The tweet was deleted by the author.
But we saved everything 🙂.
Cryptocurrency projects lost around $972 million across 207 hacking incidents in the first half of 2026. This was the highest number of attacks ever recorded, according to Immunefi’s June Ecosystem Update.
At the same time, total losses remained below $1 billion and were less than half the amount the industry lost in the first half of 2025.
Immunefi noted that the report’s main finding is mixed. Attacks are becoming more frequent, but the average damage from each individual incident is declining.
Decentralized finance losses from exploits fell 74% compared with the 2022 peak. At that time, DeFi projects lost $2.62 billion, while the figure has now declined to $680.3 million. The median loss per exploit fell 75% over the same period.
Immunefi attributed this to continuous security coverage, bug bounty programs, audit competitions and the growing number of researchers who find vulnerabilities before attackers can exploit them.
At the same time, the company also noted that full-year DeFi losses in 2025 amounted to $680.3 million, 74% below the 2022 peak but above $534 million in 2024. Immunefi explained the modest year-over-year increase by the growing complexity of multichain deployments rather than a broader decline in security.
Smart contract vulnerabilities remain a problem, but the most serious damage is increasingly tied not only to protocol code. According to the report, major losses are now caused by infrastructure failures, compromised private keys, errors in cross-chain system settings and weaknesses in privileged access.
Immunefi sees this as a structural change in the threat landscape. Attackers are increasingly moving higher up the technology stack and targeting operational and infrastructure layers, not just the code of the protocols themselves.
This trend is in line with Immunefi’s previous research. Bridge exploits, which once accounted for most DeFi losses, have largely moved into the background. Flash-loan attacks, which dominated in 2020, now account for only a fraction of a percent of total losses.
A separate risk for the crypto industry is that attacks are becoming not only technical but also psychological. Hackers are increasingly using AI to prepare phishing emails, fake messages, voice calls and deepfake videos. These tools help them more accurately imitate executives, exchange employees, fund representatives or project partners, making it easier to gain access to wallets, internal systems and private keys.
For crypto companies, this is especially dangerous because one successful deception can lead to an immediate loss of funds. While a smart contract error was once seen as the main risk, attackers are now increasingly targeting people and processes around the protocol. That is why Web3 security can no longer be limited to code audits: projects need strict access rules, verification of large transactions through several independent channels, phishing protection and team training on AI-driven fraud.
As a reminder, according to CertiK, losses from crypto hacking attacks fell by 47%.