Crypto losses fell 46.8% year-on-year to $1.32 billion in the first half of 2026, but crypto security firm CertiK says the drop is misleading, warning that attackers are becoming more sophisticated and destructive.
Phishing drove the bulk of losses in the first quarter, totaling $508.2 million. Wallet compromises were the biggest attack vector in the second quarter, contributing to $807.5 million in losses, CertiK said in a report.
More than 70% of the losses in Q2 came from the KelpDAO and Drift Protocol hacks, which are believed to have been carried out by North Korean state-sponsored hackers.
“A headline reading of ‘losses down nearly 50%’ would suggest a meaningfully safer ecosystem. The data does not support that conclusion,” CertiK told Cointelegraph, explaining that the losses in the prior year period were skewed by the $1.4 billion Bybit hack — the largest crypto exploit in history.
The data shows that North Korean hackers continue to pose one of the biggest threats to the crypto industry, having stolen more than $6 billion worth of crypto since 2017, TRM Labs estimated in April.

Monthly change in crypto exploit amounts and number of incidents across H1. Source: CertiK
North Korean state actors blamed for crypto attacks
The KelpDAO and Drift Protocol incidents even sparked a meeting between US, Japanese and South Korean authorities late last month over how the nations can mitigate North Korea’s malicious cyber activity and illicit revenue generation.
The state officials also acknowledged that North Korean IT workers are increasingly using AI to enhance their schemes — a development that some cybersecurity leaders believe has significantly increased the scale, speed and sophistication of protocol exploits.
CertiK cautioned that the “industry is absorbing a structurally higher rate of attack activity” than last year and that — excluding the Bybit incident — attacks are becoming “targeted and more financially destructive per event.”
TRM Labs reached a similar conclusion in its H1 2026 report on Wednesday, stating that the “decline in total dollars stolen should not be mistaken for a safer environment.”
“The lower total reflects the absence of another record setting theft, not a reduction in attacker capability.”
TRM’s analysis found that the number of incidents more than doubled from 83 to 207 in H1, the highest number TRM has recorded across a six-month period.
Smart contract exploits accounted for 125 or 60% of the incidents in H1, TRM added.
Protecting private keys
CertiK said private keys and multisignature wallet management remain the “most consequential security surface” for attackers to exploit.
Related: Crypto hack losses top $630M in April, highest since February 2025
CertiK urged crypto protocols and institutions holding significant onchain assets to harden every layer of private key management — from hardware security and multisignature governance to even geographically spreading out where signers are based.
This is an “area where security investment yields asymmetric returns,” CertiK said.
Crypto hardware wallet providers like Ledger have also long warned users to store seed phrases offline and never share them as a basic safeguard against phishing.
Magazine: The end of anonymity? AI could unmask crypto’s hidden identities
