The cryptocurrency sector recorded 40 major hacking incidents in June, with reported losses totaling 75.87 million US dollars, as attackers targeted not only smart contracts but also wallets, layer-2 systems, block production logic and third-party website dependencies.
The incidents showed a widening security problem across Web3 infrastructure. Instead of relying only on traditional protocol exploits, attackers increasingly moved through the full transaction process, from wallet signatures and proof systems to browser-based interfaces used by traders. The month’s activity highlighted a difficult reality for the sector: a secure blockchain or audited smart contract can still be undermined if any connected layer fails.
Several of the largest June cases involved technical weaknesses deep inside transaction verification systems. These included a wallet-signing flaw in the Cardano ecosystem, bugs affecting older rollup deployments linked to Aztec, a compromised verification process at Taiko, and a malicious third-party script affecting Polymarket’s website interface. Base also suffered consecutive block production halts, though no funds were reported lost in that incident.
Security specialists said the pattern reflects a more complex risk environment. Attacks are no longer limited to poorly written smart contracts or obvious phishing links. They now include cryptographic implementation errors, outdated infrastructure, weak proof validation, exposed signing keys and compromised front-end software. For traders, that means checking only whether a website looks legitimate is no longer enough.
Wallet flaw exposes Cardano traders
One of June’s most serious wallet-related breaches occurred in the Cardano ecosystem, where SecondFi wallet accounts were affected between June 21 and June 23. The incident led to the loss of about 16 million ADA, worth approximately 2.4 million US dollars, across 374 addresses.
According to findings from blockchain security firm BlockSec, the weakness came from an error in nonce derivation during the wallet’s signing process. In simple terms, a nonce is a one-time value used during cryptographic signing. If it is generated incorrectly or repeated in a predictable way, it can expose enough mathematical information for attackers to reconstruct a private key.
That is what made the SecondFi case especially damaging. The attackers did not need to steal seed phrases, compromise devices or trick traders into entering passwords on a fake website. Instead, public transaction data reportedly provided enough information to recover private keys because of the flawed signing implementation.
The case was a reminder that even careful behavior by traders cannot always protect funds if the software handling signatures is defective. A trader could approve a transaction normally, use the correct website and keep a seed phrase offline, yet still be exposed if the wallet leaks sensitive cryptographic information through every signature.
Developers responded by moving to protect roughly 129 million ADA that may have been at risk. The incident added urgency to calls for more transparent and reviewable wallet code, especially for software responsible for key generation and transaction signing. In wallet security, small mathematical errors can become complete account takeovers.
Layer-2 attacks point to deeper infrastructure risk
Layer-2 platforms were another major focus of attacks in June. These networks are designed to improve blockchain scalability by processing transactions outside the main chain and then settling results back to layer 1. But their complexity can create additional points of failure, particularly in bridges, proof systems and state verification.
Two outdated rollup deployments under the Aztec ecosystem were attacked on June 14 and June 18, causing combined losses of about 4.35 million US dollars. The exploited issues involved discrepancies between deposit records and actual on-chain balances, along with weak constraints in zero-knowledge proof circuitry.
Zero-knowledge systems allow one party to prove that information is valid without revealing the underlying data. They are widely viewed as an important technology for scaling and privacy. However, they require extremely strict circuit design. If the proof system does not enforce all required conditions, attackers may be able to create proofs that appear valid while representing false states or unauthorized withdrawals.
In the Aztec-linked incidents, the weakness reportedly allowed forged proofs to extract assets from layer-1 contracts. The attacks showed how older or inactive deployments can remain dangerous if they continue to hold value or retain contract permissions. Even if a newer version of a system is more secure, legacy deployments can stay exposed.
Taiko, another layer-2 platform, faced a separate incident on June 22 involving its trusted execution environment, known as SGX. In that case, a previously exposed SGX signing key was abused, while the relevant contract did not reject proofs from enclaves operating in debug mode, according to a postmortem cited by security researchers.
The breach allowed attackers to create a falsified layer-2 state, leading to losses of about 1.7 million US dollars. The incident underlined the importance of not only cryptographic soundness but also operational key management. A secure design can fail if compromised keys remain trusted or if contracts do not enforce strict checks on the environments producing proofs.
Base halts show reliability is part of security
Not every June incident involved stolen funds. Base experienced consecutive block production halts on June 25 and June 26 after a flaw in its block construction logic produced invalid state transitions.
No funds were reported lost, and the chain’s integrity remained intact. Still, the incident drew attention because reliability is closely connected to security in blockchain networks. When block production stops, traders can face delayed transactions, temporary inability to move funds and uncertainty about settlement.
For fast-moving markets, downtime can create real economic risk even without a direct theft. It can prevent traders from closing positions, moving collateral or responding to price changes. It can also weaken confidence in network resilience, especially if failures happen repeatedly or without clear communication.
The Base case showed that blockchain security is not only about preventing hacks. It also includes ensuring that networks continue operating correctly under stress and that errors in transaction ordering, block construction or state execution do not interrupt the system.
Polymarket breach highlights front-end danger
June also brought a major supply chain compromise involving Polymarket, where a third-party service provider allegedly injected malicious JavaScript into the platform’s website interface. The script redirected about 3 million US dollars from user wallets.
The stolen funds were moved from Polygon to Ethereum and converted into roughly 1,893 ETH before the compromised dependency was removed. Polymarket later pledged to fully reimburse affected accounts.
The incident was especially important because it did not require attackers to break the platform’s core smart contracts. Instead, the attack targeted the website layer that traders used to interact with the protocol. People visiting the legitimate Polymarket domain could still be exposed because the malicious code was delivered through a trusted-looking interface.
That type of compromise is difficult for traders to detect. A website may load correctly, show the right brand and connect to a familiar wallet, while silently altering transaction instructions before they are signed. If a wallet interface does not clearly display the true destination, amount and contract interaction, a trader may approve a transaction that differs from what the website appears to show.
The Polymarket case showed that front-end security is now central to digital asset protection. Smart contract audits are important, but they do not protect against malicious scripts, compromised software packages, content delivery weaknesses or third-party service failures.
First-half data shows changing attack patterns
The June incidents fit into a broader trend seen during the first half of 2026. Blockchain security firm SlowMist reported 182 security incidents from January through June, up by roughly 50 percent from comparable earlier periods. At the same time, total reported losses fell by about 60 percent to around 956 million US dollars, down from the multibillion-dollar totals seen in prior years.
That combination suggests a shift in attacker behavior. Instead of only pursuing a few extremely large exploits, attackers appear to be spreading activity across more targets, including wallets, operational systems, front-end services and infrastructure components.
Separate research from TRM Labs counted a record 207 hacks in the first six months of the year. Its findings indicated that infrastructure and operational compromises accounted for about 76 percent of total losses, even though they represented only around 15 percent of all incidents.
The figures point to a changing threat model. Core smart contracts may be improving in some areas because of audits, formal verification and hard-won lessons from earlier failures. But the broader ecosystem around those contracts has become more attractive to attackers. Wallets, bridges, signing services, developer tools, proof systems, cloud infrastructure and web applications now form a long chain of dependencies.
If one link fails, traders can still lose funds.
Security practices are changing
Security researchers said the latest incidents should push traders to think beyond basic wallet protection. Keeping a seed phrase private remains essential, but it is no longer sufficient on its own.
Traders are increasingly encouraged to separate long-term storage from active wallets used for daily transactions. Cold wallets should not be used casually with new applications, untested protocols or unknown websites. Daily-use wallets should hold only the funds needed for immediate activity.
Transaction verification is also becoming more important. Traders should review the details shown on a trusted hardware wallet screen, not only the prompts displayed in a browser. Browser-based interfaces can be manipulated, while a hardware device can provide a more reliable view of what is actually being signed, assuming the device itself is secure and properly used.
Permission management is another key defense. Many decentralized applications ask for broad token approvals, allowing contracts to move funds later without repeated approval. If a contract or front-end is later compromised, those permissions can become dangerous. Revoking unused approvals and disconnecting applications after use can reduce the potential damage.
Developers and project teams are under pressure as well. The June attacks showed the need for stronger review of cryptographic code, stricter validation of proof systems, better monitoring of legacy deployments, safer key management and more controlled use of third-party web services. Projects that rely on external scripts or software packages must treat those dependencies as part of the security perimeter.
Full-chain protection becomes the new standard
The main lesson from June is that digital asset security now depends on the entire workflow, not only the blockchain at the center of it. Private key generation, wallet signing, proof validation, network reliability, contract permissions and front-end delivery all have to work safely at the same time.
The SecondFi incident showed how a wallet-signing flaw can expose private keys without phishing or device theft. The Aztec-linked and Taiko attacks showed how layer-2 proof and verification systems can become high-value targets. The Base halts showed that reliability failures can carry serious operational consequences. The Polymarket breach showed that a legitimate website can still deliver malicious code through a compromised dependency.
For traders, the environment now requires constant caution. For developers, it requires security reviews that cover the full stack, from cryptography to user interface. For the broader market, June’s 75.87 million US dollars in losses served as another warning that Web3 risk is becoming more distributed, more technical and harder to contain with traditional defenses alone.
Want to avoid similar breaches? Learn essential safety practices in crypto safety standards every trader should know to protect your assets.
Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.

