Futures
Access hundreds of perpetual contracts
CFD
Gold
One platform for global traditional assets
Options
Hot
Trade European-style vanilla options
Unified Account
Maximize your capital efficiency
Demo Trading
Introduction to Futures Trading
Learn the basics of futures trading
Futures Events
Join events to earn rewards
Demo Trading
Use virtual funds to practice risk-free trading
CFD
Stock CFD Derivatives
US Stocks
Access real US stocks and ETFs
HK Stocks
Trade quality Hong Kong-listed stocks
Korean Stocks
SK Hynix
Real Korean stocks and top assets
Stock Futures
High leverage, 24/7 trading
Tokenized Stocks
Backed by real stock assets
IPO Access
Unlock full access to global stock IPOs
GUSD
3.8%
Mint GUSD for Treasury RWA yields
Stocks Activities
Trade Popular Stocks and Unlock Generous Airdrops
Launch
CandyDrop
Collect candies to earn airdrops
Launchpool
Quick staking, earn potential new tokens
HODLer Airdrop
Hold GT and get massive airdrops for free
Pre-IPOs
Unlock full access to global stock IPOs
Alpha Points
Trade on-chain assets and earn airdrops
Futures Points
Earn futures points and claim airdrop rewards
Promotions
AI
Gate AI
Your all-in-one conversational AI partner
Gate AI Bot
Use Gate AI directly in your social App
GateClaw
Gate Blue Lobster, ready to go
Gate for AI Agent
AI infrastructure, Gate MCP, Skills, and CLI
Gate Skills Hub
10K+ Skills
From office tasks to trading, the all-in-one skill hub makes AI even more useful.
Biggest Crypto Hacks and Scams of 2026 So Far
Crypto security losses reached $1.316 billion across 344 incidents during the first half of 2026, according to CertiK’s H1 security report. Approximately $115.3 million was frozen or returned, reducing the adjusted loss to around $1.2 billion. The apparent improvement from 2025 needs context. The previous year’s first-half total included the exceptional $1.45 billion Bybit breach. Once that single event is excluded, CertiK estimates that comparable losses increased by approximately 28% in 2026. The distribution of those losses is just as important as the total. The average incident cost approximately $3.82 million, while the median loss was only $138,703. The average was therefore more than 27 times the median, showing that a small number of extreme failures drove the overall result. Three incidents alone, Kelp DAO, Drift Protocol, and a targeted $284 million phishing theft, accounted for approximately 65% of all reported first-half losses. A Loss Ranking Needs More Than One Number Crypto incident reports frequently compare figures that measure different forms of damage.
Gross loss
The value removed from a protocol or victim before recoveries.
Realized extraction
Assets the attacker successfully converted into transferable economic value.
Net loss
The amount still missing after freezes, returns, repayments, and recoveries.
User liabilities
Claims owed by a platform, which may be larger or smaller than the attacker’s original proceeds.
Notional exposure
The theoretical value of fraudulently issued or placed-at-risk assets, even when the attacker could not monetize the full amount.
The ranking below primarily uses reported gross losses. Recoveries, disputed valuations, and differences between attacker proceeds and platform liabilities are stated separately. For incidents involving unbacked token creation, realized extraction is more meaningful than the face value of the fraudulent supply. Otherwise, an attacker who creates $100 million of an illiquid token but extracts $1 million of real collateral could incorrectly be ranked as having stolen the full $100 million. The Largest Reported Crypto Losses of 2026
Statement on Recent Security Incident
In the early afternoon hours of 31 January (APAC), approximately $40M was drained from the Step Finance treasury. This was a result of our executive team’s devices being compromised.
Immediately after detecting the breach, we began working…
— Step☀️ (@StepFinance_) February 2, 2026
Earlier onchain estimates placed the loss closer to $27 million because they focused on the approximately 261,854 SOL initially identified leaving treasury wallets. Step’s later figure included a broader group of affected assets. Using the project’s $40 million gross estimate while separately reporting the recovered amount produces a more complete picture than selecting one figure without explaining why the estimates differ. The financial consequences of an attack can also extend beyond the amount transferred to the attacker. Emergency financing, legal expenses, user compensation, interrupted operations, and lost revenue can make the eventual business impact larger than the initial onchain withdrawal. 5. Humanity Protocol – $36 Million Humanity Protocol suffered an attack on June 9 after a compromised device exposed wallet data and private keys associated with privileged project accounts. In its official explanation, Humanity said the attacker copied private keys from the device and used them to execute the onchain attack. The project also said the Ethereum H token contract was protected by a separate clean multisig and that its canonical mainnet bridge was not compromised.
https://t.co/VjouykTSPw
— Humanity (@Humanityprot) June 12, 2026
Published estimates range from approximately $31 million to $36 million, partly because the stolen H tokens were valued at different market prices and at different stages of the incident. The more important structural problem was the concentration of multiple privileged credentials on one compromised endpoint. A multisignature arrangement only provides meaningful protection when its keys are separated across people, devices, locations, and administrative environments. Several credentials stored on or recoverable from the same computer can satisfy an onchain signature threshold while still operating as one practical point of failure. 6. Resolv Protocol – Approximately $26.8 Million Resolv Protocol was exploited on March 22 after an attacker compromised its cloud infrastructure and gained access to a key controlled through AWS Key Management Service. Resolv used an offchain service to authorize the creation of USR after users deposited collateral. According to CertiK’s incident analysis, the attacker made relatively small legitimate USDC deposits and then used the compromised service role to authorize approximately 80 million USR across two transactions. The contract verified that the authorization came from the approved service. It imposed a minimum output but did not enforce a maximum amount tied to the collateral deposited by the user. Once the privileged service was compromised, the attacker could produce signatures that were cryptographically valid but economically unsupported. This does not mean that cloud key-management services are inherently unsuitable for crypto infrastructure. The larger design problem was the amount of unrestricted economic authority granted to one service role. A protected key can still become a catastrophic failure point when the contract receiving its signatures does not independently enforce collateral ratios, minting ceilings, transaction limits, or withdrawal velocity. 7. Truebit – $26 Million Truebit was exploited on January 8 through an integer-overflow vulnerability in a bonding-curve contract deployed in 2021. The contract had been compiled with Solidity 0.5.3, before automatic overflow protection was introduced in Solidity 0.8.0. An attacker supplied an exceptionally large value that caused an arithmetic calculation to wrap around to a number close to zero. This allowed large quantities of TRU to be minted for almost no ETH and then redeemed for real ETH held by the contract. Chainalysis estimated the primary loss at $26.2 million. CertiK placedthe combined amount closer to $26.6 million, including approximately $224,000 extracted by a second attacker. The vulnerable implementation had not been publicly verified on Etherscan. That did not prevent attackers from examining it. Contract bytecode can be decompiled, old compiler behavior can be identified, and suspected vulnerabilities can be tested through simulations or blockchain forks. Truebit is the clearest major exception to the broader pattern seen in 2026. Its loss came from public execution logic rather than compromised operational authority. It also shows why dormant contracts must remain within audit, monitoring, and bug-bounty scopes for as long as they retain funds or permissions. Why Echo Protocol Does Not Rank as a $76.7 Million Theft Echo Protocol is sometimes described as suffering a $76.7 million loss because an attacker used a compromised administrator key to mint 1,000 unbacked eBTC carrying that notional value. The attacker did not extract $76.7 million in real assets. According to Merkle Science, 45 of the fraudulent eBTC were deposited into the Curvance lending protocol. The attacker borrowed approximately 11.29 WBTC, worth around $867,000, before the remaining 955 unbacked eBTC were burned. The accurate figures are therefore:
Classifying the full notional amount as stolen would exaggerate the realized damage by almost 90 times. Echo still exposes an important collateral-risk problem. Curvance’s oracle correctly recognized the market value assigned to eBTC, but it could not determine that those particular tokens had been created without backing. Price integrity is not the same as issuance integrity. Lending protocols accepting externally issued collateral need controls for abnormal supply creation, changes in minting authority, sudden collateral deposits, backing verification, and issuer-level administrative risk. A correct price feed cannot answer those questions by itself. The Common Failure Was the Control Plane The largest 2026 incidents did not share one code vulnerability. They shared weaknesses in the systems responsible for deciding what the code was allowed to do. In traditional infrastructure terminology, the execution layer processes ordinary activity, while the control plane determines permissions, configurations, trusted data sources, and exceptional actions.
That distinction maps closely onto the largest incidents:
Kelp: A verifier accepted a fabricated version of source-chain activity.
Drift: Valid signatures transferred administrative control.
Step: Compromised executive devices exposed treasury authority.
Humanity: A compromised endpoint exposed privileged keys.
Resolv: A compromised service role created valid but economically unsupported authorizations.
Echo: One administrator key could grant uncapped minting authority.
Truebit: The exception was an arithmetic flaw in legacy contract code.
CertiK recorded 204 code-vulnerability incidents during the first half of the year, producing approximately $151.6 million in losses. Wallet compromises caused $444.5 million across only 33 incidents. That works out to an average of approximately $743,000 per code-vulnerability incident and $13.5 million per wallet-compromise incident. On average, a wallet compromise was roughly 18 times more expensive. The comparison does not make smart contract audits less important. It shows that auditing the contract while excluding its signers, RPC dependencies, administrative interfaces, cloud roles, and emergency controls leaves a substantial part of the financial system untested. Five Controls That Address the Actual Failures Enforce Economic Limits After Authentication A valid signature should prove who approved an action. It should not grant unlimited economic authority. Minting, bridging, collateral approval, and withdrawals can still be restricted through maximum transaction sizes, rolling limits, collateral ratios, time delays, asset-specific caps, and automatic pauses. These controls may not prevent a credential compromise, but they can stop one compromised key from immediately creating an unlimited liability. Measure Independence, Not the Number of Keys A 3-of-5 multisig is not meaningfully distributed when three keys can be recovered from one laptop or controlled through the same corporate account. NIST’s key-management guidance emphasizes lifecycle controls including authorization, backup, accountability, separation of duties, compromise response, and protection of keying material. Protocols should identify whether supposedly independent signers share devices, password managers, cloud tenants, recovery procedures, physical locations, or reporting lines. Monitor Relationships, Not Only Transactions Every individual transaction in the Kelp exploit appeared valid. The detectable failure was the missing relationship between the two chains: rsETH was released on Ethereum without being burned on the source chain. Bridge monitoring should continuously reconcile locks, burns, mints, and releases across every relevant network. Similar invariant checks can compare collateral deposited against tokens minted, reserves against circulating supply, and approved withdrawal limits against actual outflows. Simulate Administrative Intent Before Signing Hardware wallets protect private keys, but they cannot determine whether a legitimate user is approving a malicious transaction. Administrative transactions should be decoded and simulated in a separate environment before execution. Signers need to see the resulting permission changes, newly approved collateral assets, pricing parameters, withdrawal limits, contract upgrades, and ownership transfers, not only a transaction hash or an opaque wallet prompt. Keep Legacy Contracts Inside the Security Perimeter A contract does not become safer because it has operated without incident for several years. Any deployment that holds assets, processes redemptions, controls protocol permissions, or remains connected to current products should have verified source code, documented compiler assumptions, active monitoring, and inclusion in audit and bug-bounty programs. AI-assisted decompilation may reduce the time attackers need to identify old arithmetic, access-control, or validation flaws. Security through obscurity becomes less effective as those tools improve. AI Is Amplifying Existing Fraud Models AI did not create the core vulnerabilities behind Kelp, Drift, Resolv, or Echo. Its more immediate effect is to reduce the cost of target research, impersonation, localization, and sustained communication. Chainalysis’ 2026 Crypto Crime Report, which analyzes 2025 activity, found that scam operations with identifiable links to AI-service providers were approximately 4.5 times more profitable than scams without those links. That evidence should not be presented as proof that every sophisticated attack in 2026 used AI. It shows that AI-assisted operations were already producing higher returns and could make several established techniques easier to scale:
Synthetic Identity
Deepfake video and voice impersonation.
Advanced Reconnaissance
Target research across social and professional networks.
Multilingual Social Engineering
Long-running conversations in multiple languages.
Adaptive Phishing
Cloned interfaces and personalized phishing pages.
Automated Vulnerability Research
Automated analysis of contracts and decompiled bytecode.
The likely development is a combination of social and technical methods. Social engineering obtains the credential or authorization; existing protocol permissions convert that access into a financial loss. Regulation Changes Accountability, Not Exploit Mechanics The European Union’s MiCA transitional period ended on July 1, 2026. Covered crypto-asset service providers generally now require authorization to continue operating in the EU, subject to the regulation’s scope and national supervisory decisions. MiCA can strengthen governance, custody, operational controls, and accountability. It cannot determine whether a bridge uses independent verifiers, whether privileged keys are properly separated, or whether an authorized signer understands a malicious transaction. The US GENIUS Act was signed into law on July 18, 2025 and establishes a federal framework for payment stablecoins. It is not a general cybersecurity regime for every bridge, exchange, wallet, or DeFi protocol. Regulation determines who is responsible and which safeguards should exist. Security engineering determines whether a forged message, compromised key, or malicious approval can execute before those safeguards respond. What to Watch Through the Rest of 2026 The final 2026 security picture should be judged through more than the cumulative headline loss.
Security Intelligence: Key Indicators
Loss concentration
Whether a few extreme incidents continue to dominate the annual total.
Attack surface
Whether wallet, administrative, cloud, and infrastructure compromises remain more costly than code exploits.
Recovery-adjusted damage
How much remains missing after freezes, repayments, and negotiated returns.
Attribution quality
Whether preliminary links to state-sponsored groups are supported by completed investigations.
Control adoption
Whether protocols introduce independent verification, transaction simulation, key separation, and enforceable economic limits before the next major attack.
This ranking is a snapshot prepared on July 17, not a final record for the year. Nearly 46% of 2026 remains, and historical loss figures may continue to change through asset recoveries, token-price revisions, newly identified wallets, and clearer distinctions between notional exposure and realized theft. The evidence supports a narrower conclusion: the highest-value incidents increasingly targeted the control systems surrounding smart contracts, signers, devices, RPC infrastructure, privileged services, and verification networks, rather than contract logic alone.
This article is for educational purposes only. Incident valuations may change because of asset-price movements, recoveries, revised attribution, and differences between gross exposure, realized extraction, and net losses.