Record 207 Crypto Hacks in H1 2026 Reveal Security Shift: It's Not Just the Code
Crypto hacks hit a record high in H1 2026 with 207 incidents, yet total losses dropped to $972 million. The focus shifts to operational security as the largest thefts are linked to failures in key management and custody systems.
Crypto hacks just reached a record-breaking count, with 207 incidents reported in the first half of 2026. Despite the surge in attacks, total losses fell to $972 million, less than half of the $2.3 billion stolen during the same period last year. This paradoxical situation raises a critical question: How did more hacks lead to fewer financial losses?
The Growing Threat of Operational Vulnerabilities
The answer lies not in the frequency of hacks but in their nature. As it turns out, the biggest thefts are no longer stemming from simple smart-contract exploits. Instead, they're coming from cracks in the operational infrastructure. We're talking about weaknesses in keys, custody, signing infrastructure, approval flows, and other control systems that sit around the core code rather than within it.
While smart-contract audits remain essential, they're no longer sufficient. In fact, the majority of incidents, 125 of them, were due to smart-contract exploits. Yet, these weren't the ones draining the most value. Operational compromises, though only accounting for 15% of incidents, were responsible for a staggering 76% of the stolen value. DeFi teams are learning that protecting just the code isn't enough if you're leaving the door unlocked elsewhere.
Implications for DeFi and Security Priorities
What does this mean for the crypto industry? For starters, it's a wake-up call for DeFi teams and custodians to recalibrate their security priorities. Treating audits as a complete security program is like locking the front door while leaving the back wide open. An attacker doesn't need to brute-force a smart contract if they can bypass it through weak signing infrastructure or compromised custody systems.
North Korea-linked operations exemplify this. They accounted for a whopping $643 million of the stolen funds in H1 2026. With incidents involving Drift Protocol and KelpDAO alone accounting for nearly $577 million, the focus of these attackers was on peripheral infrastructure rather than the heart of the code. These aren't just isolated incidents. they're a clear indication that the largest risks are operational.
Here's the thing: If the crypto industry continues to rely solely on code audits for security, it's only a matter of time before another operational lapse results in even bigger losses. Strengthening operational controls like key management, signing workflows, and custody systems should be at the top of every security agenda.
Shifting Security Strategies for a New Threat market
The crypto industry needs a model shift in how it views security. Smart-contract work is still important, but it can't be the only focus. Security measures need to encompass operational disciplines as well. We're talking about scrutinizing who can initiate and approve large transfers, how signing paths are managed, and what protocols are in place for tracking asset movement across chains.
When you consider the sheer volume of hacks with relatively small median losses, around $219,000 according to the latest data, it's clear the threat market has evolved. The industry now faces a dual challenge: managing a high volume of minor incidents while guarding against catastrophic operational failures.
A complete security overhaul requires more than just technical audits. It demands strong incident-response playbooks, multi-party approval systems, hardware-based signing, and coordinated efforts across exchanges, custodians, and even law enforcement. Look, crypto may be decentralized, but that doesn't mean its security efforts should be fragmented.
The takeaway for crypto stakeholders is clear: operational vulnerabilities are the new frontier in security risks. The next big loss isn't going to be from a simple bug. It's going to be from a weak link in the chain, whether that's a compromised key, a lax signing process, or an under-secured custody system. If DeFi teams and custodians don't adapt, they're setting themselves up for failure when, not if, the next big attack comes.