Crypto hackers made off with more than $168.6 million in digital assets from 34 DeFi protocols during the first three months of 2026. According to data from DefiLlama, while the number still stings, it marks a noticeable drop compared to Q1 in 2025.
The biggest single blow came in January with the $40 million private key compromise at Step Finance. Hackers got into executive devices and drained the treasury, eventually forcing the Solana-based portfolio platform to wind down operations entirely. Not long after, on January 8, a clever smart contract manipulation hit Truebit.
Attackers exploited an integer overflow in the protocol’s old purchase contract, minting tokens essentially for free and walking away with about $26.4 million worth of ETH (trading around $2,060 at the time).
Coming in third in the top three was a private key compromise of a stablecoin issuer called Resolv Labs on March 21. This allowed for unauthorized minting and an estimated $23-25 million in extracted value before everything was paused to try and limit the damage.
Your completely free resource hub designed to boost your knowledge of cryptocurrencies
Even established DeFi protocols are not immune to security threats
These security threats demonstrate how even established DeFi protocols are not immune to security threats whenever human factors are involved.
The Q1 figures for all DeFi protocols are still much lower than the amount stolen in Q1 2025, which was a staggering $1.58 billion. This was largely due to a massive $1.4 billion exploit on a centralized exchange. Security experts, however, advise that you can’t really correlate hacker activities with a particular quarter of a year.
Hackers ramp up when the industry booms
Nick Percoco, chief security officer at Kraken, explained to Cointelegraph that cybercriminal interest in crypto tends to surge during market upswings and big product launches rather than fixed time frames. When liquidity piles up quickly in certain areas, attackers notice. They gravitate toward spots where value is concentrating fastest.
“Bull markets, major product launches, and fast-moving growth phases all create more attractive conditions for attackers because more value is at stake and new infrastructure can introduce risk,” Percoco said.
At the same time, he stressed that problems aren’t limited to boom times. Vulnerabilities in complex or rapidly changing systems can surface anytime, which is why robust security for DeFi protocols needs to be an ongoing priority, not something switched on only during hype cycles.
Many DeFi protocols have seen their fair share of scrutiny lately precisely because they handle large pools of accessible, liquid assets. When money flows in fast, the surface area for potential exploits grows. Teams building these platforms often move quickly to capture market share, sometimes at the expense of thoroughly auditing every layer, from smart contracts to operational controls. That’s where the gaps appear.
Crypto attackers keep evolving
North Korea-linked groups have stayed active against both regular crypto users and Web3-native projects. They’ve been tied to several high-profile incidents, including a recent massive strike on Drift Protocol, a decentralized exchange on Solana. That reportedly cost around $285 million through a private key leak and related manipulations, making it one of the standout events spilling into early Q2 discussions.
Percoco described the current threat actors as a “broad and evolving mix.” On one end you have highly coordinated, state-backed operations focusing on core infrastructure. On the other are organized cybercrime rings and lone opportunists who scan for weak spots in smart contracts or front-end interfaces. What unites them is the target: global, liquid, and easily accessible value.
“It is a broad and evolving mix, but they are ultimately targeting the same thing: global, liquid, and accessible value,” he noted.
“Targeting is rarely purely random. In many cases, attackers are deliberate in how they assess infrastructure, code, access controls, and even human behavior.”
The transparency built into blockchain systems works both ways. It helps users verify transactions, but it also lets opportunistic hackers spot emerging weaknesses in real time.
The juiciest targets often combine three factors: big concentrations of value, technical complexity that hides flaws, and gaps in day-to-day operational security.
Many DeFi protocols fit this description, and it’s precisely because of their emphasis on speed, composability, and user accessibility. This is precisely why security experts have been cautioning for months now that 2026 could see an escalation of more sophisticated plays.
Credential theft, sophisticated social engineering attacks, and even artificial intelligence-based attacks will be on the rise. Older DeFi protocols will be especially vulnerable, especially in light of the Truebit hack, where an older contract was exploited.
For teams running DeFi protocols, the message here is clear. Vigilance will be more important now than ever. For users, too, vigilance will be called for. When using a DeFi platform, double-checking permissions, being wary of suspicious links, and being aware of the risks of high-yield opportunities will be crucial.
While the Q1 numbers are down, the industry still can’t rest on its laurels. This is especially true as the amount of value currently locked in DeFi protocols continues to rise. This, in turn, will mean an escalation in the number of attacks. The recent hacks of Step Finance, Truebit, Resolv Labs, and now Drift serve as a reminder to all DeFi protocols that nobody is immune to a hack.
The Q1 data provided by DefiLlama for now indicates progress in managing the losses, but it is a sobering reminder that in the world of decentralized finance, the work of protecting user funds is never done.
