DeFi logged approximately 70 separate exploits in Q2 2026, roughly doubling the previous quarterly record, even as the $746 million dollar total remains a fraction of historical single-event peaks.
Q2 2026 has become the most-hacked quarter in DeFi history by incident count, according to DefiLlama, which logged approximately 70 separate exploits across April, May and the first two weeks of June. The quarterly dollar total stands at roughly $746 million.
The figures reflect a structural shift in how DeFi is attacked. Total losses are far below peaks reached during single mega-exploits in prior years, yet the attack frequency has roughly doubled the previous quarterly record. April alone set a monthly record with 28 to 30 confirmed incidents and more than $625 million in losses, driven largely by the $285 million Drift Protocol breach on April 1 and the $293 million KelpDAO exploit on April 18. Those two incidents together accounted for 93% of the month’s losses, per Bitcoin.com’s summary of DefiLlama’s data.
April was already covered by The Defiant as the most-hacked month on record by incident count. Q2’s quarterly total adds May’s 41 reported incidents and approximately $84 million in losses, per a June 1 Cryip report, plus early June incidents including the $36 million Humanity Protocol bridge exploit.
The Volume-vs-Magnitude Pattern
The quarterly count of roughly 70 is double the previous record for any single quarter, per DefiLlama’s hacks database. The $746 million total, while significant, is small relative to prior headline-grabbing single events: the February 2025 Bybit breach alone reached approximately $1.4 billion.
Q1 2026, by comparison, saw 34 security incidents totaling approximately $169 million, per DefiLlama data cited by the Bitcoin Foundation. April’s surge was 3.7 times larger than the entire Q1 total. But the larger story at the quarterly level is frequency: incidents are arriving faster, even as no single attack in May or early June approached the scale of the two April mega-events.
May’s incident pattern differed from April’s. Rather than a pair of large bridge and social-engineering attacks, May spread $84.2 million across 41 incidents on 16 blockchains, with the five largest collectively accounting for about 60% of losses. Infrastructure-layer attacks, including multisig tampering, bridge verification bypasses, and vault churn address poisoning, represented 63% of May’s total dollar losses, per the Cryip report.
Ethereum and Bridge Infrastructure Concentrate Risk
Ethereum-connected protocols accounted for $61.9 million of May’s $84.2 million in losses, or roughly 74% of the monthly total, per the Cryip data. Bridge-related incidents have totaled over $328 million across all of 2026 to date, per a June 3 CertiK Skynet report. The KelpDAO wallet compromise alone represents $291.3 million of that figure.
The attack vector breakdown for the quarter reflects the shift away from smart contract code bugs. Three of the four largest incidents in Q2, including the Drift Protocol social-engineering attack attributed to North Korea’s Lazarus Group, the KelpDAO LayerZero bridge message spoofing, and the Thorchain vault churn address poisoning, involved attackers who obtained access through operational or infrastructure failures rather than exploiting on-chain logic flaws.
What’s Not Yet Disclosed
DefiLlama’s figures remain subject to revision as recovery efforts proceed and attribution on several June incidents is finalized. The $746 million quarterly figure does not account for any recoveries or restitutions made after incident reports. Several May and June incidents remain under active investigation, with amounts unconfirmed.
The Q2 record by incident count comes as the DeFi sector TVL has not recovered to pre-April levels following the TVL flight that followed the KelpDAO exploit.
Be the first to comment