Losses from crypto hacks plunged to roughly $37.7 million in February 2026, marking the lowest monthly tally since March 2025. Despite a steady number of incidents, attackers walked away with far less money than in previous months, pointing to a shift in the scale – but not the frequency – of exploit activity across the digital asset ecosystem.
According to data compiled by CertiK, the February total reflects a drop of about 60% compared with January and a sharp decline relative to the typical monthly losses seen throughout 2025. The key reason is not that hackers suddenly disappeared, but that high-value exploits became less common, while defensive measures and rapid incident responses improved.
Wallet compromises remain the top threat
The most damaging category in February was wallet compromise, which accounted for around $16.6 million in losses. These attacks typically involve private key theft, seed phrase exposure, or sophisticated malware that gains unauthorized access to users’ wallets. Given that wallets are the direct gateway to funds, even a single successful compromise can quickly drain substantial balances.
Closely behind were price manipulation schemes, which resulted in about $11.4 million in stolen funds. These attacks often exploit thin liquidity or oracle weaknesses, allowing attackers to distort asset prices, borrow against inflated collateral, or trigger liquidations in leveraged positions.
Phishing attacks, while often lower-value per victim, remained a persistent hazard. They collectively siphoned off around $8.6 million in February, matching January’s figure. The consistency in phishing-related losses underscores that social engineering continues to be one of the most effective tools in a hacker’s arsenal, even as technical defenses improve.
Breakdown by incident type
Beyond wallets and phishing, several other exploit categories contributed to February’s loss total:
– Code vulnerabilities were responsible for approximately $5.1 million in damage, highlighting that smart contract bugs and unpatched security flaws remain lucrative vectors for attackers.
– Exit scams – where project operators disappear with user funds or abruptly shut down without fulfilling obligations – added another $2.1 million in losses.
Although these numbers are smaller compared to previous months, they show that fundamental structural weaknesses in some protocols and projects have not been fully resolved.
Largest individual exploits
February’s loss landscape was shaped by several sizable incidents, though none reached the extreme levels seen in some of 2025’s headline hacks.
YieldBlox recorded the biggest single exploit of the month, with roughly $10.6 million stolen. IoTeX followed with about $8.9 million in losses, while Foom reported an incident involving $2.3 million. These attacks, taken together, represented a significant portion of the month’s total, but still fell short of the massive nine-figure exploits that characterized some prior periods.
Another dataset points to Instadapp as suffering the largest individual incident at approximately $10.5 million, with EFX losing about $8.9 million. Kasm reported $2.2 million in losses, while Initia saw roughly $2.1 million drained. CryptoFarm was hit twice, with two separate events combining for around $2.7 million.
Smaller-scale incidents also dotted the month’s activity. UCC and Hedgehog each recorded roughly $400,000 in losses, while Lending and SEI Token reported about $200,000 per incident. These modest figures show that attackers are targeting a wide range of platforms and tokens, not just high-profile protocols.
DeFi still the prime hunting ground
Decentralized finance remains the most lucrative segment for attackers by category. DeFi protocols suffered an estimated $14.4 million in losses across multiple incidents in February, maintaining their status as the primary target area. The composability of DeFi – where interconnected protocols rely heavily on each other’s smart contracts and oracles – creates a complex environment where a single weakness can cascade across several services.
AI-related projects emerged as the second-largest target area, with around $8.9 million in funds stolen. This reflects a broader market trend where AI-branded crypto projects have attracted substantial capital and user attention, making them appealing targets for both opportunistic hacks and fraudulent schemes.
Gambling platforms reported around $2.3 million in losses, while address poisoning and wallet drainer schemes combined for roughly $2.7 million. These more specialized attacks typically exploit user inattention, poor address management, or the misuse of transaction history rather than deep protocol flaws.
Recovery and frozen funds improve outcomes
One of the most encouraging data points from February is the amount of money that did not stay in the hands of attackers. Roughly $11.3 million in stolen or at-risk funds were either recovered or frozen, representing about 30% of the total losses.
This recovery rate suggests growing sophistication on the defensive side. Protocol teams, security firms, and infrastructure providers appear to be coordinating more quickly after an incident, leveraging on-chain analytics, rapid contract pauses, and negotiations with attackers to limit damage. In some cases, funds were frozen at centralized off-ramps or blocked through blacklist-enabled token contracts.
Fewer mega-hacks, not fewer hackers
The total incident count remained relatively stable between January and February, based on CertiK’s charts. The key difference lies in the absence of extremely large, market-moving exploits. Instead of a few catastrophic hacks dominating the statistics, February’s damage was spread across a larger number of smaller- to mid-sized incidents.
This shift could indicate several concurrent trends:
– High-profile protocols are gradually strengthening their security posture through audits, bug bounties, and hardened architectures.
– Attackers may be targeting newer or smaller projects that have less robust defenses, leading to more frequent but lower-value hits.
– Rapid community and developer response, including contract upgrades and emergency pauses, is limiting the escalation of ongoing exploits.
However, the stability in incident volume also shows that attackers remain active and are not deterred purely by market cycles or reduced volatility.
Comparison with 2025 and early 2026
Throughout most of 2025, monthly crypto hack losses regularly exceeded February 2026’s $37.7 million. January 2026 had already hinted at an improving picture with lower-than-usual losses, and February reinforced that trend.
Phishing-related figures in January and February were nearly identical, indicating that human-centered attack vectors are still yielding consistent results for criminals. By contrast, exploit-based losses – those stemming from protocol-level attacks, contract bugs, or price manipulation – saw a more noticeable drop into February, pulling overall numbers down.
If the pattern of fewer high-value exploits continues, 2026 could mark a turning point for crypto security, with the industry absorbing past lessons and hardening critical infrastructure.
What this means for investors and builders
For investors, the February data is a reminder that lower aggregate losses do not automatically translate into safety at the individual level. A single wallet compromise or phishing success can still be devastating for a retail user. Basic hygiene – hardware wallets, multi-factor authentication, careful verification of URLs and smart contracts, and avoiding signing unknown transactions – remains essential.
For builders and project teams, the dominant role of wallet compromises and price manipulation underscores the need to:
– Integrate robust key management and encourage non-custodial, secure storage practices.
– Use reliable, well-audited oracles and design mechanisms that reduce the impact of price anomalies.
– Conduct ongoing audits and implement bug bounty programs to detect vulnerabilities before they are exploited.
– Establish incident response playbooks, including communication strategies and coordination with security firms.
The rise in attacks on AI-related and emerging narrative projects also shows that marketing buzz can outpace security readiness. Teams in trendy sectors should avoid rushing products to market without rigorous testing and review.
Evolving attacker strategies
Attackers are clearly adapting to changes in the ecosystem. With some major DeFi platforms better protected, criminals appear to be:
– Exploiting long-tail projects with weaker defenses.
– Leaning more on social engineering and malware, which bypass purely on-chain safeguards.
– Leveraging cross-chain bridges, mixers, and complex routing to hide their tracks once funds are stolen.
This evolution puts pressure on infrastructure providers, analytics firms, and regulators to improve detection and tracing capabilities, while also requiring end users to remain vigilant.
Outlook for the rest of 2026
If the first two months of 2026 are any indication, the industry could be moving toward a phase where frequent but lower-value incidents replace spectacular, ecosystem-shaking hacks. That would still mean significant cumulative losses, but with fewer systemic shocks and fewer protocol “death events.”
Sustaining and improving this trajectory will depend on:
– Continued investment in smart contract security and formal verification.
– Widespread adoption of best practices for wallet and key management.
– Better user education around phishing and scam recognition.
– Cross-industry cooperation to freeze or recover stolen assets quickly.
While February 2026’s $37.7 million in losses is a multi-month low and a positive signal, it is not a reason for complacency. The data shows an ecosystem learning to defend itself more effectively, but also facing a persistent and adaptable adversary. For now, the balance has tilted slightly toward defenders – and maintaining that advantage will be one of the central challenges for crypto throughout 2026.