Crypto Hack Statistics in 2026: The Latest Data and Industry Insights

Crypto hacks have grow to be a serious, ongoing drawback for the trade. What as soon as felt like occasional incidents now occurs yearly, with losses reaching billions of {dollars} throughout exchanges, DeFi platforms, and Web3 tasks.

This pattern is seen throughout yearly losses, main exploits, and the methods attackers function. This text explores the important thing crypto-hack statistics shaping 2026, protecting annual tendencies, main incidents, assault strategies, and the patterns driving these losses.

The Scale of the Downside

12 months-over-12 months at a Look

• Crypto theft reached $3.4 billion in 2025, the very best annual complete on file, with the highest 3 hacks alone producing 69% of all service losses for the 12 months.
• In 2025, the most important single hack was greater than 1,000x the median incident dimension for the primary time in crypto historical past.
• As of early 2026, the ten largest crypto alternate hacks have collectively stolen over $4.3 billion, with particular person assault sizes rising from simply $8.75 million in 2011 to $1.5 billion in 2025. 
• DefiLlama’s cumulative tracker places complete crypto hack losses at over $16.5 billion all-time, with DeFi-specific losses close to $7.7 billion and bridge exploits alone accounting for $2.9 billion. 

2026 Working Complete

• By the tip of April 2026, cumulative losses had reached $771.8 million throughout 47 incidents in simply 4 and a half months, with April’s harm alone coming in at 3.7x your entire Q1 complete. 
• April 2026 set a file as the one worst month in crypto historical past, with $629.69 million drained throughout the trade, of which $614.17 million got here from DeFi protocols alone. 
• DeFi logged 47 incidents within the first 4.5 months of 2026 versus 28 over the identical window in 2025, a 68% year-over-year enhance. 
• The 2 Lazarus-linked assaults in April 2026 alone prompted 95% of the month’s complete harm, triggering a mass exit from DeFi. Within the 48 hours following the exploits, greater than $8.4 billion fled Aave, and complete DeFi TVL shed over $13 billion. 

Q1 2026 in Element

Overview

• Q1 2026 recorded a minimum of $168 million stolen throughout 34 confirmed incidents above $1M, earlier than the large April exploits pushed the annual complete far greater.
• Counting all Web3 safety incidents, together with infrastructure breaches, Q1 2026 losses exceeded $450 million throughout 145 incidents spanning greater than 10 blockchains.
• Sensible contract exploit losses particularly dropped roughly 89% year-over-year in Q1 2026, as attackers pivoted to social engineering and infrastructure-level assaults.

Month by Month

• January 2026 was the worst single month of Q1, with $340 million misplaced when counting all incidents, practically 80% of which got here from one social engineering assault alone. Counting solely confirmed protocol exploits above $1M, January totaled roughly $86 million throughout 16 hacks. 
• In January 2026, DeFi protocols had been accountable for roughly 78% of complete hack losses, with 6 main protocol incidents draining roughly $42 million mixed. 
• February 2026 was the quietest month of Q1 at roughly $10 to $26.5 million in losses, relying on scope, a 98.2% year-over-year decline closely distorted by the $1.5 billion Bybit outlier in February 2025. 
• March 2026 noticed hack exercise rebound with roughly $25 to $52 million stolen, a 96% surge from February’s confirmed figures. 

Q1 2026 Assault Vectors

• Social engineering and phishing had been the one most damaging class in Q1 2026, accountable for $290 million in losses, greater than all different assault sorts mixed. Regardless of accounting for under 10% of incidents by rely, the greenback harm was outsized as a consequence of one single $282 million assault.
• Flash mortgage and worth manipulation assaults had been essentially the most frequent exploit sort at 22% of all Q1 2026 incidents, showing in a minimum of 10 separate circumstances. 
• Contract vulnerabilities had been the second most typical assault sort at 20% of incidents.
• Entry management failures accounted for 18% of incidents however drove among the largest losses, together with the $40 million Step Finance breach and the $25 million Resolv Labs exploit.
• Oracle manipulation represented 15% of incidents, affecting a minimum of 5 main protocols in Q1 2026 alone, together with Aave V3, Venus Protocol, Moonwell, Mix Protocol, and Valinity. 
• Rugpulls made up 5% of incidents, a persistent however smaller share as attackers shifted focus towards larger-scale social engineering and treasury exploits.

January 2026 Incidents

• In January 2026, a single social engineering assault drained $282 million, one of many largest phishing-driven exploits in Web3 historical past.
• Even excluding that outlier, January nonetheless recorded over $60 million in losses, led by a $40 million breach at Step Finance on Solana brought on by entry management and provide chain failures.
• In January 2026, a Truebit good contract coding error value customers roughly $26.2 million, a Saga bridge incident added one other $7 million, and Makina’s flash mortgage assault resulted in roughly $4.13 million stolen.
• Additionally in January 2026, signature-phishing drained roughly $6.3 million from person wallets, a 207% month-over-month soar, with two victims accounting for practically 65% of these losses. 

February 2026 Incidents

• In February 2026, Mix Protocol misplaced $10 million to oracle manipulation on Stellar, and the IoTeX bridge on Ethereum was drained of $4.4 to $8 million by way of personal key leakage and entry management failures. 
• The IoTeX breach in February 2026 mirrored a recurring sample the place bridge infrastructure stays extremely uncovered to key compromise as soon as administrative entry is misplaced.
• The Moonwell exploit on Base in February 2026, which resulted in roughly $1.7 million in losses, demonstrated that governance mechanisms are actually getting used as a direct assault floor, combining oracle and governance vectors in a single operation.

March 2026 Incidents

• March 2026 was headlined by the $25 million Resolv Labs exploit on Ethereum, triggered by entry management failures and enter validation gaps.
• Oracle reliability remained a systemic drawback in March 2026, with Aave V3 ($1 million), Venus Protocol ($2 to $5 million), and Resolv Labs all struggling losses tied to manipulable worth feeds. 

The Largest Hacks of 2025 and 2026

Bybit

• • On February 21, 2025, Dubai-based Bybit suffered the most important single crypto theft in historical past, dropping 400,000 ETH price $1.4 billion inside minutes after attackers exploited a personal key vulnerability in its scorching pockets system. 

• • • By February 26, 2025, the US FBI formally attributed the breach to Lazarus Group and TraderTraitor, who used malware-laden buying and selling functions to infiltrate techniques.

Phemex

• • • In January 2025, Phemex misplaced over $85 million in a scorching pockets breach spanning 16 blockchains, making it some of the geographically dispersed alternate hacks of the 12 months.

Coinbase 

• • • Coinbase’s 2025 insider-assisted knowledge breach uncovered private info of practically 70,000 clients, with projected complete prices estimated between $180 million and $400 million.
    • In 2025, attackers demanded a $20 million ransom after bribing abroad assist brokers, which Coinbase refused, as an alternative providing that very same quantity as a reward for info resulting in the criminals’ identification.

BtcTurk 

• • • In August 2025, Turkish alternate BtcTurk suffered its second main hack in simply over a 12 months, dropping roughly $48 million from scorching wallets throughout seven blockchains. The prior 2024 breach had already value the alternate $55 million, highlighting persistent key administration failures.

Nobitex 

• • • In June 2025, hacking group Predatory Sparrow siphoned over $90 million from Iran’s largest crypto alternate Nobitex, with funds despatched to “vainness” pockets addresses with no identified personal keys, successfully destroying them completely.

Drift Protocol 

• • • On April 1, 2026, Solana-based Drift Protocol had roughly $270 to $285 million drained from its vaults, wiping out over 50% of its TVL inside hours.
    • Safety agency TRM Labs attributed the assault to UNC4736, a North Korean state-sponsored group that ran a six-month social engineering marketing campaign since fall 2025, with operatives depositing over $1 million of their very own capital into Drift to construct credibility.
    • As soon as inside, attackers whitelisted a nugatory token (CVT) as collateral, artificially inflated its worth through manipulated oracles, deposited 500 million CVT, and drained $285 million in USDC, SOL, and ETH in simply 12 minutes.
    • Inside an hour of the April 1, 2026 exploit, Drift’s TVL collapsed from $550 million to beneath $300 million. The DRIFT token plunged over 40% within the quick aftermath.

KelpDAO and the Aave Fallout 

• • • On April 18, 2026, the attacker cast a cross-chain message to deceive LayerZero’s messaging layer, inflicting Kelp’s bridge to launch 116,500 rsETH (roughly 18% of the token’s complete circulating provide) to an attacker-controlled handle price roughly $292 million. 
    • The breach was made attainable as a result of KelpDAO’s bridge relied on a single-DVN setup, requiring just one verifier to approve a cross-chain message, a single level of failure.
    • As a result of the drained bridge held reserves backing wrapped rsETH throughout greater than 20 blockchains, each downstream protocol accepting rsETH as collateral was immediately uncovered.
    • Kelp’s emergency multisig paused contracts solely 46 minutes after the drain started, by which level the $292 million was already gone. Arbitrum’s Safety Council later froze $71 million of linked belongings on the behest of legislation enforcement. 
    • Following the theft, the stolen ETH was routed by way of Twister Money inside hours of the April 18 exploit, roughly $175 million in ETH was then moved by way of THORChain and transformed to Bitcoin with no operator intervention.
    • The KelpDAO exploit in April 18, 2026 triggered a financial institution run on Aave, with the platform’s insurance coverage fund holding simply $80 to $100 million towards practically $200 million in potential losses. Stablecoin lenders pulled $5 billion from Aave in a preemptive exit, driving DeFi stablecoin rates of interest to spike to roughly 10%.
    • As of April 23, 2026, an estimated $100 to $120 million in losses remained unresolved after the Aave insurance coverage fund was totally depleted. The AAVE token dropped 19% through the disaster, whereas demand for ETH, USDT, and USDC hit 100% utilization, blocking depositors from withdrawing funds.
    • When the KelpDAO bridge broke in April 2026, Aave misplaced $6 billion in TVL from person withdrawals, although Aave’s personal contracts had been by no means touched.

CoW Swap (April 14, 2026)

• • • On April 14, 2026, CoW Swap suffered a front-end DNS assault that briefly halted companies, tricking customers into approving malicious transfers whereas additionally making an attempt pockets draining, seed phrase assortment, and password theft.
    • A autopsy launched on April 16, 2026, estimated roughly $1.2 million in person losses. CoW DAO later arrange a grants program to reimburse affected customers.

How Attackers Are Evolving

North Korea and the Lazarus Group

• • • In accordance with a TRM Labs report printed April 30, 2026, North Korean state-linked hackers accounted for 76% of all cryptocurrency stolen globally in 2026 by way of simply two assaults totaling $577 million, whereas representing solely 3% of complete hack incidents by rely.
    • North Korea-linked hackers stole a minimum of $2.02 billion in 2025, a 51% enhance from 2024, with centralized exchanges as the first goal.
    • North Korea’s cumulative crypto theft since 2017 has now surpassed $6 billion. North Korean state-linked teams have been tied to a minimum of 3 of the highest 10 largest alternate hacks in historical past.
    • THORChain served as the first laundering route for each the 2025 Bybit breach and the 2026 KelpDAO hack, processing a whole lot of tens of millions in stolen ETH with no mechanism to reject transfers.
    • In a March 2024 report, A UN panel of specialists estimated that illicit cyber exercise funds roughly 40% of North Korea’s weapons improvement applications.

The Shift from Code to Human Targets

• • • In 2025, off-chain assault vectors, together with compromised credentials, social engineering, and provide chain manipulation, drove 76% of complete hack losses ($2.2 billion), marking a basic shift away from code-based exploits towards human concentrating on.
    • Personal key compromises accounted for 88% of stolen funds in Q1 2025, a pattern that carried into 2026. 
    • Impersonation scams surged 1,400% year-over-year in 2025, making social engineering one of many fastest-growing crypto risk vectors.
    • The Drift hack operation started as early as fall 2025, roughly 5 months earlier than any funds moved, with DPRK operatives utilizing third-party intermediaries who could themselves have been unaware they had been working for the North Korean state.
    • In a January 2026 interview, Immunefi CEO Mitchell Amador famous that over 90% of tasks nonetheless carry crucial exploitable vulnerabilities, fewer than 1% use firewall instruments, and beneath 10% deploy AI-based detection techniques. 

Bridge Infrastructure as a Structural Weak point

• • • Since 2022, cross-chain bridges have collected over $2.9 billion in cumulative losses, representing roughly 40% of all worth hacked in Web3.
    • Bridge TVL reached $21.94 billion as of March 2026, making bridge infrastructure one of many highest-value targets in crypto.
    • Cross-chain bridge exploits resulted in additional than $1.5 billion stolen by mid-2025. 
    • The April 2026 occasions uncovered three structural vulnerabilities in DeFi lending: dependence on poorly verified third-party collateral knowledge, chronically underfunded insurance coverage reserves, and the function of crypto mixers in enabling criminals to launder stolen funds undetected. 

Pockets and Phishing Threats

• • • Private pockets compromises reached 158,000 incidents in 2025, affecting a minimum of 80,000 distinctive victims, with complete particular person losses hitting $713 million, down 52% from $1.5 billion in 2024.
    • Phishing and address-poisoning assaults prompted roughly $83.8 million in wallet-related losses throughout as much as 17 million affected addresses in 2025.
    • In January 2026, signature-phishing drained roughly $6.3 million from person wallets, a 207% month-over-month soar, with two victims accounting for practically 65% of these losses.
    • In 2025, ransomware assaults concentrating on crypto holders rose 75% to 72 incidents, with losses reaching $40.9 million.

Frequent Vulnerabilities Throughout the Business

• • • In 2025, entry management vulnerabilities drove roughly 59% of DeFi losses, totaling over $1.6 billion, whereas good contract flaws prompted 67% of DeFi losses, with unverified contracts accountable for over $630 million.
    • In H1 2025, DeFi safety breaches exceeded $3.1 billion, already surpassing the full-year 2024 complete of $2.85 billion.
    • In accordance with Coinlaw 2026, an absence of normal auditing left 52% of DeFi protocols struggling a minimum of one breach inside their first 12 months of operation.
    • In 2025, outdated two-factor authentication techniques contributed to a 32% rise in account takeovers, weak API safety prompted 27% of centralized alternate breaches, and poor inside entry controls enabled unauthorized worker entry in 11% of alternate hacks.
    • Third-party service flaws, equivalent to misconfigured cloud storage, contributed to 24% of infrastructure-related breaches in 2025, whereas an absence of good contract audits prompted over $540 million in DeFi losses.
    • In accordance with Chainalysis knowledge by way of 2025, scorching pockets vulnerabilities had been the foundation reason for 80% of main alternate breaches on file.

References

• • Acuna, O. (2026). Crypto hacks hit $17 billion in 2025, however the true risk was individuals, not code. [online] Coindesk.com. Obtainable at: https://www.coindesk.com/enterprise/2026/01/19/crypto-s-worst-year-for-hacks-wasn-t-a-smart-contract-problem-it-was-a-people-problem [Accessed 13 May 2026].
  • Adewale Olarinde (2026). Crypto hack losses hit $112.5m within the first two months of 2026, PeckShield knowledge. [online] AMBCrypto. Obtainable at: https://ambcrypto.com/crypto-hack-losses-hit-112-5m-in-first-two-months-of-2026-peckshield-data/ [Accessed 13 May 2026].
  • administrator (2025). The ten Largest Crypto Hacks in Historical past. [online] Crystal Intelligence. Obtainable at: https://crystalintelligence.com/investigations/the-10-biggest-crypto-hacks-in-history/ [Accessed 12 May 2026].
  • Bashir, Okay. (2026). April 2026 Turns into Worst Month for Crypto Hacks Since February 2025. [online] BeInCrypto. Obtainable at: https://beincrypto.com/april-2026-crypto-hacks-606m/ [Accessed 13 May 2026].
  • Bonner, W. (2026). Crypto Hacks and DeFi Runs – Financial institution Coverage Institute. [online] Financial institution Coverage Institute. Obtainable at: https://bpi.com/crypto-hacks-and-defi-runs/ [Accessed 12 May 2026].
  • Cryptoimpacthub.com. (2026). The Drift Protocol Hack: How North Korea Performed the Lengthy Recreation for $285 Million. [online] Obtainable at: https://cryptoimpacthub.com/drift-protocol-hack-north-korea-social-engineering-2026/ [Accessed 13 May 2026].
  • Cryip.co. (2026). Crypto Hacks Report in Q1 2026: $450M Misplaced Throughout Phishing, Exploits, and Infrastructure Assaults. [online] Obtainable at: https://cryip.co/crypto-hacks-report-q1-2026/ [Accessed 12 May 2026].
  • Dan (2026). April Crypto Hacks Simply Hit $606 Million in 18 Days, Making It the Worst Month Since February 2025. [online] Phemex.com. Obtainable at: https://phemex.com/blogs/april-2025-crypto-hacks-606-million [Accessed 13 May 2026].
  • Dan (2026). Each Main DeFi Hack in 2026 So Far and Why Bridge Exploits Preserve Getting Greater. [online] Phemex.com. Obtainable at: https://phemex.com/blogs/defi-hacks-2026-bridge-exploits-explained [Accessed 12 May 2026].
  • Danga, B. (2026). North Korea accounts for 76% of 2026 crypto hack losses, with theft since 2017 topping $6 billion: TRM Labs. [online] The Block. Obtainable at: https://www.theblock.co/submit/399569/north-korea-accounts-for-76-of-2026-crypto-hack-losses-with-theft-since-2017-topping-6-billion-trm-labs [Accessed 13 May 2026].
  • Elad, B. (2026). Crypto Alternate Hacks and Safety Statistics 2026: Cyber Threat Developments. [online] CoinLaw. Obtainable at: https://coinlaw.io/crypto-exchange-hacks-and-security-statistics/ [Accessed 12 May 2026].
  • Elad, B. (2026). Cryptocurrency Safety and Fraud Statistics 2026: Large Threats. [online] CoinLaw. Obtainable at: https://coinlaw.io/cryptocurrency-security-fraud-statistics/ [Accessed 13 May 2026].
  • Faridi, O. (2026). Crypto Exploit Losses Climb Sharply in March 2026 as Safety Threats Evolve, Report Reveals. [online] Crowdfund Insider. Obtainable at: https://www.crowdfundinsider.com/2026/04/270705-crypto-exploit-losses-climb-sharply-in-march-2026-as-security-threats-evolve-report-reveals/ [Accessed 13 May 2026].
  • GNcrypto (2026). April 2026: 30 crypto hacks, $625M stolen, bridges hit. [online] GNcrypto. Obtainable at: https://www.gncrypto.information/information/april-2026-30-crypto-hacks-625m-stolen-bridges-hit/ [Accessed 13 May 2026].
  • IndexBox Inc (2026). Crypto losses exceeded $606M in April 2026 as a consequence of hacks linked to the Lazarus Group. [online] Indexbox.io. Obtainable at: https://www.indexbox.io/weblog/crypto-losses-exceed-606m-in-april-2026-due-to-hacks-linked-to-lazarus-group/ [Accessed 13 May 2026].
  • Lee, J. (2026). DeFi exploits, on-chain interventions, and the personal key: Latest developments in crypto-asset restoration. [online] Travers Smith. Obtainable at: https://www.traverssmith.com/information/knowledge-container/defi-exploits-on-chain-interventions-and-the-private-key-recent-developments-in-crypto-asset-recovery/ [Accessed 13 May 2026].
  • Luker (2026). This month’s Crypto Safety Report. [online] Metamask.io. Obtainable at: https://metamask.io/information/crypto-security-report-2026 [Accessed 12 May 2026].
  • MEXC. (2026). Report: Crypto Hacks Rose 96% in March as Losses Hit $52M. [online] Obtainable at: https://www.mexc.com/information/1005025 [Accessed 13 May 2026].
  • Miah, S. (2025). 14 Largest Crypto Hacks of All Time. [online] Webopedia. Obtainable at: https://www.webopedia.com/crypto/study/biggest-crypto-hacks/ [Accessed 12 May 2026].
  • North (2026). North Korean hackers tied to $290M crypto heist, agency says. [online] UPI. Obtainable at: https://www.upi.com/Top_News/World-Information/2026/04/22/KelpDAO-LayerZero-North-Korea-crypto-hack-theft-Lazarus-Group/6151776848419/ [Accessed 13 May 2026].
  • Sherlock (2026). The Sherlock Web3 Safety Report Q1 2026: Each Main Hack, Exploit, and Pattern. [online] Sherlock.xyz. Obtainable at: https://sherlock.xyz/submit/the-sherlock-web3-security-report-q1-2026-every-major-hack-exploit-and-trends [Accessed 13 May 2026].
  • The Crypto Instances. (2026). $629M Misplaced: April 2026 Marks Worst Month for Crypto Hacks. [online] Obtainable at: https://www.cryptotimes.io/2026/04/30/629m-lost-april-2026-marks-worst-month-for-crypto-hacks/ [Accessed 13 May 2026].
  • Thorp, J. (2026). Crypto Hackers Drain $1.08 Billion in 68 Assaults as Social Engineering Surges. [online] The Foreign money Analytics. Obtainable at: https://thecurrencyanalytics.com/defi/crypto-hackers-drain-1-08-billion-in-68-attacks-as-social-engineering-surges-255542 [Accessed 13 May 2026].
  • Trmlabs.com. (2026). North Korea Stole 76% of All Crypto Hack Worth in 2026 — With Simply Two Assaults. [online] TRM Labs. Obtainable at: https://www.trmlabs.com/assets/weblog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks [Accessed 13 May 2026].