Reported losses from cryptocurrency protocol exploits fell sharply to about $49 million in February 2026, down from roughly $385 million in January, according to Nominis. The drop marked a significant pullback in direct protocol losses after a much heavier start to the year.
That decline did not mean the threat environment became easier. Security firms said major smart-contract breaches eased, but social-engineering attacks gained momentum and shifted risk away from code and toward user behavior.
Fewer protocol breaches, but a different threat profile
Nominis placed February’s total exploit losses at $49 million, while PeckShield estimated an even lower monthly figure of $26.5 million. Both firms described February as the lowest month for exploit losses since March 2025. Analysts tied that improvement in part to stronger on-chain risk controls and better smart-contract security.
Even so, behavioral threats remained firmly in focus. AMLBot said social engineering accounted for about 65% of the crypto-related cases it investigated in 2025, highlighting how attackers continue to bypass protocol hardening by targeting users, wallets, and approval flows.
Among the most visible tactics, security firms pointed to address poisoning. The technique relies on small “dust” transactions sent from lookalike wallet addresses so victims later copy the wrong destination when moving funds. Cyvers said it was detecting more than one million such preparatory operations every day on Ethereum, while aggregated data cited by Trust Wallet estimated about 34,000 attacks per hour, potentially affecting around 17 million users.
The month still included several notable incidents, even if they were smaller than the outsized breaches seen in earlier periods. Step Finance reportedly lost about $30 million, YieldBlox DAO lending pool about $10 million, and crypto-AI project IoTeX about $8.8 million.
The operational burden is moving closer to the user
Those cases were far below the scale of previous headline events. By comparison, the February 2025 Bybit incident involved about $1.5 billion, underscoring how much smaller February 2026’s losses were even as attack frequency and user targeting remained serious concerns.
The broader takeaway is that operational risk is migrating rather than disappearing. Protocol audits and bug bounties still matter, but product and compliance teams now need to put greater weight on transaction-approval design, address-validation controls, and real-time phishing detection.
That shift also points to a different defensive model. The emerging priority is a layered approach that combines on-chain monitoring with off-chain protections and stronger custodial approval workflows to reduce user error and authorization abuse. Regulators and compliance teams are also likely to focus more closely on consumer protections, disclosure of social-engineering losses, and wallet-approval standards that can help reduce consent-based attacks.