TRM Labs: Crypto Hacks Reach New High in H1 2026, but Losses Pivot to Ops Failures

security
🔄 Mixed
⏱ 3 min read

TRM Labs’ H1 2026 review reveals a historic 207 crypto hacks across the sector—double the prior year’s count—yet aggregate losses halved to $972M, spotlighting a shift in how and where the most damaging attacks occur.

What Happened

In the first half of 2026, TRM Labs documented 207 distinct crypto hack incidents, setting a new six-month record for attacks targeting protocols, tokens, and decentralized applications. This figure marks a steep rise from 83 hacks during the same period in 2025, with Q2 2026 alone contributing 123 incidents after a record Q1. The vast majority of these attacks, 125 out of 207, exploited vulnerabilities in smart contracts—the code underpinning DeFi’s protocols. Smart-contract failures have long been a source of direct losses, but the current picture is more nuanced: despite more incidences, overall sector losses actually shrank sharply from $2.3 billion in H1 2025 to $972 million in H1 2026. This signifies not only a proliferation of attack attempts, but also improved loss containment at the aggregate level.

According to TRM Labs, while the number of incidents soared, the typical loss per attack remained relatively low. The median exploit led to a $219,000 loss, while the average stood at $4.7 million. This disparity—between more frequent but less devastating hacks on one hand, and a handful of large, high-profile breaches on the other—paints a complex risk picture. Contextually, crypto markets have become more resilient to frequent but modestly-sized thefts, yet remain highly vulnerable to rare but catastrophic operational failures. The report highlights a critical trend: only 15% of hacks involved infrastructure or operational system breaches, yet these were responsible for 76% of cumulative value stolen.

Why It Matters

The findings upend conventional wisdom about where crypto’s greatest security threats lie. Most teams focus on smart-contract audits and code reviews to prevent exploits, which is necessary given the sheer volume of such incidents. However, TRM’s data suggests the lion’s share of losses no longer stems from code alone, but from failures in keys, custody, signing infrastructure, and related approval controls—the very systems that dictate who can move funds or approve critical transactions. In broader market context, this signifies a growing need for so-called “defense in depth”: end-to-end controls that extend beyond code, into operational policy, off-chain infrastructure, and team-level processes.

Historically, headline-grabbing hacks often traced back to code vulnerabilities, incentivizing teams to focus investment on code-level audits. However, as more protocols mature and on-chain governance grows in complexity, attackers are now pinpointing weaknesses in bridge validation, multi-signature approval flows, and other human or operational dependencies. TRM’s split—between the frequency of smart-contract breaches and the value destroyed by operational failures—marks a new paradigm. For large protocols, custodians, and institutional investors, this entails revisiting and expanding security frameworks to address not only what the code does, but how—and by whom—it is executed and controlled.

Key Takeaways

  • Crypto hacks reached a new six-month record in H1 2026, led by smart-contract exploits, but total sector losses dropped significantly.
  • Operational and infrastructure compromises made up the bulk of stolen value despite being fewer in count.
  • The median hack was relatively small, yet a few large breaches skewed averages and risk perception.
  • DeFi teams now require holistic security approaches that go far beyond code reviews.

What’s Next

The market will be watching whether security investments refocus from an almost exclusive emphasis on code-level audits towards shoring up operational controls around custody, key management, and approval flows. With hackers targeting both code and the critical infrastructure that governs asset movement, teams face growing complexity in risk management. Analysts will focus on adoption of multi-layered security frameworks, regulatory pressures, and the evolution of insurance for operational failures. The real test may be whether the next paradigm-shifting breach targets code, custody, or an operational blind spot.

🧠 HafidWatch Take

TRM Labs reports a record 207 crypto hacks in H1 2026, yet total losses decline to $972M, less than half of H1 2025. Most incidents involved smart-contract exploits, but the majority of stolen value arose from infrastructure and operational system breaches.

Get The Hafid Brief every morning

Crypto & markets. Fast, filtered, serious. Free. Delivered at 7:30am ET.


Subscribe free →

Type above and press Enter to search. Press Esc to cancel.