Crypto-related exploits and losses saw a dramatic decline in the first quarter of 2026, offering a temporary respite for the industry. According to data from DefiLlama, hackers stole approximately $168.6 million from 34 decentralized finance (DeFi) protocols. This marks a steep drop from the $1.58 billion recorded in Q1 2025, a figure heavily skewed by the massive $1.4 billion Bybit exploit.
Despite the overall decrease in total value lost, security professionals warn that the threat environment is intensifying and becoming more complex. The nature of attacks is shifting from pure smart contract bugs to more targeted breaches involving private key compromises, social engineering, and cloud service vulnerabilities.
The largest single incident of Q1 2026 was a $40 million private key compromise at the Solana-based protocol Step Finance in January, where an executive's device was compromised via phishing, leading to the treasury being drained. This was followed by a $26.4 million smart contract manipulation exploit targeting verification protocol TrueBit on January 8. The third-largest breach occurred on March 21, targeting stablecoin issuer Resolv Labs, where an attacker used a compromised AWS Key Management Service key to mint unbacked stablecoins and drain over $25 million.
Security concerns were further highlighted by a separate, major $285 million exploit involving Drift Protocol on Solana, attributed to a private key leak with suspected links to North Korea-backed groups.
Nick Percoco, Chief Security Officer at Kraken, explained that cybercriminal activity tends to rise around market and event-driven cycles where liquidity is concentrated, such as bull markets or major product launches. He described the current landscape as a broad mix of actors, from highly coordinated groups to opportunistic hackers, all deliberately assessing infrastructure, code, and human behavior.
Experts warn that 2026 is likely to see an increase in sophisticated credential theft and AI-powered attacks, emphasizing that protocol security must now extend far beyond code audits to encompass key management and operational security.