Crypto’s Worst Quarter for Hacks Was Really About Scams

Q2 2026 set a record with 83 exploits and $755 million stolen. Strip out a couple of giant protocol breaches, though, and the real danger to an individual holder was never the code, but the con.

The numbers from last quarter read like an industry-wide security failure. Between April 1 and June 24, 2026, attackers carried out 83 separate exploits and made off with roughly $755 million, the highest number of incidents ever recorded in a single quarter. Cross-chain bridges absorbed the worst of it at $351 million.

Look closer at that dollar figure, though, and it bends around a handful of events. A breach of the LayerZero OFT bridge drained $293 million from KelpDAO, and a separate hit on Drift Protocol took another $280 million. Two incidents, in other words, account for more than $570 million of the $755 million stolen. Neither one touched an ordinary self-custody wallet.

The smaller attacks kept coming right up to the close. Hackers pulled $36 million from Humanity Protocol on June 8, with the security firm Quantstamp tracing the funds toward North Korean operators. The Taiko bridge lost $1.7 million to a compromised chain-verification mechanism, and THORChain gave up $10.7 million in mid-May. Then, a wallet-generation flaw at SecondFi, the Cardano service formerly known as Yoroi, opened losses that external analysts warned could reach roughly $20 million.

Read as a headline, this is the story of a market that cannot keep its money safe. Read against your own wallet, it is something else.

Source: CryptoRank https://x.com/CryptoRank_io/status/2069716397119111172/photo/1

Strip Out the Giants and the Picture Inverts

Take the giant protocol breaches out of the math, and the risk facing an everyday holder looks nothing like the headline. The money that leaves individual wallets tends to exit through a quieter door.

TRM Labs found that 76 per cent of 2025’s losses came from infrastructure attacks, meaning keys and seed phrases extracted largely through social engineering. Code-level exploits accounted for just 12 per cent. Our partner, AMLBot, reached a similar conclusion from a different angle, attributing 65 per cent of the $11.36 billion in scam losses to social engineering rather than to any technical breach.

The biggest individual theft of 2026 makes the point on its own. At $282 million, it involved no code exploit at all. The victim was talked into surrendering a seed phrase to someone posing as Trezor support. The chain held. The person operating it did not.

The Con Has Scaled Faster Than the Code

Fixating on “the worst quarter for hacks” quietly points attention at the wrong threat. The growth in crypto crime is not in clever contract bugs. It is in impersonation, which Chainalysis clocked climbing 1,400 per cent.

That surge shows up everywhere an individual looks. A counterfeit Ledger Live app siphoned $9.5 million after slipping onto the App Store. Printed letters dressed up as official Ledger or Trezor mail now land in real mailboxes, each bearing a QR code linking to a lookalike site. Address poisoning has crossed 270 million attempts against more than 17 million wallets. The SecondFi breach already has a second act, with fraudsters posing as the project and pushing fake recovery tools at the very people who just lost funds.

Reading scam intent has become a core survival skill rather than an advanced one. SimpleSwap’s guide on how to spot a crypto scam and stop it breaks down the signals behind each of these schemes, from address poisoning to fake support, along with the habits that stop them before they reach your keys.

What an Account Quietly Costs You

Here is where the custodial exchange model carries a hidden charge. A balance held by someone else, accessible via a login, is exactly what an impersonator needs to get to work. The fake “exchange support” chat, the “your account has been compromised, confirm your sign-in” email, the cloned 2FA prompt, the SIM-swap timed to intercept a one-time code: each of these relies on there being funds to seize and a custodian to impersonate.

Put plainly, a custodian is a target. Wherever a company holds your money and your credentials, there is a role worth impersonating and a sum worth chasing.

A Model With Nothing to Impersonate

This is the part of the threat a swap aggregator can actually design around. SimpleSwap is self-custodial and wallet-to-wallet, so it never holds a balance for you and never sits between you and your funds as a custodian. That strips out the targets a custodial platform creates: a support desk for someone to imitate and a pool of customer funds to drain. Your keys stay with you, and so does responsibility for the human layer that fraudsters now spend most of their energy attacking.

The record number of exploits last quarter is real, and so is the lesson beneath it: the protocol layer keeps getting harder to break, while the human layer is where the money increasingly goes. In an age of impersonation, the cleanest defense is leaving an attacker nothing to impersonate.

The information in this article is not a piece of financial advice or any other advice of any kind. The reader should be aware of the risks involved in trading cryptocurrencies and make their own informed decisions. SimpleSwap is not responsible for any losses incurred due to such risks.

Crypto’s Worst Quarter for Hacks Was Really About Scams was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.