Crypto Losses Plummet 87% in February, but Hackers Pivot to Human Targets
Total thefts fell from $385 million in January to $49.3 million in February, yet the bulk of the remaining losses stems from phishing, compromised credentials and user error rather than code exploits, a new Nominis report shows.
Overview
A monthly security review released by blockchain‑security firm Nominis indicates a dramatic contraction in the dollar value of crypto‑related thefts for February 2026. While the headline figure – an 87% drop compared with the previous month – suggests that the ecosystem’s technical defenses are strengthening, a deeper dive into the incidents reveals a shift in attacker tactics: social engineering and account compromise are now the dominant vectors.
What Drove February’s Numbers
| Incident | Approx. Loss | Primary Cause |
|---|---|---|
| Step Finance (Solana) | $40 M (≈ 60 % of February’s total) | Device compromise of senior staff, leading to unauthorized private‑key usage and large‑scale SOL transfers |
| YieldBlox | $10.2 M | Manipulation of collateral‑pricing logic, allowing borrower to over‑leverage |
| CrossCurve Bridge | $3 M | Flawed validation routine in the Axelar‑message handling contract |
| Various “address‑poisoning” and malicious‑approval scams | $0.1–0.6 M each | Users tricked into sending funds to wrong addresses or signing deceptive token approvals |
| South Korean seed‑phrase leak | $5 M | Private key exposed in a publicly posted photograph, enabling wallet reconstruction |
The Step Finance breach alone forced the DeFi aggregator and its satellite projects – SolanaFloor and Remora Markets – to shut down their core platforms. Unlike the earlier cases that hinged on vulnerable smart‑contract code, these incidents were triggered by compromised credentials, insider device access, or user‑level deception.
Emerging Threat Landscape
- Targeted Phishing of Project Administrators – Security firm SlowMist dissected a campaign that distributed counterfeit versions of token‑vesting tools. By luring project operators into authenticating the fake interface, attackers harvested contract‑admin privileges.
- Social‑Engineering “Pig‑Butchering” Scams – The U.S. Department of Justice announced the seizure of more than $61 million tied to a sophisticated investment‑fraud operation. Blockchain tracing was essential in identifying and forfeiting the proceeds.
- Operational Oversights – The South Korean case underscores how a single accidental exposure (a photo containing a seed phrase) can open a multi‑million‑dollar breach, highlighting the importance of data‑handling policies at both individual and organizational levels.
Collectively, these examples point to human behavior and procedural lapses as the current weak points, rather than inherent flaws in the underlying blockchains.
Analysis
- Technical Improvements Pay Off – The steep decline from $385 million to $49 million suggests that many smart‑contract vulnerabilities that previously fueled large exploits are being identified and patched faster, thanks to rigorous audits and bug‑bounty incentives.
- Attackers Adapt Quickly – As code‑level entry points become scarcer, threat actors pivot to the “human layer.” Phishing, credential theft, and social engineering require far less technical sophistication but can yield comparable payouts when successful.
- Risk Concentration in High‑Value Custodial Roles – The Step Finance incident demonstrates that compromising a handful of privileged accounts can cascade into massive asset loss. Multi‑factor authentication, hardware security modules, and strict key‑management protocols are now critical defensive controls.
- Regulatory and Law‑Enforcement Momentum – Seizures and investigations by agencies in the United States and South Korea signal rising pressure on illicit actors. While enforcement alone will not eliminate social‑engineering scams, it raises the cost of operating large‑scale fraud networks.
Key Takeaways
- Prioritise Account Security – Deploy hardware wallets, enforce MFA, and segment privileged keys to limit the blast radius of a single compromised credential.
- Educate Teams and Users – Continuous phishing awareness training and simulated attacks can reduce the success rate of credential‑harvesting campaigns.
- Implement Transaction Safeguards – Use whitelists, time‑locked approvals, and transaction‑preview tools to catch anomalous wallet movements before they are broadcast.
- Strengthen Operational Hygiene – Avoid sharing screenshots or documents that contain private keys or seed phrases; adopt clean‑room policies for sensitive information.
- Monitor for Social‑Engineering Indicators – Look for unusual communication patterns with project administrators, especially around token‑vesting or contract‑upgrade processes.
- Stay Informed on Legal Developments – Follow enforcement actions to understand emerging tactics used by fraudsters and adapt compliance and reporting frameworks accordingly.
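The whitelist and approval safeguards above, applied to the address‑poisoning scams listed in the incident table, can be sketched as a pre‑signing check. This is an added example, not code from the Nominis report or the source article; it assumes EVM‑style hex addresses, and the allowlist entries, labels, and function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample allowlist: hypothetical labels and addresses, not real wallets.
ALLOWLIST = {
    "treasury": "0x7a3f9c2b1d4e5f60718293a4b5c6d7e8f9012345",
    "payroll": "0x1b2c3d4e5f60718293a4b5c6d7e8f90123456789",
}


@dataclass
class Verdict:
    action: str  # "allow", "hold" or "block"
    reason: str


def _norm(addr: str) -> str:
    """Lower-case and drop the 0x prefix so comparisons ignore checksum casing."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a


def check_destination(dest: str, allowlist=ALLOWLIST, edge: int = 4) -> Verdict:
    """Screen a destination address before the transaction is signed."""
    d = _norm(dest)
    known = {_norm(a): label for label, a in allowlist.items()}
    if d in known:
        return Verdict("allow", f"exact match for '{known[d]}'")
    for a, label in known.items():
        # Poisoned addresses mimic the leading and trailing characters that a
        # truncated wallet display shows, while the middle differs.
        if len(d) == len(a) and d[:edge] == a[:edge] and d[-edge:] == a[-edge:]:
            return Verdict("block", f"look-alike of '{label}': same first/last "
                                    f"{edge} characters, different middle")
    # Unknown but not a look-alike: do not reject, but require a delay and review.
    return Verdict("hold", "not on allowlist; route to time-locked second approval")


if __name__ == "__main__":
    samples = [
        ALLOWLIST["treasury"],            # exact match
        "0x7a3f" + "0" * 32 + "2345",     # constructed look-alike of treasury
        "0x" + "ab" * 20,                 # constructed unknown address
    ]
    for s in samples:
        v = check_destination(s)
        print(f"{s}  ->  {v.action}: {v.reason}")
```

Comparing the full address rather than its visible ends is the point: the look‑alike is blocked even though a truncated display would render it identically to the treasury entry.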
Conclusion
February’s statistics reveal a two‑fold narrative: on the one hand, the crypto ecosystem is becoming technically sturdier, as evidenced by the sharp dip in monetary losses. On the other, human-centric attack vectors are now the primary threat, demanding heightened vigilance, robust key‑management practices, and ongoing education across the industry. Stakeholders that invest in these protective layers will be best positioned to safeguard assets as the threat landscape continues to evolve.
Source: https://cryptopotato.com/report-crypto-losses-drop-87-in-february-but-hackers-are-now-targeting-people-not-code/


















