Verify a decision

{"actor":"system:backfill","investigation_id":"0180d047-73a2-45da-9503-dfef6cc4ea9d","kind":"publish","page_slug":"q2-2026-defi-record-hack-wave","published_at":"2026-06-25T17:09:23.957Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Q2 2026 DeFi Record Hack Wave","sections":[{"content":"Q2 2026 (April–June) set a new record for quarterly crypto hacking activity by incident count. According to data aggregated by DefiLlama and reported by multiple outlets including CoinTelegraph and Blockchain.news, 83 distinct exploits were recorded during the quarter, surpassing any prior three-month period. Total losses reached approximately $755.3 million, making Q2 2026 the most-hacked quarter by frequency, though it trails Q4 2020's $3.56 billion in aggregate dollar terms. Year-to-date through late June 2026, the industry recorded 121 hacks with cumulative losses approaching $942 million, according to CoinTribune. The surge in incident frequency occurred against a backdrop of significant TVL contraction: total value locked in DeFi fell roughly 39% from approximately $115 billion in January 2026 to about $70 billion by late June, per CoinTelegraph and Yahoo Finance data.","heading":"Overview and Scale","severity":"critical","sources":[{"credibility":2,"name":"Q2 2026 Emerges as Most-Hacked Quarter on Record with 83 Incidents — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/q2-2026-most-hacked-quarter-record-83-incidents"},{"credibility":2,"name":"Q2 2026 Breaks Record with 83 Crypto Hacks, $755M Stolen — Blockchain.news","type":"news_article","url":"https://blockchain.news/news/q2-2026-most-hacked-quarter"},{"credibility":2,"name":"121 Crypto Hacks, Billions Evaporated: DeFi Faces Its Worst Year Since 2022 — CoinTribune","type":"news_article","url":"https://www.cointribune.com/en/121-crypto-hacks-billions-evaporated-defi-faces-its-worst-year-since-2022/"},{"credibility":2,"name":"DeFi TVL Down by $45B in 2026 Despite More Resilient Market Structure — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/defi-tvl-falls-39-2026-erases-45b-value"}]},{"content":"The single largest DeFi exploit of Q2 2026 struck KelpDAO on April 18, 2026. An attacker drained 116,500 rsETH — approximately 18% of the token's circulating supply and worth roughly $292–$293 million — from KelpDAO's LayerZero-powered cross-chain bridge. According to CoinDesk and a Chainalysis post-mortem, the attack was not a smart-contract vulnerability but rather a targeted compromise of off-chain infrastructure. The attacker allegedly poisoned two of the bridge's internal RPC nodes — the servers relaying blockchain data to the LayerZero Decentralized Verifier Network (DVN) — while simultaneously conducting a distributed denial-of-service (DDoS) attack that forced the DVN's verifier to fail over to the compromised nodes. Because the bridge was configured with a 1-of-1 DVN verification scheme, a single poisoned node was sufficient to authorize the fraudulent cross-chain instruction. The attack had cascading effects on Aave: the attacker deposited approximately 89,567 rsETH as collateral and borrowed roughly $190.86 million in wrapped Ether against it. Aave's pricing oracle, which was still valuing rsETH at its pre-exploit market rate, did not detect the compromised origin of the collateral. By the time Aave froze rsETH markets, an estimated $190 million in real Ether had been extracted, representing a second-order loss distinct from the primary bridge drain. TRM Labs attributed the KelpDAO attack to North Korean state-sponsored actors, noting that pre-hack funding wallets traced back to Wu Huihui, a Chinese crypto broker previously indicted in 2023 for laundering Lazarus Group proceeds.","heading":"KelpDAO Exploit — $292–$293 Million (April 18, 2026)","severity":"critical","sources":[{"credibility":1,"name":"Kelp DAO exploited for $292 million with wrapped ether stranded across 20 chains — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"credibility":1,"name":"The $292 million Kelp crypto exploit: how it happened, and what it means for DeFi — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/04/19/the-usd292-million-kelp-exploit-how-it-happened-and-what-it-means-for-defi"},{"credibility":1,"name":"Inside the KelpDAO Bridge Exploit — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"},{"credibility":1,"name":"North Korea Stole 76% of All Crypto Hack Value in 2026 With Just Two Attacks — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks"},{"credibility":2,"name":"What Is KelpDAO? How Its $292M Hack Shook the Crypto Market in 2026 — KuCoin","type":"news_article","url":"https://www.kucoin.com/blog/vn-kelpdao-hack-2026-rseth-exploit-analysis"}]},{"content":"On April 1, 2026, approximately $285 million was drained from Drift Protocol, a Solana-based decentralized exchange, in an attack lasting roughly 12 minutes. The Hacker News, TRM Labs, and Drift's own post-mortem describe the incident as the culmination of a six-month social engineering campaign attributed with medium confidence to UNC4736, a North Korean state-sponsored hacking group also tracked as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces — distinct from but related to the broader Lazarus Group umbrella. The alleged operation began in fall 2025, when attackers created accounts on the Drift platform, deposited more than $1 million of their own funds to establish credibility, and cultivated relationships with multiple core contributors through detailed product questions over several months. By early 2026, the attackers had allegedly convinced multisig signers to pre-sign hidden governance authorizations. On April 1, they pushed a zero-timelock governance migration that removed the protocol's review window, granting them administrative control. The attackers also allegedly created a synthetic asset called CarbonVote Token and manipulated Drift's price oracle into treating it as valid collateral, enabling them to borrow against it. Drift's native token ($DRIFT) declined more than 40% in hours following the announcement. In May 2026, Drift published a recovery plan for affected users.","heading":"Drift Protocol Exploit — $285 Million (April 1, 2026)","severity":"critical","sources":[{"credibility":1,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":2,"name":"Drift Protocol Hack: $285M Stolen in 12 Min — Shattered.io","type":"news_article","url":"https://shattered.io/drift-protocol-hack-285m/"},{"credibility":1,"name":"Drift outlines a recovery plan for users after $295 million DPRK-linked exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-users-after-usd295-million-dprk-linked-exploit"},{"credibility":1,"name":"North Korea Stole 76% of All Crypto Hack Value in 2026 With Just Two Attacks — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks"}]},{"content":"On June 8, 2026, an attacker stole approximately $36 million in H tokens from Humanity Protocol, a biometric identity project sometimes described as a Worldcoin competitor. According to CoinDesk and a Halborn post-mortem, the attack originated from a phishing email impersonating South Korean exchange Bithumb that compromised an employee's laptop. That laptop stored multiple bridge admin private keys — specifically, three of six Ethereum multisig keys and three of five BNB Chain multisig keys — all on a single device. Using these keys, the attacker upgraded Humanity's Ethereum bridge to a malicious contract implementation and deployed an unlimited-mint function on BNB Smart Chain. Approximately 141 million H tokens were drained from the Ethereum bridge; approximately 200 million additional H tokens were minted at will on BNB Chain. The attacker swapped most stolen tokens for ETH via DEXs, causing H token's market price to collapse by an estimated 80–90% within 12 hours. Blockchain security firm Quantstamp attributed the malware used in the attack to North Korean threat actors. Humanity Protocol subsequently announced a token swap program beginning June 17, 2026, to compensate affected holders.","heading":"Humanity Protocol Exploit — $36 Million (June 8, 2026)","severity":"critical","sources":[{"credibility":1,"name":"Humanity's $36 million exploit happened because a 'multisig' lived on one laptop — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/09/humanity-s-usd36-million-exploit-happened-because-a-multisig-wallet-lived-on-one-laptop"},{"credibility":2,"name":"Explained: The Humanity Protocol Hack (June 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-humanity-protocol-hack-june-2026"},{"credibility":2,"name":"Humanity Protocol's $36M hack linked to suspected North Korean hackers — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/humanity-protocol-36m-hack-north-korean-hackers/"},{"credibility":2,"name":"$36 million exploit: Humanity Protocol token swap begins — Cryptonomist","type":"news_article","url":"https://en.cryptonomist.ch/2026/06/17/36-million-exploit-humanity-protocol-token-swap-begins/"}]},{"content":"On May 15, 2026, THORChain, a decentralized cross-chain liquidity protocol, halted trading after approximately $10.7 million was drained from one of its five Asgard vaults. According to THORChain's official exploit report and coverage by CoinDesk and The Block, the attacker was a newly admitted node operator who had joined the network two days prior. Over those two days, the attacker participated in routine GG20 threshold signature scheme (TSS) operations, accumulating enough key material to reconstruct the private key for a single vault. The attacker then bypassed the normal approval process and authorized direct outbound withdrawals from the compromised vault. THORChain's automated solvency checker — which monitors for greater than 1% imbalance in vault balances — flagged the breach within minutes, triggering automated halts on trading, signing, and churning operations. The protocol covered the $10.7 million loss from its protocol-owned liquidity reserves, avoiding a supply inflation of RUNE. Trading resumed approximately five weeks after the incident.","heading":"THORChain Exploit — $10.7 Million (May 15, 2026)","severity":"high","sources":[{"credibility":1,"name":"Thorchain halts trading after $10 million cross-chain exploit, RUNE token drops 12% — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/05/15/thorchain-halts-trading-after-usd10-million-cross-chain-exploit-rune-token-drops-12"},{"credibility":2,"name":"THORChain Exploit Report #1 — THORChain Official Blog","type":"official","url":"https://blog.thorchain.org/thorchain-exploit-report-1"},{"credibility":1,"name":"THORChain pauses trading as security researchers flag suspected $10M multi-chain exploit — The Block","type":"news_article","url":"https://www.theblock.co/amp/post/401462/thorchain-pauses-trading-as-security-researchers-flag-suspected-10m-multi-chain-exploit"},{"credibility":2,"name":"THORChain resumes trading after five-week halt following $10.7M exploit — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/thorchain-resumes-trading-after-exploit/"}]},{"content":"Cross-chain bridge exploits were the dominant attack vector in Q2 2026, accounting for approximately $351 million — roughly 47% of total quarterly losses — according to data cited by CoinTelegraph and Blockchain.news. The KelpDAO incident alone represented over 38% of all value stolen in the quarter. Compromised administrator accounts and token price manipulation accounted for approximately 37% of losses, while private key theft accounted for a further 5.66%. Security analysts noted a broader tactical evolution away from direct smart-contract code vulnerabilities toward attacks on off-chain infrastructure (as in the KelpDAO RPC poisoning), social engineering of multisig signers and core team members (as in the Drift Protocol attack), and phishing-driven private key compromise (as in the Humanity Protocol incident). The altfins.com research note and thirdweb blog characterized this shift as attackers recognizing that 'the code layer has become harder to crack' and migrating to the 'human layer.' AI-assisted exploitation techniques were flagged by several security firms as an emerging threat contributing to the rising incident frequency.","heading":"Attack Vectors and Patterns","severity":"high","sources":[{"credibility":2,"name":"Q2 2026 Breaks Record with 83 Crypto Hacks, $755M Stolen — Blockchain.news","type":"news_article","url":"https://blockchain.news/news/q2-2026-most-hacked-quarter"},{"credibility":2,"name":"DeFi Hacks 2026: $840M+ Lost and the Attack That Changed Everything — Altfins","type":"news_article","url":"https://altfins.com/blog/defi-hacks-2026/"},{"credibility":2,"name":"DeFi Security Crisis 2026: $840M Lost, AI Exploits and What Builders Must Know — Thirdweb Blog","type":"research","url":"https://blog.thirdweb.com/defi-lost-840-million-in-2026-so-far-heres-what-builders-need-to-know-about-the-security-crisis/"},{"credibility":2,"name":"Every Major DeFi Hack in 2026 So Far: Bridge Exploits Dominate — Phemex","type":"news_article","url":"https://phemex.com/blogs/defi-hacks-2026-bridge-exploits-explained"}]},{"content":"TRM Labs reported that North Korean state-sponsored actors captured approximately $577 million — or 76% of all tracked crypto hack value through April 2026 — via just two attacks: the Drift Protocol exploit on April 1 and the KelpDAO exploit on April 18. TRM attributed the Drift attack to UNC4736 (also tracked as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces), describing the group as distinct from the better-known TraderTraitor Lazarus subgroup. Attribution for the KelpDAO attack relied on on-chain analysis of pre-funding wallets and post-hack laundering flows, with KuCoin citing a connection to Wu Huihui, a Chinese broker previously indicted for laundering prior Lazarus proceeds. Quantstamp attributed the Humanity Protocol malware to North Korean threat actors. A separate KuCoin news note stated that North Korean Lazarus Group actors stole $635 million from crypto protocols in April 2026 alone. Chainalysis corroborated the attribution methodology, noting the use of intermediary wallets, DEX swaps, cross-chain bridges, and no-KYC swap services for post-theft laundering — consistent with prior DPRK operational patterns documented after the February 2025 Bybit hack. North Korea's cumulative attributed crypto theft since 2017 was estimated by TRM Labs at more than $6 billion prior to the Q2 2026 incidents.","heading":"North Korean State-Actor Attribution","severity":"critical","sources":[{"credibility":1,"name":"North Korea Stole 76% of All Crypto Hack Value in 2026 With Just Two Attacks — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks"},{"credibility":2,"name":"North Korean Lazarus Group steals $635 million from crypto protocols in April 2026 — KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/north-korean-lazarus-group-steals-635m-from-crypto-protocols-in-april-2026"},{"credibility":2,"name":"The Lazarus Group and DPRK Crypto Theft in 2026: What Compliance Teams Need to Know — Sanctions.io","type":"research","url":"https://www.sanctions.io/blog/the-lazarus-group-and-dprk-crypto-theft-in-2026"},{"credibility":2,"name":"Lazarus And The Kelp Hack: How North Korea's Crypto Heists Evolved — Yellow Research","type":"research","url":"https://yellow.com/research/lazarus-kelp-hack-north-korea-crypto-heists"},{"credibility":2,"name":"Crypto Hacks in April 2026: $606M Lost, DeFi Exodus — IndexBox / Yahoo Finance","type":"news_article","url":"https://www.indexbox.io/blog/crypto-losses-exceed-606m-in-april-2026-due-to-hacks-linked-to-lazarus-group/"}]},{"content":"The Q2 2026 hack wave contributed to a sustained DeFi TVL decline throughout 2026. CoinTelegraph and Yahoo Finance data show TVL fell from approximately $115 billion in January 2026 to about $70 billion by late June, a roughly 39% year-to-date contraction. Aave alone saw TVL drop from $26.4 billion to $14.3 billion in the immediate aftermath of the KelpDAO exploit, as depositors withdrew funds in response to oracle and collateral concerns. A separate CoinTribune analysis noted that approximately $14 billion was withdrawn from DeFi lending platforms in the weeks following major April incidents. The broader crypto market also contracted: total crypto market capitalization fell from roughly $4.21 trillion to approximately $2.15 trillion between peak and trough in 2026, per Yahoo Finance data. Security researchers at The Block noted that the DeFi sector's declining TVL paradoxically reduced the available target pool for attackers but did not meaningfully reduce incident frequency, suggesting the frequency increase was driven by improved attacker capability rather than expanding targets.","heading":"DeFi TVL Impact and Market Effects","severity":"high","sources":[{"credibility":2,"name":"DeFi TVL Falls 39% YTD to $70B as Exploits and Market Slump Weigh on Sector — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/defi-tvl-falls-39-ytd-to-70b-as-exploits-and-market-slump-weigh-on-sector/"},{"credibility":2,"name":"DeFi Total Value Locked Slides Every Month in 2026 to $70 Billion — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/defi-total-value-locked-slides-072657247.html"},{"credibility":1,"name":"DeFi Hacks and Recoveries Data — The Block","type":"research","url":"https://www.theblock.co/data/decentralized-finance/exploits"},{"credibility":3,"name":"Nearly $14 billion withdrawn from DeFi sector following high-profile cyberattacks — ECIKS","type":"news_article","url":"https://eciks.org/10177-66183-decentralized-finance-investor-exodus-14-billion"}]},{"content":"Beyond the three primary exploits, Q2 2026 included numerous smaller incidents that contributed to the record incident count. Two exploits on abandoned Aztec Connect smart contracts resulted in losses of approximately $2.1 million and $1.3 million respectively; the protocol had been deprecated but its contracts remained active with residual funds. Raydium, a Solana-based DEX, reported a $1.3 million exploit in June 2026. Taiko, a ZK-rollup bridge, suffered an estimated $1.7 million loss. The quarter also saw concurrent non-crypto cybersecurity incidents, including tens of thousands of Fortinet firewall compromises and 772 ransomware victims recorded in April alone, suggesting broader infrastructure threat environment. The altfins.com analysis characterized the pattern of smaller, more frequent attacks as attackers diversifying target selection rather than concentrating solely on large-TVL protocols.","heading":"Other Notable Incidents","severity":"medium","sources":[{"credibility":2,"name":"Q2 2026 Breaks Record with 83 Crypto Hacks, $755M Stolen — Blockchain.news","type":"news_article","url":"https://blockchain.news/news/q2-2026-most-hacked-quarter"},{"credibility":2,"name":"Q2 2026 Becomes Record-Breaking Most-Hacked Quarter with 83 Incidents — CryptoBreaking","type":"news_article","url":"https://www.cryptobreaking.com/q2-2026-becomes-record-breaking/"},{"credibility":2,"name":"DeFi Hacks 2026: $840M+ Lost and the Attack That Changed Everything — Altfins","type":"news_article","url":"https://altfins.com/blog/defi-hacks-2026/"}]},{"content":"The hack wave unfolded during a period of active regulatory development in the United States. The SEC and CFTC issued a joint interpretation of federal securities laws as applied to crypto assets in March 2026, and signed a memorandum of understanding on regulatory harmonization in the same month. However, no targeted enforcement actions specifically arising from Q2 2026 DeFi hacks have been publicly reported as of late June 2026. The Lazarus Group attribution in the Drift and KelpDAO incidents echoes prior OFAC-designated activity; the group was sanctioned by the U.S. Treasury Department in 2019. The incidents prompted renewed industry discussion about cross-chain bridge security standards, DVN configuration requirements for LayerZero integrations, and the adequacy of multisig key management practices. Security researchers at Chainalysis flagged that post-Tornado Cash, DPRK-linked actors have migrated laundering operations to alternative mixing services, peer-to-peer transactions in jurisdictions outside U.S. reach, and privacy coin conversions.","heading":"Industry and Regulatory Context","severity":"medium","sources":[{"credibility":2,"name":"SEC and CFTC Sign Landmark Memorandum of Understanding on Regulatory Harmonization — Fintech and Digital Assets Blog","type":"regulatory","url":"https://www.fintechanddigitalassets.com/2026/03/sec-and-cftc-sign-landmark-memorandum-of-understanding-on-regulatory-harmonization/"},{"credibility":2,"name":"The Lazarus Group and DPRK Crypto Theft in 2026: What Compliance Teams Need to Know — Sanctions.io","type":"research","url":"https://www.sanctions.io/blog/the-lazarus-group-and-dprk-crypto-theft-in-2026"},{"credibility":1,"name":"Inside the KelpDAO Bridge Exploit — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"}]}],"sources_used":[{"credibility":2,"name":"Q2 2026 Emerges as Most-Hacked Quarter on Record with 83 Incidents — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/q2-2026-most-hacked-quarter-record-83-incidents"},{"credibility":2,"name":"Q2 2026 Breaks Record with 83 Crypto Hacks, $755M Stolen — Blockchain.news","type":"news_article","url":"https://blockchain.news/news/q2-2026-most-hacked-quarter"},{"credibility":1,"name":"Kelp DAO exploited for $292 million with wrapped ether stranded across 20 chains — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"credibility":1,"name":"The $292 million Kelp crypto exploit: how it happened, and what it means for DeFi — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/04/19/the-usd292-million-kelp-exploit-how-it-happened-and-what-it-means-for-defi"},{"credibility":1,"name":"Inside the KelpDAO Bridge Exploit — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"},{"credibility":1,"name":"The $293 million KelpDAO hack shows why DeFi is finally being forced to grow up — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/05/16/the-usd293-million-kelpdao-hack-shows-why-defi-is-finally-being-forced-to-grow-up"},{"credibility":1,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":2,"name":"Drift Protocol Hack: $285M Stolen in 12 Min — Shattered.io","type":"news_article","url":"https://shattered.io/drift-protocol-hack-285m/"},{"credibility":1,"name":"Drift outlines a recovery plan for users after $295 million DPRK-linked exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-users-after-usd295-million-dprk-linked-exploit"},{"credibility":1,"name":"North Korea Stole 76% of All Crypto Hack Value in 2026 With Just Two Attacks — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks"},{"credibility":1,"name":"Humanity's $36 million exploit happened because a 'multisig' lived on one laptop — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/09/humanity-s-usd36-million-exploit-happened-because-a-multisig-wallet-lived-on-one-laptop"},{"credibility":2,"name":"Explained: The Humanity Protocol Hack (June 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-humanity-protocol-hack-june-2026"},{"credibility":2,"name":"Humanity Protocol's $36M hack linked to suspected North Korean hackers — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/humanity-protocol-36m-hack-north-korean-hackers/"},{"credibility":1,"name":"Thorchain halts trading after $10 million cross-chain exploit, RUNE token drops 12% — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/05/15/thorchain-halts-trading-after-usd10-million-cross-chain-exploit-rune-token-drops-12"},{"credibility":2,"name":"THORChain Exploit Report #1 — THORChain Official Blog","type":"official","url":"https://blog.thorchain.org/thorchain-exploit-report-1"},{"credibility":1,"name":"THORChain pauses trading as security researchers flag suspected $10M multi-chain exploit — The Block","type":"news_article","url":"https://www.theblock.co/amp/post/401462/thorchain-pauses-trading-as-security-researchers-flag-suspected-10m-multi-chain-exploit"},{"credibility":2,"name":"121 Crypto Hacks, Billions Evaporated: DeFi Faces Its Worst Year Since 2022 — CoinTribune","type":"news_article","url":"https://www.cointribune.com/en/121-crypto-hacks-billions-evaporated-defi-faces-its-worst-year-since-2022/"},{"credibility":2,"name":"DeFi Hacks 2026: $840M+ Lost and the Attack That Changed Everything — Altfins","type":"news_article","url":"https://altfins.com/blog/defi-hacks-2026/"},{"credibility":2,"name":"DeFi TVL Falls 39% YTD to $70B — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/defi-tvl-falls-39-ytd-to-70b-as-exploits-and-market-slump-weigh-on-sector/"},{"credibility":2,"name":"DeFi Total Value Locked Slides Every Month in 2026 to $70 Billion — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/defi-total-value-locked-slides-072657247.html"},{"credibility":2,"name":"DeFi TVL Down by $45B in 2026 Despite More Resilient Market Structure — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/defi-tvl-falls-39-2026-erases-45b-value"},{"credibility":2,"name":"The Lazarus Group and DPRK Crypto Theft in 2026: What Compliance Teams Need to Know — Sanctions.io","type":"research","url":"https://www.sanctions.io/blog/the-lazarus-group-and-dprk-crypto-theft-in-2026"},{"credibility":2,"name":"North Korean Lazarus Group steals $635 million from crypto protocols in April 2026 — KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/north-korean-lazarus-group-steals-635m-from-crypto-protocols-in-april-2026"},{"credibility":2,"name":"Crypto Hacks in April 2026: $606M Lost, DeFi Exodus — IndexBox","type":"news_article","url":"https://www.indexbox.io/blog/crypto-losses-exceed-606m-in-april-2026-due-to-hacks-linked-to-lazarus-group/"},{"credibility":1,"name":"DeFi Hacks and Recoveries Data — The Block","type":"research","url":"https://www.theblock.co/data/decentralized-finance/exploits"},{"credibility":2,"name":"SEC and CFTC Sign Landmark Memorandum of Understanding on Regulatory Harmonization — Fintech and Digital Assets Blog","type":"regulatory","url":"https://www.fintechanddigitalassets.com/2026/03/sec-and-cftc-sign-landmark-memorandum-of-understanding-on-regulatory-harmonization/"},{"credibility":2,"name":"Q2 2026 sees record 70 crypto hacks totaling $746M in losses — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/q2-2026-sees-record-70-crypto-hacks-totaling-746m-in-losses/"},{"credibility":2,"name":"Q2 2026 Records Highest Number of Crypto Hacks Ever With 83 Incidents — FinanceFeeds","type":"news_article","url":"https://financefeeds.com/q2-2026-records-highest-number-of-crypto-hacks/"},{"credibility":2,"name":"$36 million exploit: Humanity Protocol token swap begins — Cryptonomist","type":"news_article","url":"https://en.cryptonomist.ch/2026/06/17/36-million-exploit-humanity-protocol-token-swap-begins/"},{"credibility":2,"name":"THORChain resumes trading after five-week halt following $10.7M exploit — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/thorchain-resumes-trading-after-exploit/"}],"summary":"Q2 2026 became the most-hacked quarter in crypto history by incident count, with 83 confirmed exploits totaling approximately $755 million in losses. The two largest incidents — a $293 million bridge exploit at KelpDAO and a $285 million social-engineering attack on Drift Protocol — were both attributed to North Korean state-sponsored actors, who collectively captured an estimated 76% of all crypto hack losses recorded through April 2026. The wave contributed to a 39% year-to-date decline in DeFi total value locked, which fell from roughly $115 billion to approximately $70 billion by late June 2026.","timeline":[{"date":"2026-04-01","event":"Drift Protocol exploited for approximately $285 million in 12 minutes; attack attributed to North Korean UNC4736 group following a six-month social engineering campaign that began in fall 2025.","source":"The Hacker News / TRM Labs","source_url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"date":"2026-04-18","event":"KelpDAO exploited for approximately $292–$293 million via a LayerZero bridge RPC poisoning and DDoS attack; Aave suffers secondary losses of approximately $190 million before freezing rsETH markets.","source":"CoinDesk / Chainalysis","source_url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"date":"2026-04-30","event":"April 2026 closes as the single month with the highest crypto hack losses ever recorded; losses for the month estimated at $606–$651 million across approximately 30 incidents.","source":"IndexBox / Yahoo Finance","source_url":"https://www.indexbox.io/blog/crypto-losses-exceed-606m-in-april-2026-due-to-hacks-linked-to-lazarus-group/"},{"date":"2026-05-05","event":"Drift Protocol publishes recovery plan for affected users following the April 1 exploit.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-users-after-usd295-million-dprk-linked-exploit"},{"date":"2026-05-15","event":"THORChain halts trading after $10.7 million is drained from one Asgard vault by a newly admitted node operator exploiting the GG20 threshold signature scheme; RUNE drops 12%.","source":"CoinDesk / The Block","source_url":"https://www.coindesk.com/tech/2026/05/15/thorchain-halts-trading-after-usd10-million-cross-chain-exploit-rune-token-drops-12"},{"date":"2026-05-16","event":"CoinDesk publishes analysis on the KelpDAO hack and its implications for DeFi bridge security standards.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/05/16/the-usd293-million-kelpdao-hack-shows-why-defi-is-finally-being-forced-to-grow-up"},{"date":"2026-06-08","event":"Humanity Protocol exploited for $36 million after a phishing email compromises an employee laptop holding multiple bridge admin keys; H token collapses 80–90% in value.","source":"CoinDesk / Halborn","source_url":"https://www.coindesk.com/tech/2026/06/09/humanity-s-usd36-million-exploit-happened-because-a-multisig-wallet-lived-on-one-laptop"},{"date":"2026-06-17","event":"Humanity Protocol begins a token swap program to compensate holders affected by the June 8 exploit.","source":"Cryptonomist","source_url":"https://en.cryptonomist.ch/2026/06/17/36-million-exploit-humanity-protocol-token-swap-begins/"},{"date":"2026-06-24","event":"DeFi TVL reported at approximately $70 billion, a 39% decline year-to-date from roughly $115 billion in January 2026; Q2 2026 confirmed as the most-hacked quarter on record with 83 incidents and $755 million in losses.","source":"CoinTelegraph / Yahoo Finance","source_url":"https://cointelegraph.com/news/defi-tvl-falls-39-2026-erases-45b-value"}]},"v":1}