Hackers stole $168.6 million from 34 decentralized finance protocols in Q1 2026, a significant drop from the same period in 2025 according to DefiLlama data. The largest incident was a $40 million private key compromise at Step Finance, followed by a $26.4 million smart contract exploit at Truebit. Experts warn that attack cycles are tied to market activity and concentrated liquidity, not specific calendar periods.
Crypto hackers stole over $168.6 million from 34 decentralized finance protocols in the first quarter of 2026. This figure falls significantly from the $1.58 billion stolen in the same period last year, which was heavily influenced by a single massive exploit.
The $40 million private key compromise of Step Finance in January was the quarter’s largest incident. A smart contract manipulation draining $26.4 million from Truebit and a private key attack on stablecoin issuer Resolv Labs were the next largest exploits.
Nick Percoco, chief security officer at crypto exchange Kraken, stated that cybercriminal activity tends to rise around market and event-driven cycles. He explained that threat actors are drawn to areas where liquidity is concentrated, making bull markets and major launches particularly attractive.
“Bull markets, major product launches and fast-moving growth phases all create more attractive conditions for attackers because more value is at stake and new infrastructure can introduce risk,” Percoco said. “That said, attacks are not confined to just these periods.”
The threat landscape is described as a broad and evolving mix of actors. This includes highly coordinated groups, organized cybercriminal networks, and opportunistic hackers scanning for weaknesses.
“It is a broad and evolving mix, but they are ultimately targeting the same thing: global, liquid and accessible value,” Percoco noted. “The most attractive targets tend to be those combining large concentrations of value, technical complexity and gaps in operational security.”
