Defillama: Q2 2026 Has Been Crypto’s Most-Hacked Quarter on Record With Nearly 70 Exploits

A Record Built connected Many Small Hits

The 2nd 4th of 2026 is already the most-hacked 4th connected record, tallying astir 70 hacks, which is astir doubly the erstwhile grounds for the fig of incidents successful a azygous quarter. Yet the full sum stolen, astir $746 million, is simply a fraction of the highest reached successful caller years. On the subject, Defillama analysts noted:

“Rather than a fewer giga exploits, it’s been a constant watercourse of smaller attacks.”

That signifier marks a departure from the mega-heists that defined earlier years, erstwhile a fistful of nine-figure span and protocol exploits drove yearly totals. Attackers look to beryllium spreading their efforts crossed galore lower-value targets alternatively than chasing single, headline-grabbing scores (a strategy that is harder for the manufacture to way and support against).

Q2 2026 has already go the most-hacked 4th connected grounds with 70 incidents (2X the record), per Defillama

The quarter’s harm was front-loaded, with April being confirmed arsenic crypto’s most-hacked period connected record, with astir 30 incidents and much than $625 cardinal stolen. Two breaches dominated, namely Drift Protocol’s $285 cardinal losses connected April 1, and KelpDAO $293 hack connected April 18 (together astir 93% of April’s outflows). The remaining 2 dozen-plus incidents mostly came successful nether $5 million, galore beneath $1 million.

The monthly gait stayed elevated done May arsenic astir 14 decentralized finance ( DeFi) protocols were deed during the month, of which astir 8 were bridge-related, with corporate losses adjacent $28 million. By the extremity of May, cumulative DeFi losses for 2026 had topped $840 cardinal crossed much than 50 incidents successful 5 months, versus astir 30 implicit the aforesaid span successful 2025, a astir 70% year-over-year leap successful frequency.

Bridges and Stolen Keys successful Focus

The repeated break-ins pointed to 2 recurring anemic spots. Cross-chain bridges, which fastener assets connected 1 web and mint equivalents connected another, remained a favored people due to the fact that a azygous flaw tin exposure pooled funds. Similarly, information analysts flagged a broader pivot from codification exploits to cardinal theft, arsenic attackers progressively utilized societal engineering and phishing to seizure private keys alternatively than hunt for smart-contract bugs.

That improvement has been disposable implicit a longer horizon, fixed crypto hacks person topped $17 billion implicit the past decade, with the onslaught aboveground steadily moving from protocol codification toward the humans and operational systems astir it. The archetypal 4th of 2026 had already acceptable a grim baseline, with astir $169 million stolen crossed 34 protocols.

With the 4th not adjacent done, the last tally could ascent further. Auditors pass the assemblage is moving adjacent to 1 onslaught per day, and the dependable drip of mid-sized exploits keeps unit connected bridges, cardinal absorption and incidental response.

The information offers 1 sliver of relief, which is that smaller mean losses suggest amended segmentation of funds, adjacent arsenic the sheer fig of palmy attacks hits a record. Whether protocols tin dilatory the cadence and not conscionable headdress the harm volition specify the remainder of 2026.