Crypto News Ethereum Exchanges

Q2 2026 Becomes Record-Breaking Most-Hacked Quarter with 83 Incidents

Q2 2026 Becomes Record-Breaking Most-Hacked Quarter With 83 Incidents
Q2 2026 Becomes Record-Breaking Most-Hacked Quarter With 83 Incidents

Cryptocurrency security continues to deteriorate into 2026’s second quarter, with incident counts already marking the period as the most-hacked quarter on record. Unfolded’s analysis—based on DefiLlama hack data—tracks 83 exploits targeting crypto protocols so far in Q2 2026.

Even with the spike in attacks, the quarter’s total losses of $755.3 million are still far below the record loss quarter of Q4 2020, when hacks totaled $3.56 billion. The contrast between rising exploit frequency and comparatively lower aggregate damage is becoming a defining feature of the current cycle.

Key takeaways

  • Q2 2026 has logged 83 protocol exploits already, the highest incident count for any quarter in the dataset cited by Unfolded.
  • Total stolen value so far stands at $755.3 million—materially lower than Q4 2020’s $3.56 billion, which remains the costliest quarter on record.
  • Bridge attacks drove the quarter’s losses, with $351 million stolen via cross-chain bridges—led by the LayerZero OFT-related KelpDAO incident.
  • Industry risk experts point to a mismatch between faster protocol redesign and the complexity of robust risk controls.
  • Some security stakeholders argue attacker capabilities are improving amid a broader shift in the cyber landscape, while DeFi value appears to be smaller than in prior peaks.

More hacks, less value stolen than the 2020 high

The numbers underscore a persistent problem: crypto remains an attractive target, but the payoff per exploit may be changing. Unfolded’s incident-based tally shows the quarter is already number one by frequency, while the $755.3 million in stolen funds so far remains below the all-time high-water mark from Q4 2020.

At the top end of Q2’s damage, two single incidents dominate the current quarter’s storyline. KelpDAO’s $293 million hack and Drift Protocol’s $280 million exploit were the largest attacks reported so far, together accounting for a substantial portion of the quarter’s total losses.

Exploit activity appearing “more frequent” with lower total losses has also been attributed to the size of the available target pool. Dmytro Tarasiuk, product director at risk intelligence platform CORE3 and crypto security rating platform CER.live, suggested to Cointelegraph that total value locked (TVL) in DeFi appears to have fallen sharply—citing a drop from $164 billion before the Oct. 10 liquidation event to about $73 billion at the time of reporting. If less value is deployed, attackers can still run exploits, but the maximum extractable value may be constrained.

Tarasiuk also pointed to a structural vulnerability in how protocols are built. In his view, the industry’s most urgent weakness is that teams often re-engineer systems faster than they can properly align them with the underlying complexity of risk management. He described operational practices that can multiply exposure, including setups where a three-of-six multisig exists alongside key storage arrangements that concentrate risk—such as keeping multiple keys on the same device—creating additional attack surface beyond pure smart-contract logic.

Bridge exploits take the lead as the primary attack vector

Cross-chain bridges were the dominant technique in Q2 2026. According to the DefiLlama hack breakdown used in Unfolded’s analysis, $351 million in value was hacked through bridges during the quarter.

Within that category, the LayerZero OFT bridge exploit tied to the KelpDAO incident accounts for more than 38% of all value stolen in Q2. The same DefiLlama-based breakdown attributes 37% of losses to compromised admin attacks and fake token price manipulation, while private key compromises represented 5.66%.

This allocation is important for investors and protocol operators because it helps narrow where defenses must be strengthened first. If bridges remain the largest source of stolen value, then monitoring and hardening of cross-chain verification, administrative pathways, and token integrity mechanisms becomes a priority—not just after an exploit, but as part of ongoing control design.

The quarter also shows that bridge risk is not confined to a single ecosystem. Earlier coverage noted that Ethereum layer-2 network Taiko was the latest to experience a bridge-related incident, where hackers stole $1.7 million after compromising Taiko’s chain state verification mechanism.

Notable incidents highlight recurring weaknesses across ecosystems

Beyond bridges, the quarter included several high-profile thefts that point to the breadth of attack methods across DeFi. Cointelegraph reports that Humanity Protocol lost $36 million on June 8, while THORChain suffered an exploit of $10.7 million on May 15. The pattern suggests attackers are willing to probe different protocol architectures—from liquidity networks to cross-chain integrations—rather than concentrating exclusively on one style of vulnerability.

More examples from the same period also reinforce how adversaries can monetize weaknesses that extend beyond active code paths. Cointelegraph noted two exploits targeting Aztec Connect’s abandoned smart contracts, with $2.1 million stolen in one incident and $1.3 million stolen in another tied to decentralized exchange Raydium earlier in June. These cases matter because they indicate that “abandoned” or legacy components still have security implications, particularly when they remain discoverable or externally reachable.

Security debate turns to AI-enabled attacker advantage

As exploit frequency rises, the industry is continuing to debate whether recent advances in artificial intelligence have changed how attacks are conducted. Cointelegraph reports that Mitchell Amador, CEO of bug bounty platform Immunefi, told the outlet in a recent interview that the proliferation of new AI models shifted the cybersecurity playing field in favor of attackers.

Amador described this as a “vulnerability apocalypse,” linking the resurgence in exploits to the increased ability to identify and exploit weaknesses more efficiently. While that framing is not quantified in the figures cited here, it provides context for why Q2 2026’s incident count can rise even if total stolen value does not track proportionally with frequency.

For participants in crypto markets—whether traders managing exposure to risky venues, users choosing custody and on-chain interactions, or builders deciding where to spend engineering time—the takeaway is that risk is evolving on multiple fronts. DeFi’s shrinking TVL may reduce the size of the loot in aggregate, but attacker persistence and rapid exploitation cycles can still produce outsized disruption, especially where bridge infrastructure or operational controls are fragile.

Going forward, readers should watch whether bridge-related losses remain dominant in subsequent quarters, and whether any recovery in DeFi TVL leads to both higher incident counts and larger absolute losses—or if the current “more frequent, less total value” pattern persists as protocols adapt and security budgets shift.

Risk & affiliate notice: Crypto assets are volatile and capital is at risk. This article may contain affiliate links. Read full disclosure

The Crypto Breaking News editorial team curates the latest news, updates, and insights from the global cryptocurrency and blockchain industry.

Related Posts