Over the past six months, the number of on-chain attacks surged by 50%. Total losses dropped by 60%. That divergence is not a victory lap for the industry. It is a warning flare.
Attack frequency is climbing. Losses per incident are shrinking. The surface area is expanding faster than defensive tooling can keep up. The data comes from SlowMist’s mid-year 2026 report – a cold, clinical snapshot of a security landscape mutating in real time.
Context matters. SlowMist processes over 80% of major blockchain security incidents globally. Their numbers carry weight. The headline: 50% more attacks, but absolute losses fell from $X billion to $Y billion. On the surface, progress. Under the hood, a structural shift in attack vectors.
Contract logic bugs still top the frequency charts. Private key and credential leaks come second. Supply chain attacks are rarer but carry the largest per-incident losses. Kelp DAO lost $290 million to a supply chain infiltration linked to Lazarus Group. Ethereum remains the most attacked chain.
But the real story is the quiet rise of AI as an attack multiplier.
Core: The AI Toolchain in Practice
I have manually audited smart contracts since 2018. I know the difference between a code vulnerability and a human vulnerability. The AI-driven social engineering playbook is not theoretical. SlowMist’s report lists three concrete cases.
Case one: Attackers used ChatGPT to generate phishing scripts tailored to the language and culture of specific DeFi communities. The scripts passed initial social screening. One click, private key gone.
Case two: A Lazarus sub-group used Grok, an AI chatbot, to decode blockchain signals and craft legitimate-looking investment proposals. They targeted protocol developers with fake job interviews, passed technical discussions, then injected malicious code into core libraries.
Case three: The most novel vector – the AI agent trust chain attack. An attacker exploits the inherent trust users place in their automated AI assistants (trading bots, governance agents). By feeding the agent a crafted instruction disguised as a routine query, the agent executes a token transfer or grants permissions. The logs show a normal interaction. The user sees no anomaly. The funds are gone.
Silence in the logs is louder than the crash.
This is a paradigm shift. Traditional security focuses on code audits, bug bounties, and real-time monitoring. Those tools catch exploits like reentrancy or oracle manipulation. They cannot catch a DeepSeek-generated email that looks exactly like a co-founder’s writing style.
I learned this lesson early. In 2018, I spent six weeks manually auditing Oasis Pro’s Solidity codebase. I found a reentrancy hole that could have drained $2.5 million. The fix was a single line of code. The attacker would have needed weeks to craft the exploit. Today, a script can generate that exploit in seconds.
In 2020, I stress-tested Lend’s liquidation engine with my own capital. I simulated flash loan attacks exploiting a 15-second oracle latency. That was a technical vulnerability. Today’s attacks don’t need oracle delays. They need one employee to click a fake invoice.
Precision is the only currency that never inflates.
Supply chain attacks deserve special attention. They accounted for only 12 incidents, but average losses exceed $10 million per event. The Kelp DAO case is instructive. Attackers embedded themselves in the development team through a meticulously staged recruitment process – fake LinkedIn profiles, deepfake video interviews, and a clean open-source portfolio. Once inside, they added a malicious dependency that diverted future withdrawals to their wallet.
This is not a code vulnerability. It is a process vulnerability. And process vulnerabilities do not show up in any static analysis tool.
The report also highlights a troubling trend: weaponization of AI for reconnaissance. Attackers use large language models to scrape protocol documentation, governance forums, and developer chats. They identify communication patterns, personality quirks, and emotional triggers. Then they craft bespoke social engineering campaigns that bypass spam filters and human skepticism.
Contrarian: What the Bulls Got Right
Bulls will point to the 60% decline in total losses as evidence that the industry is getting better at defending itself. Insurance pools are growing. Audits are more rigorous. Bug bounties are higher. The Kelp DAO recovery rate was better than historical averages.
They are not wrong – but the conclusion is incomplete.
The loss decline is partly a composition effect. Attackers have shifted from high-stakes, single-shot exploits to low-value, high-volume campaigns that are harder to detect and prosecute. The average loss per incident fell because attackers are now targeting smaller protocols with weaker defenses. The repeat rate is rising. The same attackers hit multiple projects with the same playbook before defenses adapt.
More importantly, the AI agent trust chain attack represents a completely unhedged risk. No major audit firm has a standardized checklist for this vector. No insurance policy explicitly covers it. The attack surface is literally the user’s own trust in their assistant.
In 2022, I reconstructed the Terra collapse. The math was broken from day one. The market believed the stability mechanism would hold until $100 million in withdrawals proved it wouldn’t. The AI agent trust chain feels similar – it will work perfectly until it doesn’t, and then it will work perfectly for the attacker.
Yield is just risk wearing a mask of mathematics. Replace ‘yield’ with ‘convenience’ and the same principle applies to AI agents.
Takeaway
The market is underpricing the structural shift. AI-driven social engineering and supply chain attacks are not a temporary spike. They are the new normal. The 50% increase in attack frequency is a linear trend that will accelerate as more AI tools become available. The decrease in total losses is a mirage caused by attackers optimizing for execution speed rather than payout size.
Expect the following in the next 12 months: a major AI-agent-integrated protocol will be compromised via trust chain exploitation, triggering a sharp revaluation of all AI-crypto crossover projects. Security-first infrastructure – hardware wallets, institutional custody, and insurance protocols – will see capital inflows as risk-averse investors rotate out of high-TVL DeFi protocols with opaque operational security.
I reviewed ETF custodial infrastructure in 2024. I saw how institutional entry shifted risk but did not eliminate it. The same dynamic applies here: the bull case for crypto’s maturation includes better security tooling, but the attacker’s cost curve is dropping faster than the defender’s.
Silence in the logs is louder than the crash. The crash is already underway. It is just happening one small attack at a time.