Why Crypto Phishing Attacks Outpaced Smart Contract Exploits in Early 2026

The cryptocurrency security landscape underwent a fundamental shift in early 2026. For years, the most damaging attacks targeted vulnerabilities in smart contract code—flash loan exploits, reentrancy bugs, and oracle manipulation schemes that drained millions from DeFi protocols. But data from the first two months of 2026 tells a different story: social engineering attacks, particularly phishing and address poisoning, have overtaken technical exploits as the primary threat to crypto users.

TL;DR

  • Crypto losses in February 2026 totaled approximately $228 million, with $102 million coming from phishing and rug pulls alone
  • Signature phishing attacks surged 207% in January, draining $6.27 million from 4,741 victims
  • Address poisoning scams stole over $62 million from just two high-profile victims in December 2025 and January 2026
  • Lower Ethereum transaction fees following the Fusaka upgrade enabled mass dusting campaigns at unprecedented scale
  • Security experts say user behavior, not protocol code, has become the weakest link in crypto’s security chain

The Numbers Behind the Shift

Blockchain security monitoring platforms compiled data showing that the cryptocurrency sector lost roughly $228 million to security incidents in February 2026. Of that total, approximately $126 million came from hacks and smart contract vulnerabilities across 18 documented cases—a 9.2% decline from January. Meanwhile, 13 phishing and authorization hijacking incidents accounted for 41.9% of all breaches, many leveraging AI-simulated phishing pages designed to mimic legitimate wallet interfaces and decentralized exchanges.

The trend accelerated sharply in January, when signature phishing attacks exploded by 207% compared to December 2025. Security firm Scam Sniffer reported that a single month saw $6.27 million stolen across 4,741 victims, with just two attacker wallets responsible for 65% of total losses. The largest individual incidents included the theft of $3.02 million in tokens such as SLVon and XAUt, and $1.08 million drained from aEthLBTC holdings.

Address Poisoning: The $62 Million Lesson

Perhaps the most alarming development came from address poisoning attacks, a deceptively simple social engineering technique that exploits the way users interact with their wallet transaction histories. In this scheme, attackers generate wallet addresses sharing the same first and last characters as a target’s known contacts. They then send tiny “dust” transactions from these look-alike addresses, which appear in the victim’s transfer history.

When the victim later needs to send funds, they often copy the address from a recent transaction rather than entering it manually. If they select the wrong entry—one planted by the attacker—the funds are irrecoverably sent to the scammer’s wallet. In December 2025, one victim lost approximately $50 million through this method. Just weeks later, in January 2026, another user lost $12.25 million the same way. Together, these two cases alone account for over $62 million in losses.
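The look-alike pattern described above can be checked mechanically before a send. The following is an added example, not code from the article or from any wallet vendor; the addresses are constructed, and the four-character edge window and one-cent dust threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Transfer:
    sender: str       # 0x-prefixed hex address that sent funds to the wallet
    usd_value: float  # approximate USD value of the incoming transfer

def normalize(addr):
    """Lowercase and drop the 0x prefix so checksum casing is ignored."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a

def lookalike_of(candidate, contacts, edge=4):
    """Return the saved contact that `candidate` imitates, or None.

    A look-alike shares the first and last `edge` hex characters with a
    contact while the full 40-character string differs.
    """
    c = normalize(candidate)
    known = {normalize(k): k for k in contacts}
    if c in known:                      # exact match is the real contact
        return None
    for k, original in known.items():
        if c[:edge] == k[:edge] and c[-edge:] == k[-edge:]:
            return original
    return None

def flag_poisoning(history, contacts, dust_usd=0.01, edge=4):
    """Return (sender, imitated_contact, is_dust) for suspicious entries."""
    findings = []
    for t in history:
        target = lookalike_of(t.sender, contacts, edge)
        if target is not None:
            findings.append((t.sender, target, t.usd_value < dust_usd))
    return findings

def safe_to_send(destination, contacts):
    """Allow a send only on a full-string match with a saved contact."""
    return normalize(destination) in {normalize(k) for k in contacts}

# Constructed sample data (not real addresses)
CONTACT = "0x1a2B" + "c3" * 16 + "9F0e"   # saved, trusted recipient
FAKE = "0x1a2b" + "77" * 16 + "9f0e"      # same edges, different middle
OTHER = "0x" + "ab" * 20                  # unrelated small sender
HISTORY = [Transfer(CONTACT, 2500.0), Transfer(FAKE, 0.004),
           Transfer(OTHER, 0.002)]

if __name__ == "__main__":
    for sender, target, dust in flag_poisoning(HISTORY, [CONTACT]):
        print(f"{sender} imitates {target} (dust={dust})")
```

The unrelated dust sender is not flagged, because small value alone does not make an address a look-alike; the check keys on the edge match combined with a full-string mismatch.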

Web3 Antivirus described address poisoning as one of the most reliable ways scammers extract large sums from crypto users, noting that tracked losses from the tactic have ranged from $4 million to $126 million per incident. Researchers have documented over 270 million address poisoning attempts targeting approximately 17 million wallets over the past two years, resulting in cumulative losses exceeding $83.8 million.

The Fusaka Factor: Lower Fees, Higher Risk

A key enabler of the recent surge in address poisoning is Ethereum’s Fusaka upgrade, which went live in December 2025 and significantly reduced transaction costs on the network. While lower fees benefit legitimate users, they also made it economically viable for scammers to launch mass dusting campaigns—sending millions of tiny transactions to poison wallet histories at minimal cost.

Coin Metrics reported that stablecoin-related dust transactions now account for 11% of all Ethereum transactions and 26% of daily active addresses. Its analysis of 227 million stablecoin wallet balance updates between November 2025 and January 2026 found that 38% were worth less than one cent—a pattern consistent with mass address poisoning activity rather than genuine transfers.

Additionally, blockchain intelligence firm Whitestream noted that DAI has become a favored stablecoin for illicit actors due to its governance structure, which does not support wallet freezes. This feature has made DAI a frequent destination in recent address poisoning and money laundering operations.

Major Protocol Exploits in February 2026

While social engineering dominated the threat landscape, several notable protocol-level attacks also occurred in February. CrossCurve suffered a $3 million cross-chain bridge exploit when an attacker bypassed validation logic in functions processing messages from the Axelar network, forging malicious cross-chain messages to release tokens without real deposits. Moonwell lost approximately $1.78 million to a smart contract pricing bug in its Vibe Coding feature. YieldBloxDAO on Stellar was hit with a $10 million oracle manipulation attack, while IoTeX’s ioTube bridge suffered a $4.4 million private key compromise. Seneca lost roughly $6.5 million to an arbitrary call exploit.

FOOMCASH also fell victim to a $2.26 million loss stemming from a zkSNARK misconfiguration. Each of these incidents involved different attack vectors, but all shared a common thread: they exploited gaps in protocol security that audits had either missed or that emerged from recent code changes.

Why This Matters

The crypto industry has invested heavily in smart contract auditing—formal verification, bug bounties, and multi-layer security reviews. Those investments are paying off, as the frequency of protocol-level exploits continues to decline. But attackers have pivoted to a softer target: the end user.

For Bitcoin traders navigating the market with BTC hovering around $67,659 and ETH near $1,957, the lesson is clear. Your smartest security investment isn’t another hardware wallet—it’s developing better habits. Never copy addresses from transaction history. Use saved contacts or ENS names for recurring transfers. Verify the full address string, not just the first and last few characters. And be skeptical of any unsolicited transaction, no matter how small.

The threat landscape of early 2026 demonstrates that the most sophisticated blockchain technology in the world cannot protect users from their own shortcuts. As long as humans remain the weakest link in the security chain, social engineering will continue to be crypto’s most costly vulnerability.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals regarding the protection of your digital assets.


6 thoughts on “Why Crypto Phishing Attacks Outpaced Smart Contract Exploits in Early 2026”

  1. address poisoning stealing 62M from just two victims. the ROI on these scams is insane which is why they keep escalating

  2. Marcus Thorne

    It’s fascinating to see this shift. While developers have definitely leveled up their security game with more rigorous auditing and formal verification, scammers have simply pivoted to the path of least resistance: the users themselves. Social engineering is far more scalable than hunting for obscure zero-days in complex DeFi protocols. We desperately need better wallet-level warnings for transaction signing to combat this.

    1. burner_wallet_

      marcus thorne wallet level warnings for transaction signing is the answer. if metamask flagged suspicious contract interactions the way gmail flags phishing, most of these attacks fail

  3. @SatoshiSeeker

    Man, the phishing game is getting out of hand lately. I’ve seen some incredibly sophisticated clones of popular DEXs that look 100% legit until you check the contract address. It’s a good reminder that no matter how ‘safe’ a protocol is, your own operational security is the final line of defense. Always bookmark your dApps and never click links from random DMs!

  4. Elena Rodriguez

    I’m actually pretty skeptical that we’ll see this trend reverse anytime soon. The UX in crypto is still so clunky that ‘blind signing’ transactions feels normal to most people, which is exactly what phishers exploit. We can audit every line of Solidity code in existence, but until signing a transaction is as intuitive as reading a credit card receipt, the human element will always be the biggest exploit.

  5. DeFidude_2026

    This is exactly why I’ve started using a dedicated burner wallet for all my daily DeFi interactions. It’s way easier for a bad actor to spin up a fake airdrop claim page than it is to actually hack a major bridge or vault. The data really highlights that education is just as important as code quality in this industry. Stay vigilant, everyone!
