Crypto Hackers Steal $17 Billion in Decade, Private Key Attacks Surge

Key takeaways:

  • Investors should prioritize protocols with strong operational security as credential attacks now dominate DeFi losses.
  • The shift from code exploits to human-targeted attacks suggests security budgets need reallocation toward user education.
  • Compressed DeFi yields may accelerate capital rotation to centralized platforms unless on-chain security improves materially.

New data from DefiLlama reveals that crypto hackers have stolen more than $17 billion across 518 incidents over the past decade, with a significant shift toward attacks targeting private keys and user credentials rather than protocol code. The figures underscore an evolving threat landscape where operational security failures and human error are increasingly exploited.

Credential-based attacks, including private key compromises and phishing, now constitute a large share of historical losses. This trend intensified in 2026, highlighted by major exploits such as the attack on Kelp DAO's LayerZero-powered bridge, where roughly 116,500 rsETH was drained, and the April 1 attack on Solana-based Drift Protocol. Together, these incidents contributed to over $600 million in losses from DeFi protocols in just 60 days, as reported by trading firm GSR.

GSR warned that with DeFi yields compressing toward traditional finance levels, the risk exposure to such hacks may no longer be justified for on-chain deposits. The firm noted that as smart contract audits improve, hackers are pivoting to target operational security and developer tooling.

Cybersecurity experts point to the rise of malware, AI-driven scams, and hacking-as-a-service platforms as factors lowering the barrier to entry for attackers. Dyma Budorin of Hacken stated that these tools enable hackers to automate processes and target the easiest victims, often through social engineering schemes like sending small transactions to trick users into copying malicious addresses.

Despite some positive signals—such as a reported decline in phishing losses in 2025 according to Scam Sniffer—the overall threat remains persistent. Hacken reported that Web3 projects lost $482 million in Q1 2026, with $306 million stemming from phishing and social engineering.

The vulnerability of self-custody is a central concern, with private key compromises alone accounting for approximately $8.5 billion of the decade's stolen assets. David Schwed, COO of SVRN and a cybersecurity expert, argues that while self-custody can be made safe, many crypto projects operate on tight budgets, prioritize speed over security, and lack experienced chief information security officers to implement robust safeguards. This culture, combined with investor pressure for rapid market entry, often leaves security as an afterthought.
