Web3 security incidents cost the industry more than $1.31 billion across 344 events in the first half of 2026, according to CertiK's Hack3D H1 2026 Report, published Monday. Net losses stood near $1.2 billion after frozen and recovered funds, the blockchain security firm said.
Headline totals show a 46.8% year-over-year drop, but CertiK (in a post on its official X account) said that comparison is skewed by the $1.45 billion Bybit hack that inflated H1 2025's tally. Stripping out that outlier, H1 2026 losses were approximately 28% higher than the equivalent year-ago baseline.
Wallet compromise was the costliest attack vector, generating more than $444 million in losses across 33 incidents, CertiK found. The category was driven primarily by the Kelp DAO RPC compromise and the Drift Protocol breach, both of which occurred in April 2026.
Phishing incident counts fell, but losses stayed elevated as attackers shifted from broad campaigns to fewer, higher-value social-engineering hits on wallets holding significant on-chain wealth. Four such incidents accounted for roughly 85% of all phishing losses in the period, per the report.
CertiK also devoted a section to North Korea-linked activity, saying state-sponsored actors, most notably the Lazarus Group, have escalated operations as prior calendar years progressed, and flagged the second half of 2026 as a period of heightened concern.








