According to analysis by Unfolded using DefiLlama data, the second quarter of 2026 has already set an all-time record for the number of crypto hacks: 83 incidents and $755 million in losses. No previous quarter has seen attacks at this frequency. We break down why cross-chain bridges are again the main target and what these numbers tell us about the state of DeFi security.
How Did 83 Attacks Happen in a Single Quarter?
Eighty-three incidents works out to roughly one attack every two days. No slow periods, no weekends off. Unfolded, analyzing DefiLlama data, confirmed that Q2 2026 set a new record for hack frequency across the entire history of the crypto industry.
Total losses, though, did not break the all-time dollar record. The fourth quarter of 2020 saw $3.56 billion stolen, nearly five times more than Q2 2026's $755 million. This quarter leads in frequency, not in total damage.
Two incidents account for most of the losses. KelpDAO lost $293 million after a vulnerability in the LayerZero OFT bridge was exploited. Drift Protocol on Solana lost another $280 million through a compromised admin key. Together, those two hacks represent over 76% of all Q2 losses.
The most recent victim at the time of publication is Taiko, an Ethereum layer-2 network, where attackers stole $1.7 million by targeting the bridge's chain state verification mechanism. The quarter has not closed yet, so the final incident count may go higher.
Why Bridges Keep Getting Hit the Hardest
Cross-chain bridges connect separate blockchain networks and allow assets to move between them. This design concentrates hundreds of millions, sometimes billions, of dollars into a single smart contract.
In Q2 2026, bridge exploits accounted for $351 million in losses, or 46% of everything stolen during the quarter. Most of that came from one incident. The LayerZero OFT bridge had a vulnerability that allowed attackers to drain $293 million from KelpDAO, a liquid restaking protocol on Ethereum. That single attack represents 38% of all quarterly losses.
LayerZero is a cross-chain messaging protocol. Its OFT (Omnichain Fungible Token) standard lets tokens exist on multiple networks at once. The vulnerability was found in the logic of that standard's contract.
Several structural factors explain why bridges draw so much attention:
- Concentrated liquidity: one contract holds locked assets for two networks simultaneously, which can add up to hundreds of millions of dollars in a single address
- Code complexity scales with every new blockchain a bridge supports. More chains means more potential attack surfaces in the contract logic
- Speed-to-market often beats security readiness. Teams ship first and audit later, driven by competitive pressure
- Key management failures remain a chronic issue. Dmytro Tarasiuk of CORE3 described a common pattern: "declare a 3-of-6 multisig, then store three keys on one laptop"
Other Attack Methods Used in Q2 2026
Bridges took nearly half of all losses, but attackers use a range of approaches.
Compromised admin access combined with fake token price manipulation accounted for 37% of losses. In the first scenario, attackers gain privileged contract access through stolen developer or owner keys. In the second, they inflate the price of an illiquid token, take out a loan using it as collateral, and exit before the system can react.
Flash loans deserve a specific mention. These are uncollateralized loans issued and repaid within a single transaction. Attackers use them to temporarily control large amounts of liquidity and manipulate protocol logic without putting any of their own funds at risk.
Private key compromises were responsible for 5.66% of losses. A smaller share by total value, but this method has led to some of the largest individual hacks in previous years.
Why More Attacks but Less Money?
Two factors explain this pattern.
First, the pool is smaller. Total value locked in DeFi fell from $164 billion to roughly $73 billion following the large liquidation event on October 10, 2025. Less liquidity in protocols sets a lower ceiling on what a single hack can extract.
Second, protocol complexity grows faster than security practices mature. As Dmytro Tarasiuk of CORE3 put it, "protocols get re-engineered faster than the underlying risk management complexity grows." Teams add features and connect new chains. Security does not always keep pace.
Attackers are hitting more targets, but each yields less. With DeFi TVL roughly half its peak, attackers distribute across a larger number of smaller opportunities. The threat changes shape, but it does not disappear.
One more point. "More attacks" does not automatically mean "more attackers." Some of the frequency increase reflects the spread of automated vulnerability-scanning tools, which lower the barrier to entry for smaller actors.
What This Means if You Use DeFi
Check the audit before sending significant funds through any bridge. Most major Q2 2026 hacks involved protocols either with no current public audit or with known vulnerabilities the team had flagged but not fixed.
Audit reports without a date, or without a list of identified findings, should raise questions. A recent audit from a reputable firm is considerably more useful than an audit that exists but cannot be verified.
Avoid concentrating large amounts in a single DeFi protocol. After a hack, recovering funds is rare. Most affected users receive nothing back.
If a protocol's audit shows critical findings marked as "acknowledged" (known but not fixed), that is already an answer to the question of when.
Comments
Your email address will not be published. Required fields are marked *