The second quarter of 2026 has officially become the most-hacked quarter on record by incident count, with 83 separate exploits targeting cryptocurrency protocols so far.
That number comes from market insights platform Unfolded, pulling data from DefiLlama. The total value stolen stands at $755.3 million, which is actually lower than the $3.56 billion lost in Q4 2020, the costliest quarter by dollar amount.
The two biggest hits this quarter were the KelpDAO hack at $293 million and the Drift Protocol exploit at $280 million. Both involved cross-chain bridge vulnerabilities, which have emerged as the dominant attack vector of 2026.
Bridge exploits accounted for $351 million in total losses, with the LayerZero OFT bridge exploit behind KelpDAO responsible for over 38% of all value stolen. Compromised admin attacks and fake token price manipulation made up another 37%.
Why more incidents but lower dollar amounts? Dmytro Tarasiuk, product director at CORE3 and CER.live, points to the smaller pool of value available. Total value locked in DeFi has fallen from $164 billion before last October liquidation event to about $73 billion now.
He also noted a structural problem: protocols are being re-engineered faster than their security can keep up. Projects declare a three-of-six multisig and store three keys on one laptop. That is not security. That is a ticking clock.
Other notable incidents include $36 million stolen from Humanity Protocol on June 8, $10.7 million exploited from THORChain on May 15, and $2.1 million taken from Aztec Connect abandoned smart contracts.
Immunefi CEO Mitchell Amador has gone as far as calling it a vulnerability apocalypse, driven by the proliferation of new AI models shifting the cybersecurity playing field in favor of attackers.
