Crypto Hacks Hit Record Frequency in Q2, Yet Losses Lag 2020 Peaks

Published by James Harris on June 22, 2026June 22, 2026

Q2 2026 logged more individual crypto security incidents than any quarter on record, but the dollar losses tell a more complicated story. Frequency hit a new high while total damage stayed well below the industry’s worst periods, and that gap explains almost everything about how the attack surface has shifted.

DeFiLlama data shows roughly 83 incidents through late June, double the previous high for a single quarter, yet total losses for Q2 sit at approximately $775 million. That figure is large, but the fourth quarter of 2020 still holds the dollar-loss record at $3.56 billion, and single-event catastrophes like the Ronin bridge hack in 2022 dwarfed what any individual attacker managed this quarter. The two largest Q2 incidents, the $293 million KelpDAO breach and the $280 million Drift Protocol exploit, both hit in April and together accounted for more than three-quarters of the quarter’s total. Cross-chain bridge vulnerabilities drove the costliest damage, with bridge-related exploits accounting for an estimated $351 million in Q2 losses alone. May then produced 60 separate incidents for only $68.3 million in combined losses, a ratio that confirms what Unfolded described on X as “a constant stream of smaller attacks” rather than a few outsized events.

The more structurally interesting trend is that deprecated contracts have become an active target, not an afterthought.

Aztec Connect smart contracts, abandoned in 2022 and 2023 with administrative controls renounced on-chain, were hit twice within a single week in June, with no emergency patch mechanism available because the keys no longer exist. A legacy vault linked to Thetanuts Finance lost $2.1 million on June 15 through a similar vector. Security researcher Blockful.eth flagged the pattern publicly, noting multiple exploits had hit “old contracts with millions of dollars sitting idle.” This is a category of risk that protocols rarely budget for because the contracts are no longer actively maintained, yet the funds and the vulnerabilities persist indefinitely. The forked or abandoned code problem tends to surface in clusters once attackers identify a productive template, which is exactly what the back-to-back Aztec incidents suggest is happening now.

The response side has also evolved in ways that matter. The Arbitrum Security Council froze $71 million of the KelpDAO attacker’s funds using emergency powers, a type of coordinated on-chain intervention that would have been logistically impossible or politically contested in earlier cycles. That capability exists because governance infrastructure has matured, but it also only applies to funds that remain on-chain and within reach of a council with actual authority. Private key compromises, which accounted for roughly 5.7% of Q2 losses including the $32 million Humanity Protocol breach on June 8, offer no equivalent recovery path. Cumulative 2026 losses through May reached approximately $1.3 billion, with June still adding to that total.

The shift toward higher frequency but lower individual impact partly reflects better auditing of flagship protocols and partly reflects attackers probing infrastructure seams like bridges and admin credential systems where complexity creates exploitable gaps. If the deprecated contract pattern accelerates through Q3, the sector will face pressure to establish some form of standardized sunset process, something that currently has no industry-wide equivalent.