gap shows how a few very large incidents can dominate aggregate losses, even as the day-to-day threat environment becomes more crowded with smaller exploit attempts.
The result is a split security picture. On the one hand, DeFi is still dealing with code-level vulnerabilities, complex protocol logic, and multi-step manipulations that lead to frequent losses.
On the other hand, the biggest damage is coming from failures in the systems that hold or authorize control of funds.
TRM said infrastructure and operational compromises accounted for only about 15% of incidents in H1 2026 but roughly 76% of stolen value.
That ratio turns the report from a hack-count story into a security-priority story.
If a protocol treats audits as the whole security program, it is defending only part of the risk. An attacker can skip the core contract by compromising a signer, manipulating a bridge validation path, poisoning an operational dependency, or obtaining approval for a malicious transfer.
The clearest example is the concentration of North Korea-linked activity. TRM assesses that about $643 million, or roughly 66% of all funds stolen in H1 2026, was attributable to North Korea-linked activity.
That figure was down from about $1.7 billion in the first half of 2025, but it still made North Korea-linked actors the largest source of stolen value in the period.
Nearly all of that H1 2026 total came from two April operations involving Drift Protocol and KelpDAO. TRM put the Drift loss at roughly $285 million and KelpDAO at roughly $292 million, for a combined total near $577 million.
Those incidents reflected the same broader pattern: attackers targeted the infrastructure and human layers around DeFi systems rather than simply hammering at core smart contracts.
That distinction matters because North Korea-linked operations are more than another exploit category. They combine technical intrusion, social engineering, operational patience, laundering infrastructure, and state-directed financial goals.
A single successful operation can outweigh months of smaller non-state exploits.
TRM’s warning is that the lower dollar total in H1 2026 reflects the absence of another theft on the scale of 2025’s largest attacks, not a reduction in attacker capability.
In other words, the aggregate number fell because the biggest outlier was smaller, while the class of risk that creates outliers remains unresolved.
That makes the next large loss less likely to look like a simple bug report. It is more likely to expose a weak approval process, a compromised private key, a signer that could be socially engineered, a vendor or infrastructure dependency that was trusted too broadly, or a response plan that moved too slowly once funds began crossing chains.
Audits need an operational layer
Smart-contract work remains important, but it needs controls around the systems that move funds. TRM says code exploits remain the most common incident type, and DeFi protocols still need audits, formal review, monitoring, and incentives for disclosure.
The change is that audits cannot be the ceiling of the security program.
The controls that matter most for catastrophic loss sit around asset movement. TRM specifically pointed to key management, signing infrastructure, approval workflows, and custody as areas requiring greater attention.
These are operational disciplines as much as technical ones.
A hardened protocol now needs to know who can initiate large transfers, who can approve them, which devices and repositories can touch signing paths, how governance changes are delayed or challenged, and what happens if a trusted operator, contributor, or vendor account is compromised.
A static audit report cannot answer those questions after the operational environment changes.
That is why recent CryptoSlate security coverage has kept returning to the same theme: operational security, signing practices, governance, bridge validation, and infrastructure controls are becoming part of the industry’s policy-facing defense posture.
A separate CryptoSlate analysis warned that DeFi’s older exploit patterns may be fading, but newer risks can travel across chains and infrastructure layers when protocols reuse systems or trust assumptions too broadly.
For security teams, the next budget discussion should therefore cover more than another audit cycle.
It should include hardware-backed signing, multi-party approval for large transfers, limits on privileged access, monitored developer devices, stronger vendor review, tested incident-response playbooks, and treasury planning for a worst-case infrastructure compromise rather than an average exploit.
The same shift affects exchanges, custodians, and financial institutions that may never be the initial target. TRM said stolen assets often move through cross-chain bridges and no-KYC swap services before reaching exchanges.
That makes first-hop screening inadequate when attackers can quickly move value across chains and services.
Multi-hop transaction monitoring, faster wallet intelligence sharing, and coordination between protocols, exchanges, stablecoin issuers, analytics firms, and law enforcement become part of the security stack.
TRM pointed to information-sharing networks as one answer because response time can determine whether stolen funds are frozen, traced, or laundered beyond easy recovery.
For protocols, this creates a second operational burden. The security plan has to assume that prevention can fail.
It must define who can pause systems, who can contact counterparties, how attacker addresses are distributed, and which transfer paths are watched in the first minutes after detection.
That is the real meaning of TRM’s H1 2026 data. Crypto experienced more hacks and fewer losses, but it also exposed a split between the rising volume of smaller smart-contract incidents and the concentrated operational compromises that still set the industry’s loss profile.
The next test is whether DeFi teams and custodians treat that split as a reason to rebalance security priorities.
If the biggest losses continue to stem from compromised keys, signing workflows, custody systems, and infrastructure dependencies, catastrophic risk will fall only when the movement of funds becomes harder to compromise, slower to abuse, and easier to interrupt once an attacker is inside.





