Dragonfly Partner Says AI Has Not Triggered DeFi Hack Surge
Dragonfly managing partner Haseeb Qureshi said 2026 DeFi hack data does not show the AI-driven collapse some security researchers feared earlier this year.
Qureshi said attack counts have reached a record, but the typical loss has fallen sharply. He said the pattern points to more attacks against small or neglected projects rather than major AI-driven breaches of established protocols.
Median DeFi Hack Loss Falls Below $500,000
Qureshi said the median DeFi hack has fallen below $500,000 in 2026, compared with more than $2 million last year. He also said the annualized value stolen from DeFi remains below the 2025 level.
His assessment excludes months dominated by exceptional incidents, including the $1.4 billion Bybit theft in February 2025 and the Drift Protocol and KelpDAO attacks in April 2026. Removing those outliers leaves monthly losses this year below the comparable 2025 pace, according to Qureshi.
Qureshi argued that AI tools may be helping attackers find weaknesses across small protocols and abandoned code. Larger DeFi projects have also had time to improve audits, monitoring and emergency controls as AI coding systems have become more capable.
OpenZeppelin Founder Warns AI Still Raises Risk
The comments responded to OpenZeppelin founder Manuel Aráoz, who warned that AI agents can inspect smart contracts, locate vulnerabilities and build working exploits faster than human researchers.
Aráoz said he considers DeFi unsafe because autonomous coding tools are improving while deployed contracts can hold large sums in systems that cannot easily reverse malicious transactions.
His concern is that attackers may eventually automate more of the exploit process. Qureshi rejected the idea that this has already produced a sector-wide crisis. He said current data shows higher attack frequency but smaller typical losses, rather than repeated breaches of the largest protocols.
H1 Hacks Doubled While Losses Fell to $972M
Crypto attackers carried out 207 hacks during the first half of 2026, more than double the 83 incidents recorded a year earlier. Total losses fell to $972 million from $2.3 billion, while the typical incident cost about $219,000.
Smart contract exploits caused most incidents, but infrastructure and operational failures produced most of the losses. The Drift and KelpDAO thefts alone accounted for about $577 million and were linked to North Korean actors.
Infrastructure Breaches Remain the Larger Loss Risk
The figures do not show that AI poses no threat. They show that stolen keys, compromised systems and approval controls still cause more financial damage than automated contract attacks.
Protocols now face two separate problems: frequent code exploits against smaller projects and rare infrastructure breaches capable of draining hundreds of millions of dollars.