Cryptocurrency thefts from hacks reached about $972 million across 207 incidents in the first half of 2026, marking the highest number of attacks ever recorded by blockchain security firm Immunefi, even as total losses stayed below $1 billion and fell to less than half the amount recorded in the same period last year.
The figures point to a changing threat environment for digital assets. Hackers are striking more often, but the average loss per attack is smaller than in earlier cycles, when a handful of major bridge or protocol failures could wipe out hundreds of millions of dollars in a single event. The first half of 2026 has instead been defined by repeated, smaller breaches, many of them aimed at infrastructure, private keys, access controls and operational weaknesses rather than core smart contract code.
Immunefi’s report said decentralized finance, or DeFi, exploit losses have dropped sharply from their 2022 peak. Losses in the category fell 74%, from $2.62 billion at the height of the previous exploit cycle to $680.3 million in the current half-year period. The median loss per incident also dropped by about three-quarters, suggesting security improvements are reducing the impact of many technical exploits even as attackers continue to probe the market.
The decline in total losses is notable because it comes during a period of record attack frequency. In earlier years, the digital asset sector was often shaken by large, highly visible breaches involving cross-chain bridges, lending markets or liquidity protocols. In 2026, the risk pattern looks more fragmented. The number of attacks has climbed, but fewer incidents have produced the kind of catastrophic losses that once dominated the market’s security headlines.
The shift matters for traders because it changes the way risk is assessed. A single large exploit can still damage confidence in a protocol or sector, but the current pattern suggests operational resilience, key management, internal controls and incident response are becoming as important as smart contract audits.
Smaller attacks are becoming the dominant pattern
Immunefi’s data indicates that the industry is seeing more frequent but less destructive attacks on average. That does not mean the market is safer in a simple sense. It means the nature of the danger is evolving.
In the earlier stages of DeFi growth, attackers often focused on code-level flaws in newly launched protocols, poorly tested smart contracts, oracle manipulation opportunities and bridge mechanisms holding large pools of locked assets. Those attack surfaces have not disappeared, but many leading projects now operate with more mature security processes.
Bug bounty programs, third-party audits and community-led vulnerability research have become more common across larger protocols. Immunefi said these practices have helped reduce losses by encouraging researchers to disclose weaknesses before attackers can exploit them. The presence of large bounty programs can also create an economic incentive for white-hat researchers to report flaws rather than sell or use them maliciously.
Still, the report makes clear that improvements at the smart contract level have not eliminated risk. Instead, attackers have adapted. As protocol code becomes more closely reviewed, malicious actors are shifting toward higher operational layers of crypto infrastructure. These include private key theft, compromised wallets, privileged access abuse, cross-chain configuration mistakes and weaknesses in deployment processes.
This is a major change from the kind of attacks that once defined crypto security. A protocol can have audited smart contracts and still suffer a major breach if administrative keys are poorly protected, if team members fall for social engineering, or if cross-chain permissions are misconfigured.
Operational security is now a central risk
Smart contract vulnerabilities continue to appear, but the most damaging breaches are increasingly linked to infrastructure and human process failures. Immunefi’s findings suggest attackers are no longer looking only for errors in protocol code. They are also looking for mistakes in how teams manage systems, permissions and private credentials.
That has made operational security a central concern. Private keys, multisignature wallets, admin permissions and deployment pipelines can become critical points of failure. If attackers gain access to these areas, they may be able to drain funds, alter protocol settings or move assets without needing to exploit a traditional smart contract bug.
This trend has important market consequences. For traders, technical audits remain useful, but they no longer provide a complete view of project risk. A protocol may pass multiple code reviews and still be exposed if it lacks strict access controls, secure key custody, monitoring systems and clear internal approval procedures.
The same applies to teams operating across several blockchains. Immunefi said the complexity of multi-chain deployments has created new attack surfaces. As protocols expand across networks, they must manage more contracts, bridge connections, permissions, oracles and infrastructure providers. Each added layer can introduce a new point of failure.
Multi-chain expansion can improve liquidity and access, but it also increases operational complexity. A small configuration mistake on one chain can expose funds or create a weakness that attackers can use to move across connected systems. That risk is harder to identify than a simple coding error and may require continuous monitoring rather than a one-time audit.
Bridge and flash-loan attacks decline
One of the clearest developments in the first half of 2026 is the decline in bridge-related exploits. Cross-chain bridges were once among the largest sources of losses in crypto, largely because they often held large amounts of locked assets and depended on complex validation systems. Several of the industry’s largest historical hacks involved bridges or bridge-like infrastructure.
Immunefi’s latest data suggests that bridge exploits no longer dominate the loss landscape in the same way. That may reflect stronger security practices, better monitoring, improved designs and greater caution from protocol teams after years of high-profile failures.
Flash-loan attacks have also fallen to a small share of total incidents. These attacks use uncollateralized loans that are borrowed and repaid within a single transaction, often to manipulate prices, exploit oracle weaknesses or drain vulnerable protocols. They were once a frequent source of DeFi losses, especially in markets with thin liquidity or weak price feeds.
Their decline suggests that many DeFi protocols have become more resilient against common manipulation patterns. Better oracle design, circuit breakers, liquidity checks and risk controls have reduced the effectiveness of some older attack methods. However, the reduced prominence of bridge and flash-loan attacks should not be read as a sign that attackers are retreating. Rather, they are changing tactics.
The current threat environment is more diverse. Instead of concentrating on one dominant exploit type, attackers appear to be spreading across multiple weak points, including wallets, access systems, infrastructure services and operational workflows.
CertiK reports higher losses using broader count
A separate report from blockchain security firm CertiK placed first-half 2026 crypto losses at more than $1.31 billion across 344 incidents, higher than Immunefi’s estimate of about $972 million across 207 incidents. The difference highlights how security firms may classify events differently, including how they count phishing, wallet compromise, protocol exploits, scams, access-control failures or recovered funds.
CertiK’s report said total losses were down 46.8% from the first half of 2025. However, it also noted that the year-on-year comparison is affected by a single major outlier in the prior-year period. Excluding that event, comparable losses would be up 28%, according to CertiK.
That distinction is important. Headline loss totals can decline even if the broader attack environment is worsening. A year with one enormous hack can appear more severe than a year with hundreds of smaller breaches. But for traders, developers and protocol users, a steady increase in attack frequency can still represent a serious deterioration in market safety.
The second quarter of 2026 reportedly set a record for the number of individual hacking incidents, with some estimates placing the count at about 83. The surge supports the view that the sector is dealing with persistent, lower-to-mid-sized attacks rather than only rare catastrophic events.
Methodology differences between security firms are common in crypto reporting. Some firms categorize phishing and wallet compromises separately from protocol hacks, while others include them in broader loss totals. Some reports also differ in whether they subtract recovered funds or include social engineering attacks that target team members rather than code.
Even with those differences, both Immunefi and CertiK point to the same broader conclusion: attacks remain highly active, and the risk profile is moving toward infrastructure, credentials and operational control.
Wallet compromises become a major source of losses
Wallet compromises have emerged as one of the most damaging forms of attack in 2026. According to the security data cited in the reports, wallet-related breaches accounted for more than $444 million in losses across just 33 incidents, making them one of the most destructive categories by average loss.
These incidents are often driven by social engineering, phishing, malware or the compromise of devices and accounts used by team members with privileged access. In some cases, attackers do not need to break complex smart contract logic. They simply need to convince the right person to sign a malicious transaction, reveal credentials or interact with compromised software.
This makes the threat harder to solve through code alone. A smart contract bug can be patched, and a flawed mechanism can be redesigned. But human error, weak internal procedures and poor access management require a different kind of defense. Teams must adopt stronger approval processes, limit administrative privileges, secure private keys and monitor suspicious activity in real time.
Immunefi Chief Executive Mitchell Amador has previously said that industry-wide losses remain high even as decentralized systems improve their security posture. He has also pointed to the role of human error and inadequate internal procedures in recent attacks, noting that these are not problems that can be fixed with a simple code update.
The growing use of artificial intelligence by malicious actors may add to the challenge. AI tools can help attackers produce more convincing phishing messages, automate social engineering campaigns and scale attempts to compromise team members or users. That can increase the number of successful attacks even when each individual attack is smaller than the major exploits seen in previous years.
For traders, this means project risk can no longer be judged only by the presence of audits or the technical reputation of the codebase. The strength of a project’s internal controls, key management and security culture has become a critical part of the risk picture.
Bug bounties continue to expand
One reason losses may be lower than in earlier periods is the wider use of bug bounty programs. Immunefi said its platform awarded about $13.45 million in payouts for 837 verified vulnerability disclosures during the first six months of 2026.
Since its launch, Immunefi said it has distributed more than $140 million to security researchers. The platform supports more than 92,000 contributors who monitor over $180 billion in assets across roughly 650 protocols. The company also said early detection and reporting through its programs have helped prevent more than $25 billion in potential losses.
Bug bounties have become a core defense tool in crypto because decentralized protocols are often open source and hold large amounts of value. Publicly visible code can be reviewed by anyone, including both ethical researchers and attackers. Bounty programs try to turn that openness into a security advantage by rewarding responsible disclosure.
The size of payouts has also grown as the value secured by crypto protocols has increased. In some cases, protocols offer millions of dollars for critical vulnerabilities. Those large rewards may appear costly, but they are small compared with the possible losses from an exploited flaw.
However, bug bounties are not a complete solution. They work best when vulnerabilities can be clearly identified, reported and fixed. Operational weaknesses, such as poor internal access controls or compromised private keys, may be harder for external researchers to detect. That is why the current shift in attack methods is significant.
Market impact may become more selective
The market reaction to crypto hacks may also change as attacks become more frequent and smaller on average. In past years, a major exploit could trigger broad concern across DeFi tokens, bridge projects or layer-1 ecosystems. Today, smaller breaches may have more localized effects unless they reveal a deeper weakness in widely used infrastructure.
Traders may become less reactive to every isolated incident and more sensitive to breaches involving core infrastructure providers, major wallets, cross-chain systems or protocols with broad market connections. A small attack on a little-used project may produce limited market damage, while a compromise involving privileged access at a major protocol could raise wider concerns about governance and operational security across the sector.
The first half of 2026 therefore presents a mixed picture. On one hand, total losses are down sharply from last year by Immunefi’s count, DeFi exploit losses are far below their 2022 peak, and the average impact of attacks has declined. On the other hand, attack frequency has reached a record, wallet compromises are highly destructive, and operational weaknesses are becoming a primary target.
The overall message is not that crypto security has solved its biggest problems. It is that the battlefield has moved. Code quality has improved in many areas, but attackers are increasingly focusing on people, permissions and infrastructure. For a market built on self-custody, automation and rapid deployment, that shift may define the next stage of digital asset risk.
Protect your assets from evolving hacks—learn essential crypto safety standards every trader should know before your next trade.
Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.

