Every quarter, the SEAL Intel team pulls together the incidents, patterns, and attacker behavior we've tracked across the ecosystem into a threat intelligence report. Q2 2026 was a busy one with 47 high-confidence incidents with roughly $115.4 million + 500 BTC + 50 ETH in stolen losses.
There's a silver lining buried in those numbers because most attempts we tracked never made it to actual theft. We’re setting detection and EDR deployment doing really effective work, but the attempts that do get through are getting more costly, and the combination of more attempts blocked but bigger losses when one lands, is the bottom line for everything we discuss below.
The full report goes deeper on attribution, tooling, and technical indicators. This post is the shorter version focused on the top threats we’ve seen and what you can actually do about them.
1. DPRK is still the biggest threat by a wide margin
North Korea-linked actors accounted for about $88.65 million of the $115.4 million in total losses this quarter (roughly 77 cents of every dollar stolen). These groups aren't slowing down, and they're not standing still either. Rather, they're quickly adapting their tactics and successfully getting into organizations’ infrastructure using new approaches each time.
Making things even messier, we're also seeing more "copycat" actors borrowing DPRK-style methodologies. That means the playbook is spreading beyond the original group, and defenders can't assume a familiar-looking attack means a familiar attacker.
What to do: Assume DPRK-style tactics are being used against you even if you don't think you're a high-profile target. Their methods are now everyone's methods.
2. AI is lowering the bar for attackers of all skill levels
Threat actors are actively using AI for vulnerability research, malware development, and reconnaissance on target infrastructure. The effect isn't just that sophisticated groups move faster (though they are); it's that less experienced attackers can now produce work that used to require time-honed expertise.
What to do: Don't calibrate your defenses to the skill level of attackers you've seen before because the floor for how good an attacker needs to be to hurt you has dropped.
3. Attackers have moved beyond stealing private keys
For a long time, the mental model for crypto security was focused on protecting keys, but that’s no longer enough. Attackers are increasingly targeting the infrastructure around the keys including oracle systems, RPC nodes, and the endpoints used to validate or sign transactions. If they can manipulate the data or process feeding into a transaction, they don't need your key at all.
What to do: Every layer of your protocol's infrastructure needs to be treated as a potential target, not just the components that touch private keys directly.
4. Social engineering has gotten a lot more convincing, and it's coming from the inside too
Phishing and fake front-ends aren't new, but the sophistication has jumped and we’re seeing that synthetic personas with detailed, believable activity histories are now standard tradecraft. At the same time, we're seeing more use of "facilitators," people who use legitimate identities to help adversaries get inside organizations. This started with fake job applicants (the well-known DPRK IT worker or "moonlighter" pattern), but it has grown into a broader vector for financial fraud and infrastructure compromise.
Attackers have also largely abandoned "smash and grab" attacks in favor of patient, methodical lateral movement and carefully timed thefts. They're willing to wait.
What to do: Standardize due diligence for anyone new interacting with your organization, including contractors and job candidates, and give employees a clear, low-friction way to report anything that feels off.
5. Attackers are hiding inside tools you already trust
Rather than standing up disposable domains and hosting that's easy to flag, attackers are increasingly using legitimate platforms like GitHub, npm, and Google to deliver payloads. In some cases, compromised systems are being used to push malicious code directly into a company's own GitHub repositories, turning a single compromise into a distribution channel for the next one.
Malware itself has also gotten more comprehensive with cross-platform payloads (including a rise in macOS-specific campaigns) that combine infostealer, RAT, and backdoor capabilities in a single package.
What to do: Treat "assume breach" as your default posture. Maintain full visibility into your dependency chain, and don't extend automatic trust to a repository or package just because the platform hosting it is reputable.
Want the technical deep dive? This post covers the highlights, but the full Q2 2026 report includes detailed incident breakdowns, attacker cluster data, and technical indicators. Full reports are available to institutional donors.