Crypto Hack Statistics in 2026: The Newest Knowledge and Trade Insights

Crypto hacks have change into a serious, ongoing drawback for the business. What as soon as felt like occasional incidents now occurs yearly, with losses reaching billions of {dollars} throughout exchanges, DeFi platforms, and Web3 initiatives.

This development is seen throughout yearly losses, main exploits, and the methods attackers function. This text explores the important thing crypto-hack statistics shaping 2026, overlaying annual developments, main incidents, assault strategies, and the patterns driving these losses.

The Scale of the Downside

12 months-over-12 months at a Look

• Crypto theft reached $3.4 billion in 2025, the best annual complete on report, with the highest 3 hacks alone producing 69% of all service losses for the yr.
• In 2025, the most important single hack was greater than 1,000x the median incident measurement for the primary time in crypto historical past.
• As of early 2026, the ten greatest crypto trade hacks have collectively stolen over $4.3 billion, with particular person assault sizes rising from simply $8.75 million in 2011 to $1.5 billion in 2025. 
• DefiLlama’s cumulative tracker places complete crypto hack losses at over $16.5 billion all-time, with DeFi-specific losses close to $7.7 billion and bridge exploits alone accounting for $2.9 billion. 

2026 Operating Whole

• By the top of April 2026, cumulative losses had reached $771.8 million throughout 47 incidents in simply 4 and a half months, with April’s harm alone coming in at 3.7x the whole Q1 complete. 
• April 2026 set a report as the only worst month in crypto historical past, with $629.69 million drained throughout the business, of which $614.17 million got here from DeFi protocols alone. 
• DeFi logged 47 incidents within the first 4.5 months of 2026 versus 28 over the identical window in 2025, a 68% year-over-year enhance. 
• The 2 Lazarus-linked assaults in April 2026 alone precipitated 95% of the month’s complete harm, triggering a mass exit from DeFi. Within the 48 hours following the exploits, greater than $8.4 billion fled Aave, and complete DeFi TVL shed over $13 billion. 

Q1 2026 in Element

Overview

• Q1 2026 recorded at the least $168 million stolen throughout 34 confirmed incidents above $1M, earlier than the large April exploits pushed the annual complete far increased.
• Counting all Web3 safety incidents, together with infrastructure breaches, Q1 2026 losses exceeded $450 million throughout 145 incidents spanning greater than 10 blockchains.
• Sensible contract exploit losses particularly dropped roughly 89% year-over-year in Q1 2026, as attackers pivoted to social engineering and infrastructure-level assaults.

Month by Month

• January 2026 was the worst single month of Q1, with $340 million misplaced when counting all incidents, practically 80% of which got here from one social engineering assault alone. Counting solely confirmed protocol exploits above $1M, January totaled roughly $86 million throughout 16 hacks. 
• In January 2026, DeFi protocols have been liable for roughly 78% of complete hack losses, with 6 main protocol incidents draining roughly $42 million mixed. 
• February 2026 was the quietest month of Q1 at roughly $10 to $26.5 million in losses, relying on scope, a 98.2% year-over-year decline closely distorted by the $1.5 billion Bybit outlier in February 2025. 
• March 2026 noticed hack exercise rebound with roughly $25 to $52 million stolen, a 96% surge from February’s confirmed figures. 

Q1 2026 Assault Vectors

• Social engineering and phishing have been the only most damaging class in Q1 2026, liable for $290 million in losses, greater than all different assault varieties mixed. Regardless of accounting for less than 10% of incidents by rely, the greenback harm was outsized as a result of one single $282 million assault.
• Flash mortgage and worth manipulation assaults have been probably the most frequent exploit sort at 22% of all Q1 2026 incidents, showing in at the least 10 separate instances. 
• Contract vulnerabilities have been the second most typical assault sort at 20% of incidents.
• Entry management failures accounted for 18% of incidents however drove a few of the largest losses, together with the $40 million Step Finance breach and the $25 million Resolv Labs exploit.
• Oracle manipulation represented 15% of incidents, affecting at the least 5 main protocols in Q1 2026 alone, together with Aave V3, Venus Protocol, Moonwell, Mix Protocol, and Valinity. 
• Rugpulls made up 5% of incidents, a persistent however smaller share as attackers shifted focus towards larger-scale social engineering and treasury exploits.

January 2026 Incidents

• In January 2026, a single social engineering assault drained $282 million, one of many largest phishing-driven exploits in Web3 historical past.
• Even excluding that outlier, January nonetheless recorded over $60 million in losses, led by a $40 million breach at Step Finance on Solana brought on by entry management and provide chain failures.
• In January 2026, a Truebit good contract coding error value customers roughly $26.2 million, a Saga bridge incident added one other $7 million, and Makina’s flash mortgage assault resulted in roughly $4.13 million stolen.
• Additionally in January 2026, signature-phishing drained roughly $6.3 million from person wallets, a 207% month-over-month soar, with two victims accounting for practically 65% of these losses. 

February 2026 Incidents

• In February 2026, Mix Protocol misplaced $10 million to oracle manipulation on Stellar, and the IoTeX bridge on Ethereum was drained of $4.4 to $8 million via non-public key leakage and entry management failures. 
• The IoTeX breach in February 2026 mirrored a recurring sample the place bridge infrastructure stays extremely uncovered to key compromise as soon as administrative entry is misplaced.
• The Moonwell exploit on Base in February 2026, which resulted in roughly $1.7 million in losses, demonstrated that governance mechanisms are actually getting used as a direct assault floor, combining oracle and governance vectors in a single operation.

March 2026 Incidents

• March 2026 was headlined by the $25 million Resolv Labs exploit on Ethereum, triggered by entry management failures and enter validation gaps.
• Oracle reliability remained a systemic drawback in March 2026, with Aave V3 ($1 million), Venus Protocol ($2 to $5 million), and Resolv Labs all struggling losses tied to manipulable worth feeds. 

The Greatest Hacks of 2025 and 2026

Bybit

• • On February 21, 2025, Dubai-based Bybit suffered the most important single crypto theft in historical past, shedding 400,000 ETH value $1.4 billion inside minutes after attackers exploited a non-public key vulnerability in its sizzling pockets system. 

• • • By February 26, 2025, the US FBI formally attributed the breach to Lazarus Group and TraderTraitor, who used malware-laden buying and selling purposes to infiltrate techniques.

Phemex

• • • In January 2025, Phemex misplaced over $85 million in a sizzling pockets breach spanning 16 blockchains, making it one of the vital geographically dispersed trade hacks of the yr.

Coinbase 

• • • Coinbase’s 2025 insider-assisted information breach uncovered private info of practically 70,000 clients, with projected complete prices estimated between $180 million and $400 million.
    • In 2025, attackers demanded a $20 million ransom after bribing abroad help brokers, which Coinbase refused, as an alternative providing that very same quantity as a reward for info resulting in the criminals’ identification.

BtcTurk 

• • • In August 2025, Turkish trade BtcTurk suffered its second main hack in simply over a yr, shedding roughly $48 million from sizzling wallets throughout seven blockchains. The prior 2024 breach had already value the trade $55 million, highlighting persistent key administration failures.

Nobitex 

• • • In June 2025, hacking group Predatory Sparrow siphoned over $90 million from Iran’s largest crypto trade Nobitex, with funds despatched to “vainness” pockets addresses with no recognized non-public keys, successfully destroying them completely.

Drift Protocol 

• • • On April 1, 2026, Solana-based Drift Protocol had roughly $270 to $285 million drained from its vaults, wiping out over 50% of its TVL inside hours.
    • Safety agency TRM Labs attributed the assault to UNC4736, a North Korean state-sponsored group that ran a six-month social engineering marketing campaign since fall 2025, with operatives depositing over $1 million of their very own capital into Drift to construct credibility.
    • As soon as inside, attackers whitelisted a nugatory token (CVT) as collateral, artificially inflated its worth through manipulated oracles, deposited 500 million CVT, and drained $285 million in USDC, SOL, and ETH in simply 12 minutes.
    • Inside an hour of the April 1, 2026 exploit, Drift’s TVL collapsed from $550 million to beneath $300 million. The DRIFT token plunged over 40% within the fast aftermath.

KelpDAO and the Aave Fallout 

• • • On April 18, 2026, the attacker cast a cross-chain message to deceive LayerZero’s messaging layer, inflicting Kelp’s bridge to launch 116,500 rsETH (roughly 18% of the token’s complete circulating provide) to an attacker-controlled deal with value roughly $292 million. 
    • The breach was made potential as a result of KelpDAO’s bridge relied on a single-DVN setup, requiring just one verifier to approve a cross-chain message, a single level of failure.
    • As a result of the drained bridge held reserves backing wrapped rsETH throughout greater than 20 blockchains, each downstream protocol accepting rsETH as collateral was immediately uncovered.
    • Kelp’s emergency multisig paused contracts solely 46 minutes after the drain started, by which level the $292 million was already gone. Arbitrum’s Safety Council later froze $71 million of linked belongings on the behest of regulation enforcement. 
    • Following the theft, the stolen ETH was routed via Twister Money inside hours of the April 18 exploit, roughly $175 million in ETH was then moved via THORChain and transformed to Bitcoin with no operator intervention.
    • The KelpDAO exploit in April 18, 2026 triggered a financial institution run on Aave, with the platform’s insurance coverage fund holding simply $80 to $100 million in opposition to practically $200 million in potential losses. Stablecoin lenders pulled $5 billion from Aave in a preemptive exit, driving DeFi stablecoin rates of interest to spike to roughly 10%.
    • As of April 23, 2026, an estimated $100 to $120 million in losses remained unresolved after the Aave insurance coverage fund was absolutely depleted. The AAVE token dropped 19% through the disaster, whereas demand for ETH, USDT, and USDC hit 100% utilization, blocking depositors from withdrawing funds.
    • When the KelpDAO bridge broke in April 2026, Aave misplaced $6 billion in TVL from person withdrawals, regardless that Aave’s personal contracts have been by no means touched.

CoW Swap (April 14, 2026)

• • • On April 14, 2026, CoW Swap suffered a front-end DNS assault that briefly halted companies, tricking customers into approving malicious transfers whereas additionally trying pockets draining, seed phrase assortment, and password theft.
    • A autopsy launched on April 16, 2026, estimated roughly $1.2 million in person losses. CoW DAO later arrange a grants program to reimburse affected customers.

How Attackers Are Evolving

North Korea and the Lazarus Group

• • • In response to a TRM Labs report printed April 30, 2026, North Korean state-linked hackers accounted for 76% of all cryptocurrency stolen globally in 2026 via simply two assaults totaling $577 million, whereas representing solely 3% of complete hack incidents by rely.
    • North Korea-linked hackers stole at the least $2.02 billion in 2025, a 51% enhance from 2024, with centralized exchanges as the first goal.
    • North Korea’s cumulative crypto theft since 2017 has now surpassed $6 billion. North Korean state-linked teams have been tied to at the least 3 of the highest 10 largest trade hacks in historical past.
    • THORChain served as the first laundering route for each the 2025 Bybit breach and the 2026 KelpDAO hack, processing lots of of tens of millions in stolen ETH with no mechanism to reject transfers.
    • In a March 2024 report, A UN panel of consultants estimated that illicit cyber exercise funds roughly 40% of North Korea’s weapons improvement applications.

The Shift from Code to Human Targets

• • • In 2025, off-chain assault vectors, together with compromised credentials, social engineering, and provide chain manipulation, drove 76% of complete hack losses ($2.2 billion), marking a basic shift away from code-based exploits towards human focusing on.
    • Non-public key compromises accounted for 88% of stolen funds in Q1 2025, a development that carried into 2026. 
    • Impersonation scams surged 1,400% year-over-year in 2025, making social engineering one of many fastest-growing crypto menace vectors.
    • The Drift hack operation started as early as fall 2025, roughly 5 months earlier than any funds moved, with DPRK operatives utilizing third-party intermediaries who could themselves have been unaware they have been working for the North Korean state.
    • In a January 2026 interview, Immunefi CEO Mitchell Amador famous that over 90% of initiatives nonetheless carry essential exploitable vulnerabilities, fewer than 1% use firewall instruments, and beneath 10% deploy AI-based detection techniques. 

Bridge Infrastructure as a Structural Weak spot

• • • Since 2022, cross-chain bridges have gathered over $2.9 billion in cumulative losses, representing roughly 40% of all worth hacked in Web3.
    • Bridge TVL reached $21.94 billion as of March 2026, making bridge infrastructure one of many highest-value targets in crypto.
    • Cross-chain bridge exploits resulted in additional than $1.5 billion stolen by mid-2025. 
    • The April 2026 occasions uncovered three structural vulnerabilities in DeFi lending: dependence on poorly verified third-party collateral information, chronically underfunded insurance coverage reserves, and the position of crypto mixers in enabling criminals to launder stolen funds undetected. 

Pockets and Phishing Threats

• • • Private pockets compromises reached 158,000 incidents in 2025, affecting at the least 80,000 distinctive victims, with complete particular person losses hitting $713 million, down 52% from $1.5 billion in 2024.
    • Phishing and address-poisoning assaults precipitated roughly $83.8 million in wallet-related losses throughout as much as 17 million affected addresses in 2025.
    • In January 2026, signature-phishing drained roughly $6.3 million from person wallets, a 207% month-over-month soar, with two victims accounting for practically 65% of these losses.
    • In 2025, ransomware assaults focusing on crypto holders rose 75% to 72 incidents, with losses reaching $40.9 million.

Widespread Vulnerabilities Throughout the Trade

• • • In 2025, entry management vulnerabilities drove roughly 59% of DeFi losses, totaling over $1.6 billion, whereas good contract flaws precipitated 67% of DeFi losses, with unverified contracts liable for over $630 million.
    • In H1 2025, DeFi safety breaches exceeded $3.1 billion, already surpassing the full-year 2024 complete of $2.85 billion.
    • In response to Coinlaw 2026, an absence of normal auditing left 52% of DeFi protocols struggling at the least one breach inside their first yr of operation.
    • In 2025, outdated two-factor authentication techniques contributed to a 32% rise in account takeovers, weak API safety precipitated 27% of centralized trade breaches, and poor inside entry controls enabled unauthorized worker entry in 11% of trade hacks.
    • Third-party service flaws, equivalent to misconfigured cloud storage, contributed to 24% of infrastructure-related breaches in 2025, whereas an absence of good contract audits precipitated over $540 million in DeFi losses.
    • In response to Chainalysis information via 2025, sizzling pockets vulnerabilities have been the basis reason behind 80% of main trade breaches on report.

References

• • Acuna, O. (2026). Crypto hacks hit $17 billion in 2025, however the true menace was folks, not code. [online] Coindesk.com. Out there at: https://www.coindesk.com/enterprise/2026/01/19/crypto-s-worst-year-for-hacks-wasn-t-a-smart-contract-problem-it-was-a-people-problem [Accessed 13 May 2026].
  • Adewale Olarinde (2026). Crypto hack losses hit $112.5m within the first two months of 2026, PeckShield information. [online] AMBCrypto. Out there at: https://ambcrypto.com/crypto-hack-losses-hit-112-5m-in-first-two-months-of-2026-peckshield-data/ [Accessed 13 May 2026].
  • administrator (2025). The ten Greatest Crypto Hacks in Historical past. [online] Crystal Intelligence. Out there at: https://crystalintelligence.com/investigations/the-10-biggest-crypto-hacks-in-history/ [Accessed 12 May 2026].
  • Bashir, Okay. (2026). April 2026 Turns into Worst Month for Crypto Hacks Since February 2025. [online] BeInCrypto. Out there at: https://beincrypto.com/april-2026-crypto-hacks-606m/ [Accessed 13 May 2026].
  • Bonner, W. (2026). Crypto Hacks and DeFi Runs – Financial institution Coverage Institute. [online] Financial institution Coverage Institute. Out there at: https://bpi.com/crypto-hacks-and-defi-runs/ [Accessed 12 May 2026].
  • Cryptoimpacthub.com. (2026). The Drift Protocol Hack: How North Korea Performed the Lengthy Recreation for $285 Million. [online] Out there at: https://cryptoimpacthub.com/drift-protocol-hack-north-korea-social-engineering-2026/ [Accessed 13 May 2026].
  • Cryip.co. (2026). Crypto Hacks Report in Q1 2026: $450M Misplaced Throughout Phishing, Exploits, and Infrastructure Assaults. [online] Out there at: https://cryip.co/crypto-hacks-report-q1-2026/ [Accessed 12 May 2026].
  • Dan (2026). April Crypto Hacks Simply Hit $606 Million in 18 Days, Making It the Worst Month Since February 2025. [online] Phemex.com. Out there at: https://phemex.com/blogs/april-2025-crypto-hacks-606-million [Accessed 13 May 2026].
  • Dan (2026). Each Main DeFi Hack in 2026 So Far and Why Bridge Exploits Preserve Getting Larger. [online] Phemex.com. Out there at: https://phemex.com/blogs/defi-hacks-2026-bridge-exploits-explained [Accessed 12 May 2026].
  • Danga, B. (2026). North Korea accounts for 76% of 2026 crypto hack losses, with theft since 2017 topping $6 billion: TRM Labs. [online] The Block. Out there at: https://www.theblock.co/submit/399569/north-korea-accounts-for-76-of-2026-crypto-hack-losses-with-theft-since-2017-topping-6-billion-trm-labs [Accessed 13 May 2026].
  • Elad, B. (2026). Crypto Change Hacks and Safety Statistics 2026: Cyber Danger Tendencies. [online] CoinLaw. Out there at: https://coinlaw.io/crypto-exchange-hacks-and-security-statistics/ [Accessed 12 May 2026].
  • Elad, B. (2026). Cryptocurrency Safety and Fraud Statistics 2026: Massive Threats. [online] CoinLaw. Out there at: https://coinlaw.io/cryptocurrency-security-fraud-statistics/ [Accessed 13 May 2026].
  • Faridi, O. (2026). Crypto Exploit Losses Climb Sharply in March 2026 as Safety Threats Evolve, Report Reveals. [online] Crowdfund Insider. Out there at: https://www.crowdfundinsider.com/2026/04/270705-crypto-exploit-losses-climb-sharply-in-march-2026-as-security-threats-evolve-report-reveals/ [Accessed 13 May 2026].
  • GNcrypto (2026). April 2026: 30 crypto hacks, $625M stolen, bridges hit. [online] GNcrypto. Out there at: https://www.gncrypto.information/information/april-2026-30-crypto-hacks-625m-stolen-bridges-hit/ [Accessed 13 May 2026].
  • IndexBox Inc (2026). Crypto losses exceeded $606M in April 2026 as a result of hacks linked to the Lazarus Group. [online] Indexbox.io. Out there at: https://www.indexbox.io/weblog/crypto-losses-exceed-606m-in-april-2026-due-to-hacks-linked-to-lazarus-group/ [Accessed 13 May 2026].
  • Lee, J. (2026). DeFi exploits, on-chain interventions, and the non-public key: Current developments in crypto-asset restoration. [online] Travers Smith. Out there at: https://www.traverssmith.com/data/knowledge-container/defi-exploits-on-chain-interventions-and-the-private-key-recent-developments-in-crypto-asset-recovery/ [Accessed 13 May 2026].
  • Luker (2026). This month’s Crypto Safety Report. [online] Metamask.io. Out there at: https://metamask.io/information/crypto-security-report-2026 [Accessed 12 May 2026].
  • MEXC. (2026). Report: Crypto Hacks Rose 96% in March as Losses Hit $52M. [online] Out there at: https://www.mexc.com/information/1005025 [Accessed 13 May 2026].
  • Miah, S. (2025). 14 Greatest Crypto Hacks of All Time. [online] Webopedia. Out there at: https://www.webopedia.com/crypto/be taught/biggest-crypto-hacks/ [Accessed 12 May 2026].
  • North (2026). North Korean hackers tied to $290M crypto heist, agency says. [online] UPI. Out there at: https://www.upi.com/Top_News/World-Information/2026/04/22/KelpDAO-LayerZero-North-Korea-crypto-hack-theft-Lazarus-Group/6151776848419/ [Accessed 13 May 2026].
  • Sherlock (2026). The Sherlock Web3 Safety Report Q1 2026: Each Main Hack, Exploit, and Development. [online] Sherlock.xyz. Out there at: https://sherlock.xyz/submit/the-sherlock-web3-security-report-q1-2026-every-major-hack-exploit-and-trends [Accessed 13 May 2026].
  • The Crypto Instances. (2026). $629M Misplaced: April 2026 Marks Worst Month for Crypto Hacks. [online] Out there at: https://www.cryptotimes.io/2026/04/30/629m-lost-april-2026-marks-worst-month-for-crypto-hacks/ [Accessed 13 May 2026].
  • Thorp, J. (2026). Crypto Hackers Drain $1.08 Billion in 68 Assaults as Social Engineering Surges. [online] The Forex Analytics. Out there at: https://thecurrencyanalytics.com/defi/crypto-hackers-drain-1-08-billion-in-68-attacks-as-social-engineering-surges-255542 [Accessed 13 May 2026].
  • Trmlabs.com. (2026). North Korea Stole 76% of All Crypto Hack Worth in 2026 — With Simply Two Assaults. [online] TRM Labs. Out there at: https://www.trmlabs.com/assets/weblog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks [Accessed 13 May 2026].