Key Takeaways
- • SlowMist published its H1 2026 Blockchain Security and AML Report.
- • Blockchain security incidents rose to 182 while losses fell to $956 million.
- • DeFi remained the most targeted sector with 116 recorded incidents.
- • Supply chain attacks caused the highest financial losses during H1 2026.
- • Ethereum led incident count, while Solana recorded the largest ecosystem losses.
- • AI, phishing, and supply chain attacks expanded blockchain security risks.
SlowMist has published its 2026 Mid-year Blockchain Security and AML Report, finding that the blockchain industry recorded 182 publicly disclosed security incidents during the first half of 2026, resulting in $956 million in losses.
While the number of incidents increased compared with the first half of 2025, total losses declined sharply as fewer large-scale exploits occurred. SlowMist said blockchain security risks are also expanding beyond smart contract vulnerabilities, with attackers increasingly targeting software supply chains, developers, browser extensions, wallets and end users through phishing and social engineering campaigns.
Alongside exploit statistics, the report examines money laundering trends, the growing role of AI in cyberattacks, and how stolen assets continue to move through privacy protocols and cross-chain infrastructure.
Security Incidents Increased While Total Losses Declined
According to SlowMist, blockchain security incidents increased from 121 in H1 2025 to 182 in H1 2026, a year-over-year increase of more than 50%.
Despite the higher number of attacks, total losses fell from $2.37 billion to $956 million, a decline of nearly 60%.
The report attributes the change to a more fragmented threat landscape. Instead of several billion-dollar exploits dominating the period, losses were concentrated across a smaller number of high-impact attacks while a larger number of smaller incidents were disclosed.
SlowMist also noted that 18 security incidents involving about $389 million resulted in partial or complete asset recovery or freezing during the first half of the year. According to the report, approximately $118 million was recovered or frozen, including $5.16 million with assistance from SlowMist's security team.
Ethereum Recorded the Most Incidents While Solana Saw the Largest Ecosystem Losses
SlowMist's ecosystem analysis shows Ethereum remained the most frequently targeted blockchain during the first half of the year.
The accompanying statistics recorded 44 incidents on Ethereum, followed by BNB Smart Chain with 32 incidents. Other ecosystems collectively accounted for 30 incidents, while Arbitrum, Base, Solana, Polygon, Sui and Bitcoin recorded smaller totals.
Although Ethereum experienced the largest number of attacks, Solana generated the highest financial losses among the tracked ecosystems in SlowMist's breakdown. The report illustrates that attack frequency did not necessarily correlate with financial impact, with several large exploits accounting for a significant share of total losses.
DeFi Continued to Dominate Security Incidents
Decentralized Finance (DeFi) remained the primary target for attackers.
SlowMist attributed 116 incidents to the sector, representing the majority of recorded cases. Those attacks resulted in $488.88 million in losses.
Bridge protocols experienced only 20 incidents, but losses reached $346.34 million, making them the second-largest category by value lost.
The report also recorded four exchange incidents resulting in $29.28 million in losses; five wallet-related incidents causing $6.16 million in losses; five blockchain infrastructure incidents totaling $7.6 million; and two NFT-related incidents with minimal financial impact.
The findings continue a trend seen in previous years, in which cross-chain infrastructure remains one of the most expensive attack surfaces despite relatively few successful exploits.
The Kelp DAO Exploit Was the Largest Attack of the Half
Among the incidents reviewed in the report, SlowMist identified the Kelp DAO exploit as the largest security incident during the reporting period.
According to the firm's analysis, attackers compromised cross-chain infrastructure by exploiting weaknesses involving LayerZero's decentralized verifier network (DVN), together with RPC manipulation and denial-of-service activity, allowing forged cross-chain messages that ultimately resulted in losses of roughly $292 million.
The report uses the incident to demonstrate how modern attacks increasingly combine infrastructure weaknesses with protocol-level vulnerabilities rather than relying on a single exploit.
Smart Contract Bugs Remained the Most Common Cause
Smart contract and logic vulnerabilities remained the industry's most common security weakness.
SlowMist said these vulnerabilities accounted for 48% of all recorded incidents, making them the largest attack category by frequency.
Private key and credential compromises represented 9.6% of incidents, followed by supply chain attacks at 6.8%. Reserve manipulation attacks, compromised X accounts, social engineering, oracle misconfigurations, flash loan attacks, and governance attacks accounted for the remaining share.
However, incident frequency did not match financial impact.
When measured by losses, supply chain attacks ranked first, causing $297.8 million in losses during the first half of the year. Contract and logic vulnerabilities followed with $152.3 million, while private key and credential compromises resulted in $130 million in losses.
The figures suggest attackers increasingly relied on compromising trusted software and operational infrastructure rather than exploiting blockchain protocols alone.
Supply Chain Attacks Became More Sophisticated
SlowMist dedicated part of the report to the growing number of supply chain compromises targeting developers and blockchain companies.
One example highlighted a phishing campaign that impersonated audit procedures by sending token project emails requesting token vesting confirmations and supporting documents. The emails contained malicious attachments disguised as routine audit requests.
The report also referenced the malicious LiteLLM 1.82.8 package uploaded to PyPI. According to SlowMist, the package contained a malicious litellm_init.pth file capable of executing automatically when Python started, allowing attackers to steal developer credentials without requiring users to import the package directly.
Beyond these examples, SlowMist said attackers increasingly targeted package repositories, software dependencies and development environments, making software supply chain security a growing concern across the blockchain industry.
Wallet Phishing and Social Engineering Continued to Evolve
The report highlights several phishing campaigns aimed at cryptocurrency users.
Among the examples was a fake browser extension impersonating TronLink that prompted users to import existing wallets. Another case involved a phishing website that masqueraded as a MetaMask security verification page, instructing victims to enter their recovery phrase under the pretense of enabling additional security features.
SlowMist also documented WhatsApp-based social engineering campaigns in which victims were approached with seemingly legitimate partnership opportunities, only to be directed to malicious meeting links or fraudulent websites.
According to the report, attackers increasingly rely on trust-building techniques, fake business relationships, and impersonation rather than purely technical exploits to compromise victims.
AI Is Creating New Attack Surfaces
Beyond traditional blockchain exploits, SlowMist identified artificial intelligence as an emerging security challenge.
The report says AI-powered applications and autonomous agents introduce new attack vectors, including prompt injection, memory poisoning, excessive tool permissions and AI-generated phishing campaigns.
SlowMist said these risks extend beyond blockchain protocols themselves, affecting wallets, developer tools and applications that integrate AI models into their infrastructure.
Professional Drainer Services Remain Active
The report also examined the continued growth of organized wallet drainer operations.
One example featured RublevkaTeam, a drainer service advertising phishing infrastructure, automated Telegram bots, wallet spoofing capabilities, landing page generators and affiliate revenue-sharing programs.
SlowMist said these services lower the technical barrier for cybercriminals by offering ready-made phishing infrastructure that can be deployed across multiple blockchain ecosystems.
Exploited Funds Continued Moving Across Chains
Beyond the initial exploits, SlowMist analyzed how attackers launder stolen assets after successful attacks.
Transaction tracing included in the report followed funds stolen during the Kelp DAO and Humanity exploits as they moved through decentralized exchanges, bridges, and Bitcoin wallets before being consolidated.
The report notes that cross-chain movement, asset swaps and wallet fragmentation continue to complicate investigations and asset recovery efforts.
Privacy Protocols Continue to Play a Role in Asset Movement
The AML section of the report examined cumulative inflows into privacy-focused protocols between Jan. 1 and July 4.
According to SlowMist, Tornado Cash received approximately $691 million in cumulative inflows during the period, followed by Railgun with $222 million, Hinkal with $46.22 million, Privacy Pools with $12.65 million, and zkBOB with $2.06 million.
SlowMist noted that these figures represent cumulative deposits rather than illicit funds. The report also observed that stablecoins accounted for a growing share of deposits into several privacy protocols, particularly Railgun, reflecting changing laundering patterns as attackers increasingly move dollar-pegged assets rather than more volatile cryptocurrencies.
SlowMist Says Blockchain Security Is Expanding Beyond Smart Contracts
The report concludes that blockchain security is evolving from a narrow focus on smart contract vulnerabilities into a broader ecosystem challenge.
While contract flaws remain the most common cause of incidents, SlowMist said organizations must also secure software supply chains, developer environments, operational infrastructure and user-facing applications against phishing, credential theft and social engineering.
The firm's findings suggest that protecting digital assets increasingly requires a combination of secure development practices, operational security, user education and stronger AML capabilities as attackers continue to diversify both their techniques and laundering methods.




