Crypto hackers stole over $168.6 million in cryptocurrency from 34 decentralized finance (DeFi) protocols in the first quarter of 2026, falling significantly from the same period last year, according to data from DefiLlama. 

The $40 million private key compromise of Step Finance in January was the largest exploit of the quarter, the data shows, followed by a smart contract manipulation that drained $26.4 million in ether 

ETH$2,064from Truebit on Jan. 8. The third-largest was a private key compromise targeting stablecoin issuer Resolv Labs on March 21.

The quarterly figure is low given that the industry saw $1.58 billion stolen in the first quarter of 2025, with the bulk coming from the $1.4 billion Bybit exploit. However, experts warn that crypto hacks aren’t tied to specific periods within a year.

Hackers are more active when industry is booming

Nick Percoco, the chief security officer at crypto exchange Kraken, told Cointelegraph that cybercriminal activity in crypto tends to rise around market and event-driven cycles rather than fixed periods.

Threat actors are also drawn to areas where liquidity is concentrated, meaning attack spikes often follow wherever value is accumulating fastest, according to Percoco.

“Bull markets, major product launches and fast-moving growth phases all create more attractive conditions for attackers because more value is at stake and new infrastructure can introduce risk,” he said.  

“That said, attacks are not confined to just these periods. Vulnerabilities can be exploited in any market environment, particularly in complex or rapidly evolving systems, underlining that security in crypto must be continuous.”

Crypto attackers are a “broad and evolving mix”

North Korea-linked actors have been a persistent threat to crypto investors and Web3-native companies alike. 

Hackers affiliated with the organization have been suspected of numerous attacks, including the Wednesday attack on Drift Protocol, a decentralized cryptocurrency exchange that lost an estimated $285 million to a private key leak.

Percoco said the threat landscape is a mix of actors with different levels of sophistication, highly coordinated groups targeting core infrastructure, organized cybercriminal networks and opportunistic hackers scanning for weaknesses in smart contracts and client-facing systems.

“It is a broad and evolving mix, but they are ultimately targeting the same thing: global, liquid and accessible value. Targeting is rarely purely random. In many cases, attackers are deliberate in how they assess infrastructure, code, access controls and even human behavior,” he said.

“At the same time, crypto’s transparency makes it easier for opportunistic actors to spot weaknesses as they emerge. The most attractive targets tend to be those combining large concentrations of value, technical complexity and gaps in operational security.”

Security experts previously told Cointelegraph that 2026 would likely see an increase in sophisticated credential theft, social engineering, and AI-powered attacks.