Crypto Hack Statistics in 2026: The Latest Data and Industry Insights

by Lisa Mitchell

Crypto hacks have become a major, ongoing problem for the industry. What once felt like occasional incidents now happens every year, with losses reaching billions of dollars across exchanges, DeFi platforms, and Web3 projects.

This trend is visible across yearly losses, major exploits, and the ways attackers operate. This article explores the key crypto-hack statistics shaping 2026, covering annual trends, major incidents, attack methods, and the patterns driving these losses.

The Scale of the Problem

Year-over-Year at a Glance

| Year | Total Losses | Largest Single Exploit | Source |
|---|---|---|---|
| 2022 | $3.8B | Ronin Bridge ($625M) | Chainalysis |
| 2023 | $1.7B | Mixin Network ($200M) | Chainalysis |
| 2024 | $2.2B | DMM Bitcoin ($305M) | Chainalysis |
| 2025 | $3.4B | Bybit ($1.5B) | Chainalysis |
| 2026 (through Apr 19) | $750M+ | Kelp DAO ($292M) | DefiLlama / PeckShield |

  • Crypto theft reached $3.4 billion in 2025, the highest annual total on record, with the top 3 hacks alone generating 69% of all service losses for the year.
  • In 2025, the largest single hack was more than 1,000x the median incident size for the first time in crypto history.
  • As of early 2026, the 10 biggest crypto exchange hacks have collectively stolen over $4.3 billion, with individual attack sizes growing from just $8.75 million in 2011 to $1.5 billion in 2025. 
  • DefiLlama’s cumulative tracker puts total crypto hack losses at over $16.5 billion all-time, with DeFi-specific losses near $7.7 billion and bridge exploits alone accounting for $2.9 billion. 

2026 Running Total

  • By the end of April 2026, cumulative losses had reached $771.8 million across 47 incidents in just four and a half months, with April’s damage alone coming in at 3.7x the entire Q1 total. 
  • April 2026 set a record as the single worst month in crypto history, with $629.69 million drained across the industry, of which $614.17 million came from DeFi protocols alone. 
  • DeFi logged 47 incidents in the first 4.5 months of 2026 versus 28 over the same window in 2025, a 68% year-over-year increase. 
  • The two Lazarus-linked attacks in April 2026 alone caused 95% of the month’s total damage, triggering a mass exit from DeFi. In the 48 hours following the exploits, more than $8.4 billion fled Aave, and total DeFi TVL shed over $13 billion. 

Q1 2026 in Detail

Overview

  • Q1 2026 recorded at least $168 million stolen across 34 confirmed incidents above $1M, before the massive April exploits pushed the annual total far higher.
  • Counting all Web3 security incidents, including infrastructure breaches, Q1 2026 losses exceeded $450 million across 145 incidents spanning more than 10 blockchains.
  • Smart contract exploit losses specifically dropped approximately 89% year-over-year in Q1 2026, as attackers pivoted to social engineering and infrastructure-level attacks.

Month by Month

  • January 2026 was the worst single month of Q1, with $340 million lost when counting all incidents, nearly 80% of which came from one social engineering attack alone. Counting only confirmed protocol exploits above $1M, January totaled roughly $86 million across 16 hacks. 
  • In January 2026, DeFi protocols were responsible for roughly 78% of total hack losses, with 6 major protocol incidents draining approximately $42 million combined. 
  • February 2026 was the quietest month of Q1 at roughly $10 to $26.5 million in losses, depending on scope, a 98.2% year-over-year decline heavily distorted by the $1.5 billion Bybit outlier in February 2025. 
  • March 2026 saw hack activity rebound with roughly $25 to $52 million stolen, a 96% surge from February’s confirmed figures. 

Q1 2026 Attack Vectors

  • Social engineering and phishing were the single most damaging category in Q1 2026, responsible for $290 million in losses, more than all other attack types combined. Despite accounting for only 10% of incidents by count, the dollar damage was outsized due to one single $282 million attack.
  • Flash loan and price manipulation attacks were the most frequent exploit type at 22% of all Q1 2026 incidents, appearing in at least 10 separate cases. 
  • Contract vulnerabilities were the second most common attack type at 20% of incidents.
  • Access control failures accounted for 18% of incidents but drove some of the largest losses, including the $40 million Step Finance breach and the $25 million Resolv Labs exploit.
  • Oracle manipulation represented 15% of incidents, affecting at least five major protocols in Q1 2026 alone, including Aave V3, Venus Protocol, Moonwell, Blend Protocol, and Valinity. 
  • Rugpulls made up 5% of incidents, a persistent but smaller share as attackers shifted focus toward larger-scale social engineering and treasury exploits.

January 2026 Incidents

  • In January 2026, a single social engineering attack drained $282 million, one of the largest phishing-driven exploits in Web3 history.
  • Even excluding that outlier, January still recorded over $60 million in losses, led by a $40 million breach at Step Finance on Solana caused by access control and supply chain failures.
  • In January 2026, a Truebit smart contract coding error cost users approximately $26.2 million, a Saga bridge incident added another $7 million, and Makina’s flash loan attack resulted in roughly $4.13 million stolen.
  • Also in January 2026, signature-phishing drained approximately $6.3 million from user wallets, a 207% month-over-month jump, with two victims accounting for nearly 65% of those losses. 

| Project | Amount Lost | Attack Vector |
|---|---|---|
| Social Engineering Attack | $282,000,000 | Phishing / Social Engineering |
| Step Finance | $40,000,000 | Access Control / Supply Chain |
| Truebit | ~$26,000,000 | Price Manipulation |
| SwapNet | ~$17,000,000 | Contract Vulnerability |
| Saga / SagaEVM | $7,000,000 | Minting / Unknown |
| Makina / Makinafi | ~$4,000,000–$5,000,000 | Flash Loan / Oracle Manipulation |
| Yo Yield / YO Protocol | $3,700,000 | Slippage / Unknown |
| Aperture Finance | $3,670,000 | Contract Vulnerability |
| NYC Memecoin | $3,400,000 | Rugpull |
| TMX | $1,400,000 | Contract Vulnerability |

February 2026 Incidents

  • In February 2026, Blend Protocol lost $10 million to oracle manipulation on Stellar, and the IoTeX bridge on Ethereum was drained of $4.4 to $8 million through private key leakage and access control failures. 
  • The IoTeX breach in February 2026 reflected a recurring pattern where bridge infrastructure remains highly exposed to key compromise once administrative access is lost.
  • The Moonwell exploit on Base in February 2026, which resulted in approximately $1.7 million in losses, demonstrated that governance mechanisms are now being used as a direct attack surface, combining oracle and governance vectors in a single operation.

| Project | Amount Lost | Attack Vector |
|---|---|---|
| Blend Protocol | ~$10,000,000 | Oracle Manipulation |
| IoTeX Bridge | ~$4,400,000–$8,000,000 | Access Control / Key Leakage |
| CrossCurve | ~$3,000,000 | Contract / Input Validation |
| FOOMCASH | $2,260,000 | Contract Vulnerability |
| Moonwell | ~$1,700,000 | Oracle / Governance Attack |
| Holdstation | $192,000–$462,000 | Access Control / Unknown |
| Ploutos Money | $388,000 | Rugpull |

March 2026 Incidents

  • March 2026 was headlined by the $25 million Resolv Labs exploit on Ethereum, triggered by access control failures and input validation gaps.
  • Oracle reliability remained a systemic problem in March 2026, with Aave V3 ($1 million), Venus Protocol ($2 to $5 million), and Resolv Labs all suffering losses tied to manipulable price feeds. 

| Project | Amount Lost | Attack Vector |
|---|---|---|
| Resolv Labs | $25M | Access Control / Input Validation |
| Venus Protocol | ~$2–5M | Oracle / Donation Attack |
| Solv Protocol | ~$2.5–2.7M | Logic Issue |
| Aave V3 | $1M | Oracle Issue |
| BCE Token | $679K | Reserve Manipulation |
| MT-WBNB LP | $242K | Burn Mechanism Manipulation |
| dTRINITY | $257K | Flash Loan / Inflation Attack |
| Gondi | $230K | Contract Vulnerability |

The Biggest Hacks of 2025 and 2026

| Platform | Year | Hacker (if known) | Vulnerability | Value Lost | Recovery Status | Type of Attack |
|---|---|---|---|---|---|---|
| DMM Bitcoin | 2024 | Likely North Korea / Lazarus Group | Private key compromise | $305 million | Exchange raised $320M to compensate users | Server-side compromise and multi-chain laundering |
| Bybit Exchange | 2025 | Lazarus Group and TraderTraitor | Malware-laden trading applications | $1.5 billion | Funds not recovered | Exchange hack |
| Balancer | 2025 | Unknown | Rounding precision flaw in batchSwap function | Over $120 million | Recovery mode initiated for pausable pools | Smart contract exploit |
| BtcTurk | 2025 | Unknown | Private key compromise across hot wallets | ~$103 million (2024 and 2025 combined) | Funds not recovered | Repeated hot wallet compromises |
| Nobitex | 2025 | Predatory Sparrow | Internal infrastructure breach | Over $90 million | Irrecoverable | Data breach and wallet drain |
| Coinbase | 2025 | Unknown | Insider bribery | $180–$400 million | Coinbase is committed to reimbursing losses | Insider-enabled data breach |
| Drift Protocol | 2026 | UNC4736 (North Korea) | Admin/multisig key compromise | $270–$285 million | Deposits suspended; no confirmed user compensation | Social engineering + governance manipulation |
| Aave via Kelp DAO | 2026 | Unknown / Lazarus Group | LayerZero bridge message spoofing | $200–$280 million bad debt | rsETH market frozen; bad debt resolution pending | Bridge exploit leading to undercollateralized lending |

Bybit

      • On February 21, 2025, Dubai-based Bybit suffered the largest single crypto theft in history, losing 400,000 ETH worth $1.4 billion within minutes after attackers exploited a private key vulnerability in its hot wallet system.
      • By February 26, 2025, the US FBI formally attributed the breach to Lazarus Group and TraderTraitor, who used malware-laden trading applications to infiltrate systems.

Phemex

      • In January 2025, Phemex lost over $85 million in a hot wallet breach spanning 16 blockchains, making it one of the most geographically dispersed exchange hacks of the year.

Coinbase 

      • Coinbase’s 2025 insider-assisted data breach exposed personal information of nearly 70,000 customers, with projected total costs estimated between $180 million and $400 million.
      • In 2025, attackers demanded a $20 million ransom after bribing overseas support agents, which Coinbase refused, instead offering that same amount as a reward for information leading to the criminals’ identification.

BtcTurk 

      • In August 2025, Turkish exchange BtcTurk suffered its second major hack in just over a year, losing approximately $48 million from hot wallets across seven blockchains. The prior 2024 breach had already cost the exchange $55 million, highlighting persistent key management failures.

Nobitex 

      • In June 2025, hacking group Predatory Sparrow siphoned over $90 million from Iran’s largest crypto exchange Nobitex, with funds sent to “vanity” wallet addresses with no known private keys, effectively destroying them permanently.

Drift Protocol 

      • On April 1, 2026, Solana-based Drift Protocol had approximately $270 to $285 million drained from its vaults, wiping out over 50% of its TVL within hours.
      • Security firm TRM Labs attributed the attack to UNC4736, a North Korean state-sponsored group that ran a six-month social engineering campaign beginning in fall 2025, with operatives depositing over $1 million of their own capital into Drift to build credibility.
      • Once inside, attackers whitelisted a worthless token (CVT) as collateral, artificially inflated its price via manipulated oracles, deposited 500 million CVT, and drained $285 million in USDC, SOL, and ETH in just 12 minutes.
      • Within an hour of the April 1, 2026 exploit, Drift’s TVL collapsed from $550 million to under $300 million. The DRIFT token plunged over 40% in the immediate aftermath.

KelpDAO and the Aave Fallout 

      • On April 18, 2026, the attacker forged a cross-chain message to deceive LayerZero’s messaging layer, causing Kelp’s bridge to release 116,500 rsETH (roughly 18% of the token’s total circulating supply), worth approximately $292 million, to an attacker-controlled address.
      • The breach was made possible because KelpDAO’s bridge relied on a single-DVN setup, requiring only one verifier to approve a cross-chain message, a single point of failure.
      • Because the drained bridge held reserves backing wrapped rsETH across more than 20 blockchains, every downstream protocol accepting rsETH as collateral was instantly exposed.
      • Kelp’s emergency multisig paused contracts only 46 minutes after the drain began, by which point the $292 million was already gone. Arbitrum’s Security Council later froze $71 million of linked assets at the behest of law enforcement. 
      • Following the theft, the stolen ETH was routed through Tornado Cash within hours of the April 18 exploit. Approximately $175 million in ETH was then moved through THORChain and converted to Bitcoin with no operator intervention.
      • The KelpDAO exploit on April 18, 2026, triggered a bank run on Aave, with the platform’s insurance fund holding just $80 to $100 million against nearly $200 million in potential losses. Stablecoin lenders pulled $5 billion from Aave in a preemptive exit, driving DeFi stablecoin interest rates to spike to approximately 10%.
      • As of April 23, 2026, an estimated $100 to $120 million in losses remained unresolved after the Aave insurance fund was fully depleted. The AAVE token dropped 19% during the crisis, while demand for ETH, USDT, and USDC hit 100% utilization, blocking depositors from withdrawing funds.
      • When the KelpDAO bridge broke in April 2026, Aave lost $6 billion in TVL from user withdrawals, even though Aave’s own contracts were never touched.
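
The single-verifier weakness described above can be modelled from the defender's side with a bridge release gate that compares a 1-of-1 verifier configuration with a 2-of-3 quorum. This is an added example, not KelpDAO's or LayerZero's code: the verifier names, keys, message fields and the BridgeGate class are hypothetical, and HMAC-SHA256 stands in for each verifier's real signature scheme so the example runs offline.

```python
import hashlib
import hmac

# Constructed verifier keys (assumption): HMAC stands in for real signatures.
VERIFIER_KEYS = {
    "dvn-a": b"constructed-key-a",
    "dvn-b": b"constructed-key-b",
    "dvn-c": b"constructed-key-c",
}

def message_digest(src_chain, nonce, recipient, amount):
    """Digest every verifier attests to; fields are length-prefixed so two
    different messages can never serialize to the same bytes."""
    fields = [str(src_chain), str(nonce), recipient.lower(), str(amount)]
    blob = b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)
    return hashlib.sha256(blob).digest()

def attest(verifier_id, digest):
    """Attestation one verifier produces over a message digest."""
    return hmac.new(VERIFIER_KEYS[verifier_id], digest, hashlib.sha256).digest()

def count_valid(digest, attestations, trusted):
    """Count distinct trusted verifiers whose attestation matches the digest."""
    valid = set()
    for verifier_id, tag in attestations.items():
        if verifier_id not in trusted:
            continue  # attestations from unknown verifiers never count
        if hmac.compare_digest(attest(verifier_id, digest), tag):
            valid.add(verifier_id)
    return len(valid)

class BridgeGate:
    """Releases funds only when `threshold` trusted verifiers agree."""

    def __init__(self, trusted, threshold):
        self.trusted = frozenset(trusted)
        if not self.trusted <= VERIFIER_KEYS.keys():
            raise ValueError("unknown verifier in trusted set")
        if not 1 <= threshold <= len(self.trusted):
            raise ValueError("threshold must be between 1 and len(trusted)")
        self.threshold = threshold
        self.seen = set()  # (src_chain, nonce) pairs already released

    def release(self, msg, attestations):
        key = (msg["src_chain"], msg["nonce"])
        if key in self.seen:
            return False  # replayed message
        digest = message_digest(**msg)
        if count_valid(digest, attestations, self.trusted) < self.threshold:
            return False  # not enough independent verifiers agree
        self.seen.add(key)
        return True

def demo():
    # Constructed message; in the first two calls only dvn-a has attested to it.
    msg = {"src_chain": 1, "nonce": 7, "recipient": "0x" + "ab" * 20, "amount": 1000}
    digest = message_digest(**msg)
    one = {"dvn-a": attest("dvn-a", digest)}
    two = {**one, "dvn-b": attest("dvn-b", digest)}
    single = BridgeGate({"dvn-a"}, threshold=1)   # weak: one verifier decides
    quorum = BridgeGate(VERIFIER_KEYS, threshold=2)  # corrected: 2-of-3
    return {
        "single_accepts_one": single.release(msg, one),
        "quorum_rejects_one": quorum.release(msg, one),
        "quorum_accepts_two": quorum.release(msg, two),
        "quorum_rejects_replay": quorum.release(msg, two),
    }

if __name__ == "__main__":
    print(demo())
```

With the 1-of-1 gate, whatever the lone verifier approves is released; the 2-of-3 gate refuses the same message until a second independent verifier attests to the identical digest.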

CoW Swap (April 14, 2026)

      • On April 14, 2026, CoW Swap suffered a front-end DNS attack that temporarily halted services, tricking users into approving malicious transfers while also attempting wallet draining, seed phrase collection, and password theft.
      • A post-mortem released on April 16, 2026, estimated approximately $1.2 million in user losses. CoW DAO later set up a grants program to reimburse affected users.

How Attackers Are Evolving

North Korea and the Lazarus Group

      • According to a TRM Labs report published April 30, 2026, North Korean state-linked hackers accounted for 76% of all cryptocurrency stolen globally in 2026 through just two attacks totaling $577 million, while representing only 3% of total hack incidents by count.
      • North Korea-linked hackers stole at least $2.02 billion in 2025, a 51% increase from 2024, with centralized exchanges as the primary target.
      • North Korea’s cumulative crypto theft since 2017 has now surpassed $6 billion. North Korean state-linked groups have been tied to at least 3 of the top 10 largest exchange hacks in history.
      • THORChain served as the primary laundering route for both the 2025 Bybit breach and the 2026 KelpDAO hack, processing hundreds of millions in stolen ETH with no mechanism to reject transfers.
      • In a March 2024 report, a UN panel of experts estimated that illicit cyber activity funds approximately 40% of North Korea’s weapons development programs.

The Shift from Code to Human Targets

      • In 2025, off-chain attack vectors, including compromised credentials, social engineering, and supply chain manipulation, drove 76% of total hack losses ($2.2 billion), marking a fundamental shift away from code-based exploits toward human targeting.
      • Private key compromises accounted for 88% of stolen funds in Q1 2025, a trend that carried into 2026. 
      • Impersonation scams surged 1,400% year-over-year in 2025, making social engineering one of the fastest-growing crypto threat vectors.
      • The Drift hack operation began as early as fall 2025, roughly five months before any funds moved, with DPRK operatives using third-party intermediaries who may themselves have been unaware they were working for the North Korean state.
      • In a January 2026 interview, Immunefi CEO Mitchell Amador noted that over 90% of projects still carry critical exploitable vulnerabilities, fewer than 1% use firewall tools, and under 10% deploy AI-based detection systems. 

Bridge Infrastructure as a Structural Weakness

      • Since 2022, cross-chain bridges have accumulated over $2.9 billion in cumulative losses, representing roughly 40% of all value hacked in Web3.
      • Bridge TVL reached $21.94 billion as of March 2026, making bridge infrastructure one of the highest-value targets in crypto.
      • Cross-chain bridge exploits resulted in more than $1.5 billion stolen by mid-2025. 
      • The April 2026 events exposed three structural vulnerabilities in DeFi lending: dependence on poorly verified third-party collateral data, chronically underfunded insurance reserves, and the role of crypto mixers in enabling criminals to launder stolen funds undetected. 

Wallet and Phishing Threats

      • Personal wallet compromises reached 158,000 incidents in 2025, affecting at least 80,000 unique victims, with total individual losses hitting $713 million, down 52% from $1.5 billion in 2024.
      • Phishing and address-poisoning attacks caused approximately $83.8 million in wallet-related losses across up to 17 million affected addresses in 2025.
      • In January 2026, signature-phishing drained approximately $6.3 million from user wallets, a 207% month-over-month jump, with two victims accounting for nearly 65% of those losses.
      • In 2025, ransomware attacks targeting crypto holders rose 75% to 72 incidents, with losses reaching $40.9 million.

Common Vulnerabilities Across the Industry

      • In 2025, access control vulnerabilities drove approximately 59% of DeFi losses, totaling over $1.6 billion, while smart contract flaws caused 67% of DeFi losses, with unverified contracts responsible for over $630 million.
      • In H1 2025, DeFi security breaches exceeded $3.1 billion, already surpassing the full-year 2024 total of $2.85 billion.
      • According to Coinlaw 2026, a lack of regular auditing left 52% of DeFi protocols suffering at least one breach within their first year of operation.
      • In 2025, outdated two-factor authentication systems contributed to a 32% rise in account takeovers, weak API security caused 27% of centralized exchange breaches, and poor internal access controls enabled unauthorized employee access in 11% of exchange hacks.
      • Third-party service flaws, such as misconfigured cloud storage, contributed to 24% of infrastructure-related breaches in 2025, while a lack of smart contract audits caused over $540 million in DeFi losses.
      • According to Chainalysis data through 2025, hot wallet vulnerabilities were the root cause of 80% of major exchange breaches on record.

References

    • Acuna, O. (2026). Crypto hacks hit $17 billion in 2025, but the real threat was people, not code. [online] Coindesk.com. Available at: https://www.coindesk.com/business/2026/01/19/crypto-s-worst-year-for-hacks-wasn-t-a-smart-contract-problem-it-was-a-people-problem [Accessed 13 May 2026].
    • Adewale Olarinde (2026). Crypto hack losses hit $112.5m in the first two months of 2026, PeckShield data. [online] AMBCrypto. Available at: https://ambcrypto.com/crypto-hack-losses-hit-112-5m-in-first-two-months-of-2026-peckshield-data/ [Accessed 13 May 2026].
    • administrator (2025). The 10 Biggest Crypto Hacks in History. [online] Crystal Intelligence. Available at: https://crystalintelligence.com/investigations/the-10-biggest-crypto-hacks-in-history/ [Accessed 12 May 2026].
    • Bashir, K. (2026). April 2026 Becomes Worst Month for Crypto Hacks Since February 2025. [online] BeInCrypto. Available at: https://beincrypto.com/april-2026-crypto-hacks-606m/ [Accessed 13 May 2026].
    • Bonner, W. (2026). Crypto Hacks and DeFi Runs – Bank Policy Institute. [online] Bank Policy Institute. Available at: https://bpi.com/crypto-hacks-and-defi-runs/ [Accessed 12 May 2026].
    • Cryptoimpacthub.com. (2026). The Drift Protocol Hack: How North Korea Played the Long Game for $285 Million. [online] Available at: https://cryptoimpacthub.com/drift-protocol-hack-north-korea-social-engineering-2026/ [Accessed 13 May 2026].
    • Cryip.co. (2026). Crypto Hacks Report in Q1 2026: $450M Lost Across Phishing, Exploits, and Infrastructure Attacks. [online] Available at: https://cryip.co/crypto-hacks-report-q1-2026/ [Accessed 12 May 2026].
    • Dan (2026). April Crypto Hacks Just Hit $606 Million in 18 Days, Making It the Worst Month Since February 2025. [online] Phemex.com. Available at: https://phemex.com/blogs/april-2025-crypto-hacks-606-million [Accessed 13 May 2026].
    • Dan (2026). Every Major DeFi Hack in 2026 So Far and Why Bridge Exploits Keep Getting Bigger. [online] Phemex.com. Available at: https://phemex.com/blogs/defi-hacks-2026-bridge-exploits-explained [Accessed 12 May 2026].
    • Danga, B. (2026). North Korea accounts for 76% of 2026 crypto hack losses, with theft since 2017 topping $6 billion: TRM Labs. [online] The Block. Available at: https://www.theblock.co/post/399569/north-korea-accounts-for-76-of-2026-crypto-hack-losses-with-theft-since-2017-topping-6-billion-trm-labs [Accessed 13 May 2026].
    • Elad, B. (2026). Crypto Exchange Hacks and Security Statistics 2026: Cyber Risk Trends. [online] CoinLaw. Available at: https://coinlaw.io/crypto-exchange-hacks-and-security-statistics/ [Accessed 12 May 2026].
    • Elad, B. (2026). Cryptocurrency Security and Fraud Statistics 2026: Big Threats. [online] CoinLaw. Available at: https://coinlaw.io/cryptocurrency-security-fraud-statistics/ [Accessed 13 May 2026].
    • Faridi, O. (2026). Crypto Exploit Losses Climb Sharply in March 2026 as Security Threats Evolve, Report Reveals. [online] Crowdfund Insider. Available at: https://www.crowdfundinsider.com/2026/04/270705-crypto-exploit-losses-climb-sharply-in-march-2026-as-security-threats-evolve-report-reveals/ [Accessed 13 May 2026].
    • GNcrypto (2026). April 2026: 30 crypto hacks, $625M stolen, bridges hit. [online] GNcrypto. Available at: https://www.gncrypto.news/news/april-2026-30-crypto-hacks-625m-stolen-bridges-hit/ [Accessed 13 May 2026].
    • IndexBox Inc (2026). Crypto losses exceeded $606M in April 2026 due to hacks linked to the Lazarus Group. [online] Indexbox.io. Available at: https://www.indexbox.io/blog/crypto-losses-exceed-606m-in-april-2026-due-to-hacks-linked-to-lazarus-group/ [Accessed 13 May 2026].
    • Lee, J. (2026). DeFi exploits, on-chain interventions, and the private key: Recent developments in crypto-asset recovery. [online] Travers Smith. Available at: https://www.traverssmith.com/knowledge/knowledge-container/defi-exploits-on-chain-interventions-and-the-private-key-recent-developments-in-crypto-asset-recovery/ [Accessed 13 May 2026].
    • Luker (2026). This month’s Crypto Security Report. [online] Metamask.io. Available at: https://metamask.io/news/crypto-security-report-2026 [Accessed 12 May 2026].
    • MEXC. (2026). Report: Crypto Hacks Rose 96% in March as Losses Hit $52M. [online] Available at: https://www.mexc.com/news/1005025 [Accessed 13 May 2026].
    • Miah, S. (2025). 14 Biggest Crypto Hacks of All Time. [online] Webopedia. Available at: https://www.webopedia.com/crypto/learn/biggest-crypto-hacks/ [Accessed 12 May 2026].
    • North (2026). North Korean hackers tied to $290M crypto heist, firm says. [online] UPI. Available at: https://www.upi.com/Top_News/World-News/2026/04/22/KelpDAO-LayerZero-North-Korea-crypto-hack-theft-Lazarus-Group/6151776848419/ [Accessed 13 May 2026].
    • Sherlock (2026). The Sherlock Web3 Security Report Q1 2026: Every Major Hack, Exploit, and Trend. [online] Sherlock.xyz. Available at: https://sherlock.xyz/post/the-sherlock-web3-security-report-q1-2026-every-major-hack-exploit-and-trends [Accessed 13 May 2026].
    • The Crypto Times. (2026). $629M Lost: April 2026 Marks Worst Month for Crypto Hacks. [online] Available at: https://www.cryptotimes.io/2026/04/30/629m-lost-april-2026-marks-worst-month-for-crypto-hacks/ [Accessed 13 May 2026].
    • Thorp, J. (2026). Crypto Hackers Drain $1.08 Billion in 68 Attacks as Social Engineering Surges. [online] The Currency Analytics. Available at: https://thecurrencyanalytics.com/defi/crypto-hackers-drain-1-08-billion-in-68-attacks-as-social-engineering-surges-255542 [Accessed 13 May 2026].
    • Trmlabs.com. (2026). North Korea Stole 76% of All Crypto Hack Value in 2026 — With Just Two Attacks. [online] TRM Labs. Available at: https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks [Accessed 13 May 2026].


