# June's Crypto Thefts Concentrate in Stolen Keys, Not Broken Contracts

Roughly $75.9 million in reported losses last month was led by a $32 million private-key breach at Humanity Protocol and a $20 million wallet-software flaw on Cardano, extending a year in which access-control failures overtook smart-contract bugs.

- Published: 2026-07-06T10:30:26.552Z
- Canonical: https://polylog.news/crypto/2026-07-06/june-s-crypto-thefts-concentrate-in-stolen-keys-not-broken-c
- Publisher: Polylog (Crypto desk)
- Section: crypto
- Sources: [Rekt News](https://www.rekt.news/), [CoinDesk](https://www.coindesk.com/tech/2026/06/09/humanity-protocol-token-crashes-more-than-80-after-a-usd32-million-private-key-hack), [BeInCrypto](https://beincrypto.com/crypto-hacks-june-2026-total-losses/)

The security ledger tracked by [Rekt News](https://www.rekt.news/) and independent researchers points to the same conclusion for 2026: the costliest failures are increasingly about who holds the keys, not whether the code is correct. Reported losses across crypto platforms reached roughly $75.9 million in June, [according to BeInCrypto's tally](https://beincrypto.com/crypto-hacks-june-2026-total-losses/).

The largest June incident hit Humanity Protocol, an identity network. An attacker who compromised an employee's laptop obtained enough keys to control a hot wallet and two multi-signature accounts, then drained tokens that [CoinDesk reported at about $32 million](https://www.coindesk.com/tech/2026/06/09/humanity-protocol-token-crashes-more-than-80-after-a-usd32-million-private-key-hack), wiping most of the token's value within a day. The root cause was access control, not a contract exploit. On-chain investigator ZachXBT publicly questioned the circumstances and called the episode "possibly staged," a claim the project has not confirmed and that remains contested.

A second incident struck SecondFi, a Cardano project, where a flaw in the wallet software exposed user funds. The security firm SlowMist estimated losses may exceed $20 million, with more than 129 million ADA moving through addresses tied to the attacker. Smaller drains through the month, spanning deprecated contracts and compromised operator accounts, make up the balance of the total.

Read against the full year, the pattern is consistent. Multiple industry trackers now attribute more than half of DeFi incidents by count to compromised accounts rather than smart-contract logic, with cross-chain bridges and privileged keys the recurring weak points. The through-line is custody discipline: many of these systems concentrate control in a few keys while marketing themselves as decentralized.

## What this means

The attack surface that matters most is shifting from Solidity bugs to operational security, meaning the private keys, laptops, and multi-signature setups that back nominally decentralized systems. That is harder to audit than code and reveals how much real control sits with a handful of operators. For anyone assessing counterparty risk, key management is now the first question.

## What to watch

- Whether Humanity Protocol or independent investigators produce forensic detail that resolves the dispute over whether the breach was external or staged, which would set attribution norms for insider-suspected hacks.
- Whether projects respond with hardware-key and quorum requirements for admin functions, the concrete controls that would slow the rise in key-compromise losses.
