- Q2 2026 records 70 crypto exploits, double the previous quarterly record per DefiLlama data.
- Total losses sit at $746M, far below 2021 peaks as frequency rises but individual hacks shrink.
- Key compromise and social engineering now dominate, replacing smart contract bugs as an attack type.
Q2 2026 has become the most hacked quarter in crypto history. DefiLlama recorded approximately 70 separate incidents through mid-June, roughly double the previous record for any single quarter. The hack count is unprecedented. The dollar losses are not.
Total stolen funds for the quarter sit at approximately $746 million. A single quarter in 2021 saw losses exceeding $3.6 billion. The February 2025 Bybit breach alone reached $1.4 billion. What Q2 2026 represents is not the biggest quarter by losses. It is the busiest quarter by incident count by a wide margin.
How the Quarter Broke Down
April set the tone and accounted for the bulk of quarterly losses, recording a monthly record of 28 to 30 confirmed incidents and more than $625 million in stolen funds.
May told a different story. Rather than one or two catastrophic events, $84.2 million spread across 41 incidents on 16 separate blockchains. The five largest May incidents collectively accounted for about 60% of monthly losses. Infrastructure attacks, including multisig tampering, bridge verification bypasses, and vault address poisoning, represented 63% of May’s total dollar losses.
Ethereum-connected protocols accounted for $61.9 million of May’s $84.2 million total, approximately 74% of the monthly figure. Bridge-related incidents have totaled over $328 million across all of 2026, with the KelpDAO wallet compromise alone representing $291.3 million of that figure.
Q1 2026 for context recorded 34 incidents totaling $169 million. April’s surge was 3.7 times larger than the entire Q1 total.
The Shift From Code to Keys
The rising incident count reflects a fundamental change in how crypto gets stolen. Early losses across the industry’s history came from smart contract bugs, re-entry exploits, faulty mathematics, and mispriced collateral. Recent losses increasingly come from compromised private keys, social engineering, and access control failures, where the contract functioned exactly as designed, but the wrong person held the signing rights.
The $36 million Humanity Protocol exploit traced to a multisig configured on a single laptop is the clearest recent example. Raydium’s $1.34 million loss from a deprecated pool followed the same pattern. The attack surface has moved from the code to the people and keys surrounding it.
The figures reflect data through mid-June and may be updated as additional June incidents are recorded.
Related: Billions Lost as Crypto Hackers Shift Focus Beyond Code Flaws
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
