Q2 2026 Crypto Hacks: Why the Record Incident Count Changed the Risk Story Since Q1

Q2 2026 crypto hacks set a record by incident count in more than one dataset, but the more useful story is what changed in the way trust is failing.

Key Takeaways

  • Q2 2026 was record-setting by incident count in at least one dataset, but the exact number depends on scope. DefiLlama-derived tracking put late-June Q2 at about 83 protocol exploits and $755.3 million in losses. End-of-quarter DefiLlama-derived analysis showed 88 known-loss entries and about $780.3 million. TRM Labs, using a broader crypto hack dataset, counted 123 Q2 incidents.
  • Total dollar losses were not a record. TRM reports about $972 million stolen in H1 2026, less than half of the roughly $2.3 billion lost in H1 2025.
  • The two dominant Q2 incidents were the KelpDAO exploit on April 18 (about $292 million and about 116,500 rsETH, per LayerZero's incident report) and the Drift Protocol attack on April 1 (about $285 million, per TRM and Chainalysis).
  • KelpDAO was best described as a cross-chain verification and infrastructure compromise. Drift was best described as a signing-authority and social engineering compromise. Neither was a straightforward smart contract bug.
  • The Q1 baseline from Hacken was about $482.6 million across 44 incidents. Q2 shows more frequent failures with a wider attack surface: code, bridge infrastructure, signing and control-plane authority, and social engineering.

Q2 2026 crypto hacks reached a record incident count in more than one dataset, but the record changed the risk story less through the totals than through the shape of what broke. At Blockready, we treat quarterly security data as a source of pattern recognition, not headline recognition, and Q2's patterns are worth reading slowly. Most Q2 coverage stops at one number and one line about bridge losses. That framing skips the part that actually helps a reader make better decisions: which datasets are being counted, what kind of trust the biggest incidents broke, and how the Q1 audit-paradox story from earlier in the year expanded into a wider set of failure modes.

If a Q2 recap left you unsure whether "83 hacks" or "123 hacks" was the real number, or whether the quarter was actually the worst on record, that is not a reading problem. It is a reporting problem. Different sources measured different things over different cutoffs, and very few reconciled them. This article walks through the datasets in plain language, compares Q1 to Q2, contrasts the two dominant incidents, and translates the pattern into what changed for a normal wallet or DeFi user. It is not financial advice, not a chain ranking, and not a claim that audits are useless. It is a mechanism-first read of what Q2 actually says about crypto trust.

What Q2 2026 Actually Showed About Crypto Risk

Q2 2026 was record-setting by incident count and moderate by dollar losses, and the interesting part of the quarter is the gap between those two facts. More things broke. The biggest breaks were not ordinary contract bugs. Attackers used more paths and hit smaller pools more often, while two large operations dominated the value column.

The clearest way to see the shape is through three numbers that all describe Q2, all come from credible sources, and all mean slightly different things.

Q2 2026 by the Numbers

Three counts, three scopes, one directional agreement that Q2 was record-setting.

83

Q2 protocol exploits tracked in DefiLlama data as of late June, with about $755.3 million in reported losses. This is the count behind the "most-hacked quarter" headline that circulated in mid-2026.

88

Known-loss Q2 entries in end-of-quarter DefiLlama-derived analysis through June 30, with about $780.3 million in losses. This is a slightly larger snapshot that captured more entries after the initial June tally.

123

Q2 incidents in TRM Labs' H1 2026 crypto hack dataset, which counts a broader set of crypto security incidents than DefiLlama's protocol-exploit tracker. TRM reports 207 H1 incidents and $972 million in total H1 losses.

Sources: DefiLlama Hacks Dashboard, retrieved June 22 and June 30, 2026; Unfolded summary via Cointelegraph and Cryptopolitan, June 22, 2026; TRM Labs, H1 2026 Crypto Hacks Reach Record High as Losses Fall Below USD 1 Billion, July 2026. Metric: Q2 crypto hack incidents by source scope. Notes: figures may revise as dashboards and investigations update.

Two things are true at once. Q2 set a record for how often crypto systems failed. It did not set a record for how much money attackers pulled out in aggregate. TRM's H1 report puts the median hack at about $219,000, while the two dominant April incidents together stole roughly $577 million. That combination, many small failures with a few outsized ones, is what a reader should keep in mind when a single headline number is quoted without context.

Why Three Different Datasets Give Three Different Counts

"Was Q2 the worst hack quarter ever?" is answered fairly by "yes, by incident count in more than one dataset, no by total dollars, and the exact incident count depends on what a source is counting." That is longer than a headline, but it is what the evidence supports.

The datasets differ in three ways: what they include, when they were cut off, and how they classify an incident. DefiLlama tracks protocol exploits in DeFi. TRM Labs tracks a broader set of crypto hacks and security incidents. Unfolded and news outlets like Cointelegraph pulled DefiLlama numbers at specific cutoffs. Later analyses recounted after more incidents were entered. None of these methods are wrong. They simply do not measure the same population.

Q2 2026 Dataset Reconciliation

Same quarter, different counts, different scopes. A record incident count by DefiLlama-derived tracking, and a separate broader record by TRM.

| Dataset view | DefiLlama-derived, late June | DefiLlama-derived, end of quarter | TRM Labs, H1 dataset |
| --- | --- | --- | --- |
| What is counted | Protocol exploits tracked in the DefiLlama hacks dashboard, summarized by Unfolded | Known-loss Q2 entries in DefiLlama-derived analysis through June 30 | A broader crypto hack and security incident dataset maintained by TRM Labs |
| Q2 incident count | About 83 | 88 known-loss entries | 123 incidents |
| Reported Q2 losses | About $755.3 million | About $780.3 million | Part of $972 million reported across H1 2026 |
| Cutoff | Around June 22, 2026 | June 30, 2026 | Six months through June 2026 |

Sources: DefiLlama Hacks Dashboard; Unfolded summary via Cointelegraph, June 22, 2026; CryptoSlate and CoinMarketCal-syndicated end-of-quarter analysis, early July 2026; TRM Labs H1 2026 report, July 2026. Notes: DeFi-focused protocol tracking and broader crypto incident tracking are not directly comparable. Do not add or subtract them.

The practical takeaway is that "83 hacks" describes DefiLlama-derived DeFi protocol exploits at a specific late-June cutoff, not a universal industry-wide Q2 total. TRM's 123 does not contradict the 83 figure. It counts more categories. If a Q2 recap gives one of these numbers without disclosing scope, the number is not wrong, but the framing does not help the reader compare apples with apples.

The Q1-to-Q2 Shift

Reading Q2 well means reading Q1 first. Hacken's Q1 2026 Security and Compliance Report set the recent baseline at about $482.6 million stolen across 44 incidents, a 20.9% rise in losses over Q4 2025. Six audited protocols were exploited in Q1, one of them with 18 prior audits on record. Phishing and social engineering drove about $306 million of Q1's total, dominated by a single hardware wallet scam. If you have already read our earlier coverage of what Hacken's Q1 2026 crypto security report meant for learners, the Q2 story is not a reversal of that lesson. It is an extension of it.

Q1 2026 vs Q2 2026: What Changed

Frequency rose sharply, typical loss size fell, and the biggest incidents shifted from social engineering-only failures to bridge and control-plane failures.

  • 44 → 123: Incident count, Q1 to Q2. Hacken Q1 count vs TRM's Q2 count. DefiLlama-derived Q2 sits at 83 to 88 depending on cutoff.
  • $482.6M → ~$780M: Reported losses, Q1 to Q2. Hacken Q1 total vs end-of-quarter DefiLlama-derived Q2 estimate. TRM reports $972M across all of H1 2026.
  • ~$219,000: Typical H1 2026 hack, per TRM. Median, not mean. Two large April incidents pull the average sharply upward.

Sources: Hacken Q1 2026 Security and Compliance Report, April 2026; TRM Labs H1 2026 report, July 2026; DefiLlama-derived Q2 summaries, June and July 2026. Notes: incident counts across Hacken, DefiLlama, and TRM are not directly comparable. Compare directional shifts, not raw column totals.

Three shifts stand out. First, more things failed. Q2 produced more incidents than Q1 in every credible dataset, even though several very large single events pulled the loss total below H1 2025's roughly $2.3 billion. TRM described the H1 pattern as "activity dispersed, losses concentrated," which is a useful summary. The number of hacks more than doubled year over year, but the biggest slice of stolen value still came from a small handful of large events, not from a shift toward larger typical hacks.

Second, the biggest dollar losses moved. In Q1, one hardware wallet social engineering scam alone accounted for $282 million and the "audit paradox" story centered on protocols that had passed audits but still lost funds. Phishing and social engineering drove roughly $306 million of Q1 losses, or about 63.4% of the quarter. In Q2, the two dominant incidents were structurally different: KelpDAO was a compromise of the infrastructure that verifies cross-chain messages, and Drift was a compromise of the humans and workflows that hold administrative authority. TRM's H1 report puts a striking framing on the shift, noting that infrastructure and operational compromises made up only about 15% of incidents but roughly 76% of losses, while the more than 100 smaller smart contract exploits contributed a much smaller share of stolen value.

Third, DeFi liquidity dropped over the same period. That last shift is worth noting as context, not causation. Some industry commentary quoted a DeFi total-value-locked (TVL) fall from about $164 billion before the October 10, 2025 liquidation event to roughly $73 billion by late June 2026. A smaller DeFi pool may change attacker economics at the margin, freeing up attention for smaller and more opportunistic targets, but the current evidence does not prove it caused the incident-count spike.

This is the moment where "audited" stops being enough as a shorthand for safety. The natural next question is where the additional risk sits, and how to think about it without becoming paralyzed. Blockready's DeFi module teaches the DeFi stack layer by layer, from smart contracts and liquidity pools through oracles, stablecoins, staking, bridges, and MEV, precisely so that a learner can put an incident like KelpDAO in the right box instead of collapsing every hack into "a smart contract got broken." When Q2 changed the shape of the risk, it also changed which layer of the stack a serious reader needs to understand next.

KelpDAO vs Drift: Two Big Hacks, Two Different Trust Failures

KelpDAO and Drift were the two dominant Q2 incidents by dollar value. They are often listed together because they happened in the same month and both were attributed to North Korea-linked activity. Under the hood, they broke different parts of the trust stack, and treating them the same way misses the point.

The KelpDAO exploit on April 18 drained approximately 116,500 rsETH, worth about $292 million at the time. LayerZero's incident report, published May 18 and prepared with Mandiant, CrowdStrike, and independent researchers, attributes the operation with high confidence to DPRK threat actor TraderTraitor, also known as UNC4899. According to the report, the breach began on March 6, when a LayerZero Labs developer was socially engineered into cloning a malicious repository. From there the attacker harvested session keys, moved into LayerZero's RPC cloud environment, and poisoned two internal RPC nodes so that they returned true responses to monitoring tools while returning tampered blockchain state to the LayerZero Labs verifier. A simultaneous denial-of-service attack against an external RPC provider forced the verifier to rely only on the two poisoned internal nodes. Because the KelpDAO rsETH configuration required only one verifier attestation, the destination contract accepted the forged message and released the funds. Chainalysis frames this succinctly in its bridge exploit analysis as targeting off-chain verification infrastructure rather than a smart contract bug.

The single-verifier configuration deserves a closer look because it is where the incident becomes an education case. LayerZero's protocol supports multiple decentralized verifier networks that must independently attest to a cross-chain message before funds move. When more than one verifier is required, poisoning one still is not enough to forge a valid message. KelpDAO's rsETH bridge was configured to require only the LayerZero Labs verifier. Whether that configuration was chosen by KelpDAO from the start or was a default that carried over from an earlier setup became the subject of a public back-and-forth, and LayerZero later stated that its verifier would no longer sign attestations for any application using a 1-of-1 configuration. The mechanism-level takeaway does not require picking a side in that dispute. Any cross-chain route that trusts a single verifier concentrates trust, and Q2 showed how expensive that concentration can be when a determined attacker targets the off-chain plumbing rather than the on-chain code.
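The verifier-threshold point above, as an added example that is not LayerZero's or KelpDAO's code: a small Python model of destination-side acceptance under 1-of-1 and 2-of-3 verifier requirements, plus a verifier that fails closed when it cannot reach enough independent RPC sources. Every name (`Verifier`, `destination_accepts`, the RPC labels) is hypothetical and the hashes are constructed.

```python
"""Toy model of cross-chain message verification (constructed data, hypothetical names)."""
from collections import Counter
from dataclasses import dataclass

HONEST_HASH = "0xaaa"  # constructed: message the source chain really emitted
FORGED_HASH = "0xbad"  # constructed: message only the poisoned RPC nodes report


@dataclass
class Verifier:
    name: str
    rpc_responses: dict        # RPC label -> message hash it reports, None if unreachable
    min_agreeing_sources: int  # independent RPC sources that must agree before attesting

    def attest(self):
        """Return the hash this verifier would sign, or None if it fails closed."""
        reachable = [h for h in self.rpc_responses.values() if h is not None]
        if not reachable:
            return None
        top_hash, votes = Counter(reachable).most_common(1)[0]
        # Refuse to sign when sources disagree or too few are reachable.
        if votes != len(reachable) or votes < self.min_agreeing_sources:
            return None
        return top_hash


def destination_accepts(message_hash, verifiers, required):
    """The destination releases funds once `required` verifiers attest to the hash."""
    attesting = {v.name for v in verifiers if v.attest() == message_hash}
    return len(attesting) >= required


def poisoned_verifier(min_agreeing_sources):
    """Verifier whose two internal RPC nodes are poisoned and whose external one is down."""
    responses = {"internal-1": FORGED_HASH, "internal-2": FORGED_HASH, "external": None}
    return Verifier("verifier-a", responses, min_agreeing_sources)


def honest_verifier(name):
    """Independent verifier reading from its own, untampered RPC sources."""
    responses = {"rpc-1": HONEST_HASH, "rpc-2": HONEST_HASH, "rpc-3": HONEST_HASH}
    return Verifier(name, responses, min_agreeing_sources=2)


def scenarios():
    """Does the destination accept the message under each configuration?"""
    three = [poisoned_verifier(2), honest_verifier("verifier-b"), honest_verifier("verifier-c")]
    return {
        "1-of-1, forged": destination_accepts(FORGED_HASH, [poisoned_verifier(2)], 1),
        "2-of-3, forged": destination_accepts(FORGED_HASH, three, 2),
        "2-of-3, genuine": destination_accepts(HONEST_HASH, three, 2),
        # Same 1-of-1 route, but the verifier insists on all three RPC sources.
        "1-of-1, fail-closed verifier": destination_accepts(FORGED_HASH, [poisoned_verifier(3)], 1),
    }


if __name__ == "__main__":
    for label, accepted in scenarios().items():
        print(f"{label:30} accepted={accepted}")
```

Only the first configuration accepts the forged message: raising the verifier threshold or making the single verifier refuse to sign on a reduced RPC set both stop it, and the genuine message still passes 2-of-3.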

The Drift Protocol attack on April 1 was a different animal. Attackers drained about $285 million from the largest decentralized perpetual futures exchange on Solana in roughly 12 minutes, using a combination that Chainalysis and TRM describe as social engineering of multisig signers, Solana's durable nonces feature, a fake CarbonVote (CVT) collateral token, and a zero-timelock Security Council migration. Preparation ran from March 11 through late March, with attackers building relationships with Security Council members, tricking two of them into pre-signing what appeared to be routine transactions but actually granted admin authority, then executing pre-staged withdrawals against manipulated oracle pricing. Both Drift and Chainalysis note likely DPRK involvement, though formal attribution language remained cautious in early reporting. As with the DPRK-linked social engineering that reshaped crypto security risk at Bybit in early 2025, the failure was not in code. It was in humans and in the assumption that a valid signature meant a safe transaction.

The durable-nonce mechanism itself is worth understanding because it is a legitimate feature, not a vulnerability. On Solana, standard transactions expire quickly through a recent blockhash. Durable nonces let a transaction stay valid indefinitely once signed, which is useful for cold-wallet workflows and multi-party approvals. The attackers weaponized that feature by pre-drafting transactions that transferred admin authority and then getting real Security Council members to sign them, presenting the transactions as routine while hiding the payload that actually mattered. On execution day, those pre-signed transactions were already valid on the network. Drift's own statement was clear that the exploit did not involve a bug in Drift's programs or a compromised seed phrase. The attack path lived in workflow design, oracle validation, and the small window created when Drift's Security Council migrated to a new setup with no timelock, which removed the delay that would normally let a defender catch a hostile admin action.
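A signer-side review of the workflow described above, as an added example that is not Drift's code: it flags a transaction that uses a durable nonce, compares its decoded instructions with what the requester said it does, and computes how much veto window a timelock leaves. The instruction names, the program ID placeholder, the transactions and the 48-hour timelock are constructed, and the example assumes the signer has a trusted decoder that supplies `decoded_name`.

```python
"""Pre-signing review for a multisig signer (constructed transactions, hypothetical names)."""
SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = (4).to_bytes(4, "little")  # SystemInstruction::AdvanceNonceAccount

# Hypothetical names for instructions that change who controls the protocol.
PRIVILEGED = {"update_admin", "set_authority"}
APP_PROGRAM = "HYPOTHETICAL_PROGRAM_ID"  # placeholder, not a real program address


def uses_durable_nonce(tx):
    """A durable-nonce transaction carries AdvanceNonceAccount as its first instruction."""
    if not tx["instructions"]:
        return False
    first = tx["instructions"][0]
    return (first["program_id"] == SYSTEM_PROGRAM_ID
            and first["data"][:4] == ADVANCE_NONCE_ACCOUNT)


def review_before_signing(tx, described_as):
    """Compare what the requester said the transaction does with what it contains."""
    findings = []
    durable = uses_durable_nonce(tx)
    if durable:
        findings.append("durable nonce: signature stays valid until the nonce is advanced")
    body = tx["instructions"][1:] if durable else tx["instructions"]
    for ix in body:
        name = ix["decoded_name"]
        if name is None:
            findings.append(f"undecodable instruction for program {ix['program_id']}")
        elif name in PRIVILEGED:
            findings.append(f"privileged instruction: {name}")
        elif name not in described_as:
            findings.append(f"not in stated purpose: {name}")
    return findings


def veto_window(timelock_seconds, detection_delay):
    """Seconds defenders have left to cancel a queued admin action once they notice it."""
    return max(0, timelock_seconds - detection_delay)


# Constructed samples: a routine change, and one that hides an authority transfer.
ROUTINE_TX = {"instructions": [
    {"program_id": APP_PROGRAM, "data": b"", "decoded_name": "update_fee_tier"},
]}
DISGUISED_TX = {"instructions": [
    {"program_id": SYSTEM_PROGRAM_ID, "data": ADVANCE_NONCE_ACCOUNT,
     "decoded_name": "advance_nonce_account"},
    {"program_id": APP_PROGRAM, "data": b"", "decoded_name": "update_fee_tier"},
    {"program_id": APP_PROGRAM, "data": b"", "decoded_name": "update_admin"},
]}

if __name__ == "__main__":
    stated = {"update_fee_tier"}  # what the requester claimed the transaction does
    print(review_before_signing(ROUTINE_TX, stated))
    print(review_before_signing(DISGUISED_TX, stated))
    # Ten minutes to notice: a 48-hour timelock leaves time to act, zero leaves none.
    print(veto_window(48 * 3600, 600), veto_window(0, 600))
```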

KelpDAO vs Drift: Different Failure Modes

Same quarter, similar dollar sizes, different parts of the trust stack broken.

| Aspect | KelpDAO (April 18) | Drift Protocol (April 1) |
| --- | --- | --- |
| Reported loss | About $292 million (116,500 rsETH) | About $285 million |
| Where trust broke | Off-chain infrastructure and single-verifier bridge configuration | Signing authority, social engineering, and control-plane workflows |
| Attack mechanics | RPC node poisoning, DDoS on external RPC, forged cross-chain message accepted by a 1-of-1 verifier setup | Pre-signed transactions via durable nonces, hidden authorization, fake collateral, zero-timelock migration |
| Attribution | Mandiant, CrowdStrike, and independent researchers attribute to DPRK's TraderTraitor / UNC4899, per LayerZero's incident report | TRM and Chainalysis describe likely DPRK involvement; formal attribution described as preliminary in early reporting |
| What it was not | Not a KelpDAO smart contract bug and not a LayerZero protocol bug | Not a Solidity bug, not a Solana chain failure, and not a routine bridge exploit |

Sources: LayerZero Labs, KelpDAO Incident Report, May 18, 2026; Chainalysis, Inside the KelpDAO Bridge Exploit, June 2026; Chainalysis, The Drift Protocol Hack: How Privileged Access Led to a $285M Loss, April 2026; TRM Labs, North Korean Hackers Attack Drift Protocol in $285 Million Heist, April 2026. Notes: attribution wording preserved from the cited sources.

Reading them side by side helps in the same way that comparing two different fires helps a fire investigator. The dollar losses are similar, but the response should be different. The KelpDAO story pushes toward hardening cross-chain verification setups, resisting single-verifier bridges, and treating off-chain infrastructure as part of the security surface. The Drift story pushes toward multisig hygiene, timelocks, oracle sanity checks, and treating any high-authority signature as something to be verified, not signed out of routine.

What Q2 Means for a Normal Crypto User

Q2 2026 did not turn every wallet holder into a bridge operator or a Security Council member. The relevance is more indirect. A normal user does not run RPC nodes or sign multisig admin transactions. But most people who hold a token, use a DeFi protocol, or bridge between chains are still trusting some version of the four layers that Q2 broke.

The Q2 2026 Risk Stack

Four layers where trust can fail, drawn from the incidents that dominated the quarter.

Core insight

Audits cover code. Q2 broke more than code.

"Audited" is one signal, not a safety guarantee. Q1 already showed six audited protocols being exploited. Q2 extended the story into infrastructure and signing authority, which routine audits usually do not touch.

Layer 1

Code risk

Smart contract bugs still drive the largest number of incidents. TRM counted 125 smart contract exploits out of 207 H1 hacks. This is the layer audits address most directly.

Layer 2

Bridge and cross-chain infrastructure risk

Watchers, verifier networks, RPC nodes, and finality assumptions. KelpDAO showed that a single-verifier configuration and poisoned RPC data can move nine-figure value without a code exploit.

Layer 3

Signing and control-plane risk

Multisig authority, admin keys, timelocks, and workflow design. Drift showed that valid signatures obtained through social engineering can authorize actions the signers never intended to approve.

Layer 4

Social engineering risk

Humans and operational workflows as the exploit path. Both April incidents began with attackers building relationships and access weeks in advance. This is the layer where individual users are most exposed too, through phishing, fake support, and drainer prompts.

Framework: Blockready educational synthesis grounded in the Q1 Hacken report, LayerZero's KelpDAO incident report, and TRM and Chainalysis analyses of Drift.

One of the most common beginner mistakes we see is treating an "audited" badge or a large TVL number as a proxy for safety. It happens because those are the loudest signals available on a project's homepage, and because the alternative feels overwhelming. Q1 2026 already showed that a protocol with 18 audits can still lose funds. Q2 goes a step further: even a well-audited protocol depends on bridges it did not audit, oracles it did not build, verifier networks it did not run, and signers whose devices it does not control. The correct response is not to distrust everything. It is to read an audit badge as evidence rather than a safety guarantee and to widen the list of questions you ask before you trust a route with meaningful value.

For someone using a normal wallet, the practical translation runs closer to signing habits and route choice than to code review. Before you sign a transaction, ask what authority the signature grants and whether the request came through a channel you trust. Before you bridge, take a minute to check whether the route depends on a single verifier or many. Before you deposit into a new protocol, ask what happens if an admin key is compromised or a timelock is removed. That is the tone of an evidence-first framework for evaluating crypto risk claims, and it becomes more useful as the attack surface widens, not less. If you are still building the underlying literacy, the fundamentals of securing your crypto wallet and the mechanism-first map of DeFi are the shortest paths to being able to ask those questions with any confidence.

What This Quarter Does Not Mean

The Blockready View

Q2 2026 does not mean audits are useless, DeFi is doomed, or a specific chain is now unsafe. It means the attack surface visibly widened, from code alone into bridge configuration, control-plane authority, and social engineering. Our editorial view is that a serious reader should stop asking "is this protocol audited" as if that is one question, and start asking three: what did the audit cover, who can move value here without triggering the code path an audit reviews, and what happens if a trusted human is fooled. We do not recommend abandoning bridges or self-custody. We do recommend treating any cross-chain route or high-authority signature as a decision to be evaluated in context, not a habit to be executed. And we would rather see a reader stay calm and structured than react to a quarterly headline as if crypto trust had collapsed. It has not. It has become more layered, and it now rewards readers who can name the layers.

Frequently Asked Questions

Was Q2 2026 really the worst quarter ever for crypto hacks?

Yes, by incident count in at least one credible dataset, but not by dollar losses. DefiLlama-derived tracking placed Q2 at about 83 protocol exploits in late June and 88 known-loss entries by end of quarter. TRM's broader hack dataset counted 123 Q2 incidents. Total Q4 2020 losses of about $3.56 billion remain higher in dollar terms.

Why do some sources say 83 crypto hacks and others say 123?

Because they are counting different things. The 83 figure is from DefiLlama's protocol exploit tracking as summarized by Unfolded on June 22, 2026. The 88 figure is a slightly later end-of-quarter recount from the same source family. The 123 figure is TRM Labs' broader dataset that includes crypto security incidents beyond DefiLlama's protocol scope. All three describe Q2 2026. They do not measure the same population.

What happened in the KelpDAO hack?

On April 18, 2026, attackers drained about 116,500 rsETH from KelpDAO's LayerZero-based cross-chain bridge, worth roughly $292 million. According to LayerZero's incident report, the breach began on March 6 with social engineering of a LayerZero Labs developer. The attackers compromised internal RPC nodes and used a denial-of-service attack on an external RPC provider to trick the LayerZero Labs verifier into signing a forged cross-chain message. Because the KelpDAO configuration required only one verifier attestation, the destination contract released the funds. Mandiant, CrowdStrike, and independent researchers attribute the operation to DPRK threat actor TraderTraitor.

What happened in the Drift Protocol hack?

On April 1, 2026, attackers drained about $285 million from Drift Protocol, a Solana-based perpetuals exchange, in roughly 12 minutes. According to TRM Labs and Chainalysis, the operation used weeks of social engineering, Solana's durable nonces feature to pre-sign hidden authorizations, and a fake CarbonVote token used as collateral. A zero-timelock migration of the Security Council removed the delay that would normally allow intervention. Drift stated the attack did not exploit a smart contract vulnerability. Formal attribution to North Korea-linked actors was described as likely or preliminary in early reporting.

Do crypto audits prevent hacks?

Not on their own. Audits check specific code at a specific time. Hacken's Q1 2026 report noted that six audited protocols were exploited in Q1, including one with 18 prior audits. Q2 extended the pattern by showing that major losses can come from off-chain infrastructure, single-verifier bridge configurations, admin authority, and social engineering, none of which are the main focus of a routine smart contract audit. Audits are useful evidence, not a safety guarantee.

What should a normal wallet or DeFi user learn from Q2 2026?

Read every high-authority signature and every cross-chain route as a decision, not a habit. Ask what an "audited" badge actually covers, whether a bridge relies on one verifier or many, and what would happen if a signer were tricked. Q2 did not make crypto more dangerous overnight. It made the trust stack more visible, and users who understand the layers will make better decisions than those who react to the headline number.
