Crypto hacks hit a record count but the biggest threat isn’t smart contracts
Crypto hack counts simply set a record. The warning in TRM Labs’ newest knowledge is the place the cash is definitely being misplaced.
In its H1 2026 crypto hack review, TRM Labs stated attackers carried out 207 separate hacks in the first half of the 12 months, the most the agency has recorded in any six-month interval.
Yet whole losses fell to $972 million, lower than half the $2.3 billion stolen throughout the first half of 2025.
That break up adjustments the safety story. More protocols, tokens, and decentralized purposes are being hit, but the losses that also outline the 12 months are concentrated in operational programs: keys, custody, signing infrastructure, approval flows, and different controls round the code fairly than the code alone.
For DeFi teams, smart-contract audits stay obligatory as a result of smart-contract exploits accounted for many incidents. The losses that may erase lots of of tens of millions of {dollars} more and more come from programs that determine who can transfer funds, how signatures are accredited, and the way infrastructure round a protocol is trusted.
More incidents, smaller typical losses
TRM stated the variety of hacks greater than doubled from 83 incidents in H1 2025 to 207 in H1 2026. Q2 alone produced 123 incidents, after a record-setting first quarter.
Most of that improve got here from smart-contract exploits, which accounted for 125 of the 207 incidents.
The typical loss, nevertheless, was a lot smaller than the headline whole suggests. TRM put the median hack at about $219,000, whereas the imply was $4.7 million.
That hole exhibits how a few very massive incidents can dominate combination losses, at the same time as the day-to-day threat setting turns into extra crowded with smaller exploit makes an attempt.
The result’s a break up safety image. On the one hand, DeFi continues to be coping with code-level vulnerabilities, advanced protocol logic, and multi-step manipulations that result in frequent losses.
On the different hand, the largest harm is coming from failures in the programs that maintain or authorize management of funds.
TRM stated infrastructure and operational compromises accounted for under about 15% of incidents in H1 2026 but roughly 76% of stolen worth.
That ratio turns the report from a hack-count story into a security-priority story.
If a protocol treats audits as the complete safety program, it’s defending solely a part of the danger. An attacker can skip the core contract by compromising a signer, manipulating a bridge validation path, poisoning an operational dependency, or acquiring approval for a malicious switch.
The clearest instance is the focus of North Korea-linked exercise. TRM assesses that about $643 million, or roughly 66% of all funds stolen in H1 2026, was attributable to North Korea-linked exercise.
That determine was down from about $1.7 billion in the first half of 2025, but it nonetheless made North Korea-linked actors the largest supply of stolen worth in the interval.
Nearly all of that H1 2026 whole got here from two April operations involving Drift Protocol and KelpDAO. TRM put the Drift loss at roughly $285 million and KelpDAO at roughly $292 million, for a mixed whole close to $577 million.
Those incidents mirrored the similar broader sample: attackers focused the infrastructure and human layers round DeFi programs fairly than merely hammering at core smart contracts.
That distinction issues as a result of North Korea-linked operations are greater than one other exploit class. They mix technical intrusion, social engineering, operational persistence, laundering infrastructure, and state-directed monetary objectives.
A single profitable operation can outweigh months of smaller non-state exploits.
TRM’s warning is that the decrease greenback whole in H1 2026 displays the absence of one other theft on the scale of 2025’s largest assaults, not a discount in attacker functionality.
In different phrases, the combination quantity fell as a result of the biggest outlier was smaller, whereas the class of danger that creates outliers stays unresolved.
That makes the subsequent massive loss much less prone to appear like a easy bug report. It is extra prone to expose a weak approval course of, a compromised personal key, a signer that might be socially engineered, a vendor or infrastructure dependency that was trusted too broadly, or a response plan that moved too slowly as soon as funds started crossing chains.
Audits want an operational layer
Smart-contract work stays necessary, but it wants controls round the programs that transfer funds. TRM says code exploits stay the commonest incident kind, and DeFi protocols nonetheless want audits, formal evaluation, monitoring, and incentives for disclosure.
The change is that audits can’t be the ceiling of the safety program.
The controls that matter most for catastrophic loss sit round asset motion. TRM particularly pointed to key administration, signing infrastructure, approval workflows, and custody as areas requiring higher consideration.
Those are operational disciplines as a lot as technical ones.
A hardened protocol now must know who can provoke massive transfers, who can approve them, which gadgets and repositories can contact signing paths, how governance adjustments are delayed or challenged, and what occurs if a trusted operator, contributor, or vendor account is compromised.
A static audit report can not reply these questions after the operational setting adjustments.
That is why latest CryptoSlate safety protection has saved returning to the similar theme: operational security, signing practices, governance, bridge validation, and infrastructure controls have gotten a part of the business’s policy-facing protection posture.
A separate CryptoSlate evaluation warned that DeFi’s older exploit patterns could also be fading, but newer dangers can journey throughout chains and infrastructure layers when protocols reuse programs or belief assumptions too broadly.
For safety groups, the subsequent finances dialogue ought to due to this fact cowl greater than one other audit cycle.
It ought to embody hardware-backed signing, multi-party approval for giant transfers, limits on privileged entry, monitored developer gadgets, stronger vendor evaluation, examined incident-response playbooks, and treasury planning for a worst-case infrastructure compromise fairly than a median exploit.
The similar shift impacts exchanges, custodians, and monetary establishments that will by no means be the preliminary goal. TRM stated stolen property typically transfer by means of cross-chain bridges and no-KYC swap providers earlier than reaching exchanges.
That makes first-hop screening insufficient when attackers can shortly transfer worth throughout chains and providers.
Multi-hop transaction monitoring, quicker pockets intelligence sharing, and coordination between protocols, exchanges, stablecoin issuers, analytics corporations, and regulation enforcement turn out to be a part of the safety stack.
TRM pointed to information-sharing networks as one reply as a result of response time can decide whether or not stolen funds are frozen, traced, or laundered past simple restoration.
For protocols, this creates a second operational burden. The safety plan has to imagine that prevention can fail.
It should outline who can pause programs, who can contact counterparties, how attacker addresses are distributed, and which switch paths are watched in the first minutes after detection.
That is the actual which means of TRM’s H1 2026 knowledge. Crypto skilled extra hacks and fewer losses, but it additionally uncovered a break up between the rising quantity of smaller smart-contract incidents and the concentrated operational compromises that also set the business’s loss profile.
The subsequent take a look at is whether or not DeFi groups and custodians deal with that break up as a purpose to rebalance safety priorities.
If the largest losses proceed to stem from compromised keys, signing workflows, custody programs, and infrastructure dependencies, catastrophic danger will fall solely when the motion of funds turns into tougher to compromise, slower to abuse, and simpler to interrupt as soon as an attacker is inside.
The put up Crypto hacks hit a record count but the biggest threat isn’t smart contracts appeared first on CryptoSlate.

