Crypto Thefts Quadruple Year-Over-Year to $370M in January

The value of crypto theft and scams surged to 370.3 million dollars in January, marking the highest monthly tally in almost a year. Security analytics firm CertiK noted 40 exploit and scam incidents in the month, with losses concentrated in a single social-engineering attack that drained roughly 284 million from one victim. A large chunk of the total came from phishing schemes, which accounted for 311.3 million dollars in January. The figure echoes an even larger breach landscape from February 2025, when attackers seized about 1.5 billion dollars in total for the month, led by a 1.4-billion-dollar hack on the Bybit exchange. The January numbers also show a stark year-over-year surge, up more than 277% from January 2025 and 214% from December.

Key takeaways

• January’s crypto-theft total reached 370.3 million dollars across 40 incidents, the highest for 11 months.
• A single social-engineering breach accounted for roughly 284 million, dominating the month’s losses.
• Phishing attacks alone stole 311.3 million dollars, underscoring how cyber deception remains a core risk vector.
• Compared with February 2025’s 1.5 billion-dollar month and the Bybit breach of 1.4 billion dollars, January’s losses reflect a sharp year-over-year rise and a continued security challenge for the ecosystem.
• Step Finance was the month’s largest hack at about 28.9 million dollars, followed by the Truebit protocol at 26.4 million dollars—a sign that DeFi services remained attractive targets.
• Across January, 16 hacks drained a total of 86.01 million dollars, a modest decline from a year earlier but a meaningful uptick versus December.

Tickers mentioned: $BTC, $ETH, $SOL, $TRU

Market context: The January pattern underscores persistent security challenges in crypto, with phishing and social-engineering attacks contributing to the bulk of losses amid elevated on-chain activity and cautious risk sentiment. The month’s figures echo a broader cycle of hacks and scams that has characterized the space into 2026, following the high-profile February 2025 breach on Bybit and a wider trend of DeFi-related vulnerabilities. The data emphasize the need for continued threat monitoring, improved authentication, and proactive security testing across wallets, bridges, and decentralized applications.

Why it matters

The January crime wave matters for a broad set of stakeholders. For users, the figures highlight how attackers rely on social engineering and phishing to harvest credentials and access funds, often bypassing standard defenses before on-chain safeguards can react. For auditors, security researchers, and builders, the month reinforces the importance of comprehensive smart-contract reviews, robust wallet infrastructures, and proactive incident response playbooks. The concentration of losses in social-engineering and phishing attacks also underscores gaps in user education and awareness, reminding the ecosystem that technical safeguards must be complemented by prudent user behavior and clear security guidance.

For markets and liquidity, the monthly surge sheds light on the precarious risk environment that can drive abrupt mover flows. While January’s total is far below the 1.5 billion-dollar February 2025 milestone, the year-over-year increase signals that attackers are adapting their methods and continuing to target high-value DeFi protocols and user wallets. The persistence of such threats keeps risk sentiment calibrated downward and keeps security tooling, monitoring services, and disclosure practices in the spotlight as investors weigh vulnerability alongside potential yield opportunities in an increasingly complex crypto landscape.

What to watch next

• Updates from CertiK and PeckShield on January’s observed exploits, including any new forensic findings or identified patterns behind the 40 incidents.
• Follow-up analyses on the large social-engineering breach that dominated losses, including whether a single point of failure was exploited and what mitigations have since been deployed.
• Monitoring for new advisories and security patches from DeFi projects implicated in January’s breaches (e.g., Step Finance, Truebit, SwapNet, Saga) and for broader user-education outreach from security researchers.
• Regulatory and industry responses aimed at phishing and social-engineering risks, with attention to how exchanges and wallets adapt authentication and verification requirements.

Sources & verification

• CertiK’s January security report detailing 40 exploits and the social-engineering loss of about 284 million dollars.
• PeckShieldAlert communications on Step Finance’s treasury hack (approximately 28.9 million dollars) and other January incidents.
• Cointelegraph reporting on the Truebit $26.4 million attack and the consequences for the TRU token.
• Cointelegraph coverage of the SwapNet liquidity provider hack ($13.3 million) and the Saga exploit ($7 million).
• CertiK’s notes comparing January 2026 losses to January 2025’s 98 million dollars and December’s 117.8 million dollars, as well as the broader context of a 16-hack month totaling 86.01 million dollars in losses.

Crypto theft and security: January 2026 in focus

The month’s headline figures paint a picture of a crypto security landscape that remains highly susceptible to manipulative social tactics and fast-moving on-chain exploits. In January, CertiK tracked 40 incidents with a cumulative value of 370.3 million dollars, the highest monthly tally in 11 months and a striking increase from the previous year. The lion’s share of losses stemmed from phishing, with 311.3 million dollars siphoned through credential-focused attacks. This pattern aligns with long-running trends in crypto where attackers exploit user behavior and trust channels to gain unauthorized access, often preceding more conventional on-chain exploits.

One breach in particular shaped the month’s totals: a social-engineering attack that alone accounted for roughly 284 million dollars. The incident underscores how a single well-executed scheme can dominate a month’s risk profile, illustrating the central role of human factors in crypto security. In response, researchers and security teams continue to emphasize multi-factor authentication, phishing-resistant protocols, and rigorous identity checks as essential layers of defense, especially for high-value wallets and treasury-controlled accounts.

Beyond the standout incident, other notable breaches added to the risk mosaic. Step Finance emerged as January’s largest confirmed hack, with approximately 28.9 million dollars stolen from several treasury wallets in a decentralized finance (DeFi) portfolio tracker incident. The breach resulted in the loss of more than 261,000 Solana Solana tokens and prompted a broader review of treasury security practices across DeFi projects. In parallel, the Truebit protocol faced a 26.4 million-dollar attack, traced to a smart-contract vulnerability that allowed token minting at minimal cost, inadvertently driving a price shock for the Truebit (TRU) token. The visual documentation of these incidents—the second figure in the report—cites the ongoing vigilance of security watchdogs such as PeckShield.

The January tally also included other notable breaches that illustrate the breadth of the threat landscape. SwapNet, a liquidity provider, suffered a 13.3 million-dollar hack on January 26, targeting liquidity pools and related treasury components. Earlier in the month, Saga faced a seven million-dollar exploit on its blockchain protocol, highlighting that even smaller platforms remain targets when vulnerabilities surface. Together, these incidents contributed to a monthly total of 86.01 million dollars in losses from 16 hacks, a figure that marks a 1.42% decrease versus the prior year but a more than 13% uptick versus December’s activity.

Looking ahead, the industry will likely scrutinize January’s spikes for patterns that could inform risk-management practices in 2026. The convergence of social engineering and on-chain vulnerability exploits suggests that both user education and protocol-level safeguards must advance in tandem. This means not only stronger wallet-security architectures and tighter access controls but also proactive disclosures, incident retrospectives, and standardized security benchmarks across DeFi projects. For investors, builders, and users, the January data reinforce a cautious stance: security remains a central determinant of risk, liquidity access, and overall market health in the rapidly evolving crypto economy.