The second quarter of 2026 just became the worst three-month period on record for crypto theft. According to data compiled by the industry, 83 separate hacks drained a total of $755 million from protocols and users — a pace that outran every previous quarter. Bridge exploits, long a weak spot in DeFi, were the single biggest driver of losses.
Bridge exploits take the lead
Cross-chain bridges have been a favorite target for years, and Q2 2026 proved no exception. These protocols, which let assets move between blockchains, tend to hold large pools of locked value and often rely on code that hasn't been battle-tested at scale. Attackers hit them repeatedly over the quarter, pushing bridge-related losses past every other category combined.
The numbers don't tell a happy story for developers either. Despite years of audits, bug bounties, and security tooling, the frequency of successful attacks keeps climbing. The industry has gotten better at patching — but not at preventing.
Q2 by the numbers
Eighty-three hacks in 91 days works out to nearly one every 26 hours. The $755 million stolen represents a sharp jump from Q1 2026, though the full-year tally isn't in yet. No single exchange or protocol was named in the data provided, but the breadth of the attacks suggests a systemic problem rather than a few isolated flaws.
Some of the largest individual losses came from private-key compromises, flash-loan attacks, and governance exploits — but bridges consistently produced the biggest dollar figures.
The broader cybersecurity picture
Crypto isn't the only sector dealing with a surge in cybercrime in 2026, but the transparency of blockchain makes the damage unusually visible. Traditional finance sees similar attack volumes, but losses are often covered by insurance or quietly settled. On-chain, every stolen cent is public — and the pressure to recover funds is intense.
Regulators have taken notice. Multiple jurisdictions are pushing for mandatory security audits and tighter licensing for DeFi platforms. Whether those rules will land before the next wave of exploits is an open question.
For now, the record is clear: Q2 2026 was brutal. The next quarter will show whether the industry can learn fast enough.
