The crypto industry lost $1.32 billion in the first half of 2026: what lies behind the numbers

In the first six months of 2026, the crypto industry lost $1.32 billion due to security incidents. At first glance, this is 46.8% less than in the same period in 2025. However, this statistic is misleading: if we exclude the historic $1.4 billion Bybit hack, the reduction in losses would be minimal, and the actual damage for the half-year would have been approximately 28% higher than a year earlier.
Quarterly Dynamics: Attacks Become More Expensive
In the second quarter of 2026, losses increased by 59% compared to the first quarter, reaching $807.5 million. Two attacks—on the KelpDAO and Drift Protocol protocols—made the main contribution to this growth. They accounted for more than 70% of the quarterly damage. Notably, attackers' methods have evolved: while phishing dominated in the first quarter, the second quarter saw wallet compromise, often combined with social engineering and the hijacking of administrative procedures.
Threat Structure: Infrastructure Under Attack
Analysis shows that, despite the increase in the number of incidents (207 cases over the half-year—a record for this period), the majority of losses come from a small number of large attacks. About 15% of incidents related to infrastructure and operational compromises accounted for approximately 76% of all losses. This refers to the theft of private keys, credentials, and the hacking of transaction signing systems.
The North Korean Trail and Geopolitics
According to TRM Labs estimates, groups linked to North Korea are responsible for stealing approximately $643 million, or about 66% of all stolen funds in the first half of 2026. According to CertiK, it is North Korean hackers who are behind the attacks on KelpDAO and Drift Protocol. This confirms that cryptocurrencies remain a key tool for funding Pyongyang's programs, including the development of weapons of mass destruction. At the end of June, delegations from the US, Japan, and South Korea discussed strengthening coordination in Washington to counter this threat.
My professional opinion: The figures for the first half of 2026 are a wake-up call for the entire industry. We see that attackers have shifted from mass but less effective attacks to targeted, high-yield operations. Without a radical strengthening of hardware infrastructure protection, signature management, and fund access procedures, the trend of increasing average damage per incident will continue. I recommend that projects prioritize the security of private keys and the distribution of signatories across different jurisdictions.