DefiLlama Says Q2 Was Crypto's Worst Quarter Ever: 70 Hacks, $746M. The Two Biggest Drained Trust, Not Code.

  • Writer: Patrick Duggan

DefiLlama's Q2 numbers are in, and they are a record nobody wanted: roughly 70 separate exploits in the second quarter of 2026, draining about $746 million, making it the most-hacked quarter in crypto history by incident count — close to double the prior record. The dollar figure actually trails past peaks, which is the part worth sitting with. More attacks, less stolen per attack. The crime is professionalizing into a high-frequency business.


April carried the quarter on its own: 30 incidents and over $625 million, led by two exploits that, between them, tell you almost everything about where this is going. Neither of them was fundamentally a smart-contract bug. Both were attacks on trust.



Drift Protocol: $285M, and the attacker deposited a million dollars to earn the shot


On April 1, an attacker took roughly $285 million out of Drift Protocol — the second-largest exploit in Solana's history. The mechanism was not a reentrancy bug or an oracle glitch. It was a long con against the people who held the keys. The attackers posed as a quantitative trading firm, met Drift contributors in person at conferences across multiple jurisdictions, and deposited over a million dollars of their own capital into the protocol to build credibility. Then they used Solana's durable nonces to pre-sign administrative transactions weeks in advance, so that when the moment came, the governance multisig could be subverted and the funds moved in minutes.


Read that as a security person and the crypto vanishes from the story. What you are left with is a textbook trust-lifecycle attack: an actor enters a system, spends months and real money moving from "new" to "proving" to "proven," accumulates the access that trusted status grants, and then converts all of it to cash in a single event. We have written before that this arc — trust, proving, proven, compromise — is universal. It is how Silk Road's reputation system worked, how Mt. Gox and FTX ended, how ransomware affiliate brands rise and exit-scam. Drift is the same arc executed against a multisig with a seven-figure entry fee, and the entry fee tells you the expected payout was always nine.



KelpDAO: $292M through somebody else's single point of failure


Seventeen days later, on April 18, KelpDAO's rsETH cross-chain bridge was drained of about 116,500 unbacked rsETH, roughly $292 million, with the wrapped ether stranded across some twenty chains. The post-mortem fight was instructive: LayerZero publicly blamed Kelp's configuration, pointing at a single-point-of-failure in the bridge's infrastructure setup. Whoever you assign the fault to, the lesson is identical to the one we keep writing about enterprise supply chains. The protocol did not have to be the weak link. The thing the protocol depended on, and did not control, was the weak link.


Both Drift and Kelp have been linked to the same operator: North Korea's Lazarus Group. The same unit drained more than half a billion dollars from DeFi in eighteen days using two structurally different vectors — social-engineering the humans who sign governance transactions at Drift, and poisoning depended-upon infrastructure at Kelp. That is not a hacker getting lucky twice. That is a state program running a portfolio.



Why an enterprise threat shop is reading a crypto report


Because the part of DefiLlama's number that should worry defenders in every sector is the shape of it, not the dollar total. The shift from a few enormous heists to seventy smaller, more frequent ones is the same industrialization we have watched in supply-chain attacks and ransomware: lower yield per hit, far higher throughput, automation doing the enumeration, and the human attacker reserved for the high-value trust play. When the marginal cost of an attack drops, attackers stop optimizing for the jackpot and start optimizing for volume. The DeFi sector is just the place where it is most visible, because the losses are denominated on a public ledger and a single honest aggregator counts them for everyone.


And the two flagship exploits both bypassed the code entirely. Drift went after the signers. Kelp went after the dependency. This is the consistent message of 2026 across every domain we cover: the audited smart contract, the patched server, the hardened endpoint — these are getting good enough that the attacker's cheapest path is now the human who is trusted and the infrastructure that is assumed. The frontend, the registrar, the multisig member, the bridge you did not write. Defend the door that is actually being used.


We are about 95 percent confident this high-frequency, trust-first pattern is the through-line of the quarter, and we cap there because the residual is where the next novel vector hides. DefiLlama did the unglamorous, load-bearing work of counting honestly. The receipts say crypto's worst quarter wasn't a failure of cryptography. It was a failure of trust — earned, proven, and then spent all at once.



