Q2 2026 becomes crypto's most-hacked quarter with over 80 exploits
The second quarter of 2026 will go down as the worst quarter on record when it comes to crypto security breaches, more than any three-month period, according to DeFiLlama data. As of June 22, around 83 incidents have been recorded, which is double the previous high for attack frequency.
However, the amount lost is still below the industry’s worst losses. The total value hacked is put at approximately $775 million for Q2; while it is high, it is still a fraction of some of the highs that occurred in certain quarters in previous years.
Crypto market intelligence platform Unfolded described the kind of exploits that constantly fed the bad news during the quarter, writing on X, “Rather than a few giga exploits, it’s been a constant stream of smaller attacks.”
The fourth quarter of 2020 still holds the dollar-loss record at $3.56 billion.
Which exploits account for the most damage that occurred in Q2?
The $293 million KelpDAO breach and $280 million Drift Protocol exploit together accounted for more than three-quarters of Q2’s total stolen funds.
Both incidents occurred in April, which CertiK confirmed as a record-setting month with around $651 million in total industry losses across 28 to 30 separate attacks.
Cross-chain bridge vulnerabilities were responsible for the costliest attacks. Bridge-related exploits accounted for an estimated $351 million in Q2 losses.
The LayerZero OFT bridge flaw behind the KelpDAO incident alone represented more than 38% of all funds stolen during the quarter.
Compromised administrator credentials and fake token price manipulation made up another 37% of losses. Private key theft accounted for about 5.7%.
What was the frequency of attacks on crypto projects month-on-month?
CertiK’s monthly reports show that 58 incidents occurred in April, 60 in May, and 25 in June so far, with over a week remaining, according to DefiLlama’s tracker.
May’s dollar losses came in far lower at $68.3 million across those 60 incidents, per CertiK, reinforcing the pattern of frequent but smaller breaches.
June has already produced several notable exploits, one of which is the Humanity Protocol breach, which lost $32 million to a private key compromise on June 8. Abandoned Aztec Connect smart contracts were exploited twice in the span of a week, with the first incident being a $2.19 million breach on June 14, followed by a separate $2 million drain on June 17, as Cryptopolitan documented.
Taiko confirmed on June 22 that attackers exploited its bridge verification mechanism for $1.7 million, with PeckShield estimating the loss, and Lookonchain tracking 1.99 million TAIKO tokens moved to MEXC.
Decentralized exchange Raydium lost $1.34 million to a fake LP mint attack on June 10.
Deprecated contracts are now a growing target for hackers
Smart contracts that development teams abandoned earlier are now making news again, but not for good reasons, as attackers seem to have turned their focus on them.
The back-to-back Aztec incidents hit products that had been deprecated in 2022 and 2023, with administrative controls renounced on-chain, leaving no mechanism for emergency patches, according to Aztec Labs.
Another attack that involved deprecated contracts was the one that saw $2.1 million leave a legacy vault linked to Thetanuts Finance on June 15.
Security researcher Blockful.eth flagged this emerging pattern on X, noting multiple exploits had hit “old contracts with millions of dollars sitting idle.”
What does this trend mean for the rest of 2026?
The cumulative losses in 2026, from January through the end of May, reached around $1.3 billion, according to CertiK. June’s incidents are adding to that total with the quarter still open.
The latest trend of lower-dollar attacks marks a change from earlier years, when a single bridge exploit or exchange breach could account for billions.
Frequent attacks now target admin access, bridge infrastructure, and abandoned code, unlike what used to be the occasional catastrophic event in the past.
However, response capabilities have improved, with the KelpDAO incident in April being a notable example. The Arbitrum Security Council froze $71 million of the KelpDAO attacker’s funds using emergency powers, as Cryptopolitan reported.
If you're reading this, you’re already ahead. Stay there with our newsletter.
Recommended Articles
