Blockchain security firm PeckShield said that crypto hack and scam losses in February 2026 totaled about $26.5 million across 15 incidents, the lowest monthly figure since March 2025. On the surface, that’s a relief-print for the industry, but the more important signal is what changed in the risk mix: fewer mega events, more concentrated, targeted losses.
PeckShield’s data also frames the drop as dramatic in both directions: a 98.2% year-on-year decline versus February 2025 and a 69.2% month-on-month decline versus January 2026. Those headline deltas imply the absence of a single “catastrophic” exploit and a lower aggregate theft level across protocols, not a disappearance of threat activity.
#PeckShieldAlert In Feb. 2026, the crypto space saw 15 main hacks totaling $26.5M, representing a 98.2% YoY decrease compared to Feb. 2025 ($1.5B, including the $1.4B #Bybit drain) and a notable 69.2% MoM decrease from Jan. 2026 ($86.01M in losses).#Top5 Hacks :… pic.twitter.com/Svp7SZWp5w
— PeckShieldAlert (@PeckShieldAlert) March 1, 2026
What drove the February total
PeckShield recorded $26.5 million in stolen funds across 15 reported incidents, contrasting it with roughly $1.5 billion in February 2025, which was dominated by a single mega-exploit. That comparison is a reminder that monthly totals can be shaped more by one outlier than by a broad change in attacker capability. February 2026 simply did not have a comparable mega event, and overall losses stayed smaller across the board.
Two incidents made up a large share of the month. YieldBlox was hit for roughly $10 million via an oracle price manipulation against a DAO-managed lending pool, and IoTeX saw about $8.9 million lost in a compromise PeckShield attributed to a private-key breach, noting IoTeX initially reported a smaller figure. The pattern here is important: one event is a market-structure exploit (oracle manipulation), the other is a pure control failure (private-key compromise).
Why “lower losses” doesn’t mean “lower risk”
PeckShield also highlighted that phishing and social engineering remain persistent even as smart-contract exploits appear to be declining. The report attributes some of the reduction to improved protocol security practices, citing more frequent audits, formal verification, real-time monitoring, and automated vulnerability scanning. In other words, the industry may be getting better at hardening code paths, but attackers are still finding high-impact routes through keys, humans, and weak operational hygiene.
That’s consistent with the counterparty lens institutions use. Dominick John of Kronos Research was quoted saying that “capital is becoming more discerning, favoring protocols with robust security frameworks.” The institutional translation is simple: security posture is increasingly a gating variable for allocation, custody acceptance, and partner integration, not just a best practice.
For compliance teams, the key insight is distributional, not just numerical. When losses shift from “one mega breach” toward targeted private-key failures and oracle attacks, AML monitoring has to align more tightly with operational security controls and forensic traceability. Fewer big hacks can reduce immediate headline pressure, but it can also hide a more uncomfortable reality: compromises that look “small” at the market level can still be existential at the treasury or protocol level.
What treasuries, custodians, and VASPs should take away
Lower monthly theft totals may improve insurer appetite and reduce some counterparty friction, but they don’t remove jurisdictional or operational risk. If you want these lower numbers to translate into durable risk reduction, the work is still the same: segregated custody, rigorous private-key lifecycle management, and audit trails that hold up under forensic review. The month’s data is best treated as a signal to keep tightening standards—especially around keys and human-factor vectors—rather than as proof the threat environment has cooled.
