TRM Labs’ H1 2026 report landed like a forensic report on a crime scene, and the evidence is damning. The total volume of stolen assets? $1.07 billion across 207 incidents—double the H1 2025 count. But here’s the paradox the data reveals: while the number of attacks surged, the median loss dropped to $219,000, down nearly a third from the previous year. The narrative gets twisted when you pull the thread on the averages. The arithmetic mean? $4.7 million. That gap—between median and mean—isn’t noise. It’s a signal. The majority of crypto’s losses are no longer the result of clever code exploits. They’re coming from a place where audits rarely tread: the operational layer.
The data points are clinical. Infrastructural and operational attacks—events that target the decision-making mechanisms around who moves funds, how signatures are approved, and which infrastructure is trusted—accounted for only 15% of all incidents. But they siphoned off 76% of the stolen value. That’s a concentration ratio that screams systemic fragility. The smart contracts themselves are holding up; the systems around them are failing. And the numbers back it up. In H1 2025, we saw a similar pattern? Marginally. Back then, code exploits still ruled the headlines. Now, the contract code is increasingly becoming the second line of defense.
Consider the gravity: 66% of total losses—roughly $643 million—were traced to North Korea-linked activities. This isn’t script kiddie territory. These are state-aligned threat actors who combine advanced cryptographic attacks with social engineering, patient infiltration, and sophisticated money-laundering infrastructure. Their signature is methodical. Two incidents in April—Drift Protocol, $285 million; KelpDAO, $292 million—accounted for nearly all of the North Korea-linked totals. These weren’t flash loans or reentrancy attacks. Both protocols had their operational control intercepted. The code was fine. The governance was not.
The market hasn’t fully priced this shift. Investors still scan for ‘audited by’ badges. But an audit verifies logic, not intent. It tests the math, not the bureaucracy. The real blind spot is the permissions architecture—who holds the keys to the treasury multisig? What’s the approval workflow for a large withdrawal? How many signatures are required if three of the five signers are friends? The report is explicit: ‘Future large-scale losses will more likely stem from weak approval processes, private key leaks, social engineering, over-trusted vendors, or slow cross-chain incident response plans.’ I’ve audited these systems up close—spent 40 hours on Curve v2, then later stress-tested the Arbitrum bridge. The code was tight. The operational assumptions were not. In one case, a 15-minute latency bottleneck in the sequencer’s message-passing layer could have delayed finality during an attack. That’s not a bug; that’s a design choice that compounds risk.
The contrarian angle is uncomfortable. We assume that rigorous smart contract auditing is the bedrock of DeFi security. But the data says otherwise. The median loss is dropping because small-scale code exploits are getting harder to execute—auditors have caught up. The big losses persist because the attack surface has moved to where the money actually lives: the governance layer, the multisig, the custodian. If we continue to prioritize code audits over operational security, we are building castles on sand. The immune system of the industry needs to evolve from static code reviews to dynamic, ongoing operational stress tests.
The takeaway is stark: the next major liquidity crisis in crypto won’t be a protocol insolvency caused by a coding error. It will be a governance failure exposed by an operational breach. The math holds until the incentive breaks—and the incentive for attackers has clearly shifted. Volume masks the insolvency structure. We need to start auditing the decision-makers as rigorously as we audit the code.

