TL;DR
- February 2026 recorded the lowest monthly crypto exploit losses since March 2025, totaling $37.7 million across all incidents
- The SOF token exploit led individual incidents at $10.5 million, followed by the IoTeX bridge hack at $8.9 million
- Phishing attacks accounted for $8.5 million, while wallet compromises caused over $16.6 million in losses according to CertiK
- Approximately $11.3 million of stolen funds were recovered or frozen during the month
- Despite lower total losses, attack frequency is rising as threat actors shift toward social engineering and authorization abuse
February 2026 offered a rare piece of positive news for cryptocurrency security. Monthly losses from hacks and exploits fell to $37.7 million, the lowest figure recorded since March 2025. The decline represents a stark contrast to the $385 million lost in January, which was inflated by the massive Bybit-related incident.
But the headline number tells only part of the story. Security researchers and blockchain analysts warn that the lower total masks a shift in attacker behavior that presents new challenges for the industry. The era of billion-dollar bridge hacks may be fading, but it is being replaced by a higher volume of smaller, more targeted attacks that are harder to detect and prevent.
Breaking Down February’s Incidents
The month’s largest confirmed exploit targeted the SOF token, resulting in a $10.5 million loss. The incident highlighted vulnerabilities in token contract design and the risks associated with newer, less battle-tested protocols.
Close behind was the IoTeX bridge hack, where a private key compromise of the ioTube cross-chain bridge led to the theft of approximately $8.9 million across multiple assets including USDC and WBTC. The attack reinforced an uncomfortable truth about cross-chain infrastructure: bridges remain one of the weakest links in the cryptocurrency ecosystem despite years of security improvements.
Other projects suffered smaller but significant losses. CrossCurve lost approximately $3 million to a cross-chain message forgery exploit. Additional incidents involving Foom, Ploutos, and other protocols added another $1.4 million to $2.2 million in combined losses.
Bitcoin was trading at approximately $69,281 on February 7, 2026, with Ethereum at $2,090, according to CoinMarketCap data. The broader market was in a pronounced downtrend, with BTC having fallen nearly 12% over the preceding seven days. The volatile environment created conditions that attackers frequently exploit, as users under pressure may be less careful about verifying transactions and approvals.
The Real Cost Breakdown
Security firm CertiK provided a detailed breakdown of February’s loss categories. Wallet compromises led all vectors at $16.6 million, underscoring the growing threat posed by attacks that target individual users rather than protocol infrastructure. Price manipulation schemes caused $11.4 million in damages, while code vulnerabilities contributed $5.1 million and exit scams accounted for $2.1 million.
Phishing attacks alone accounted for roughly $8.5 million of the monthly total. This figure reflects the broader trend identified in the NOMINIS monthly report, which found that social engineering attacks caused more cumulative damage in February than technical smart contract exploits.
DeFi platforms bore the brunt of February’s losses at $14.4 million, continuing their pattern as the most targeted sector in cryptocurrency. More notably, AI-focused projects lost nearly $8.9 million during the month, a figure that reflects the growing intersection between artificial intelligence and crypto and the new attack surfaces this convergence creates.
A Silver Lining: Recovery and Response
One encouraging development was the recovery rate. Approximately $11.3 million of February’s stolen funds were either recovered or frozen through rapid response efforts by security firms, blockchain analytics companies, and cooperative exchanges. This represents a recovery rate of roughly 30 percent, a figure that has been steadily improving as the industry matures.
The CrossCurve incident demonstrated how projects are increasingly adopting a carrot-and-stick approach to fund recovery. The team published the Ethereum addresses that received misdirected funds and offered a 10 percent bounty for voluntary returns within 72 hours. They threatened criminal complaints, civil litigation, and collaboration with exchanges and stablecoin issuers to freeze funds for non-cooperating recipients.
This approach mirrors a broader trend in the industry. Bug bounty platforms like Immunefi now host programs for over 400 protocols with maximum bounties reaching $10 million for critical vulnerabilities. The crypto insurance market has grown to over $5 billion in total coverage, with providers requiring rigorous security standards including multiple independent audits and formal verification.
The Evolution of Attack Vectors
What makes February 2026 significant is not just the lower losses but what the distribution of those losses reveals about the changing threat landscape. Smart contract vulnerabilities, once the dominant attack vector in cryptocurrency, now account for a relatively small portion of total losses.
Instead, attackers are pivoting toward methods that exploit human behavior rather than code flaws. Authorization abuse, where victims unknowingly approve transactions that grant attackers permission to transfer funds, has become the dominant vector. Address poisoning attacks are exceeding one million daily attempts on Ethereum alone, fueled by lower gas fees following the Fusaka upgrade.
Operational security failures, including private key exposure and seed phrase leaks, continue to produce high-impact incidents. The Step Finance breach, confirmed in early February, resulted in approximately $30 million in losses after attackers compromised devices belonging to the Solana-based project’s executive team. The platform ultimately announced it would shut down entirely.
What the Numbers Mean for the Industry
The decline in total losses is a positive signal that the industry’s substantial investment in security infrastructure is paying dividends. Formal verification has become standard practice for major DeFi protocols. Multi-layered security architectures combining real-time monitoring, automated pause mechanisms, time-locked transactions, and multi-signature governance are now the norm rather than the exception.
However, the shift toward social engineering and authorization-based attacks presents a different kind of challenge. These attacks do not target code that can be audited and patched. They target users who must be educated and protected through better wallet design and clearer transaction interfaces.
The $37.7 million figure for February should be viewed as a milestone, not a destination. The cryptocurrency industry has demonstrated that it can reduce losses from technical exploits. The next frontier is reducing losses from attacks that exploit the human element in the equation.
This article is for informational purposes only and does not constitute financial or investment advice. Always exercise caution when interacting with cryptocurrency protocols and verify all transaction details before confirming.
Only $37.7 million? That’s actually progress compared to the billion-dollar months we’ve seen. Hopefully, the evolving tactics are being met with even better security audits.
David $37.7M is progress but the CertiK data showing $16.6M from wallet compromises means social engineering is replacing smart contract exploits as the main threat
The ‘low’ might just be a lull before hackers find a new zero-day in a popular primitive. We shouldn’t get complacent just because February was relatively quiet.
sats the IoTeX bridge hack for $8.9M proves bridges are still a liability despite years of supposed improvements. same vulnerability different chain
Still too high if you ask me. $37.7 million is a lot of money to lose in just one month, even if it’s an 11-month low.