Notice: Closing figures for the first half of 2026 based on data from the TRM Labs report published on July 3, 2026, cross-referenced with The Block, UPI, and BeInCrypto. This is an editorial analysis by CleanSky regarding public incidents and third-party estimates—attribution to North Korea is a thesis held by forensic firms, not a fact confirmed by a court—and is not a security guide or financial advice. CleanSky does not receive commissions or referral payments from any of the firms or protocols mentioned.
The first half of 2026 closed with an uncomfortable record: 207 cryptocurrency hacks, the highest number ever recorded by TRM Labs in a single semester, yet only $972 million stolen—less than half of the $2.3 billion from the same period in 2025. More attacks, less money: frequency and severity have decoupled, and the explanation lies in two figures. North Korea (via the state-linked Lazarus group) accounted for approximately $643 million, or 66% of the total, practically all of it in just two strikes in April. In contrast, the median hack of the semester cost $219,000.
As of July 5, 2026, with the consolidated report now finalized, this article closes the books on the semester: what the definitive figures say, why the incident count is skyrocketing while the loot plummets, and what this decoupling reveals about a DeFi security landscape maturing at two different speeds. We are not re-arguing here that attacks have shifted from the contract to the perimeter—we already defended that with partial data in June; we are establishing the closing figure and the frequency-severity paradox as the true hallmarks of this semester.
How much was stolen in crypto during the first half of 2026?
The overall picture is provided by TRM Labs, an on-chain analysis firm (tracking money directly on the blockchain) whose semi-annual reports serve as a benchmark for the sector. Their July 3 closing report puts two numbers on the table that, when read together, seem to contradict each other: 207 individual incidents—the highest number of hacks ever recorded in a semester—and $972 million stolen in total, falling below the psychological billion-dollar barrier and less than half of what was lost a year prior.
The contrast with 2025 is the key to understanding the semester. In the first half of 2025, there were 83 incidents and $2.3 billion stolen. In the same period of 2026, the number of incidents has increased two-and-a-half times, but the money stolen has dropped by more than half. An ecosystem with significantly more attacks is losing much less money. That is the paradox that frames everything else.
| Metric (First Half) | 2025 | 2026 | Variation |
|---|---|---|---|
| Recorded incidents | 83 | 207 | +149% |
| Total losses | $2.3 billion | $972 million | −58% |
| Attributed to North Korea | ~$1.7 billion | ~$643 million | −62% |
| North Korea share | ~74% | 66% | −8 pp |
The last column of the North Korea rows should be read carefully: the fact that North Korea has stolen less money in absolute terms does not mean the ecosystem has expelled its most dangerous actor. It means that a single semester is so dependent on a handful of large operations that it only takes that actor having a "slow" semester—two hits instead of five—for the entire sector's aggregate figure to collapse. DeFi security, measured in dollars stolen, remains a hostage to the actions of a few state-linked operators.
Why were there more attacks but less money stolen?
The short answer is that the semester combines two populations of attacks that barely overlap. On one hand, a growing mass of low-value smart contract exploits (flaws in the code governing funds): numerous, cheap to execute, and yielding modest loot. On the other, a handful of infrastructure compromises—theft of private keys, poisoning of the operations surrounding the code—which are rare but devastating. The first population inflates the incident count; the second inflates the dollar count. They are almost never the same attack.
The data point that best captures this is not a total, but the distance between the mean and the median. The average loss per incident in the first half of 2026 was $4.7 million. The median loss—the hack that leaves exactly half of the cases above and half below—was just $219,000. When the average is twenty-one times the median, the distribution is not bell-shaped: it is shaped like a skyscraper surrounded by sheds. A few massive hits drag the average upward while the vast majority of incidents are, in monetary terms, almost background noise.
This is the real texture of the semester. A headline stating "an average of $4.7 million was stolen per hack" would describe an ecosystem that doesn't exist: the typical 2026 hack doesn't steal millions, it steals a few hundred thousand. And a headline stating "the typical hack costs $219,000" would hide the fact that two operations took more than the other two hundred and five combined. Only both figures read together tell the truth: frequency and severity now live on different planets.
What role did North Korea play in the 2026 losses?
The skyscraper in that distribution has a name. Of the $972 million stolen in the semester, approximately $643 million—66% of the total—is attributed by TRM Labs to actors linked to North Korea, and practically all of that money left through two doors opened in the same month. On April 1, 2026, Drift Protocol lost approximately $285 million following a months-long social engineering operation in which attackers posed as a quantitative trading firm to gain access. Weeks later, on April 18, KelpDAO lost approximately $292 million through an exploit of its bridge (the component that moves assets between chains). Together: roughly $577 million in eighteen days.
We are not reconstructing the mechanics of those two hits here—we did that incident by incident in "How Lazarus stole 577 million from DeFi in 18 days without exploiting a single bug". What matters for the closing of the books is the arithmetic of concentration: two incidents out of two hundred and seven explain nearly six out of every ten dollars stolen in the entire semester.
| Semester Segment | Incidents | Losses | % of Total |
|---|---|---|---|
| Drift + KelpDAO (April, attributed to North Korea) | 2 | ~$577 million | ~59% |
| Rest of the semester | 205 | ~$395 million | ~41% |
| Total H1 2026 | 207 | $972 million | 100% |
The figure that provides historical perspective is cumulative: according to TRM Labs, cryptocurrency theft attributed to North Korea since 2017 now exceeds $6 billion. This is not opportunism or common crime; United Nations expert panels have for years described crypto looting as a state funding line that feeds the regime's weapons program. That is why the actor does not "retire" after a quiet semester: they return. And part of the subsequent challenge is what they do with the money once stolen, a laundering problem we addressed in the case of THORChain and Lazarus funds.
Why does the median hack cost $219,000 while the average is $4.7 million?
The gap between these two figures is not a statistical curiosity: it is a portrait of two attack economies coexisting under the same "crypto hack" label. It is worth separating them by vector, which the TRM report allows us to do with numbers.
| Attack Vector | Incident Share | Loss Share |
|---|---|---|
| Infrastructure and Private Key Compromise | ~15% | ~76% |
| Smart Contract Exploits | ~60% (125 of 207) | Small share |
| Other Vectors | ~25% | Remainder |
The reading is almost a mirror image. A mere 15% of incidents—infrastructure compromises, where the attacker steals the private key or hijacks the operations surrounding the code—accounted for nearly 76% of all the money. At the other extreme, 125 of the 207 incidents were smart contract exploits, the majority of the count, yet together they barely moved the needle in dollar terms. Code exploits are now high-frequency background noise; infrastructure compromises are the few shots that actually hit the vault.
This is where this semester's closing links to a thesis we previously defended and will not repeat in detail: that the target of the "big heist" has shifted from the audited contract to the perimeter surrounding it. We argued this with partial April data in "Why 2026 hacks target infrastructure, not the contract". The consolidated semester report does not contradict that reading: it confirms it with the final figure. The 76% of losses from infrastructure compromise in just 15% of cases is, precisely, the shift in the locus of the attack measured over a six-month period.
Is DeFi security improving or worsening?
The honest answer is: both at the same time, on different layers. If you look at the smart contract, security has tangibly improved. The fact that there are 125 contract exploits and that they collectively steal a minor fraction of the total loot means that audits, formal verification, and bug bounties have made draining a serious protocol via code so expensive that it is no longer worth it for major attackers. The contract has hardened, and the figures prove it.
But if you look at the perimeter—infrastructure, keys, human operators, bridge configurations—security has not kept pace. That is where 76% of the money went, and that is where defense lacks the equivalent of a contract audit. It is an uneven maturity: the industry fortified the part it knew how to fortify and left the part that changes daily, and that almost no one scrutinizes with the same rigor, relatively exposed. The drop in total loot is real and is good news; attributing it to "DeFi being safer" without nuance would be to mistake a slow semester for Lazarus for a defense that has solved the underlying problem.
Furthermore, this report has a precedent in the same format. The first-quarter closing already pointed in the same direction with less data; the comparison can be found in the Q1 2026 DeFi security report. Read in sequence, the quarter and the semester tell the same story with increasing clarity: the number of incidents is rising, the money per incident is falling, and the big loot is concentrated in very few hands.
Is the attribution to North Korea reliable?
This is the question a skeptical reader should ask, and the answer requires nuance. The attribution of $643 million to North Korea is an estimate by forensic analysis firms—led by TRM Labs, with consensus from other houses—built from on-chain patterns, address reuse, laundering techniques, and overlaps with previous operations already attributed. It is a solid and widely accepted method in the industry, but it is statistical inference based on money behavior, not a confession or a court ruling.
And there is an open dispute. North Korea already rejected any involvement in May 2026—in response to a previous partial report from TRM Labs—calling the accusations "absurd slander" and a political tool of the United States, without addressing the forensic method; as of July 5, there is no known public reaction from them to the July 3 semi-annual report. None of this invalidates the numbers—the consensus among independent firms is significant—but it requires precise phrasing: $643 million attributed to actors linked to North Korea, not $643 million whose authorship is proven beyond all doubt. The semester's book-closing also includes this caution: the star figure rests on an attribution that its alleged author denies.
What is the lesson of the semester?
The first half of 2026 leaves a headline that reads poorly at a glance but well with two figures in hand. "Record hacks" is true—207, there have never been so many—and "multi-year low in losses" is also true—$972 million, below one billion and less than half of 2025. Both phrases describe the same semester because they measure different things: one counts attacks, the other counts money, and in 2026 those two magnitudes have divorced.
For those building protocols, the lesson is that the number of contract audits says less and less about real risk: the big money exits through the perimeter. For those using DeFi, the lesson is one of exposure: the hack that will likely affect you is not the $285 million headline, but one of the two hundred and five with a modest median, and the best individual defense remains knowing what infrastructure backs every asset you touch and detecting early when an incident begins to contaminate it. And for the sector as a whole, the lesson is one of statistical humility: as long as a single state actor can decide with two operations whether the semester closes at $972 million or $2.3 billion, talking about "safer DeFi" requires looking at the median as much as the total.