Phishing, deepfakes and supply-chain attacks drive 2026 crypto hacks
CertiK warns phishing, real-time deepfakes and supply-chain compromises will power 2026’s largest crypto hacks; April saw a spike in losses.

Security research firm CertiK has flagged phishing, real-time deepfakes (AI-generated voice and video), and software supply-chain compromises as the primary threat vectors likely to fuel the biggest cryptocurrency hacks in 2026. The firm notes that losses this year have already topped roughly $600 million, with a concentration of large incidents reported in April. Major crypto outlets have summarized CertiK’s findings and highlighted several high-value exploits.
CertiK’s analysis explains that attackers increasingly combine AI-enabled social engineering with technical exploits. Notable incidents cited by CertiK and press reports include a $293 million exploit affecting Kelp DAO, tied to a single point of trust in cross-chain messaging, and a $280 million attack on the Drift Protocol. The firm also points to supply-chain breaches as particularly destructive, reporting $1.45 billion in losses from two incidents in 2025, including a major Bybit compromise. These cases illustrate how operational and dependency failures amplify systemic risk.
Market impact has been felt in risk pricing rather than immediate market-wide crashes: DeFi projects, cross-chain bridges and custodial services are increasingly scrutinized by both retail and institutional participants. Investors are shifting long-term holdings into cold storage and applying higher due diligence to bridge and oracle exposure. At the same time, regulators in major jurisdictions are expanding cyber programs to cover digital-asset firms, which could raise compliance costs and impose stricter operational requirements.
In the broader context, CertiK warns that the industrialization of AI makes both offensive and defensive capabilities more potent. Real-time deepfakes can undermine biometric or visual identity checks, while “harvest now, decrypt later” strategies and unsigned dependency chains raise concerns for long-term custodianship. CertiK recommends cryptographic verification, stricter dependency signing and continuous monitoring as mitigations to limit large-scale cascade failures.
Analysts expect continued pressure from social engineering and supply-chain threats in the coming months, but also foresee greater investment in AI-driven detection, formal verification and third-party audits. For market participants, CertiK’s message is clear: basic security hygiene—verifying URLs and smart-contract addresses, avoiding unsolicited QR codes, and using cold wallets for significant holdings—remains essential even as the threat landscape evolves.

