Crypto losses from hacks and scams dropped in the first half of 2026, according to new figures cited by CertiK. In the period, overall losses fell 46.8% year-on-year to $1.32 billion—yet the
Crypto losses from hacks and scams dropped in the first half of 2026, according to new figures cited by CertiK. In the period, overall losses fell 46.8% year-on-year to $1.32 billion—yet the security firm argues the headline decline is deceptive, pointing to a shift toward more targeted and destructive attacks.
CertiK’s report breaks the half-year down by quarter: phishing drove $508.2 million in losses in Q1, while wallet compromises became the dominant threat in Q2 with $807.5 million attributed to that attack vector. The firm also highlighted that more than 70% of Q2 losses came from two major incidents—KelpDAO and Drift Protocol—events tied to North Korean state-sponsored hacking activity.
Key takeaways
- First-half 2026 crypto losses fell 46.8% year-on-year to $1.32 billion, but CertiK says the reduction does not indicate a safer ecosystem.
- Attack dynamics shifted: phishing dominated Q1 ($508.2M), while wallet compromises were the largest driver in Q2 ($807.5M).
- Over 70% of Q2 losses were linked to the KelpDAO and Drift Protocol hacks, which are believed to involve North Korean state-sponsored actors.
- CertiK warns attackers are becoming more “targeted and more financially destructive per event,” even if total dollars stolen appear lower.
- TRM Labs reported a sharp rise in the number of incidents in H1 2026 (83 to 207), reinforcing that volume—not just dollar totals—matters.
Why “losses down” may be the wrong signal
At first glance, the year-on-year decline looks encouraging. CertiK, however, cautions against interpreting the data as evidence that security has improved. The firm told Cointelegraph that a “headline reading” of losses down nearly 50% could mislead readers because the prior-year comparison was distorted by an exceptionally large theft.
CertiK specifically referenced the $1.4 billion Bybit hack as the type of outlier that can skew year-over-year comparisons. In the same reporting, CertiK noted that such comparisons can mask underlying changes in attacker behavior—particularly as threat actors adapt tactics and select targets more precisely.
This is where the firm’s analysis becomes investor- and operator-relevant: if the ecosystem is seeing fewer total dollars stolen but more attacks that are more damaging per incident, then risk is not actually decreasing. Traders may feel this first as volatility tied to exploit headlines, but the deeper impact lands on protocols, custodians, and institutions that must continually adjust defensive controls.
Phishing vs. wallet compromise: Q1 and Q2 split
CertiK’s quarterly breakdown shows how different attack categories shaped the first half of the year. In Q1, phishing was responsible for the bulk of losses, totaling $508.2 million. By Q2, the picture changed significantly: wallet compromises contributed $807.5 million, making that category the largest single driver of losses during the quarter.
For market participants and builders, that shift matters because it points to different failure modes. Phishing typically targets human behavior—seed phrases, approvals, and credentials—while wallet compromise often reflects deeper weaknesses around key custody, multisignature operations, signing procedures, and operational security. The change in the dominant vector suggests defenders cannot rely on improvements in one area alone; they have to treat the security stack as layered.
North Korean hacking remains central, and volume may be rising
CertiK’s report places disproportionate emphasis on state-linked activity during Q2. More than 70% of the losses in the quarter came from the KelpDAO and Drift Protocol hacks. Cointelegraph previously reported on both incidents, including coverage of KelpDAO being exploited and the Drift Protocol hack raising questions about the protocol’s response.
Beyond the immediate losses, the incidents also intersect with government-level discussion. The attacks reportedly even prompted a late-month meeting between US, Japanese and South Korean authorities focused on mitigating North Korea’s cyber activity and illicit revenue generation. Officials also acknowledged that North Korean IT workers are increasingly using AI to improve their schemes—an issue cybersecurity leaders believe can increase the scale, speed, and sophistication of protocol exploitation.
CertiK’s broader warning aligns with another dataset. TRM Labs, in its H1 2026 reporting, argued that declining total dollars stolen should not be mistaken for a safer environment. In TRM’s analysis, the number of incidents more than doubled from 83 to 207 in the first half of 2026, the highest number TRM has recorded across a six-month period. TRM also found that smart contract exploits accounted for 125 incidents—about 60% of all events—in H1.
That juxtaposition is important: even if fewer dollars are being stolen than in a year with record outliers, the ecosystem can still be exposed to a higher frequency of attacks. More incidents mean more operational disruptions, more incident response overhead, and more opportunities for failures—especially in fast-moving DeFi environments.
Private key management: the “most consequential” security surface
CertiK singled out private key handling as the area most likely to determine outcomes for attackers. According to the firm, private keys and multisignature wallet management remain the “most consequential security surface” for exploitation—particularly because weaknesses there can enable large transfers even when other controls appear in place.
To address this, CertiK urged protocols and institutions holding significant onchain assets to harden every layer of private key management. The recommendations span hardware security, multisignature governance, and even the geographic distribution of signers. The core argument is that defenses should be designed to reduce the chance that a single point of compromise results in irreversible loss.
CertiK also framed security investment as asymmetric: it said this is an area where spending on the right controls can produce unusually large risk reduction relative to the cost. That theme echoes long-standing guidance from hardware wallet providers. For example, Ledger has previously warned users to keep seed phrases offline and never share them, emphasizing that basic operational discipline remains one of the most effective barriers to phishing-driven theft.
While these recommendations may sound familiar, the data behind them—especially Q2’s wallet compromise losses—underscores that key management is not a “set it and forget it” task. Attackers often shift tactics toward whatever control surface shows the most leverage, and wallet compromise outcomes suggest that leverage is still available to criminals and state-linked groups.
Looking ahead, the key question is whether the first-half pattern persists: phishing-heavy losses in the first quarter followed by wallet compromises and concentrated state-linked incidents in the next. Readers should watch not only aggregate loss totals, but also incident frequency, which TRM’s reporting suggests is rising—an indicator that the threat environment may be intensifying even when dollar figures temporarily fall.
This article was originally published as Crypto Hacks Drop 47% in H1, but Smart-Contract Risks Persist: CertiK on Crypto Breaking News – your trusted source for crypto news, Bitcoin news, and blockchain updates.