Verify a decision

{"actor":"system:backfill","investigation_id":"f7b62b47-2118-46e9-8025-4f381f47211f","kind":"publish","page_slug":"q2-2026-record-crypto-hack-wave","published_at":"2026-06-29T12:36:58.368Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Q2 2026 Record Crypto Hack Wave","sections":[{"content":"Q2 2026 (April 1 – June 30, 2026) was reported by multiple blockchain intelligence and cybersecurity firms as the most-hacked quarter ever recorded by incident count. Blockchain.news and CoinTelegraph both reported 83 discrete security incidents resulting in $755.3 million in aggregate losses. The quarter's incident frequency averaged nearly one confirmed exploit per day. While Q4 2020 remains the costliest quarter historically at approximately $3.56 billion, the Q2 2026 figure is notable because it occurred against a backdrop of sharply reduced total value locked (TVL) in DeFi, which had declined from a peak of approximately $164 billion to roughly $71–73 billion by mid-2026 according to multiple reports. Immunefi CEO Mitchell Amador publicly characterized the surge as a 'vulnerability apocalypse,' citing advances in AI-assisted exploit tooling as a contributing factor.","heading":"Overview and Scale","severity":"critical","sources":[{"credibility":2,"name":"Q2 2026 Breaks Record with 83 Crypto Hacks, $755M Stolen — Blockchain.news","type":"news_article","url":"https://blockchain.news/news/q2-2026-most-hacked-quarter"},{"credibility":2,"name":"Q2 2026 Emerges as Most-Hacked Quarter on Record with 83 Incidents — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/q2-2026-most-hacked-quarter-record-83-incidents"},{"credibility":2,"name":"Report: Q2 2026 Becomes Worst Quarter Ever for Crypto Hacks — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/report-q2-2026-becomes-worst-quarter-ever-for-crypto-hacks/"},{"credibility":2,"name":"Immunefi CEO says new AI models are worsening crypto security — Whale Alert / Immunefi","type":"news_article","url":"https://whale-alert.io/stories/99c0016d98d195/Immunefi-CEO-says-new-AI-models-are-worsening-crypto-security-as-2026-hacks-and-DeFi-exploits-surge"}]},{"content":"On April 18, 2026 at approximately 17:35 UTC, attackers drained 116,500 rsETH tokens — valued at approximately $292–293 million — from KelpDAO's cross-chain bridge, which used LayerZero's OFT (Omnichain Fungible Token) messaging infrastructure. The attack was not a smart contract code flaw; instead, attackers compromised two remote procedure call (RPC) nodes that LayerZero's single verifier depended upon to validate cross-chain transactions. A simultaneous distributed denial-of-service attack against uncompromised external RPC nodes forced the system to rely exclusively on the poisoned servers, which then fraudulently approved a transaction releasing the stolen funds. The malicious node software subsequently self-destructed, destroying local logs and binaries. The critical enabling factor was a 1-of-1 verifier configuration: rsETH had been secured by a single LayerZero DVN (decentralized verifier network) with no secondary verifier required to agree. KelpDAO's emergency multisig paused contracts approximately 46 minutes after the exploit, blocking two additional attempted drains each estimated near $95–100 million. The Arbitrum Security Council coordinated with law enforcement to freeze approximately $75 million of attacker funds on Arbitrum. LayerZero and KelpDAO publicly disputed responsibility for the misconfiguration for several weeks before LayerZero issued a blog post on May 9, 2026 acknowledging it 'made a mistake by allowing our DVN to act as a 1/1 DVN for high-value transactions.' LayerZero subsequently announced it would no longer service 1-of-1 configurations and migrated defaults to 5-of-5 or minimum 3-of-3 verification. Kelp DAO moved its rsETH bridge to Chainlink, and Solv Protocol relocated over $700 million in tokenized Bitcoin infrastructure away from LayerZero following the incident. Approximately $175 million of the stolen funds was reported converted to Bitcoin through intermediaries including the Umbra privacy tool.","heading":"KelpDAO Bridge Exploit ($292–293 Million, April 18 2026)","severity":"critical","sources":[{"credibility":1,"name":"Kelp DAO exploited for $292 million with wrapped ether stranded across 20 chains — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"credibility":1,"name":"LayerZero Blames Kelp's Setup for $290M Exploit, Attributes It to North Korea's Lazarus — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"credibility":1,"name":"LayerZero says it 'made a mistake' in $292 Million Kelp exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/05/09/layerzero-says-it-made-a-mistake-in-usd292-million-kelp-exploit"},{"credibility":1,"name":"Inside the KelpDAO Bridge Exploit — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"},{"credibility":1,"name":"Kelp claims LayerZero approved the setup it blamed for $292M bridge hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/web3/2026/05/05/kelp-claims-that-layerzero-approved-the-setup-it-blamed-for-usd292-million-bridge-hack"},{"credibility":2,"name":"LayerZero Pins $292M KelpDAO Bridge Hack on North Korea's Lazarus Group — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/layerzero-pins-292m-kelpdao-bridge-113544792.html"}]},{"content":"On April 1, 2026, Drift Protocol — a Solana-based perpetuals and spot exchange — was drained of approximately $285–295 million in a 12-minute window following a multi-month social engineering campaign attributed with medium confidence to UNC4736, a North Korean state-sponsored unit also tracked as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces, and linked to the Lazarus Group. There was no smart contract code vulnerability; the operation instead compromised individuals holding administrative access. The attack preparation began in fall 2025 when operatives posing as representatives of a quantitative trading firm approached Drift contributors at crypto conferences across multiple countries. Between December 2025 and January 2026, the group formally onboarded an Ecosystem Vault on Drift, depositing over $1 million of their own funds to establish operational credibility. Between February and March 2026, the attackers distributed malicious Microsoft Visual Studio Code projects with weaponized 'tasks.json' files and fake wallet applications distributed via Apple TestFlight. The technical execution involved convincing multisig signers to pre-sign hidden authorizations, then pushing a zero-timelock governance migration that eliminated the protocol's review window. The attackers also fabricated a worthless token (CarbonVote Token) and manipulated Drift's oracle into treating it as valuable collateral, enabling the extraction. Perpetrators deleted all Telegram chats and malware evidence immediately after execution. Mandiant forensic investigators were engaged for attribution. Approximately $3.36 million in USDC was frozen, and approximately 130,259 ETH (roughly $31 million) remained traceable. Drift announced a recovery plan on May 5, 2026, issuing recovery tokens representing $1 per dollar of verified loss, funded by remaining protocol assets ($3.8 million), performance-based Tether support ($127.5 million ceiling), partner contributions ($20 million ceiling), and future exchange revenue. The exploit ranked as the second-largest in Solana's history, behind the 2022 Wormhole hack.","heading":"Drift Protocol Social Engineering Exploit ($285–295 Million, April 1 2026)","severity":"critical","sources":[{"credibility":1,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":1,"name":"Drift outlines a recovery plan for users after $295 million DPRK-linked exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-users-after-usd295-million-dprk-linked-exploit"},{"credibility":2,"name":"Drift Protocol Hack 2026: What Happened, Who Lost Money, and What's Next — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/drift-protocol-hack-2026-what-happened-who-lost-money-and-whats-next/"},{"credibility":2,"name":"Crypto experts slam Drift Protocol after months-long hack drains $280M — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/experts-slam-drift-after-280m-hack/"}]},{"content":"On June 9, 2026, Humanity Protocol — a biometric identity project using palm scans and zero-knowledge proofs marketed as a 'Chinese Worldcoin' alternative — suffered a private key compromise attributed to a phishing attack. According to a post-mortem by security firm Quantstamp, a Humanity Foundation team member received a phishing email impersonating Bithumb. The email delivered malware that compromised the victim's laptop, enabling theft of MetaMask credentials and private keys. Approximately 17 project-controlled wallets were drained. Loss estimates vary across sources: CoinDesk reported $32 million, CCN and CoinTelegraph reported up to $36 million, and Cryptonomist reported approximately $30 million, with additional unauthorized minting of $H tokens bringing the total unique impact to approximately 447 million $H tokens. The project's native $H token crashed 80–90% following the incident. The attack is consistent with the broader Q2 2026 pattern of private key and credential theft superseding smart contract exploits as the dominant loss vector.","heading":"Humanity Protocol Private Key Theft ($32–36 Million, June 9 2026)","severity":"high","sources":[{"credibility":1,"name":"Humanity Protocol token crashes more than 80% after a $32 million private-key hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/09/humanity-protocol-token-crashes-more-than-80-after-a-usd32-million-private-key-hack"},{"credibility":2,"name":"Explained: The Humanity Protocol Hack (June 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-humanity-protocol-hack-june-2026"},{"credibility":2,"name":"'Chinese Worldcoin' Crashes 85% After $36 Million+ Private Key Hack — CCN","type":"news_article","url":"https://www.ccn.com/education/crypto/humanity-protocol-private-key-hack-36m-h-token-crash/"},{"credibility":2,"name":"Humanity Protocol Token Crashes 88% Following Private Key Breach — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/humanity-protocol-token-crashes-88-024154068.html"}]},{"content":"On May 15, 2026, THORChain's cross-chain DEX was exploited for approximately $10.7–11 million across at least nine blockchain networks including Bitcoin, Ethereum, BNB Chain, Base, Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP. The attack targeted a single Asgard vault out of five. The suspected vulnerability was a flaw in the GG20 Threshold Signature Scheme (TSS) used to secure the vaults: a newly churned node operator that had entered the network approximately two days prior is believed to have exploited this weakness to authorize unauthorized withdrawals. THORChain's automated solvency detection triggered within minutes, halting signing and trading across multiple chains without human intervention. The global emergency halt lasted approximately 12 hours and 42 minutes. The attacker's wallets held roughly 3,443 ETH, 36.85 BTC, and 96.6 BNB following the exploit. RUNE, THORChain's native token, dropped approximately 12–15% following the disclosure. TRM Labs issued a contemporaneous analysis of the exploit vectors. Notably, TRM Labs had separately documented North Korean laundering of funds through THORChain's cross-chain infrastructure in connection with the Drift and KelpDAO exploits from April 2026.","heading":"THORChain Asgard Vault Exploit ($10.7–11 Million, May 15 2026)","severity":"high","sources":[{"credibility":1,"name":"Thorchain halts trading after $10 million cross-chain exploit, RUNE token drops 12% — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/05/15/thorchain-halts-trading-after-usd10-million-cross-chain-exploit-rune-token-drops-12"},{"credibility":1,"name":"THORChain Exploit Drains USD 11M+ Across at Least Nine Chains — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/thorchain-exploit-drains-usd-11m-across-at-least-nine-chains-what-trm-knows-now"},{"credibility":2,"name":"THORChain Asgard Vault Exploit Drains $10M, Crashes $RUNE 15% — Memeburn","type":"news_article","url":"https://memeburn.com/thorchain-asgard-vault-exploit-crashes-rune-may-2026/"}]},{"content":"Cross-chain bridges were the single largest attack surface in Q2 2026, accounting for approximately $351 million — nearly 46% of all quarterly losses — across 14 reported bridge exploits per multiple news summaries. The KelpDAO exploit alone, which used LayerZero's bridge infrastructure, accounted for roughly 38% of the quarter's total stolen value. Bridges have accumulated an estimated $2.8 billion in cumulative losses since 2022, representing approximately 40% of all value ever hacked in Web3 according to published figures from Memeburn and multiple secondary analyses. As of March 2026, bridge TVL was approximately $21.94 billion, making bridges among the highest-density targets in the DeFi ecosystem. The Q2 2026 bridge losses reinforce a pattern of infrastructure-level single points of failure — specifically misconfigured verifier networks and compromised off-chain node infrastructure — as more exploitable than on-chain smart contract logic in the current environment.","heading":"Cross-Chain Bridge Attack Surface","severity":"critical","sources":[{"credibility":2,"name":"Every Major DeFi Hack in 2026 So Far | Bridge Exploits Dominate — Phemex","type":"research","url":"https://phemex.com/blogs/defi-hacks-2026-bridge-exploits-explained"},{"credibility":2,"name":"The biggest bridge hacks in 2026 — 1inch Blog","type":"research","url":"https://1inch.com/blog/post/the-biggest-bridge-hacks-in-2026"},{"credibility":2,"name":"Top Crypto Hacks of 2026: Bridge Exploits and Sophisticated Operations Drive Over $750 Million in Losses — KuCoin Blog","type":"news_article","url":"https://www.kucoin.com/blog/top-crypto-hacks-2026-bridge-exploits"},{"credibility":2,"name":"Q2 2026 Breaks Record with 83 Crypto Hacks, $755M Stolen — Blockchain.news","type":"news_article","url":"https://blockchain.news/news/q2-2026-most-hacked-quarter"}]},{"content":"Blockchain intelligence firm TRM Labs reported that North Korean-linked actors stole 76% of all crypto hack value in 2026 through April, derived from just two attacks: KelpDAO ($292 million) and Drift Protocol ($285 million), totaling approximately $577 million. Attribution for both was made with medium confidence to the Lazarus Group and its TraderTraitor subunit (tracked as UNC4736 by Mandiant; also known as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces). TraderTraitor specializes in targeting crypto industry employees through social engineering, fake recruiter pitches, malware-laced pre-employment tests, and compromise of wallet and administrative systems. North Korea's share of annual global crypto hack losses has increased substantially over time per TRM Labs data: approximately 10% in 2020–2021, 22% in 2022, 37% in 2023, 39% in 2024, 64% in 2025, and 76% through Q2 2026. DPRK-linked actors stole $2.02 billion in 2025, a 51% year-on-year increase, with the cumulative total since 2017 exceeding $6.75 billion. On March 12, 2026 — weeks before the Q2 attacks — the U.S. Treasury's OFAC designated six individuals and two entities for facilitating North Korea's IT worker program, which had generated nearly $800 million in 2024 to fund DPRK weapons programs. Laundering of the Q2 2026 proceeds involved THORChain for cross-chain ETH-to-BTC conversions, the Umbra privacy tool, and Chinese intermediary networks; on-chain analysts traced funds back to wallets previously linked to indicted Chinese crypto broker Wu Huihui. Approximately $75 million in KelpDAO proceeds was frozen on Arbitrum by the Arbitrum Security Council; Drift proceeds remained largely dormant as of the reporting date.","heading":"North Korean State Attribution (Lazarus Group / TraderTraitor)","severity":"critical","sources":[{"credibility":1,"name":"North Korea Stole 76% of All Crypto Hack Value in 2026 With Just Two Attacks — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks"},{"credibility":2,"name":"The Lazarus Group and DPRK Crypto Theft in 2026: What Compliance Teams Need to Know — Sanctions.io","type":"research","url":"https://www.sanctions.io/blog/the-lazarus-group-and-dprk-crypto-theft-in-2026"},{"credibility":1,"name":"OFAC Targets DPRK IT Workers Using Crypto — Chainalysis Blog","type":"regulatory","url":"https://www.chainalysis.com/blog/ofac-targets-north-korean-it-workers-crypto-march-2026/"},{"credibility":1,"name":"Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups — U.S. Treasury","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sm774"},{"credibility":2,"name":"KelpDAO, Bybit, Ronin: Lazarus Group's Crypto Hacks Behind a $7.3B Heist Empire — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/21/kelpdao-bybit-ronin-lazarus-groups-crypto-hacks-behind-a-7-3b-heist-empire/"}]},{"content":"Multiple security analysts and researchers documented a structural shift in dominant attack methodology across Q2 2026. According to altfins.com's analysis of 2026 DeFi hacks, 72% of losses in 2026 came from stolen keys and credential theft rather than smart contract code vulnerabilities. The attack vector breakdown for Q2 2026 specifically, per Blockchain.news and CoinTelegraph reports, showed: cross-chain bridge infrastructure exploits (46% of losses), compromised admin accounts and token price manipulation (37%), and private key theft (approximately 5.66%), with smart contract logic flaws accounting for the remainder. Both mega-exploits of the quarter — KelpDAO and Drift Protocol — were achieved through off-chain infrastructure attacks and human-layer compromise rather than on-chain code bugs. Security practitioners have described this shift as posing fundamentally different mitigation challenges: operational security, personnel vetting, multi-party authorization design, and verifier network configuration have become more critical than smart contract auditing alone. Immunefi's vulnerability scoreboard and CEO commentary attributed some acceleration in exploit sophistication to AI-assisted vulnerability discovery tools available to threat actors.","heading":"Structural Shift: Social Engineering and Key Compromise Over Code Exploits","severity":"high","sources":[{"credibility":2,"name":"DeFi Hacks 2026 — altfins.com","type":"research","url":"https://altfins.com/blog/defi-hacks-2026/"},{"credibility":2,"name":"Q2 2026 Breaks Record with 83 Crypto Hacks, $755M Stolen — Blockchain.news","type":"news_article","url":"https://blockchain.news/news/q2-2026-most-hacked-quarter"},{"credibility":2,"name":"The Ecosystem Vulnerability Scoreboard: 6 Years of DeFi Loss Data — Immunefi","type":"research","url":"https://immunefi.com/blog/research/the-ecosystem-vulnerability-scoreboard-6-years-of-defi-loss-data/"}]},{"content":"The Q2 2026 hack wave occurred against a materially weaker DeFi ecosystem than prior record periods. Total value locked declined from a 2021 peak of approximately $164 billion to roughly $71–73 billion by mid-2026 per multiple reports, meaning the $755 million in quarterly losses represented a higher percentage of available TVL than a nominally larger dollar figure would have in 2021. Aave, SparkLend, Fluid, and other major protocols paused their rsETH markets in the immediate aftermath of the KelpDAO exploit due to collateral exposure. Lido Finance paused deposits in its earnETH product due to rsETH backing risks. Solv Protocol relocated over $700 million in tokenized Bitcoin infrastructure away from LayerZero. DeFi TVL on Solana was affected by the Drift Protocol exploit, which was the second-largest in Solana's history. THORChain's RUNE token fell 12–15% following that protocol's own May 2026 exploit, a particularly notable market reaction given THORChain had also been documented as a laundering pathway for the larger April exploits. The cumulative effect across Q2 contributed to a broader reduction in institutional and retail confidence in cross-chain bridge infrastructure.","heading":"Market and Ecosystem Impact","severity":"high","sources":[{"credibility":2,"name":"Q2 2026 Just Broke the Record — Memeburn","type":"news_article","url":"https://memeburn.com/q2-2026-just-broke-the-record/"},{"credibility":1,"name":"Kelp DAO exploited for $292 million — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"credibility":1,"name":"Thorchain halts trading after $10 million cross-chain exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/05/15/thorchain-halts-trading-after-usd10-million-cross-chain-exploit-rune-token-drops-12"}]}],"sources_used":[{"credibility":2,"name":"Q2 2026 Breaks Record with 83 Crypto Hacks, $755M Stolen — Blockchain.news","type":"news_article","url":"https://blockchain.news/news/q2-2026-most-hacked-quarter"},{"credibility":2,"name":"Q2 2026 Emerges as Most-Hacked Quarter on Record with 83 Incidents — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/q2-2026-most-hacked-quarter-record-83-incidents"},{"credibility":2,"name":"Report: Q2 2026 Becomes Worst Quarter Ever for Crypto Hacks — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/report-q2-2026-becomes-worst-quarter-ever-for-crypto-hacks/"},{"credibility":2,"name":"Q2 2026 Just Broke the Record — Memeburn","type":"news_article","url":"https://memeburn.com/q2-2026-just-broke-the-record/"},{"credibility":1,"name":"Kelp DAO exploited for $292 million with wrapped ether stranded across 20 chains — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"credibility":1,"name":"LayerZero Blames Kelp's Setup for $290M Exploit, Attributes It to North Korea's Lazarus — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"credibility":1,"name":"Kelp claims LayerZero approved the setup it blamed for $292M bridge hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/web3/2026/05/05/kelp-claims-that-layerzero-approved-the-setup-it-blamed-for-usd292-million-bridge-hack"},{"credibility":1,"name":"LayerZero says it 'made a mistake' in $292 Million Kelp exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/05/09/layerzero-says-it-made-a-mistake-in-usd292-million-kelp-exploit"},{"credibility":1,"name":"Inside the KelpDAO Bridge Exploit — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"},{"credibility":2,"name":"LayerZero Pins $292M KelpDAO Bridge Hack on North Korea's Lazarus Group — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/layerzero-pins-292m-kelpdao-bridge-113544792.html"},{"credibility":1,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":1,"name":"Drift outlines a recovery plan for users after $295 million DPRK-linked exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-users-after-usd295-million-dprk-linked-exploit"},{"credibility":1,"name":"North Korea Stole 76% of All Crypto Hack Value in 2026 With Just Two Attacks — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks"},{"credibility":2,"name":"The Lazarus Group and DPRK Crypto Theft in 2026: What Compliance Teams Need to Know — Sanctions.io","type":"research","url":"https://www.sanctions.io/blog/the-lazarus-group-and-dprk-crypto-theft-in-2026"},{"credibility":1,"name":"OFAC Targets DPRK IT Workers Using Crypto — Chainalysis Blog","type":"regulatory","url":"https://www.chainalysis.com/blog/ofac-targets-north-korean-it-workers-crypto-march-2026/"},{"credibility":1,"name":"Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups — U.S. Treasury","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sm774"},{"credibility":1,"name":"Humanity Protocol token crashes more than 80% after a $32 million private-key hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/09/humanity-protocol-token-crashes-more-than-80-after-a-usd32-million-private-key-hack"},{"credibility":2,"name":"Explained: The Humanity Protocol Hack (June 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-humanity-protocol-hack-june-2026"},{"credibility":1,"name":"Thorchain halts trading after $10 million cross-chain exploit, RUNE token drops 12% — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/05/15/thorchain-halts-trading-after-usd10-million-cross-chain-exploit-rune-token-drops-12"},{"credibility":1,"name":"THORChain Exploit Drains USD 11M+ Across at Least Nine Chains — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/thorchain-exploit-drains-usd-11m-across-at-least-nine-chains-what-trm-knows-now"},{"credibility":2,"name":"DeFi Hacks 2026 — altfins.com","type":"research","url":"https://altfins.com/blog/defi-hacks-2026/"},{"credibility":2,"name":"The Ecosystem Vulnerability Scoreboard: 6 Years of DeFi Loss Data — Immunefi","type":"research","url":"https://immunefi.com/blog/research/the-ecosystem-vulnerability-scoreboard-6-years-of-defi-loss-data/"},{"credibility":2,"name":"Crypto Hack Statistics in 2026: The Latest Data and Industry Insights — NFT Plazas","type":"news_article","url":"https://nftplazas.com/crypto-hack-statistics/"},{"credibility":2,"name":"KelpDAO, Bybit, Ronin: Lazarus Group's Crypto Hacks Behind a $7.3B Heist Empire — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/21/kelpdao-bybit-ronin-lazarus-groups-crypto-hacks-behind-a-7-3b-heist-empire/"}],"summary":"The second quarter of 2026 became the most-hacked quarter on record by incident count, with 83 confirmed crypto security incidents totaling approximately $755.3 million in losses. Two attacks — KelpDAO ($292–293 million) and Drift Protocol ($280–285 million) — together accounted for roughly 75% of quarterly losses and were both attributed by blockchain intelligence firms to North Korea's Lazarus Group and its TraderTraitor subunit. The quarter marked a structural shift in dominant attack methodology away from smart contract code vulnerabilities toward infrastructure misconfiguration, private key compromise, and multi-month social engineering campaigns.","timeline":[{"date":"2025-09-01","event":"Alleged start of multi-month Lazarus Group social engineering campaign against Drift Protocol contributors, with operatives posing as quantitative trading firm representatives at crypto conferences","source":"The Hacker News / Mandiant","source_url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"date":"2025-12-01","event":"North Korean operatives formally onboard an Ecosystem Vault on Drift Protocol, depositing over $1 million to establish credibility; integration conversations begin","source":"The Hacker News / Mandiant","source_url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"date":"2026-02-01","event":"Drift attack operatives begin distributing malicious Visual Studio Code projects and fake wallet applications via Apple TestFlight to targeted contributors","source":"The Hacker News / Mandiant","source_url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"date":"2026-03-12","event":"U.S. Treasury OFAC designates six individuals and two entities for facilitating North Korean IT worker schemes that generated nearly $800 million in 2024","source":"Chainalysis / OFAC","source_url":"https://www.chainalysis.com/blog/ofac-targets-north-korean-it-workers-crypto-march-2026/"},{"date":"2026-04-01","event":"Drift Protocol drained of approximately $285–295 million in approximately 12 minutes via zero-timelock governance migration and fabricated CarbonVote Token oracle manipulation; operatives delete all evidence immediately after execution","source":"CoinDesk / The Hacker News","source_url":"https://www.coindesk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-users-after-usd295-million-dprk-linked-exploit"},{"date":"2026-04-18","event":"KelpDAO bridge exploited for approximately $292–293 million at 17:35 UTC via compromised RPC nodes and DDoS attack forcing LayerZero's single-verifier configuration to rely on poisoned servers; contracts paused 46 minutes later","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"date":"2026-04-20","event":"LayerZero attributes KelpDAO exploit with preliminary confidence to North Korea's Lazarus Group and TraderTraitor subunit; places configuration responsibility on KelpDAO","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"date":"2026-04-21","event":"TRM Labs reports North Korean operators linked to Lazarus Group have drained over $575 million from DeFi across just two attacks in 18 days, representing 76% of all 2026 crypto hack losses through that date","source":"TRM Labs","source_url":"https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks"},{"date":"2026-05-05","event":"Drift Protocol outlines recovery plan for affected users: recovery tokens pegged at $1 per dollar of verified loss, backed by protocol assets, Tether support (up to $127.5 million), partner contributions (up to $20 million), and future exchange revenue","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-users-after-usd295-million-dprk-linked-exploit"},{"date":"2026-05-05","event":"KelpDAO publicly claims LayerZero had approved the single-verifier setup that was exploited, contradicting LayerZero's earlier statements","source":"CoinDesk","source_url":"https://www.coindesk.com/web3/2026/05/05/kelp-claims-that-layerzero-approved-the-setup-it-blamed-for-usd292-million-bridge-hack"},{"date":"2026-05-09","event":"LayerZero reverses its position and admits it 'made a mistake by allowing our DVN to act as a 1/1 DVN for high-value transactions'; announces migration to minimum 3-of-3 or 5-of-5 verifier configurations","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/05/09/layerzero-says-it-made-a-mistake-in-usd292-million-kelp-exploit"},{"date":"2026-05-15","event":"THORChain exploited for approximately $10.7–11 million across nine blockchain networks via alleged GG20 TSS vulnerability exploited by a newly churned node operator; automated halt triggers within minutes, freezing trading for approximately 13 hours","source":"CoinDesk / TRM Labs","source_url":"https://www.coindesk.com/tech/2026/05/15/thorchain-halts-trading-after-usd10-million-cross-chain-exploit-rune-token-drops-12"},{"date":"2026-06-09","event":"Humanity Protocol suffers private key theft via phishing email impersonating Bithumb; attacker drains approximately 17 project wallets for $32–36 million; $H token crashes 80–90%","source":"CoinDesk / Halborn","source_url":"https://www.coindesk.com/tech/2026/06/09/humanity-protocol-token-crashes-more-than-80-after-a-usd32-million-private-key-hack"},{"date":"2026-06-25","event":"Q2 2026 formally closes; multiple reports confirm 83 incidents and approximately $755.3 million in total losses, making it the most-hacked quarter on record by incident count","source":"Memeburn / CoinTelegraph / Blockchain.news","source_url":"https://memeburn.com/q2-2026-just-broke-the-record/"}]},"v":1}