DeFi Hacks 2026: $840M+ Lost and the Attack That Changed Everything

7 min read June 9, 2026
Lenka Fetyko

Over $840 million drained in five months. 50+ incidents. A 70% year-over-year increase. But the most important shift in 2026 DeFi security isn’t the dollar amount — it’s where the attacks are coming from.

Key takeaways

  • $840M+ lost in January–May 2026 — a 70% YoY increase over the same period in 2025
  • 72% of losses in 2026 came from stolen keys and credential theft — not smart contract bugs
  • Lazarus Group (North Korea) attributed to ~76% of crypto hack losses globally in 2026
  • Bridges hold $21.94B TVL and remain the single highest-risk surface in DeFi infrastructure
  • June 9 (today): Humanity Protocol exploited for $30–32M via a stolen private key

  • Total Jan–May: $840M+
  • YoY increase: +70%
  • Incidents (Jan–May): 50+
  • April alone: $630M

A day without a crypto hack has become a rarity in 2026. By the end of April — just four months in — DeFi protocols had collectively lost more than $750 million to exploits. Add May and partial June figures and the running total exceeds $840 million.

But the dollar total isn’t the most important story. The more significant shift is where the attacks are coming from. Three of the four largest incidents in 2026 did not involve a single line of flawed Solidity. The smart contracts did exactly what they were programmed to do — they were given fraudulent instructions by attackers who had obtained access they shouldn’t have had.

This article documents every major DeFi exploit of 2026 to date, explains the attack vectors behind each, and examines what the data collectively signals about the direction of DeFi security risk.

Q1 2026: The familiar attack playbook

The year opened with a more recognisable set of attack vectors. Three protocols — Step Finance, Resolv, and Truebit — each lost more than $25 million in Q1 to oracle manipulation, logic flaws, and unchecked permission errors. These are the vulnerabilities that DeFi security researchers have been writing about for years. Well-audited protocols generally survive them; newer or faster-moving projects often don’t.

Foom Cash  ·  $2.3M  ·  March 2, 2026  ·  Logic / ZK flaw

Attackers exploited a verifier misconfiguration in Foom Cash’s zero-knowledge proof logic, allowing unauthorised loan withdrawals. A reminder that even cutting-edge cryptographic primitives are only as strong as their implementation — a misconfigured verifier parameter breaks the entire mathematical guarantee.

Q1 total losses reached approximately $137 million. At the time, that looked like a serious but not unprecedented quarter. Then April arrived.

April 2026: $630M in 30 days

April set a grim record. Fourteen major incidents. Over $630 million in confirmed losses. Two attacks alone — Drift Protocol and KelpDAO — accounted for $577 million of that total. What made April different wasn’t just the scale. It was that neither of the two biggest exploits involved a smart contract vulnerability.

Drift Protocol — $285 million (April 1)

Drift Protocol  ·  ~$285M  ·  April 1, 2026  ·  Social engineering / key theft  ·  Lazarus Group attributed

North Korean state-linked hackers spent six months on an in-person social engineering campaign before gaining privileged administrative access to this Solana-based DEX. Once inside, they introduced a fake asset, manipulated its price, and used it as collateral to drain real funds. Assets were bridged across chains within hours.

The mechanism was creative. The root cause was human. Six months of relationship-building, trust-gaining, and operational patience — then a single window of access was all it took.

KelpDAO — $292 million (April 19)

KelpDAO / LayerZero bridge  ·  ~$292M  ·  April 19, 2026  ·  Bridge / infra exploit  ·  Lazarus Group attributed

Attackers compromised internal RPC nodes and DDoS’d external nodes, feeding false data to KelpDAO’s LayerZero bridge — which was running a single-DVN configuration despite multi-verifier setups having been previously recommended. A phantom token burn convinced the Ethereum contract to release 116,500 rsETH. The fallout triggered $13 billion in DeFi outflows and caused Aave to freeze rsETH markets on V3 and V4.
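
An added example (not from the original article, and not LayerZero or KelpDAO code) modelling why a 1-of-1 verifier set accepts a phantom burn once that verifier's data source is poisoned, while a 2-of-3 quorum of verifiers on independent nodes rejects it. The verifier names, keys, packet format and the HMAC stand-in for signatures are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed verifier keys; HMAC stands in for each verifier's real signature scheme.
VERIFIER_KEYS = {"dvn-a": b"key-a", "dvn-b": b"key-b", "dvn-c": b"key-c"}

def packet_hash(nonce: int, sender: str, amount: int) -> bytes:
    """Digest of the cross-chain message the destination contract is asked to honour."""
    return hashlib.sha256(f"{nonce}|{sender}|{amount}".encode()).digest()

def attest(verifier: str, digest: bytes) -> bytes:
    """What a verifier emits after seeing the burn on its own view of the source chain."""
    return hmac.new(VERIFIER_KEYS[verifier], digest, hashlib.sha256).digest()

def quorum_met(digest, attestations, required, threshold) -> bool:
    """Accept only if `threshold` distinct verifiers from `required` signed this digest."""
    if not 1 <= threshold <= len(required):
        raise ValueError("threshold must be between 1 and the number of verifiers")
    valid = set()
    for verifier, tag in attestations:
        if verifier not in required or verifier not in VERIFIER_KEYS:
            continue  # unknown or unconfigured verifier: ignore
        if hmac.compare_digest(tag, attest(verifier, digest)):
            valid.add(verifier)  # a set stops one verifier being counted twice
    return len(valid) >= threshold

def demo():
    real = packet_hash(7, "0xuser", 10)               # burn that happened on the source chain
    phantom = packet_hash(8, "0xattacker", 116_500)   # burn that never happened
    # dvn-a reads from a poisoned RPC node and attests to the phantom burn (sent twice).
    # dvn-b and dvn-c use independent nodes, never see it, and attest nothing for it.
    forged = [("dvn-a", attest("dvn-a", phantom))] * 2
    honest = [(v, attest(v, real)) for v in ("dvn-a", "dvn-b")]
    return {
        "single_dvn_phantom": quorum_met(phantom, forged, {"dvn-a"}, 1),
        "two_of_three_phantom": quorum_met(phantom, forged, set(VERIFIER_KEYS), 2),
        "two_of_three_real": quorum_met(real, honest, set(VERIFIER_KEYS), 2),
    }

if __name__ == "__main__":
    print(demo())
```

The quorum only helps if the verifiers do not share RPC infrastructure; three verifiers reading from the same compromised node behave like one.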

Bridge risk context

Bridge TVL reached $21.94 billion as of March 2026. Bridges have produced more than $2.8 billion in cumulative losses since 2022 — roughly 40% of all value ever hacked in Web3. A bridge custodying wrapped assets across 20 chains is a single point of failure for every protocol downstream.

CoW Swap  ·  $1.2M  ·  April 14, 2026  ·  DNS / domain hijack

This popular DEX aggregator lost $1.2M not to a contract exploit, but to a domain hijacking attack. The attack surface wasn’t the code — it was DNS infrastructure. Internal funds only were affected; user assets remained safe.

May 2026: $68M and twelve incidents

May brought a sharp drop in headline losses — $68.3 million total, down from $630M in April. But twelve incidents exceeding $1M each is not a quiet month by historical standards. Both old and new attack vectors appeared side by side.

TrustedVolumes  ·  $6.7M  ·  Access control

Attacker added themselves to the approved trade order signers list via missing allowlist access controls.

TAC Protocol  ·  $2.8M  ·  Bridge / logic flaw

Logical errors in the TON/EVM cross-chain bridge path allowed funds to be drained.

Ekubo Protocol  ·  $1.4M  ·  Smart contract flaw

Verification error in a custom extension contract allowed draining via existing ERC-20 approvals.

May total (12 incidents)  ·  $68.3M  ·  Bridges: 42% of losses

Cross-chain bridges still accounted for 42% of May losses. Infrastructure risk didn’t disappear — the headline numbers just got smaller.

June 9, 2026 (today): Humanity Protocol

As this article is being written, the Humanity Protocol exploit is unfolding. It fits the 2026 pattern precisely — and it’s worth examining in detail.

Humanity Protocol — BREAKING  ·  $30–32M  ·  June 9, 2026  ·  Private key theft  ·  Possible insider involvement (ZachXBT)

A private key belonging to a foundation member was stolen. Attackers drained $30M+ from 17 wallets on Ethereum, then extended the exploit to BNB Chain — seizing proxy admin control and minting 100 million additional $H tokens (~$12.9M). The H token dropped over 80% in a single session, from ~$0.67 to ~$0.13.

Note: On-chain investigator ZachXBT publicly questioned whether the incident was staged. The team has denied this. Investigation ongoing.

All major DeFi incidents of 2026

Ranked by confirmed loss  ·  Data as of June 9, 2026  ·  Sources: Halborn, CCN, CoinDesk, Chainalysis

Protocol          | Date   | Loss    | Attack vector
KelpDAO           | Apr 19 | ~$292M  | Bridge / infra exploit
Drift Protocol    | Apr 1  | ~$285M  | Key / credential theft
Humanity Protocol | Jun 9  | $30–32M | Key / credential theft
Resolv            | Q1     | $27M+   | Logic / oracle flaw
Step Finance      | Q1     | $26M+   | Logic / oracle flaw
Truebit           | Q1     | $25M+   | Logic / oracle flaw
TrustedVolumes    | May    | $6.7M   | Access control
TAC Protocol      | May    | $2.8M   | Bridge / infra exploit
Foom Cash         | Mar 2  | $2.3M   | Logic / ZK flaw
CoW Swap          | Apr 14 | $1.2M   | DNS hijack

The shift in attack vectors: what the data shows

Koinly reports that compromised accounts now account for more than 50% of all DeFi attacks by incident count — overtaking traditional smart contract exploits as the primary source of losses for the first time. By dollar value, the skew is even more pronounced in 2026.

Estimated share of 2026 losses by attack vector

  • Key & credential theft, 72%: KelpDAO (RPC nodes), Drift (social engineering), Humanity Protocol (stolen key)
  • Bridge / infrastructure exploit, 18%: Cross-chain bridges still 42% of May losses alone; $2.8B cumulative since 2022
  • Logic & oracle flaws, 8%: Resolv, Step Finance, Truebit, Foom Cash
  • Access control / other, 2%: TrustedVolumes (missing allowlist), CoW Swap (DNS hijack)

The North Korea factor

Chainalysis attributes approximately 76% of crypto-related hack losses globally in 2026 to state-backed actors linked to the Lazarus Group. North Korea’s cumulative crypto theft now exceeds $6 billion in attributed incidents since 2017.

These are not opportunistic attackers. They are well-resourced, patient, and increasingly focused on the human layer — precisely because the code layer has become harder to crack. A six-month social engineering campaign is a professional operation, not an opportunistic exploit.

“Smart contract audits are standard practice. Formal verification is increasingly common. Bug bounty programmes for code are well-established. None of these would have prevented Drift, KelpDAO, or Humanity Protocol.”

What this means for DeFi security

The industry’s security infrastructure is still largely oriented toward the previous problem. Code audits address code vulnerabilities. They do not address:

  • Insider threats and social engineering at the team level
  • Private key management and hardware security module policies
  • Single-point-of-failure bridge configurations (single DVN vs multi-verifier)
  • DNS and domain infrastructure security
  • RPC node compromise and off-chain data integrity

These are not exotic new attack surfaces. They are basic operational security failures. The question the industry needs to address is why they keep occurring at scale, and whether security due diligence frameworks — for protocols, investors, and users alike — need to be reoriented accordingly.

Open question

If the majority of losses now come from operational and human-layer failures rather than smart contract bugs — should security budgets, audit standards, and due diligence frameworks shift to reflect that?

Share your perspective in the comments below.
