The first half of 2026 produced 344 confirmed security incidents across the Web3 ecosystem, resulting in over $1.31 billion in gross losses. After $115.3 million in frozen and recovered funds, net adjusted losses stood at approximately $1.20 billion.
This report covers the key trends, attack vectors, affected chains, and incidents that defined the period, drawing on data from the industry's leading security research firms. It also covers the five incidents we reported on in detail at Procur3.io and what they collectively reveal about the dominant security failures of the year so far.
The Headline Numbers
- $1.31 billion lost across 344 incidents in H1 2026.
- $1.20 billion in net losses after recovered and frozen funds are removed.
- 207 confirmed hacks recorded across the period, the highest six-month count on record by incident frequency, with attacks occurring at an average rate of roughly one every 10 hours.
Q2 was substantially worse than Q1 by dollar loss. The second quarter recorded $807.5 million in losses, a 59% increase over Q1's $508.2 million. A significant portion of that Q2 figure came from two incidents in April, which together accounted for nearly 44% of all H1 losses.
How Attacks Broke Down by Vector
The split between attack types in H1 2026 tells a clear story about where the risk actually sits.
Wallet compromise was the most financially destructive attack vector of the half, generating $444.5 million in losses across just 33 incidents. This represents the highest per-incident average of any attack category, and reflects a shift toward attacks targeting the infrastructure and access controls around protocols rather than the protocol code itself.
Phishing was the second largest vector by dollar loss, responsible for $366.3 million across 63 incidents. Phishing incident volume fell more than 52% compared to H1 2025, but losses declined by only around 11%. The gap between those two numbers points to a structural shift: fewer campaigns, but targeting higher-value individuals with access to significant on-chain assets. Four phishing incidents accounted for approximately 85% of all phishing losses in the period.
Code vulnerabilities remained the most prolific attack category by incident count, with 204 incidents recorded. They generated approximately $151.6 million in losses, the lowest total of the three major categories despite accounting for the majority of incidents. The implication is that smart contract security, while not solved, has improved enough that the largest financial losses are now coming from elsewhere.
Infrastructure and operational compromises, while representing only around 15% of total incidents, accounted for approximately 76% of total dollar losses. The contracts, in many cases, were not the problem.
The Quarter-on-Quarter Shift
Phishing drove the bulk of Q1 losses. By Q2, the dominant vector had shifted to wallet compromise and key management failures.
This matters because it points to two distinct failure modes that require different defensive responses. Phishing targets human behaviour: credentials, approvals, seed phrases, and social engineering of individuals. Wallet compromise and key management failures reflect structural weaknesses in how protocols govern access to privileged functions, how private keys are stored, and how signing authority is distributed and protected.
A security posture built around preventing phishing addresses Q1's threat profile. A security posture built around key management and multisig governance addresses Q2's. Both are necessary. They address different layers of the stack.
North Korea and the State Actor Dimension
Approximately $643 million in losses across H1 2026 are attributed to North Korean state-sponsored hacking operations, representing around 66% of all funds stolen in the period.
The two largest incidents of the half year, the KelpDAO exploit ($291 million, April 18) and the Drift Protocol breach ($285.3 million, April), are both linked to these operations. Neither involved a vulnerability in the core smart contract code. KelpDAO was exploited through a DVN failover mechanism on its bridge infrastructure. Drift was a wallet compromise and administrative access breach.
The financial scale of these operations prompted a significant diplomatic response. In late June, officials from the United States, Japan, and South Korea convened to address North Korea's cyber activity and the illicit revenue it generates. Government representatives acknowledged that North Korean IT workers are increasingly using artificial intelligence to accelerate and scale their operations. Multiple security firms have independently confirmed this trend.
North Korean state actors have now accumulated more than $6 billion in crypto theft since 2017, according to estimates from blockchain intelligence research. The pace of that accumulation has not slowed.
By Chain
Ethereum remained the most targeted blockchain, recording 153 security incidents with losses totalling $522.8 million.
Solana recorded seven incidents in H1, but they generated $315 million in losses, almost entirely due to the Drift Protocol breach. The contrast between Solana's low incident count and high loss total illustrates the concentration risk that comes with large-scale infrastructure compromise, as opposed to the broader-based loss pattern on chains with higher incident volumes and smaller average losses.
BNB Chain saw more than 100 incidents over the period, with considerably smaller average losses per event, reflecting a composition of smaller protocols and a higher frequency of opportunistic attacks rather than large-scale targeted operations.
The Legacy Contract Problem
One finding from H1 2026 security research that is not receiving adequate attention: a growing proportion of code vulnerability incidents targeted contracts deployed more than 12 months ago.
Attackers are increasingly revisiting legacy codebases rather than focusing exclusively on newly launched protocols. Improved automated tooling, including AI-assisted scanning capabilities, is lowering the cost of systematically identifying overlooked vulnerabilities in older code.
The practical implication for protocols is significant. A security audit conducted at launch reflects the contract as it existed at that moment. It does not account for integrations added subsequently, dependencies updated, governance parameters changed, or new attack tooling that did not exist when the review was conducted.
Continuous security coverage is not an optional enhancement over a point-in-time audit. Given the direction of attacker tooling, it is increasingly a prerequisite for maintaining meaningful coverage.
Five Incidents That Illustrate the Year
At Procur3.io, we covered five incidents in detail between May and June 2026. Taken together, they define the dominant attack surface of H1 2026 more clearly than any single statistic.
StablR (May 2026, $10.4M)
A 1-of-3 multisig threshold on a minting function. One private key compromised, the attacker added themselves as owner, removed the other two signers, and minted $10.4 million in unbacked stablecoins. EURR depegged to $0.88. StablR held an EMI licence from Malta's MFSA, MiCA compliance, quarterly reserve attestations by Grant Thornton, and strategic investment from Tether and Kraken. None of that addressed the governance layer of the minting function.
Superfortune (May 2026, $15.18M)
A multisig address substitution attack. The team executed what they believed was a routine token distribution transaction. The destination address was altered between signing intent and on-chain execution. 14.98 million GUA tokens were sent to an attacker-controlled wallet, converted to 2,784 ETH. The signers approved the transaction correctly. The wrong address was the only problem. The defence is hardware-level verification of the full transaction payload on the signing device, not the browser interface presenting the transaction.
Humanity Protocol (June 2026, $32M)
Seven private keys on one infected developer laptop. Three simultaneous attack vectors: an admin hot wallet drained directly, three of six Ethereum Gnosis Safe owners compromised giving attacker control of the bridge ProxyAdmin, and three of five BNB Chain Safe owners compromised enabling 300 million new tokens to be minted. Total exposure: 447 million tokens, approximately $32 million in extracted value. The root cause was not the multisig configuration. It was the physical co-location of keys that the configuration assumed were independent.
Taiko (June 2026, $1.7M)
An SGX enclave signing key for the Raiko proof system was exposed in a public GitHub repository. SGX provides hardware-level key isolation, designed so that even the operating system cannot read the keys generated inside the enclave. That guarantee does not extend to what happens to the key after it leaves the enclave environment. The attacker used the exposed key to generate forged bridge proofs, which Ethereum's L1 contracts accepted as valid, releasing real USDC and ETH for deposits that did not exist. Block production was halted. All bridges were declared unsafe. The protocol published a full incident report shortly after.
SecondFi (June 2026, $2.4M confirmed, up to $20M estimated)
SecondFi, the renamed successor to Yoroi and the official self-custody wallet built by EMURGO, a founding entity of the Cardano blockchain, disclosed a critical vulnerability in its key generation software. The wallet generated private keys using a source of randomness that followed a predictable pattern. An attacker who understood the pattern could derive the private keys for wallets the application had already created. The vulnerability is at the address level: importing the same seed phrase into a different wallet application does not resolve the exposure because the derived keys are already compromised. An independent audit of the full loss figure is ongoing.
All five incidents sit in the same layer. Not the smart contract. The key management infrastructure, the signing environment, and the operational security practices governing privileged access to protocol functions.
What the Data Points to for H2 2026
Several trends from H1 2026 are likely to continue or accelerate in the second half of the year.
Key management remains the dominant loss vector. Wallet compromises generated the most losses from the fewest incidents. Protocols that have not formally reviewed their private key management practices, multisig configurations, and signing environments in the past 12 months should treat that as an open exposure.
Phishing is becoming more targeted. The decline in phishing volume alongside stable loss totals reflects a shift toward fewer, higher-value attacks. Individuals with admin access, signing authority, or privileged credentials are now the primary phishing target, not general users.
AI-assisted attack tooling is an active and growing threat. Multiple security firms have independently flagged the use of AI in both social engineering campaigns and automated vulnerability scanning. This is not a speculative future risk. It is affecting incident characteristics now.
Legacy contract coverage is a gap. The increase in attacks on contracts over 12 months old, combined with improved attacker tooling, means that protocols relying on pre-launch audits without subsequent reviews are increasingly exposed.
Monitoring and incident response quality will determine recovery outcomes. The $115.3 million recovered in H1 2026 came disproportionately from incidents where teams had monitoring in place, response plans ready, and exchange relationships established before the incident occurred. These are preventable gaps.
Recommendations
The security research this half-year is consistent in its recommendations. CertiK specifically identified the following as the highest-priority controls for protocols holding significant on-chain assets:
- Harden every layer of private key management, from hardware security and multisig governance to geographically distributing where signers are based.
- Treat key custody and operational security as primary security surfaces, not secondary operational concerns.
- Implement continuous security review processes rather than relying on point-in-time launch audits.
- Establish real-time monitoring on privileged function calls, ownership changes, and large asset movements.
- Ensure incident response plans are documented, tested, and actionable before they are needed.
The SEAL Security Alliance's Multisig Framework documents specific implementation guidance for multisig configuration, signer onboarding, and signing hygiene at frameworks.securityalliance.org/multisig-for-protocols/overview.
Closing
$1.31 billion lost. 344 incidents. A hack every 10 hours. The contracts were not the primary problem.
The security industry has made genuine progress hardening smart contract code over the past several years. The evidence from H1 2026 is that attackers have responded by moving to the layer above: the keys that control the contracts, the governance processes that govern the keys, and the operational environments where those keys are held and used.
Protocols that have addressed their contract security but not their operational security posture are carrying more risk than their audit history suggests.
About Procur3.io
Procur3.io is the leading Web3 security marketplace, connecting protocols with 60+ vetted security firms across 25 ecosystems. More than 100 teams have used Procur3 to identify the right security partners for their protocol, for services spanning smart contract audits, penetration testing, cloud infrastructure reviews, cryptography, multisig and operational security, and compliance.
Every firm on the platform is listed with verified, auditable data on procur3.io/auditors, giving teams the due diligence foundation to make an informed selection rather than relying on reputation alone.
For teams ready to move, Procur3's 1-click RFP system delivers up to 10 competitive quotes in under 24 hours from firms matched to your stack and scope, saving teams up to 40% on security costs compared to sourcing independently.
Start your security review at procur3.io
Sources: CertiK H1 2026 Security Report, TRM Labs H1 2026 Report, DefiLlama, SlowMist Hacked, Blockaid, PeckShield, US State Department. All figures as of July 6, 2026.
