- CertiK’s Hack3d report recorded more than US$1.31 billion lost across 344 incidents in the first half of 2026, about 28% higher than a year earlier once the Bybit hack is excluded.
- Code vulnerabilities produced 204 incidents, the highest count of any attack vector, with hackers increasingly targeting legacy contracts more than a year old, according to CertiK.
- A four-year-old bug in Zcash’s Orchard pool, found by security engineer Taylor Hornby using a Claude-powered auditing agent, has firms including TRM Labs urging continuous review over one-time audits.
Crypto protocols lost more than US$1.31 billion (AU$1.89 billion) to hacks and exploits across 344 incidents in the first half of 2026, according to CertiK’s Hack3d report, and security experts say the same AI tooling speeding up those attacks is also helping defenders surface bugs that sat undetected for years.
Headline losses fell 46.8% from the first half of 2025, though that period included the US$1.45 billion (AU$2.09 billion) Bybit hack. Excluding it, CertiK said losses ran about 28% higher year-on-year.
Some US$115.3 million (AU$166 million) was frozen or recovered, putting net losses near US$1.2 billion (AU$1.73 billion). “The underlying security environment has not improved; in several meaningful respects, it has deteriorated,” the report stated.
Wallet compromise was the costliest vector at US$444.5 million (AU$640.1 million) across 33 incidents. April produced two of the largest single incidents of the half, the US$291 million (AU$419 million) Kelp DAO RPC compromise and the US$285 million (AU$410.4 million) Drift Protocol breach.
Phishing followed at US$366.3 million (AU$527.5 million) across 63 incidents, with incident volume down 52.3% while losses fell only 10.8%. Four incidents accounted for about 85% of the category’s losses, a shift CertiK attributed to highly targeted social engineering.
Related: SEC Eyes Sweeping Crypto Rule Overhaul Covering Tokens, Trading, and Broker-Dealers
Old Code Draws New Attacks
Code vulnerabilities cost US$151.6 million (AU$218.3 million) across 204 incidents, the highest count of any category, and CertiK identified a growing pattern of attackers targeting legacy contracts more than a year old, aided by improved automated tooling that finds latent vulnerabilities at scale. The firm warned that the window of maximum vulnerability does not close after launch.
Security engineer Taylor Hornby, engaged by Shielded Labs to audit Zcash, found a four-year-old soundness bug in the privacy network’s Orchard shielded pool in late May using a custom auditing agent powered by Anthropic’s Claude.
The flaw, in the codebase since May 2022, could have allowed undetectable counterfeiting; a patch shipped on June 1, an emergency hard fork followed on June 3, and developers believe no exploitation occurred. ZEC fell about a third on the June 5 disclosure.
Anthropic’s own December research found AI agents uncovered the equivalent of US$4.6 million (AU$6.62 million) in simulated exploits across 405 previously hacked contracts, and surfaced two unknown vulnerabilities while screening 2,849 newer ones.
TRM Labs Global Head of Policy Ari Redbord stated the data argues for continuous review in place of a one-time audit, with attack techniques moving faster than a launch-day audit can account for.
Related: Ripple Secures Full EU MiCA License, Clearing Path for Crypto Expansion Across Europe
AI,Hackers,Security#Speeding #Hacks #Hunts #Smart #Contract #Bugs #Security #Experts #Warn1783678101
