Crypto hackers stole more than $168.6 million from 34 decentralized finance (DeFi) protocols in the first quarter of 2026, according to data from DefiLlama.
The largest exploit of the quarter was a $40 million private key compromise at Step Finance in January. That was followed by a smart contract manipulation that drained $26.4 million in ether (ETH) from Truebit on Jan. 8. The third-largest incident was a private key compromise targeting stablecoin issuer Resolv Labs on March 21.
The quarter’s total is far lower than the $1.58 billion stolen in Q1 2025, a period dominated by the $1.4 billion Bybit exploit. Experts note, however, that hacks are not tied to specific calendar periods.
Nick Percoco, chief security officer at Kraken, told Cointelegraph that cybercriminal activity in crypto tends to rise around market and event-driven cycles rather than fixed times of year. Threat actors are drawn to where liquidity concentrates, so attack spikes often follow areas where value is accumulating quickly.
“Bull markets, major product launches and fast-moving growth phases all create more attractive conditions for attackers because more value is at stake and new infrastructure can introduce risk,” he said.
“That said, attacks are not confined to just these periods. Vulnerabilities can be exploited in any market environment, particularly in complex or rapidly evolving systems, underlining that security in crypto must be continuous.”
North Korea-linked actors remain a persistent threat to crypto investors and Web3-native companies. Such groups have been suspected in numerous attacks, including a recent incident at Drift Protocol, which lost an estimated $285 million to a private key leak.
Percoco described the threat landscape as a broad and evolving mix: state-affiliated actors and highly coordinated groups targeting core infrastructure, organized cybercriminal networks, and opportunistic hackers scanning for weaknesses in smart contracts and client-facing systems.
“It is a broad and evolving mix, but they are ultimately targeting the same thing: global, liquid and accessible value. Targeting is rarely purely random. In many cases, attackers are deliberate in how they assess infrastructure, code, access controls and even human behavior,” he said.
“At the same time, crypto’s transparency makes it easier for opportunistic actors to spot weaknesses as they emerge. The most attractive targets tend to be those combining large concentrations of value, technical complexity and gaps in operational security.”
Security experts have previously warned that 2026 would likely see increases in sophisticated credential theft, social engineering, and AI-powered attacks.
Cointelegraph is committed to independent, transparent journalism. This news article is produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently. Read our Editorial Policy https://cointelegraph.com/editorial-policy
