Highlight

CertiK Hack3D: H1 2026 Report

CertiK Hack3D: H1 2026 Report

DOWNLOAD the full report here!

The Web3 security landscape in the first half of 2026 tells a story that headline numbers alone do not capture. Total losses exceeded /1.31billionacross344incidentsafigurethat,onthesurface,appearslowerthanthesameperiodlastyear.Butthatcomparisonisalmostentirelyafunctionofthe/1.31 billion across 344 incidents — a figure that, on the surface, appears lower than the same period last year. But that comparison is almost entirely a function of the /1.45 billion Bybit hack that defined H1 2025. Adjusted for that outlier, losses in H1 2026 are approximately 28% higher on a comparable basis. The underlying security environment has not improved. In several meaningful respects, it has deteriorated.

The CertiK Hack3D: H1 2026 Report finds that wallet compromise has emerged as the most financially destructive attack category of the half, generating over /444millionacrossjust33incidents.ThetwolargesteventstheKelpDAORPCcompromise(444 million across just 33 incidents. The two largest events — the Kelp DAO RPC compromise (291 million) and the Drift Protocol breach ($285 million), both occurring in April — together accounted for nearly 44% of all H1 losses. Phishing, meanwhile, has undergone a structural shift: incident volume fell over 50% year over year, yet losses declined by only around 11%, as attackers have moved away from broad-volume campaigns toward a smaller number of highly targeted social engineering attacks. Four such incidents accounted for approximately 85% of all phishing losses in the period.

Code vulnerability remained the most prolific attack category by incident count, with 204 incidents recorded across H1. A growing proportion of these targeted contracts are more than one year old, a pattern that suggests attackers are systematically revisiting legacy codebases rather than focusing exclusively on newly deployed protocols.

For the first time, the H1 2026 report also includes dedicated sections covering Q1 and Q2 individually, with full breakdowns by attack type, chain, and incident for each quarter.

Key Findings

A total of /1,315,676,432waslostacross344incidentsinthefirsthalfof2026.ComparedtoH12025,thisrepresentsa46.81,315,676,432 was lost across 344 incidents in the first half of 2026. Compared to H1 2025, this represents a 46.8% decrease in total losses (/2,473,576,952) and a 0.3% decrease in total incidents (345). However, that comparison requires important context. H1 2025 was defined by the Bybit wallet compromise, a single /1.45billioneventthataloneaccountedfor58.71.45 billion event that alone accounted for 58.7% of that period's losses. Excluding Bybit, H1 2025 losses stood at approximately1.03 billion, making H1 2026's figure roughly 28% higher on a like-for-like basis. The underlying security environment has not improved; in several meaningful respects, it has deteriorated.

  • Wallet compromise was the most costly attack vector in H1 2026, with $444,531,691 stolen across 33 incidents.
  • Phishing was the second most costly, with $366,312,027 stolen across 63 incidents. While phishing incident volume dropped from 132 in H1 2025 (a 52.3% decrease), losses declined by only 10.8%, reflecting a significant shift toward fewer, higher-value attacks.
  • Code vulnerability accounted for $151,591,472 stolen across 204 incidents, the highest incident count of any single vector.
  • Ethereum experienced the highest number of security incidents, with 153 hacks, scams, and exploits leading to $522,814,367 in losses.
  • Solana saw fewer incidents, but outsized losses of $315,069,960, driven primarily by the Drift Protocol exploit.
  • The total value of funds frozen and returned was /115,311,507,leadingtoadjustedtotallossesof115,311,507, leading to adjusted total losses of1,200,364,925 for H1 2026.
  • The average loss per incident was 3,824,641andthemedianlossperincidentwas/3,824,641 and the median loss per incident was /138,703.

Read more about H1 trends, including a breakdown of individual trends across the first and second quarters of 2026 by downloading our report.

FAQs

How much was lost to Web3 security incidents in H1 2026? Total losses exceeded /1.31billionacross344incidents.Afteraccountingforfrozenandrecoveredfunds,netlossesstoodatapproximately/1.31 billion across 344 incidents. After accounting for frozen and recovered funds, net losses stood at approximately /1.2 billion.

Does the decline from H1 2025 mean the security environment is improving? Not on a comparable basis. H1 2025 losses were heavily inflated by the $1.45 billion Bybit hack. Excluding that event, H1 2026 losses are approximately 28% higher than the equivalent H1 2025 baseline.

What was the most damaging attack type in H1 2026? Wallet compromise generated the highest total losses at over $444 million across 33 incidents, driven primarily by the Kelp DAO RPC compromise and the Drift Protocol breach, both of which occurred in April 2026.

Why did phishing losses stay high even as incident counts fell? The nature of phishing attacks has changed. Broad-volume campaigns have given way to highly targeted social engineering attacks on individuals and entities controlling significant on-chain wealth. Four such incidents accounted for approximately 85% of all phishing losses in H1 2026.

What does the report say about North Korea? The report includes a dedicated section on DPRK-linked threat activity, noting that state-sponsored actors, most notably the Lazarus Group, have consistently escalated operations as each calendar year progresses. The second half of 2026 is identified as a period of heightened concern.