crypto phishing attack
News

Crypto Phishing Attack Surge Drives $49M February Losses

Rodrigo Minton
Rodrigo Minton
18 March 2026 4 Min Read
17 0

Crypto hacks dropped to $49 million in February. Down 87% from January’s $385 million. But here’s the problem: attackers shifted tactics.

The crypto phishing attack method now dominates. Social engineering caused more damage than smart contract exploits last month, per Nominis monthly security report. Scammers stopped hunting protocol bugs. Started hunting careless users instead.

Not ideal.

Step Finance Lost $30M

One breach accounted for most February losses. Step Finance, a Solana portfolio dashboard, got drained for roughly $30 million. The largest single hit of the month.

That left $19 million spread across smaller attacks. Most targeted individual wallet holders, not exchanges or DeFi protocols. Private users became the prime victim category.

I’ve seen this pattern before. 2019. When hackers realized exploiting humans is easier than exploiting code. Same playbook now.

Authorization Abuse Dominated

The most common attack vector: malicious wallet approvals. Users unknowingly granted permissions that let attackers move funds directly from their accounts. One signature. Entire wallet drained.

The crypto phishing attack typically works like this: user clicks malicious link, connects wallet to fake site, signs what looks like legitimate transaction. Instead, they just approved unlimited token access. Attacker empties the wallet minutes later.

No smart contract bug required. No protocol vulnerability exploited. Just one careless click.

Blockchain security firm PeckShield reported similar findings. Their data showed $26.5 million in February exploits—the lowest monthly total since March 2025. The discrepancy between PeckShield’s $26.5M and Nominis’ $49M comes down to classification differences. What counts as hack vs scam vs rug pull.

Both firms agree on the trend: protocol exploits down, phishing up.

Compare February to January

January saw $385 million stolen. February: $49 million. That’s an 87% month-over-month decline. One month doesn’t make a trend, but the data is clear.

Large-scale protocol breaches went quiet in February. The multi-million-dollar smart contract exploits that defined 2023 and 2024? Absent last month. Instead, attackers ran hundreds of smaller phishing campaigns targeting retail users.

Every past cycle followed similar evolution. Early days: exchange hacks. Middle stage: DeFi protocol exploits. Late stage: phishing and social engineering. We’re entering the late stage.

Why Phishing Works

Smart contract security improved. Audits became standard. Bug bounties hit seven figures. Formal verification tools matured. Exploiting protocols got harder.

Exploiting users? Still easy.

The crypto phishing attack requires no technical sophistication. Fake website. Spoofed social media account. Urgent-sounding message. That’s the entire toolkit. Works on enough people to make it profitable.

Authorization abuse particularly effective because users got trained to connect wallets and sign transactions. Normal Web3 behavior became the attack vector. How do you distinguish legitimate dApp from malicious clone? Most users can’t.

Question is whether the industry builds better wallet UX around permissions. Right now, signing a transaction looks identical whether you’re approving $50 or unlimited access to all tokens.

Bybit’s Defense Numbers

Crypto exchange Bybit recently disclosed its Q4 fraud prevention stats. The platform blocked over $300 million in unauthorized withdrawals during the final three months of last year.

Bybit flagged roughly 350 high-risk fraud addresses. Prevented around 8,000 users from completing potentially fraudulent transactions. Those numbers show scale of the problem—and that detection systems can work when implemented properly.

But Bybit operates centralized infrastructure with KYC. They can freeze withdrawals and reverse suspicious activity. Decentralized wallets? No such safety net. Once you sign that malicious approval, funds are gone.

For now, centralized exchanges offer better protection against phishing than self-custody. Uncomfortable truth for the decentralization maximalists.

Broader Context: $3.4B Lost in 2024

February’s $49 million looks small against the annual picture. Chainalysis data showed $3.4 billion in cumulative crypto hack losses last year. That’s the entire industry bleeding nearly $300 million monthly on average.

The February drop doesn’t erase the structural problem. Crypto remains high-value target with mixed security maturity. Some protocols run military-grade security. Others deploy unaudited contracts with admin keys held by anonymous devs.

Attackers go where the money is easiest. Right now, that’s user wallets via the crypto phishing attack, not protocol treasuries via smart contract exploits.

Private individuals hold billions in crypto across thousands of self-custody wallets. Most lack security expertise. Many reuse passwords, click suspicious links, don’t verify contract addresses before signing. Perfect target demographic.

What Changed in February

Two factors likely drove the decline. First, January’s $385 million included several large protocol hacks that didn’t repeat in February. Attackers need time to find new vulnerabilities after major exploits get patched.

Second, improved security practices across major protocols. PeckShield cited stronger risk controls and better monitoring. More projects now use multi-sig wallets, timelocks on upgrades, formal audits before mainnet deployment.

The data shows protocol defense improving. User defense? Not so much. Which explains the tactical shift to phishing.

Similar pattern played out in traditional finance. Once banks hardened infrastructure against direct attacks, criminals pivoted to phishing customers. Same evolution happening in crypto, just faster.

What’s Next

Short term: expect more phishing campaigns. The crypto phishing attack delivers better risk-adjusted returns than hunting smart contract bugs. Lower technical barrier, harder to trace, victims less likely to report.

Medium term: wallet providers need better permission management. Revoking approvals should be simple. Warning systems for suspicious contracts should be standard. Most wallets still treat this as optional feature.

Long term: either user education improves or losses accelerate. Every newcomer to crypto is potential phishing victim. The industry onboards millions with minimal security training.

Leverage kills in trading. Carelessness kills in security. February proved that second part.

Next month’s numbers drop mid-April. Watch whether phishing continues dominating attack methods.

Share Article

Rodrigo Minton

Rodrigo Minton

Rodrigo Minton is a cryptocurrency analyst and blockchain technology writer. Having followed the digital asset space since the early days of Bitcoin, he specializes in breaking down crypto market trends, DeFi innovations, and regulatory developments. Rodrigo's passion lies in making blockchain technology accessible to mainstream audiences while maintaining technical accuracy. His work focuses on identifying emerging projects, analyzing token economics, and exploring the intersection of traditional finance and digital assets. Outside of crypto, Rodrigo is an avid traveler and amateur photographer.

  • bitcoinBitcoin (BTC) $ 74,186.00 0.01%
  • ethereumEthereum (ETH) $ 2,330.19 0.54%
  • tetherTether (USDT) $ 1.00 0.02%
  • xrpXRP (XRP) $ 1.52 0.55%
  • bnbBNB (BNB) $ 674.85 0.16%
  • usd-coinUSDC (USDC) $ 0.999855 0.01%
  • solanaSolana (SOL) $ 94.31 0.07%
  • tronTRON (TRX) $ 0.302397 0.55%
  • staked-etherLido Staked Ether (STETH) $ 2,265.05 3.46%
  • cardanoCardano (ADA) $ 0.289600 1.29%
  • avalanche-2Avalanche (AVAX) $ 10.26 0.13%
  • the-open-networkToncoin (TON) $ 1.34 0.38%