Q1 DeFi Hackers Stole $169M Across 34 Protocols, DefiLlama

The first quarter of 2026 saw crypto hackers siphon more than $168.6 million from 34 DeFi protocols, according to DefiLlama’s quarterly tally. The figure marks a sharp decline from the same window in 2025, which recorded roughly $1.58 billion in losses, largely driven by a $1.4 billion breach at Bybit.

Notable incidents in Q1 2026 included a $40 million private-key compromise at Step Finance in January, a $26.4 million ether drain from Truebit caused by a smart contract manipulation on January 8, and a March 21 private-key attack targeting stablecoin issuer Resolv Labs. DefiLlama notes that even a handful of high-value hacks can shape quarterly totals, underscoring the ongoing risk landscape in DeFi security.

Key takeaways

• DefiLlama records $168.6 million stolen across 34 DeFi protocols in Q1 2026, signaling a quieter quarter for hacks compared with 2025.
• The largest single incident was Step Finance’s $40 million private-key compromise in January.
• Bybit’s $1.4 billion breach in Q1 2025 dwarfed this quarter’s tally, illustrating how a few mega-hacks can skew year-over-year comparisons.
• Security experts caution that cyber threats in crypto correlate with market cycles and liquidity concentration, not with calendar quarters, emphasizing the need for continuous defense.

DefiLlama tally and incident snapshots

DefiLlama’s dataset highlights 34 security breaches across DeFi protocols in the first three months of 2026, totaling about $168.6 million in stolen funds. The quarter’s largest incident was Step Finance’s $40 million private-key compromise in January, followed by a $26.4 million Ethereum loss from a Truebit vulnerability on January 8. A third notable case involved a private-key breach targeting Resolv Labs, a stablecoin issuer, on March 21. The concentration of losses around a few high-value breaches demonstrates how theDeFi security landscape can be shaped by a small number of outsized events even as total losses remain lower than a year earlier. For context on the data source, see DefiLlama’s hack tracker at DefiLlama hacks.

Attacker incentives rise with liquidity and market activity

Analysts point to market dynamics as a core driver of cybercrime activity in crypto. Nick Percoco, chief security officer at Kraken, told Cointelegraph that threat actors tend to intensify during market cycles and around major product launches, when more liquidity and value are at stake.

The takeaway is clear: as long as liquidity concentrates and new tech enters the ecosystem, attackers will adapt. The industry’s challenge is sustaining rigorous security practices across evolving platforms and infrastructures.

Threat actors and the evolving risk landscape

North Korea-linked actors have long been a persistent threat to crypto investors and Web3-native companies. Attacks attributed to these groups have grown in visibility, including a high-profile Drift Protocol incident described as involving a private-key leak that led to an estimated $285 million in losses. Security experts describe the current threat landscape as a broad and evolving mix—ranging from highly coordinated groups targeting core infrastructure to opportunistic hackers scanning for weaknesses in smart contracts and client-facing systems.

As one industry voice summarized, “the most attractive targets tend to be those combining large concentrations of value, technical complexity and gaps in operational security.” The transparency of crypto networks can also aid opportunistic attackers in spotting emerging weaknesses, underscoring the need for vigilant, ongoing security measures. In tandem with these dynamics, researchers have warned that 2026 could see more credential theft, social engineering, and AI-powered attacks, elevating the overall risk profile for users, builders, and investors alike. A related Immunefi security report notes that hacked tokens often suffer substantial price declines and rarely recover, highlighting the lasting impact of breaches. See the related piece here: Hacked crypto tokens drop 61% on average and rarely recover, Immunefi report says.

As Q1 2026 closes, the industry faces a critical test: can security teams keep pace with rapid innovation and increasing attack surface, or will the trend towards bigger, more sophisticated exploits outpace defenders?

Readers should watch for ongoing upgrades in key management, more robust credential protection, and collaborative threat intelligence efforts across exchanges and projects as the market moves forward. The evolving threat landscape will continue to shape risk assessments, investment decisions, and security priorities in the months ahead.

This article was originally published as Q1 DeFi Hackers Stole $169M Across 34 Protocols, DefiLlama on Crypto Breaking News – your trusted source for crypto news, Bitcoin news, and blockchain updates.