Loading prices...
All news
Web3 Hacks Netted $1.3B in Six Months — and the Attack Playbook Just Changed

Web3 Hacks Netted $1.3B in Six Months — and the Attack Playbook Just Changed

July 15, 2026
1

According to CertiK's Hack3D report for the first half of 2026, Web3 projects lost $1,315,676,432 to attacks across 344 separate security incidents during the period.

The numbers are misleading without context

On paper, that's a 46.8% drop from H1 2025 ($2.47 billion). But that comparison is almost entirely a function of a single outlier — the $1.45 billion Bybit hack that defined last year's numbers. Strip that one-off event out, and 2026's losses are actually about 28% higher on a comparable basis.

The two biggest incidents

  • Kelp DAO RPC compromise ($291M, April 18): attackers exploited a DVN failover mechanism to confirm fabricated transactions and withdraw 116,500 rsETH
  • Drift Protocol breach ($285M, April): the half's second-largest incident

Together, these two events accounted for nearly 44% of all H1 losses.

The attack playbook has shifted

Wallet compromise emerged as the most financially destructive attack category, generating over $444 million across just 33 incidents. Phishing came second, costing $366.3 million across 63 incidents. CertiK's analysts are blunt about it: the underlying security environment hasn't improved — in several meaningful respects, it's gotten worse.

What this means in practice

The shift toward wallet compromise and phishing signals that purely technical smart-contract audits no longer guarantee safety on their own: a significant share of major losses now stems from operational security failures and social engineering rather than protocol-level code vulnerabilities.

This material is for informational purposes only.

Mike Robinson

Author

Mike Robinson

News feed editor

I'm constantly writing about crypto, Bitcoin, and altcoins. I cover a variety of topics related to the virtual currency market.

Comments (0)

No comments yet — be the first!