TRM Labs published its first-half 2026 hack dataset on July 1, and the headline numbers split in two directions: attackers carried out 207 separate hacks — the most TRM has ever recorded in a six-month window — yet total losses fell to $972 million, less than half the $2.3 billion stolen in H1 2025. More incidents, less money: the gap between what gets hit and what gets stolen is now the story.
Context: what TRM measured
TRM tracks confirmed hacks and exploits across crypto-native platforms — DeFi protocols, exchanges, token projects, and the infrastructure that signs and moves funds. The H1 2026 dataset is not a complete picture of all crypto crime (phishing, scams, and covert IT-worker fraud sit outside this count), but it is one of the industry’s most cited benchmarks for on-chain theft.
The firm published the figures in a blog post on July 1, and CryptoSlate’s coverage independently corroborated the same figures.
The split: incident count vs. dollar losses
The incident surge is stark. H1 2026 saw 207 hacks, more than double the 83 recorded in H1 2025. Q2 alone produced 123 incidents, following a record-setting first quarter. The increase was steady across the half rather than driven by a single catastrophic month.
Most of that growth came from smart contract exploits, which accounted for 125 of the 207 incidents — roughly 60%. These attacks increasingly chain multiple contract manipulations into a single exploit rather than relying on one coding flaw. The typical loss, however, was modest: TRM puts the median hack at about $219,000, while the mean sits at $4.7 million — more than twenty times higher. A handful of enormous outliers pull the average up; the median better reflects the everyday threat.
Dollar losses tell the opposite story. Infrastructure and operational compromises — attacks on keys, signing systems, approval workflows, and custody rather than on-chain code — represented only about 15% of incidents but roughly 76% of stolen value. Smart contract exploits drove the count; key theft and infrastructure raids drove the money.
Two North Korea-linked operations in April illustrate the concentration. The Drift Protocol breach cost approximately $285 million; the KelpDAO exploit added roughly $292 million. Together, the pair totaled about $577 million — nearly 60% of all funds stolen in the half on their own.
TRM assesses that approximately $643 million, or about 66% of H1 2026 losses, is attributable to North Korea-linked activity. That is down from roughly $1.7 billion in H1 2025, but North Korea remained the single largest source of stolen value. The lower aggregate total reflects the absence of another theft on the scale of 2025’s largest attacks — not a reduction in attacker capability.
What this means for exchanges and LatAm users
The laundering path behind the largest thefts is now well mapped. Stolen assets typically move through cross-chain bridges and no-KYC swap services before reaching exchanges. First-hop wallet screening is not enough when funds can hop chains in minutes.
That matters directly for Latin America’s exchange ecosystem. Platforms like Bitso, Mercado Bitcoin, and other regional VASPs that process fiat on- and off-ramps are natural exit points for laundered crypto. Brazil, under the Central Bank’s VASP framework (Decree 11.563), began phasing in mandatory monthly transaction reporting for virtual asset service providers in 2026. Argentina, Mexico, and Panama are tightening their own compliance frameworks in parallel.
TRM specifically flagged that exchanges and financial institutions need multi-hop transaction monitoring — tracing assets across the full laundering path, not just the first transfer. The firm’s Beacon Network, which includes more than 70 member exchanges and DeFi protocols, is designed to share attacker wallet intelligence in minutes rather than days once malicious addresses are identified.
For individual users in LatAm — where stablecoin rails power remittances, freelancer payouts, and savings hedges against local-currency volatility — the report reinforces a practical lesson: where you keep your keys matters more than which protocol you use. A smart-contract audit does not protect you if the protocol’s signing infrastructure gets compromised. And if you deposit on an exchange, you are trusting that exchange’s operational security and compliance stack, not just its marketing.
The report also noted a $24 million “wrench attack” — physical coercion to force a key handover — as a reminder that crypto security extends beyond screens and code.
Takeaway
H1 2026 set a record for hack count while halving total losses. The industry is getting hit more often in smaller bites, but the catastrophic losses still come from compromised keys, signing infrastructure, and state-sponsored infrastructure raids — not from the DeFi code bugs that dominate the incident log.
If you self-custody, treat your seed phrase and signing devices as the crown jewels. If you use an exchange, favor platforms with visible compliance investment — especially as LatAm regulators start demanding the transaction data that makes stolen-fund tracing possible. This is a security and compliance story, not a market-timing signal. Not financial advice.



