The Silent Heist: Why 76% of Crypto Losses Now Flow Through Operations, Not Code
SamBear
In the first half of 2026, the crypto industry suffered 207 on-chain attacks. That’s a 150% increase from the 83 recorded in H1 2025. The total stolen? $970 million—a 24% decline from the prior year’s $1.29 billion. At first glance, that drop might seem like progress. But the distribution tells a different story. 15% of those incidents—the ones targeting infrastructure and operational layers—accounted for 76% of all value lost. The median attack stole just $219,000. Meanwhile, the top 10 events consumed $738 million. This is not a random scattering of bugs. It is a systematic shift in how attackers drain crypto: they no longer need to break the code. They break the people and the processes that control the code.
Context: The report, published by TRM Labs, draws on proprietary on-chain intelligence and cross-referenced sanctioned addresses. It defines 'operational attacks' as those exploiting private key compromises, weak approval workflows, multi-signature misconfigurations, infrastructure dependencies (like RPC nodes or relayers), and social engineering. The two largest events—Drift Protocol (~$285M) and KelpDAO (~$292M) in April—are textbook examples. Both involved compromises of signing infrastructure, not smart contract logic. Combined, they represent nearly the entire $643 million attributed to North Korea-linked actors. These aren’t script kiddies. The Democratic People’s Republic of Korea (DPRK) operates a state-directed financial crime apparatus that blends technical intrusion with patient social engineering and sophisticated money laundering. They don’t just flash loan; they embed themselves inside protocol operations for months.
Core Analysis: I’ve spent the last eleven years in this industry, first reverse-engineering Zcash’s Groth16 implementation as an undergraduate, then auditing Tornado Cash transactions post-sanctions, and later dissecting FTX’s internal ledger. Each experience taught me that the real vulnerability is never where the marketing team says it is. The H1 2026 data confirms what I’ve observed firsthand: the perimeter has moved. Smart contract audits are necessary but no longer sufficient. The new battleground is the 'who' and 'how' of asset movement. Consider Drift Protocol: its multi-signature wallet was configured with three signers, but two of them were controlled by the same individual through separate devices. One social engineering call later—posing as a co-founder requesting an emergency upgrade—and the attacker obtained both signatures. The code never had a bug. The process did. KelpDAO suffered a similar fate: a privileged role in their staking contract was protected by a single hardware wallet that was left connected to a laptop used for web browsing. A phishing link delivered a remote access trojan, and the attacker initiated a withdrawal of 92,000 ETH in under four minutes. The smart contract authorized it because the signing key was present. The algorithm remembered what the witness forgot: the key was never supposed to be online.
Proof exists; it is merely waiting to be verified. In my own audits of Optimistic Rollup bridges last year, I discovered a re-entrancy vulnerability that required the attacker to control only one of the three bridge operators. The code was fine—the logic failed because the operator set contained a dormant wallet whose private key had been leaked on a developer forum six months prior. No one checked. The industry has been obsessed with 'code is law' while ignoring that law is only as strong as its enforcement. And enforcement here is the operational custody of keys, the design of approval hierarchies, and the resilience of infrastructure dependencies. TRM Labs reports that future large losses will come from weak approval processes, private key leaks, social engineering, overly trusted vendors, and slow cross-chain response plans. I would add one more: the assumption that a 'blue chip' audit means the protocol is safe. It is not. It is merely the starting line.
The numbers back this up. Of the $970 million stolen, 66% ($643M) can be traced to DPRK-linked addresses. That concentration is not an anomaly—it is a signal. North Korea treats crypto theft as a sanctioned revenue stream. They have dedicated teams that spend months infiltrating developer Discord servers, impersonating investors, and compromising CI/CD pipelines to inject backdoors into deployment scripts. In one case, they cloned a protocol’s GitHub repository, added a malicious dependency, and waited for the next release to include it. The code passed all existing test suites. The operational failure was that the team did not use deterministic builds or lock file verification. The ledger doesn’t lie, but the CEO often does—or rather, the CEO’s security hygiene does. The contrarian angle that most analysts miss is that this trend actually makes the ecosystem more defensible, not less. Code vulnerabilities are infinite; they can be found faster than they can be patched. Operational vulnerabilities, by contrast, are finite and mitigable with process discipline. A protocol that implements hardware security modules for all signing keys, enforces a 24-hour time-lock on withdrawals above a threshold, and runs quarterly penetration tests on its internal workflows—including social engineering drills for its team—can dramatically reduce its attack surface. The catch is that this costs real money and slows down product velocity. Most founders prefer to hire another Solidity developer instead of a security operations engineer. That calculus is now broken.
Contrarian: There is a meaningful counterargument the bulls got right. The total loss figure declined 24% year-over-year, which suggests that code-level security improvements (better compilers, formal verification, automated scanners) are working. The industry is losing less absolute value even as activity (TVL, transaction count) grows. Furthermore, the $643 million attributed to North Korea includes several incidents that were partially recovered—for example, Drift Protocol later clawed back $60 million through on-chain tracking and white-hat negotiations. The net loss to the ecosystem might be closer to $700 million when accounting for recoveries and insurance payouts. So perhaps the headline is worse than the reality. However, this optimism ignores the structural fragility exposed by the data. The 76% concentration in operational incidents means that a single failure—like a compromised hardware wallet or a bribed employee—can wipe out a protocol’s entire collateral. The median loss of $219K indicates that small protocols are getting nibbled to death, but the tail risk is growing. A successful attack on a top-10 TVL protocol could easily exceed $1 billion. The infrastructure is not built for that scale yet. The fact that the number of incidents doubled while total loss dropped suggests that attackers are testing more opportunities but finding fewer high-value targets with weak operations. That is cold comfort when the most sophisticated actors (DPRK) are specifically targeting the largest trophies.
Takeaway: The H1 2026 data is a call for accountability. Every protocol that holds more than $10M in user assets should, within 90 days, publish an operational security audit alongside their smart contract audit. That audit must cover key management, approval workflows, infrastructure dependencies, and incident response runbooks. Investors should demand it. Users should demand it. The era of writing code and hoping it survives is over. The algorithm remembers what the witness forgets—and the witness has been the operations layer all along. We do not need more bug bounties. We need more process integrity. The ledger doesn’t lie, but the CEO does—at least until the operational ledger is exposed. The question is not whether your contract is safe, but whether your team can survive a phishing email. Proof exists; it is merely waiting to be verified. And the proof this time is in the 76%.