TLDR
- DefiLlama recorded $168.6M stolen from 34 DeFi protocols in Q1 2026.
- Step Finance lost $40M in January after a private key compromise.
- Truebit lost $26.4M in Ether on Jan. 8 through smart contract manipulation.
- Resolv Labs faced the quarter’s third-largest DeFi exploit on March 21.
- Q1 2025 thefts hit $1.58B, but the Bybit exploit drove most of that total.
Crypto hackers stole $168.6 million from 34 DeFi protocols in the first quarter of 2026, DefiLlama data shows. The total was far below the same period last year, yet major losses still hit the sector. Step Finance led the quarter after a private key compromise triggered a $40 million breach.
Q1 DeFi thefts fall from 2025 spike
DefiLlama data showed 34 separate DeFi protocols lost funds during the quarter. The combined theft reached $168.6 million across January, February and March. Most cases were smaller, but the combined toll stayed high. Even so, the total was far below that of the first quarter of 2025.
Last year’s figure reached $1.58 billion, and most of it came from the Bybit exploit. That single attack accounted for about $1.4 billion. As a result, year-on-year comparisons remain heavily shaped by one event. Without that case, the gap between periods would be narrower.
Kraken chief security officer Nick Percoco said attacks do not follow fixed calendar patterns. He said threat activity usually rises during bull markets and product launches. “Bull markets, major product launches and fast-moving growth phases all create more attractive conditions for attackers,” he said. He added that security work must stay constant in every market.
Step Finance leads the quarter’s biggest losses
January brought the largest DeFi exploit of the quarter. Step Finance lost $40 million after a private key compromise. The attack became the biggest reported DeFi loss in Q1. Private key failures remained a common cause of losses.
Truebit suffered the second-largest exploit on Jan. 8. Attackers used smart contract manipulation to drain $26.4 million in Ether. The theft came just days after the quarter began. The case showed that code weaknesses still create major losses.
Resolv Labs recorded the third-largest attack on March 21. That incident was also linked to a private key compromise. The pattern kept private key security in focus throughout the quarter. It reinforced a risk already seen in other crypto breaches.
Attackers follow value and weak controls
Percoco said threat actors follow areas where liquidity builds fastest. He said fast growth can bring new systems and fresh risks. That mix can create easy openings for attackers. “More value is at stake, and new infrastructure can introduce risk,” he said.
He described the threat landscape as broad and changing. It includes coordinated groups, criminal networks and opportunistic hackers. Many study code, access controls and staff behavior before attacking. Some attackers are highly skilled, while others exploit exposed mistakes.
Percoco also said crypto’s transparency can help attackers spot weak points. Large pools of value remain the most attractive targets. That keeps both technical and operational security under pressure. For DeFi teams, tighter key management and code checks remain basic defenses.





