$400M Gone in January: Crypto Hacks Are Getting Personal
A single phishing victim lost $284M. Truebit drained $26.5M through a bonding curve exploit. North Korea doubled its pace. The 2026 hack landscape is already brutal.
January 2026 saw $400 million stolen.
One month.
The most disturbing part? The single biggest loss wasn't a protocol hack. It was one person who picked up the phone.
The $284 million phone call
On January 16, a single investor lost $284 million to a phishing campaign.
Not a smart contract exploit. Not a flash loan attack. A phone call.
The attacker impersonated Trezor customer support. The victim - a hardware wallet user who thought they were doing everything right - revealed their recovery seed phrase.
That's it. One conversation. Nine figures.
CertiK called it the "singular, devastating social engineering scam" that defined January 2026.
The lesson is painful: hardware wallets protect your keys from software attacks. They don't protect you from yourself.
Truebit - the first major DeFi hack of 2026
Date: January 9, 2026
Loss: $26.5 million
What happened:
The attacker found a vulnerability in Truebit's smart contract pricing logic that allowed them to mint TRU tokens at zero cost.
The exploit was elegant and brutal:
- Mint TRU tokens for free (broken pricing logic)
- Sell tokens into the protocol's bonding curve
- Drain ETH reserves
- Repeat
The rapid buy-sell cycle emptied the protocol's reserves. TRU token value dropped almost 100% within hours.
The takeaway:
Bonding curve contracts need rigorous validation. The ability to mint at zero cost means the pricing function had no floor check - a basic logic error that cost $26.5 million.
IoTeX - disputed damages
Date: February 21, 2026
Official loss: $2 million (IoTeX's claim)
Analyst estimate: $4.3 million (on-chain data)
The attacker drained multiple assets: USDC, USDT, IOTX, PAYG, WBTC, BUSD.
On-chain analyst Specter suggested IoTeX's private key may have been compromised - pointing to an operational security failure rather than a code vulnerability.
IoTeX disputed the higher loss figure and promised security upgrades within 48 hours.
The pattern: Private key compromises continue to dominate. It's not about smart contract code anymore - it's about who holds the keys and how they're stored.
North Korea doubled its pace
Elliptic's research shows that in January 2026 alone, North Korean hackers executed twice as many exploits as in January 2025.
Combined gains from two campaigns:
- DangerousPassword campaign
- Contagious Interview campaign
- Total: $37.5 million in January 2026
Social engineering remains the primary attack vector. The technical sophistication is there, but the initial compromise is overwhelmingly human.
The Bybit exploit anniversary (February 21) serves as a reminder: that single $1.46 billion theft in February 2025 still echoes through the industry.
The 2025 context
TRM Labs' 2026 Crypto Crime Report puts it in perspective:
2025 totals:
- $2.87 billion stolen across ~150 hacks
- Infrastructure attacks drove $2.2 billion (76%) across just 45 incidents
- The Bybit breach alone was $1.46 billion (51% of all 2025 theft)
The trend:
Fewer incidents, bigger payouts. Attackers are getting more selective and more effective.
What's actually changed in 2026
The attack mix shifted further:
| Attack Type | Trend |
|-------------|-------|
| Smart contract exploits | Declining (better audits) |
| Social engineering/phishing | Increasing (dominant) |
| Private key compromise | Steady (still #1 by value) |
| Supply chain attacks | Increasing |
| Oracle manipulation | Steady |
Translation: Code is getting harder to exploit. People are not.
The $284 million phishing loss vs Truebit's $26.5 million code exploit tells the story. Social engineering pays 10x more than finding bugs.
Defense priorities for 2026
Based on where the money is actually going:
Priority 1: People (biggest risk)
- Never share seed phrases with anyone, ever
- Verify support contacts through official channels only
- Train teams on social engineering tactics
- Assume every unsolicited contact is an attack
Priority 2: Key management
- Multi-sig for anything above $100K
- Hardware security modules for institutional holdings
- Regular key rotation
- Separation of hot and cold storage
Priority 3: Code (improving but still matters)
- Audit bonding curves and pricing logic especially
- Test for zero-cost minting scenarios
- Validate all input parameters have reasonable bounds
- Multiple independent audits before launch
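An added example, not from the original article and not Truebit's code: an invariant test for the zero-cost minting and input-bounds checks listed above, run against a toy integer bonding curve. All constants and names are assumptions, and the weak form's round-down pricing is a constructed stand-in for the broken pricing logic, which the article does not detail.

```python
# Constructed toy model, not Truebit's contract: price(s) = SLOPE * s / SCALE wei per token.
SLOPE, SCALE, MAX_MINT = 3, 10**6, 10**12   # all constants are assumptions

def area(lo, hi, round_up):
    """Integer integral of the price from supply lo to hi, with an explicit rounding direction."""
    num, den = SLOPE * (hi * hi - lo * lo), 2 * SCALE
    return -(-num // den) if round_up else num // den

class Curve:
    def __init__(self, hardened):
        self.hardened, self.supply, self.reserve = hardened, 0, 0

    def mint(self, amount):
        if self.hardened and not 0 < amount <= MAX_MINT:
            raise ValueError("mint amount out of bounds")
        # Weak form rounds the buyer's cost down, so a small mint can cost 0 wei.
        cost = area(self.supply, self.supply + amount, round_up=self.hardened)
        if self.hardened and cost == 0:
            raise ValueError("zero-cost mint rejected")   # explicit price floor
        self.supply += amount
        self.reserve += cost
        return cost

    def sell(self, amount):
        if not 0 < amount <= self.supply:
            raise ValueError("sell amount out of bounds")
        payout = area(self.supply - amount, self.supply, round_up=False)  # seller rounds down
        self.supply -= amount
        self.reserve -= payout
        return payout

def check_invariants(hardened, small_mints=1000):
    """Run many 1-token mints and one sell; return the set of invariants that broke."""
    curve, broken, paid = Curve(hardened), set(), 0
    curve.mint(100_000)                      # constructed deposit that funds the reserve
    for _ in range(small_mints):
        cost = curve.mint(1)
        paid += cost
        if cost == 0:
            broken.add("zero-cost mint")
    payout = curve.sell(small_mints)
    if payout > paid:
        broken.add("round-trip profit")
    if curve.reserve < area(0, curve.supply, round_up=False):
        broken.add("reserve below backing")
    return broken

if __name__ == "__main__":
    print("weak:    ", sorted(check_invariants(hardened=False)))
    print("hardened:", sorted(check_invariants(hardened=True)))
```

The three invariants (no mint costs zero, no mint-then-sell round trip pays out more than was paid in, reserve always covers the outstanding supply) are the properties to carry into a fuzz or invariant suite for the real contract.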
Bottom line
$400 million stolen in one month. The biggest single loss was social engineering, not code.
The 2026 hack landscape confirms what 2025 suggested: the attack surface moved from smart contracts to humans.
Hardware wallets, cold storage, audits - all necessary but not sufficient.
The weakest link in your security is still you.