Crypto hack losses dropped below $1 billion in the first half of 2026, even as attack volume reached record highs. The Immunefi report signals a structural shift in how institutional players secure digital assets. For hedge fund operations teams and treasury managers, the data validates what security architects have argued for years: key management architecture determines exposure more than any other factor.
What happened
Immunefi's H1 2026 report documents a decline in total losses from exploits and hacks, with figures falling under the $1 billion threshold for the first time since 2023. This occurred despite attackers launching more attempts than in any prior six-month period. The gap between attack frequency and actual losses points to improved defensive infrastructure across the industry.
DeFi protocols and centralized exchanges both contributed to the improved numbers, though the mechanisms differ. Centralized platforms increasingly adopted multi-party computation (MPC) and threshold signature scheme (TSS) architectures, eliminating single points of failure in key management. DeFi protocols improved smart contract auditing and implemented time-locked governance controls.
The Immunefi data shows that protocols using distributed key management suffered disproportionately fewer successful exploits. Previous incidents like the StablR exploit demonstrated how traditional multisig arrangements fail under coordinated attack. TSS architectures, by contrast, never expose complete signing authority to any single party or system.
Why it matters
The correlation between TSS adoption and reduced losses is not coincidental. Traditional custody models concentrate signing authority in hardware security modules (HSMs) or multisig wallets that require threshold approval but still expose complete keys during signing operations. MPC-based TSS eliminates this exposure entirely. Key shares remain distributed across multiple computation parties, and the complete private key never exists in any single location.
For institutional allocators, this architecture addresses two persistent concerns: counterparty risk and operational security. A 3-of-3 threshold signature scheme, where the institution holds one share and the custody provider holds two, ensures that neither party can unilaterally move assets. The institution maintains sovereign control while gaining the operational benefits of a managed custody layer.
Regulatory frameworks are beginning to recognize these distinctions. Under the Markets in Crypto-Assets Regulation (MiCA) in the European Union, non-custodial architectures where clients retain control of signing authority may qualify for different treatment than full-custody arrangements. This has implications for capital requirements, licensing obligations, and client asset protection rules.
The H1 2026 data also reinforces the importance of third-party attestations. SOC 2 Type II certification, which verifies operational controls over an extended audit period, has become a baseline requirement for institutional due diligence. ISO 27001 certification provides additional assurance around information security management systems. Platforms lacking these certifications face increasing scrutiny from compliance teams at banks, hedge funds, and regulated fintechs.
Implications
The Immunefi findings carry direct implications for how institutions evaluate custody providers. The traditional question of whether to use hot or cold storage is giving way to more nuanced analysis of key management architecture, signing workflows, and audit trails.
Trusted Execution Environments (TEEs) add another layer to this analysis. TEEs provide hardware-isolated compute environments where MPC protocols can execute without exposure to the broader system. When combined with TSS, this creates a defense-in-depth model that addresses both cryptographic and operational attack vectors.
Concerns raised by security researchers about DeFi infrastructure readiness for institutional capital appear to be translating into measurable improvements. The protocols and platforms that invested in MPC/TSS architecture during 2024 and 2025 are now demonstrating lower loss rates than their peers.
For DAO treasurers managing significant protocol reserves, the data supports a reexamination of existing custody arrangements. Multi-signature wallets with 2-of-3 or 3-of-5 configurations offer flexibility but still expose complete keys during the signing process. TSS architectures perform the same threshold approval function without this exposure.
The compliance dimension is equally significant. Recent MiCA enforcement actions in Spain and other EU jurisdictions demonstrate that regulators are scrutinizing custody arrangements with increasing precision. Platforms that can demonstrate non-custodial architecture with client-controlled signing authority may face a lighter regulatory burden than full-custody alternatives.
Platform lock-in remains a consideration for institutions evaluating custody providers. Architectures that allow clients to maintain signing authority through their own key share enable migration to alternative providers without complex key regeneration procedures. This operational flexibility is particularly relevant for hedge funds and treasury teams that may need to adjust custody relationships as their portfolios scale or regulatory requirements change.
Enterprise treasury management practices are evolving to incorporate these architectural considerations into standard operating procedures. The Immunefi data provides empirical support for prioritizing MPC/TSS over legacy custody models.
What to watch next
The H2 2026 data will test whether the H1 improvements represent a durable trend or a temporary lull. Attack sophistication continues to increase, and state-sponsored actors have shown persistent interest in high-value crypto targets. The resilience of TSS architectures under sustained pressure will determine whether institutional adoption accelerates further.
Regulatory developments in the United States will also shape custody infrastructure decisions. The CLARITY Act and related legislation may establish clearer guidelines for digital asset custody that favor non-custodial and MPC-based models. Financial institutions preparing for these frameworks are already evaluating infrastructure that can satisfy both current European requirements and anticipated American standards.
Insurance markets are another variable. Underwriters have historically struggled to price cyber risk for digital asset custody. The H1 2026 data may provide actuarial support for differentiated premiums based on custody architecture. Platforms with SOC 2 Type II attestation, ISO 27001 certification, and TSS-based key management could qualify for more favorable coverage terms.
Cross-chain infrastructure presents ongoing challenges. Multi-chain portfolios require custody solutions that support consistent security models across diverse blockchain networks. The H1 2026 data does not disaggregate losses by chain, but institutional operators increasingly demand custody platforms that maintain uniform MPC/TSS architecture across ten or more supported networks.
Institutions evaluating custody infrastructure should examine their current key management architecture against the security models validated by the H1 2026 data. Vaultody's 3-of-3 TSS architecture with SOC 2 Type II and ISO 27001 certifications provides a framework for assessing whether existing arrangements meet institutional security and compliance requirements.