In a sobering start to the year, the cryptocurrency sector saw a staggering $370.3 million lost to hacks, exploits, and scams in January 2026.
According to the latest data from blockchain security firm CertiK, this figure represents a 277% increase compared to January 2025. While the number of incidents remained relatively steady at around 40, the severity of individual attacks spiked, marking the highest monthly loss total in nearly a year.
The Anatomy of January’s Losses
The surge was largely driven by sophisticated social engineering and phishing campaigns rather than direct code exploits, proving that the “human element” remains the most vulnerable link in the chain.
Social Engineering Giant: A single, massive social engineering scam accounted for roughly $284 million of the total losses—nearly 77% of the entire month’s stolen value.
Phishing Dominance: Phishing attacks alone were responsible for $311.3 million in total theft, as scammers utilized urgent messaging and “drainer” scripts to trick users into signing malicious transactions.
Smart Contract Exploits: While secondary to phishing, technical flaws still took a toll. The Truebit protocol suffered a $26.4 million loss on January 8 due to a minting flaw, while Step Finance lost $28.9 million after attackers breached several treasury wallets.
Emerging Threat: Address Poisoning
A particularly insidious trend identified by Citi analysts in early 2026 is the rise of “address poisoning” (or spoofing) campaigns.
The Tactic: Scammers use software to generate “vanity addresses” that match the first and last few characters of a victim’s real wallet address. They then send a tiny, unsolicited amount of crypto to the victim.
The Trap: When the victim goes to copy their own address from their recent transaction history for a future trade, they accidentally copy the scammer’s nearly identical address instead.
The Result: Funds are sent directly to the attacker, often with no way to recover them due to the irreversible nature of blockchain transactions.
Crypto Losses: January Year-over-Year
| Period | Total Losses | Primary Threat Type |
| January 2024 | $182 Million | Smart Contract Bugs |
| January 2025 | $98 Million | Protocol Hacks |
| January 2026 | $370.3 Million | Phishing & Social Engineering |
How to Protect Your Assets in 2026
Security experts are urging both retail and institutional investors to move beyond basic passwords and adopt “Zero Trust” principles for their digital assets.
Verify Every Character: Never rely on just the first or last few digits of a wallet address. Check the entire string before hitting “Send.”
Don’t Copy from History: Avoid copying addresses from your recent transaction history. Instead, use a QR code or a Name Service (like ENS) which provides a readable name (e.g.,
yourname.eth).Hardware Wallets: Store significant holdings in cold storage. Use “blind signing” protections on modern hardware wallets to see exactly what a smart contract is requesting before you approve it.
Whitelisting: Enable “Address Whitelisting” on exchanges and wallets. This feature prevents withdrawals to any address that hasn’t been pre-approved and held for a 24-48 hour security period.
“Simple lies and well-crafted messages beat code this time. This spike is a stark reminder that as our technical defenses grow, attackers will pivot to manipulating the person behind the screen.” — CertiK Threat Report, Feb 2026
