DefiLlama said on June 12, 2026 that the second quarter has already become the most-hacked quarter on record, with roughly 70 separate incidents logged so far, about double the previous quarterly high for raw incident count. The tracker shared the figure on its official account, and its public hacks database lets anyone reconstruct the running tally exploit by exploit.
The headline number is frequency, not size. A record count of break-ins does not automatically mean a record amount of money lost, and this quarter is the clearest example yet of that gap.
A record built on volume, not size
April set the tone for the quarter and still accounts for most of the dollars. DefiLlama earlier flagged April 2026 as the worst single month in crypto history for losses, driven by two large exploits that together did the bulk of the damage. The months since have added far more individual incidents without adding a comparably large pile of stolen funds.
That divergence matters. When a quarter's loss total is dominated by two events, the average hack is large and the count is low. Q2 2026 inverted the pattern: many more attacks, most of them smaller. For anyone holding crypto, the takeaway is not "the biggest hacks are getting bigger." It is "the number of ways to get hit keeps climbing."
Stolen keys, not broken code
The shift in hack frequency lines up with a longer trend DefiLlama has documented. Crypto exploits have totaled roughly $17 billion over the past decade, and the nature of those attacks has changed. Early losses came from smart-contract bugs: reentrancy, faulty math, mispriced collateral. More recent losses increasingly come from compromised keys, social engineering, and access control failures, where the contract worked exactly as written but the wrong person held the signing rights.
Recent incidents fit that mold. The $36 million Humanity Protocol exploit was traced to a multisig configured on a single laptop, not a flaw in the protocol's logic. Even where teams made users whole, such as Raydium covering a $1.34 million loss from a retired pool, the pattern is the same: the attack surface has moved from the code to the people and keys around it.
A higher count of smaller attacks is what you would expect if more attackers are probing access points rather than waiting to find a single catastrophic contract bug. It is cheaper to phish an admin or drain a misconfigured wallet than to discover a clean reentrancy bug in audited code, and it scales.
The custody question for card users
Most of this happens at the protocol and bridge layer, away from the average person spending crypto. The relevance for spenders is what the trend says about where to keep a balance.
Every crypto card sits on one side of a custody line. Custodial programs from exchanges and centralized issuers hold your funds and settle transactions from their own treasury. That is convenient, and it also means the platform's security is your security. If a provider is drained or freezes withdrawals, your spending balance can be caught in it, the same counterparty risk that turned FTX and Wirecard balances into claims rather than cash.
Cards that spend directly from your own wallet move that risk onto you. There is no shared treasury to drain, but the failure mode becomes personal: a leaked seed phrase, a malicious signature, or an approval you forgot to revoke. The Q2 data is a reminder that key compromise is now the dominant attack type, so the security burden of self-custody is exactly the burden attackers are leaning into hardest.
Neither model is strictly safer. The honest framing is that custodial cards concentrate risk in the provider, and self-custody cards concentrate it in your own key hygiene. A quarter with 70 incidents is a prompt to decide which of those you are better equipped to manage, and to avoid parking a large idle balance on any single platform you would not want frozen.
Context at the time of writing
The hack count lands during a jittery market. As of June 12, 2026, the Fear & Greed index sits at 18, in "extreme fear," even as prices bounced, with Bitcoin near $63,582 (up 2.8% on the day) and Ether around $1,672 (up 2.6%). Security incidents tend to bite harder in a fearful tape, because confidence is already thin and each new headline reinforces the caution rather than getting shrugged off.
Q2 is not closed yet, so the final figures will move. The trajectory is already set: more incidents than any quarter before it, and a loss profile that says the danger is shifting from contract bugs to whoever holds the keys.
Overview
DefiLlama reported on June 12, 2026 that Q2 2026 is the most-hacked quarter on record at roughly 70 incidents, about twice the prior record for count, though dollar losses remain concentrated in April's two large exploits. The pattern points to more frequent, smaller attacks centered on compromised keys and access rather than smart-contract bugs. For people spending crypto, it sharpens the custodial-versus-self-custody decision: custodial cards carry provider counterparty risk, self-custody cards put key security on the user, and the smart move is keeping less idle balance on any one platform.
