
Crypto Hacks Hit a Record Pace in 2026. The Money Mostly Went to Two Attacks.

TRM Labs data shows crypto hacking hit a record pace in 2026, but two North Korea-linked strikes account for three-quarters of everything stolen.
July 2, 2026
Illustration. TRM Labs data shows 2026 on pace for the most crypto hacking incidents on record, though two North Korea-linked strikes account for most of the money stolen. [Image Source: CoinDesk]

NEW YORK — By the numbers that usually matter most in crypto security, this should have been a quiet year. Total dollar losses to hacking are running behind the record pace set in 2025. By the number that matters more, it has been the worst stretch the industry has ever tracked: roughly one exploit a day through April, and a second quarter that blockchain analytics firm TRM Labs now counts as the most-hacked quarter in crypto’s history, at about 70 separate incidents.

Both things are true because the money and the attacks stopped moving together. Small exploits (drained wallets, mispriced contracts, forgotten admin keys) are hitting protocols at a pace no earlier year came close to matching. But the dollars are lopsided almost to the point of absurdity: two attacks linked to North Korean state-backed hacking groups, the April 1 strike on Drift Protocol and the April 18 hit on KelpDAO, together accounted for 76 percent of everything stolen from crypto platforms so far this year, according to TRM Labs. Take those two out of the ledger and 2026 looks like an industry quietly getting better at defending itself. Leave them in, and it looks like the worst year on record.

The KelpDAO exploit, attributed to the Lazarus Group, targeted a known single-verifier flaw that LayerZero had previously warned about, and the roughly $292 million taken was laundered within hours through THORChain and Umbra using the same Chinese-intermediary playbook, internally nicknamed TraderTraitor, that North Korean operations have refined since the Ronin Bridge theft in 2022. The Drift Protocol attack four days later took a different route entirely. CoinDesk reported that North Korean proxies spent months conducting in-person social engineering with Drift employees, sitting across a table from them, before executing a $285 million exploit. Ari Redbord, TRM Labs’ global head of policy and government affairs, called the approach “unprecedented in North Korea’s crypto hacking campaign,” a description that undersells how much it breaks from the group’s usual remote, code-first methods.

Pyongyang disputes all of it. In a statement carried by state media, a spokesperson for North Korea’s Foreign Ministry dismissed the attribution as “absurd slander,” arguing it was a political tool Washington uses to justify hostile policy while sitting on the world’s most advanced offensive cyber capabilities itself. TRM Labs has not responded point by point to the denial, and the attribution rests on blockchain forensics and wallet-clustering analysis rather than a confession, the same evidentiary gap that has surrounded nearly every past claim tying Pyongyang to a crypto theft.

What the alleged shift in tactics signals, if TRM’s account holds, is patience most cybercriminal operations do not have. Spending months building trust with employees at a single target, for a single payout, is a bet that only makes sense for an operation with a state’s time horizon and a state’s tolerance for a failed attempt. TRM Labs puts the cumulative theft it attributes to North Korea since 2017 above $6 billion, and the share it assigns to Pyongyang has climbed steadily: under 10 percent from 2020 to 2021, 22 percent in 2022, 37 percent in 2023, 39 percent in 2024, 64 percent last year, and now 76 percent. The trend line, TRM argues, does not describe a group getting lucky. It describes a group getting better, year over year, at a narrower and narrower set of targets.

The other half of the 2026 pattern, the part with no attribution dispute attached, is arguably more disruptive to the average user. Eastern Herald has tracked a run of smaller exploits this year that share little except how ordinary they have become. A $4.67 million infinite-mint exploit hit Secret Network through a bridge contract flaw that went undetected for seven days. A nonce-derivation error in SecondFi’s wallet software, the Cardano platform run by EMURGO, let attackers reconstruct private keys from public blockchain data alone, draining $2.4 million from 374 wallets that never signed a malicious transaction. Neither attack required a state’s resources. Both required only that a smaller flaw go unnoticed long enough.

April alone produced roughly 29 tracked incidents, an 81 percent jump over the previous monthly high of 16 set in January, making it the most-hacked month in the industry’s history before the quarter had even finished. The volume matters because it changes what a security team is actually defending against. A protocol built to withstand one sophisticated attempt a quarter is not the same protocol that can withstand a new exploit attempt roughly once a day, and most mid-sized DeFi projects were never resourced for the second scenario.

The KelpDAO hack carried consequences beyond its own balance sheet. The exploit triggered one of decentralized finance’s largest liquidity crises to date, with roughly $13 billion exiting lending platforms within 48 hours as depositors moved to pull funds before contagion spread. Aave alone saw $8.54 billion in withdrawals in that window, producing a nearly $200 million bad-debt gap that the industry ultimately covered through $300 million in emergency pledges. A single exploit, in other words, did not just cost KelpDAO’s users their funds. It stress-tested the liquidity assumptions of a lending market many times its size.

What TRM Labs has not been able to answer, and what neither the Drift nor KelpDAO disclosures address, is how many other protocols currently have unidentified operatives inside their hiring pipeline or their vendor relationships, in the middle of a social-engineering campaign, with the theft still months away. The in-person approach that worked on Drift leaves little of the digital trail that blockchain analytics firms are built to find until the money actually moves, and the disputed attribution means even the who remains an open question to the accused party.

The industry’s own numbers suggest the smaller half of the problem, the daily drip of routine exploits, is not going away either. Neither trend has an obvious fix on the horizon: more frequent smaller attacks require more auditing capacity than most protocols budget for, and the rare, patient, well-resourced attack is not something auditing catches at all. Crypto security in 2026 has become two separate problems wearing one set of statistics, and the industry is still measuring itself by the total that hides the difference between them.

Economy Desk
