Top Crypto Hacks of 2026: Biggest Web3 and DeFi Security Failures

Top Crypto Hacks in 2026 KelpDAO, Ostium, THORChain, Verus, and DxSale overview

Top Crypto Hacks: How $100M+ Vanished in Blockchain Attacks

Crypto security has had a genuinely rough stretch this year. Trackers following DeFi exploits put total losses well into the More than $100 million was lost across 20+ top crypto hacks, and the pattern behind them has shifted in an interesting way. Fewer attackers are digging through smart contract code looking for bugs. More of them are going after the people and infrastructure sitting around that code instead: compromised keys, manipulated price feeds, forged bridge messages, and old contracts nobody thought to check on anymore.

defillama data regarding to recent hack

Source: defillama.com data

Here's a closer look at five of the largest incidents from this stretch, broken down by what actually happened, how much was lost, what the team behind each project said afterward, and whether anything was ever recovered in top crypto hacks

graphical representation

The KelpDAO Bridge Exploit

What happened: On April 18, attackers found a way into the infrastructure behind KelpDAO's cross-chain bridge. The bridge runs on a messaging system that lets tokens move between blockchains, and this system relies on a small set of verifier nodes to confirm that a transfer is genuine. KelpDAO's setup used just one verifier instead of several checking each other, so once attackers got into that single verifier's backend servers, they could push through fake confirmations that looked completely legitimate onchain.

How much was lost: Roughly 116,500 rsETH, worth about $292 million. That makes it the single largest loss on this entire list and one of the biggest DeFi hacks of the year overall.

What the team said: KelpDAO's emergency multisig froze the protocol's core contracts within about 46 minutes of the drain, fast enough to block two follow-up withdrawal attempts. In the weeks afterward, KelpDAO and the company behind the bridge infrastructure publicly disagreed over who was responsible for the risky single-verifier setup. The infrastructure provider eventually admitted it had allowed a configuration that wasn't appropriate for an asset holding this much value.

Was it recovered: No. As of the most recent reporting, the stolen funds have simply sat untouched rather than being moved, laundered, or returned. KelpDAO has since switched its bridge over to a different cross-chain messaging provider.

official source of kelpdao

Source for verification: KelpDAO official X post

The Ostium Oracle Exploit

What happened: On July 15, someone got hold of a signer key tied to Ostium's price-feed system. Ostium runs perpetual futures on real-world assets like stocks and forex, and it needs live price data pushed onchain constantly to know whether trades are winning or losing. Using that compromised key, the attacker submitted fake, future-dated price reports that made losing trades look profitable, then simply cashed out the fabricated gains. The whole thing reportedly took about five minutes.

How much was lost: Estimates range between $18 million and nearly $24 million, depending on which security firm's tracing you go by.

What the team said: Ostium noticed the unusual activity almost right away and paused all trading within about an hour of the attack starting. Its founder confirmed the exact timing publicly and said the team was working alongside outside security firms and, separately, with law enforcement to dig into what happened.

Was it recovered? No, that's not been publicly confirmed. No reimbursement plan or fund recovery has been announced as of the latest updates.

official source of ostium hack

Source for verification: Ostium exploit

The Verus Bridge Exploit

What happened: On May 17, an attacker found a missing validation check on the Verus-Ethereum bridge and used it to drain a mix of wrapped Bitcoin, ETH, and USDC straight out of the bridge's reserves.

How much was lost: About $11.58 million total.

What the team said: Verus moved fast, shutting down its block-producing nodes to stop any further transfers and pushing out an emergency patch to close the gap. Then it did something a bit unusual: instead of only threatening legal action, the team publicly offered the attacker a deal. Return 75% of the stolen funds within 24 hours, and the remaining 25% would be treated as an accepted bounty rather than pursued as theft.

Was it recovered? Mostly, yes. The attacker took the deal and returned 4,052.4 ETH, worth roughly $8.5 million, a few days later, keeping about $2.8 million as the agreed bounty. This is easily the cleanest recovery story on this list. Verus did note publicly that accepting the deal didn't rule out further legal action down the line.

official source of verus hack

official source of recover

Source for verification: Verus recovery

The THORChain Vault Exploit

What happened: On May 15, someone who had joined THORChain's network as a node operator just two days earlier exploited a weakness in the process nodes use to jointly sign off on transactions. That let them reconstruct enough key material to move funds out of one of THORChain's six vaults without proper authorization.

Source: Yt THORChain

How much was lost: About $10.7 million from that single vault.

What the team said: THORChain's automated monitoring caught the imbalance within minutes and triggered a network-wide halt on trading and signing, even while the underlying blockchain kept running normally. The network then stayed paused for roughly five weeks while the team investigated and coordinated a response with node operators.

Was it recovered? Not directly, but the protocol chose not to pass the cost onto RUNE holders either. Rather than creating new tokens to cover the gap, which would have diluted everyone's holdings, THORChain absorbed the loss using its own protocol-owned reserves. It's also worth knowing this wasn't a one-off for THORChain; the network has dealt with repeated security incidents over the years, including an earlier personal wallet compromise tied to its founder.

official source of thorchain

Source for verification: THORChain exploit

The DxSale Legacy Locker Exploit

What happened: The real story here starts about 269 days before the actual theft. Ownership of an old DxSale liquidity-locking contract on BNB Chain quietly changed hands to a new wallet, with no announcement made to any of the projects or users whose funds were still sitting locked inside it. On May 29, the new owner used a newer BNB Chain transaction feature to drain the contract in one coordinated sequence, hitting roughly 1,400 separate locked positions, some dating back to 2021.

How much was lost: Around $7.3 million.

What the team said: DxSale's public statement pinned the blame mainly on that newer BNB Chain feature, without really addressing the earlier, undisclosed ownership change that actually gave the attacker control in the first place. The team did clarify that its newer locker contracts, which have been through third-party audits, were untouched and remain safe to use.

Was it recovered? No public compensation plan for the affected liquidity providers has been confirmed as of the latest coverage.

official source of DxSale

Source for verification: DxSale exploit

Conclusion

Line these five up together, and a pattern jumps out fast. The biggest loss on this list didn't come from a flaw in any smart contract; it came from infrastructure sitting just outside it, a bridge's verification system that only had one point of failure. Ostium's attack worked the same basic way, going after a price-feed signer key rather than the trading contracts themselves. Even the smaller losses fit the theme. THORChain's came down to a compromised signing process, and DxSale's traced back to an old, forgotten contract that changed hands quietly without anyone noticing.

The aftermath looked pretty different from project to project, too. Verus talked its way into recovering most of what was stolen within days. THORChain ate the loss itself instead of passing it on to token holders. KelpDAO and Ostium, the two biggest top crypto hacks here, are both still working through investigations with nothing recovered yet. DxSale's response drew some criticism for what it left out of its own explanation. Not one of these five required an attacker to actually break smart contract logic, and that says a lot about where crypto's weakest points really are right now.

Disclaimer

This article is for educational and informational purposes only and should not be considered financial or investment advice. Figures cited reflect estimates reported by blockchain security firms and news outlets at the time of writing and may be revised as investigations continue. Always verify details through official project channels and do your own research before making any financial decisions.

Bablu Singh Nirwan

About the Author Bablu Singh Nirwan

English Blog Writer at coingabbar.com

Bablu Singh Nirwan is a passionate Content Writer with 6 months of experience in writing informative and engaging content related to blockchain, cryptocurrency, Web3, and digital finance. He has a strong ability to research emerging trends, simplify technical topics, and create SEO-optimized articles that provide value to a wide audience. His work emphasizes clarity, originality, and accuracy while covering market updates, educational content, and industry insights. Dedicated to continuous learning, Bablu stays informed about the latest developments in the crypto space and is committed to producing impactful content that keeps readers informed and engaged.

Leave a comment

Frequently Asked Questions (FAQ)

Faq Got any doubts? Get In Touch With Us
Scroll to Top