Crypto thieves stole about $1.32 billion in the first half of 2026, according to CertiK's Hack3D report, across 344 separate incidents. That is a 47% drop from the $2.47 billion lost in the first half of 2025, but CertiK's central warning is that the headline number is misleading. Almost the entire decline is explained by one outlier: last year's $1.45 billion Bybit theft. Strip that out and losses are running roughly 28% higher year over year. The security picture has not improved. In several ways it has gotten worse, and the biggest thefts of the year were not clever code exploits at all.
- $1.32 billion lost across 344 incidents in H1 2026, about $1.2 billion net after recoveries; adjusted for the Bybit outlier, losses are up ~28% year over year.
- Wallet compromise was the costliest vector at $444.5 million across just 33 incidents, an average of more than $13 million each; phishing followed at $366.3 million.
- Code vulnerabilities were the most frequent but least lucrative: 204 incidents for $152 million, increasingly targeting contracts more than a year old.
- The two largest thefts, Kelp DAO ($291M) and Drift Protocol ($285M), were infrastructure failures, not smart-contract bugs, and bear the marks of North Korean state hackers.
What did CertiK's H1 2026 report find?
CertiK, a blockchain security firm that audits smart contracts and tracks on-chain thefts, logged $1,315,676,432 in losses across 344 incidents in the first six months of 2026. After funds returned by white-hat negotiations and protocol recoveries, the net figure sits near $1.2 billion. On the surface that reads like progress, a nearly 47% fall from H1 2025. But CertiK is blunt that the comparison is distorted by a single event, the $1.45 billion Bybit exchange hack that dominated early 2025. Remove that one incident and the underlying trend reverses: comparable losses are up about 28%. The industry, CertiK writes, is absorbing a structurally higher rate of attack activity than a year ago.
RelatedAssuranceAmerica Breach Hit 6.9M Driver's Licenses
Why is a 47% drop actually bad news?
Because the composition got worse even as the total fell. In the second quarter alone, losses jumped 59% from the first quarter to $807.5 million. And the attacks are becoming fewer but far more surgical. Phishing is the clearest example: incident volume dropped 52% year over year, yet phishing losses fell only 11%, because four targeted operations accounted for roughly 85% of all phishing theft in the period. Attackers are running fewer, more precise campaigns against higher-value targets and getting more money per hit. A falling incident count with a rising loss-per-incident is not a sign of a safer ecosystem. It is a sign of professionalization.
Where did the money actually go?
Not into exotic smart-contract exploits. Wallet compromise was the single costliest attack vector at $444.5 million across just 33 incidents, an average of more than $13 million each. Phishing was second at $366.3 million across 63 incidents. Code vulnerabilities, the thing most people picture when they hear "crypto hack," were the most frequent category with 204 incidents but produced only $152 million in losses, the lowest average per hit of the major vectors. The uncomfortable takeaway is that the crypto industry's biggest security surface is not its code, it is the private keys and the humans who hold them.
There is a worrying wrinkle inside the code-vulnerability data too: a growing share of those exploits target contracts more than a year old. Monthly incidents in that legacy cohort climbed from 7 in October 2025 to 18 in May 2026. Attackers are systematically revisiting old, deployed codebases that nobody is actively maintaining, looking for flaws that were always there.
Are AI tools making crypto hacks worse?
CertiK flags AI as an emerging risk rather than a top-line loss driver so far, and that nuance matters. The report highlights AI agents with wallet access as a growing exposure: as autonomous agents start holding keys and moving funds, they become a new class of target, and CertiK has launched a Skill Scanner product to vet third-party AI skills before they execute. Separately, security researchers warn that AI tooling is lowering the cost of the reconnaissance phase, letting attackers scan thousands of contracts in minutes to hunt for dormant flaws. That aligns exactly with the legacy-code trend in CertiK's numbers. The AI angle is not yet a line item in the losses, but it is quietly making the cheapest part of an attack, finding a target, nearly free.
Who is behind the biggest thefts?
The two defining incidents of the half, the Kelp DAO RPC compromise ($291 million) and the Drift Protocol breach ($285 million), both landed in April and together accounted for nearly 44% of all H1 losses. Neither was a smart-contract bug. Both were failures of operational and infrastructure security, the kind of compromise that comes from stolen credentials and poisoned deployment pipelines rather than flawed code. More than 70% of second-quarter losses trace to these two events, and CertiK says the Drift breach bears characteristics consistent with prior Lazarus Group operations, the North Korean state-sponsored crew, though it stopped short of formal attribution. State actors chasing nine-figure sums through infrastructure, not contracts, is the defining threat of the year.
RelatedCisco UCM SSRF Flaw CVE-2026-20230 Is Under Active Attack
What should builders and users do?
CertiK's own recommendation is unusually specific: focus defenses on private-key and multi-signature wallet management, which it calls the most consequential security surface for attackers to exploit. For protocol teams that means treating deployment infrastructure, RPC endpoints and admin keys as the primary attack surface, not just the contract code an auditor reviews. For individuals it means the boring advice remains the correct advice: hardware wallets, verified transaction signing, and deep suspicion of any interface asking you to connect and approve. The vectors that took the most money this year are the ones a code audit never touches. We track named exploits and their status on our CVE & exploit watchlist.
- Infrastructure over code. If Q3 repeats Q2, the next nine-figure loss is far likelier to be a key or RPC compromise than a contract bug.
- Legacy-contract sweeps. The rising attacks on year-old contracts suggest a systematic campaign; unmaintained protocols are the soft targets.
- AI-agent wallets. As agents gain spending authority, expect the first major theft that routes through a compromised autonomous agent.
- North Korean tempo. With Lazarus-linked crews taking 70% of Q2 losses, sanctions and exchange freezes are the only real brake.
Our take
This report is a useful antidote to a comforting headline. "Crypto hacks down 47%" is technically true and almost entirely wrong as a takeaway. The Bybit hack was a once-in-a-cycle event, and pretending the year improved because it did not recur ignores that everything underneath got more dangerous: bigger average hits, more professional phishing, state actors owning the leaderboard, and attackers now mining old code with cheap AI reconnaissance. The single most important sentence in the whole report is that the biggest losses came from operational and infrastructure failures, not smart-contract bugs. The industry has spent years auditing code while the money walked out through the keys. That is the gap that needs closing.
- OfficialCertiK: Hack3D H1 2026 Report , the full dataset and methodology.
- ReleaseGlobeNewswire , CertiK's headline figures and vector breakdown.
- ReportForbes , CertiK CEO on "fewer but far more surgical" attacks.
- DataGENZ TECH: CVE & exploit watchlist , tracked vulnerabilities and their exploit status.
Original analysis by GenZTech. Reporting drawn from CertiK and Forbes.
