Losses from crypto hacks have fallen to levels not seen in nearly a year, with February 2026 recording an estimated $37.7 million in stolen funds – the lowest monthly tally since March 2025, according to data compiled by blockchain security firm CertiK. While attacks remain frequent, the size of successful exploits has shrunk significantly, pointing to fewer blockbuster hacks and more mid‑sized incidents spread across various sectors.
Compared with January, overall losses dropped by about 60%, marking a sharp pullback from the elevated figures that characterized much of 2025. The number of incidents, however, stayed relatively stable month over month. This suggests that attackers are still highly active, but are either struggling to land major scores or facing stronger defenses from protocols, wallets, and users.
Wallet compromise was the single most damaging attack vector in February, responsible for around $16.6 million in losses. These cases typically involve attackers gaining control of private keys or seed phrases through malware, social engineering, or unsafe signing of malicious transactions. Once a wallet is compromised, funds can be drained in minutes, often leaving victims with no practical way to recover assets.
Price manipulation came in second, accounting for approximately $11.4 million in stolen value. These schemes usually target low‑liquidity markets or complex DeFi mechanisms, where attackers can distort token prices through flash loans, wash trading, or oracle manipulation. By exploiting poorly defended pricing mechanisms, hackers can extract outsized profits before markets normalize and the damage becomes fully apparent.
Phishing attacks remained a persistent threat, siphoning off about $8.6 million in February – roughly the same level seen in January. In many of these cases, victims were tricked into signing malicious transactions, connecting wallets to fake interfaces, or revealing sensitive information. The fact that phishing losses stayed flat while other categories declined underscores how social engineering continues to bypass even technically robust systems.
Exploits tied to code vulnerabilities contributed around $5.1 million in losses. These hacks typically stem from flaws in smart contract logic, missing access controls, or unanticipated interactions between contracts. While this category was smaller than wallet compromise or price manipulation, it highlights that technical risks in decentralized finance and related sectors are far from resolved. Exit scams, where project operators disappear with investor funds, added another $2.1 million to the monthly total.
On a protocol‑by‑protocol basis, losses were concentrated in a handful of incidents. Instadapp recorded the largest single hit of the month at roughly $10.5 million. EFX followed at about $8.9 million, while Kasm and Initia each suffered incidents in the $2.1-2.2 million range. CryptoFarm was exploited twice, with combined losses of $2.7 million across the two events. Smaller cases rounded out the picture, including UCC and Hedgehog at around $400,000 each, and Lending and SEI Token reporting losses of about $200,000 per incident.
DeFi platforms once again bore the brunt of exploit activity, with total losses reaching about $14.4 million across multiple attacks. As the largest pool of on‑chain liquidity and the backbone of many crypto trading and lending strategies, DeFi remains an obvious target. Its open‑source nature, composability, and complex incentive structures create an environment where even minor oversights can become high‑value opportunities for skilled attackers.
AI‑related crypto projects emerged as the second‑most targeted segment, chalking up approximately $8.9 million in stolen funds. Many of these initiatives sit at the intersection of two fast‑moving fields – artificial intelligence and blockchain – where hype, rapid development cycles, and experimental business models can outpace security best practices. This makes AI‑themed tokens and platforms especially appealing to attackers looking for less mature, poorly audited codebases with enthusiastic but inexperienced user bases.
Gambling platforms and high‑risk gaming or betting applications were also on the radar of hackers, posting around $2.3 million in combined losses. In parallel, address poisoning and wallet drainer schemes together accounted for roughly $2.7 million. In address poisoning scenarios, attackers insert look‑alike wallet addresses into a user’s history, hoping the victim copies the wrong one when sending funds. Wallet drainer tools, on the other hand, are scripts or contracts specifically designed to empty wallets once users sign a malicious transaction.
Despite the continuing wave of attacks, February brought a notable improvement in the recovery of stolen assets. About $11.3 million in funds were either frozen or returned, representing roughly 30% of the total losses. These recoveries often stem from rapid incident response, exchange blacklisting of stolen funds, white‑hat negotiations, or flaws in the attackers’ laundering strategies. The growing share of recovered funds indicates that coordination between security firms, protocols, and infrastructure providers is improving.
When viewed in a broader context, February’s $37.7 million in losses marks a clear deviation from the higher monthly totals seen during most of 2025. CertiK’s data indicates that both January and February 2026 recorded lower figures than the majority of months in the previous year. Nonetheless, the charted incident counts show that attack frequency has not declined meaningfully – the big difference lies in the absence of extremely large, headline‑grabbing hacks.
Phishing data reinforces this pattern. February’s $8.6 million in phishing‑related losses closely mirrored January’s numbers, suggesting a stable baseline of social‑engineering‑driven crime that is proving harder to suppress. Meanwhile, losses from technical exploits and protocol‑level incidents fell from January’s elevated totals to February’s subdued $37.7 million, largely thanks to the lack of single events on the scale of the biggest 2025 breaches.
For market participants, the current environment is a mixed signal. On one hand, fewer massive hacks can bolster confidence, reduce systemic fear, and limit cascading liquidations in leveraged markets. On the other hand, the steady drumbeat of smaller attacks shows that the underlying security challenges of the crypto ecosystem remain unresolved. Bad actors have not disappeared; they are simply harvesting value in smaller increments and across a broader set of targets.
The dominance of wallet compromise in February underscores a critical lesson: individual user behavior and device security are just as important as protocol‑level defenses. Even the most thoroughly audited smart contract cannot protect a user who signs arbitrary transactions, stores seed phrases insecurely, or installs unvetted browser extensions and wallet plug‑ins. Multi‑factor authentication, hardware wallets, transaction simulators, and strict verification of every contract interaction are becoming baseline requirements, not optional extras.
For DeFi developers and project teams, the figures highlight the need for robust risk management that goes beyond one‑time audits. Ongoing monitoring, bug bounties, formal verification where feasible, and staged rollouts with limits on initial liquidity can all help reduce the blast radius of inevitable bugs. Protocols that embrace transparent disclosure, real‑time security analytics, and rapid‑response playbooks are better positioned to keep losses low even when incidents occur.
AI‑linked crypto projects, which are quickly gaining traction, face a unique set of pressures. Rapid feature launches, marketing‑driven tokenomics, and complex off‑chain/on‑chain interactions create many attack surfaces. These projects need to resist the temptation to sacrifice security for speed. Mandatory security reviews, cautious treasury management, and conservative permissioning of AI agents that can trigger on‑chain actions will be essential to avoid becoming the next high‑profile target.
On the regulatory and institutional front, lower aggregate losses can encourage more cautious capital to re‑enter the space. Institutional investors and regulated entities often track exploit statistics closely, using them as a proxy for operational risk. A sustained downtrend in hack volumes – especially if accompanied by improved recovery rates and more mature compliance frameworks – could accelerate the ongoing shift toward more professional, less speculative crypto participation.
At the same time, sophisticated attackers are adapting. As protocols harden core contracts and large custodians improve defenses, opportunistic hackers are increasingly looking for weak links: small‑cap tokens, cross‑chain bridges with limited audits, obscure gambling platforms, and AI or meme projects with rapidly assembled infrastructure. This fragmentation of risk means that while systemic threats might be diminishing, localized blow‑ups will likely remain a recurring feature of the market.
For individual users and smaller projects, February’s data can serve as a practical roadmap for defense. The largest loss categories – wallet compromise, price manipulation, and phishing – highlight where to focus efforts:
– Strengthen wallet hygiene: use hardware wallets, avoid signing blind transactions, and compartmentalize funds across multiple addresses.
– Scrutinize trading venues: be wary of thin‑liquidity tokens and platforms with opaque pricing mechanisms that are prime targets for manipulation.
– Resist social engineering: verify URLs, double‑check contract addresses, and treat unsolicited messages or “urgent” calls to action as red flags.
Looking ahead, the key question is whether February’s low loss figure marks the beginning of a sustained trend or a temporary lull between larger exploit waves. Historical patterns in crypto security show that long quiet periods can end abruptly with a single high‑impact hack. Continuous improvement in tooling, education, and protocol design will be necessary to turn this encouraging month into a durable shift rather than an anomaly.
For now, the numbers send a cautiously optimistic message: despite an unchanged level of attacker activity, the crypto ecosystem appears to be absorbing blows more effectively, limiting the scale of damage per incident, and recovering a larger share of stolen funds. How long this balance holds will depend on whether developers, businesses, and users treat February 2026 as a warning that progress is possible – but complacency remains the biggest vulnerability.