February 2026 was the quietest month for crypto hacks since March 2025. Depending on which security firm you ask, total losses ranged from $26.5 million (PeckShield) to $49.3 million (Nominis), down from $385 million in January. Year over year, the drop is even steeper: PeckShield pegs it at 98.2% below February 2025, a month that included the $1.5 billion Bybit breach.
The headline number looks like progress. The detail underneath it does not. Social engineering attacks, phishing, address poisoning, and authorization abuse caused more cumulative damage than smart contract exploits. Hackers did not get less ambitious. They changed targets.
The Code Held, the Users Did Not
Across 15 major incidents tracked by PeckShield in February, the five largest protocol-level hacks accounted for the bulk of losses: YieldBlox DAO ($10 million), IoTeX's ioTube bridge ($8.8 million, a private key compromise), CrossCurve ($4.95 million), FOOM Cash ($2.26 million), and Moonwell ($1.8 million). Together, these five made up 98% of PeckShield's $26.5 million total.
The gap between PeckShield's figure and Nominis's $49.3 million comes largely from how each firm classifies phishing and individual wallet drains. Nominis includes authorization abuse, where a user unknowingly signs a malicious transaction that grants an attacker full wallet access, as part of its loss tally. PeckShield focuses on protocol-level breaches.
That methodological difference is the story. When you count only code exploits, February was historically quiet. When you count what actually happened to people, the picture changes.
Authorization Abuse Is the New Exploit
Address poisoning attacks hit record frequency in February despite the lower dollar totals. The technique is simple: an attacker sends a tiny transaction from a wallet address that closely mimics one the victim has used before. When the victim copies that address from their transaction history for their next transfer, the funds go to the attacker.
Phishing-related losses exceeded $300 million in January alone, according to data cited by AMBCrypto. February's phishing numbers were lower in absolute terms but represented a larger share of the month's total damage. CertiK flagged approximately $8.5 million in phishing-specific incidents for February.
The broader pattern: as DeFi protocols mature and audit coverage improves, the weakest link in the chain has shifted from Solidity code to the person sitting at the keyboard. Wallet security now depends less on whether the smart contract is sound and more on whether the user can distinguish a legitimate approval request from a fraudulent one.
Why the Year-Over-Year Comparison Is Misleading
February 2025's $1.5 billion figure was almost entirely the Bybit hack, a single catastrophic event that skewed the entire month. Stripping Bybit out, February 2025 losses were roughly in line with a normal month. The 98.2% year-over-year decline says more about Bybit's outlier status than about structural improvement.
The more useful comparison is month over month. January 2026 saw 16 hacks totaling $86 million (PeckShield) to $385 million (broader estimates including phishing). The Step Finance breach alone accounted for $28.9 million in January. February had no single incident above $10 million.
That is genuine improvement, but it is the kind that resets with one bad week. A single bridge exploit or exchange compromise can erase months of declining loss charts overnight.
What This Means for Card and Wallet Users
For anyone using a crypto card loaded from a hot wallet, the shift from code exploits to social engineering changes the threat model. Your card issuer's smart contracts might be audited and secure. The bridge you use to fund your balance might have no known vulnerabilities. But if you approve a malicious token permission while managing your wallet, your balance drains before the card issuer can intervene.
Practical defenses that actually work against this wave:
- Revoke old token approvals. Tools like Revoke.cash let you see and cancel permissions you have granted to contracts. If you funded a card wallet six months ago through a DeFi protocol, check what approvals are still active.
- Never copy addresses from transaction history. Type them manually or use a verified address book. Address poisoning exploits the copy-paste habit specifically.
- Use hardware wallets for storage, hot wallets only for spending. The amount you keep in a self-custody card wallet should be what you can afford to lose, not your entire portfolio.
- Verify approval prompts. If your wallet asks you to approve an unlimited token spend for a contract you do not recognize, reject it. Legitimate dApps request specific amounts.
Overview
Crypto hack losses fell 87% month over month and 98% year over year in February 2026, hitting the lowest level since March 2025. But the decline in protocol-level exploits has been offset by a rise in social engineering, phishing, and authorization abuse targeting individual users. PeckShield counted $26.5 million across 15 incidents. Nominis, which includes phishing and wallet drains, counted $49.3 million. Address poisoning attacks reached record frequency. The code is getting harder to break. The humans using it are not.
