Crypto Loses Over 35 Million USD in a Brutal Week of DeFi Attacks
The first full week of July was one of the worst stretches of the year for crypto security. Three major protocol attacks, a wallet flaw and a run of smaller thefts pushed confirmed losses past 35 million USD in just seven days.
The largest hit landed on BonkDAO, the community treasury behind the BONK memecoin on Solana, and it did not involve a single line of broken code. It was a hostile takeover of the project's own voting system, and it shows where the real risk in crypto now sits.
Table of content
A governance attack worth 20 million USD
Over several days, an attacker quietly bought about 4 million USD of BONK through exchange wallets, built up a dominant share of voting power, then pushed a malicious proposal through the DAO's token-weighted governance. The proposal had reportedly sat live for six days without a single challenge.
When the vote closed, wallets tied to the attacker controlled about 99.878 percent of the votes cast, even though only seven addresses voted out of more than 18,000 eligible wallets. Roughly 4.4 trillion BONK, worth about 20 million USD, drained from the treasury, and the attacker even renamed the DAO. Researchers called it less a hack than a takeover enabled by weak rules and near-zero turnout.
BONK fell more than 8 percent on the news, extending a decline of over 80 percent across the past year, and exchanges including Upbit, Bithumb and Kraken suspended BONK deposits and withdrawals while they traced the funds. The team says it has notified law enforcement and is working with exchanges and the Solana Foundation.
Flash loans and a forged oracle price
The other two attacks were more technical. On the same day, the multichain protocol Summer.fi lost close to 6 million USD to a flash-loan exploit, in which the attacker borrowed roughly 65 million USD in a single transaction to manipulate prices. The team paused its vaults, and investigators later traced the flaw to leftover tokens from an unrelated protocol collapse last November.
Then, to close the week, Hedera's largest lender, Bonzo Lend, was drained of about 9 million USD, with 5.25 million bridged to Ethereum. The attacker fed the protocol a forged price for one token, inflating its value enormously, then used a few dollars of it as collateral to borrow millions. A separate wallet that borrowed during the glitch later identified itself as a white hat and pledged to return the funds.
Wallets were not safe either. A newly disclosed flaw in how some older wallets generated recovery phrases, nicknamed Ill Bloom, has now been linked to more than 5 million USD in thefts, a reminder that the weakest link is often the tool holding your keys, not the blockchain itself.
What investors should take away
Zoom out and the pattern is clear. According to security firm CertiK, Web3 lost more than 1.31 billion USD across 344 incidents in the first half of 2026, with wallet compromises and phishing, not smart-contract bugs, now the biggest sources of loss. The attack surface is moving up the stack, toward governance, infrastructure and human approvals.
For everyday holders, the lessons are practical. Treat governance tokens and small DeFi platforms as high risk, be very careful what you sign, and keep long-term savings in self-custody on audited hardware rather than hot wallets. That is exactly why it pays to review the best crypto wallets and move serious funds off the exchanges and apps you trade on.
None of this means DeFi is broken, but it does show that in 2026 the biggest threats are rarely the code itself. They are the rules, the plumbing and the split-second approvals that surround it.
The takeaway for 2026 is uncomfortable but simple: in crypto, staying safe now depends as much on how carefully you behave as on how well the code was written.