Crypto Losses Surge to $370M in January, Phishing Dominates

The total included roughly 40 incidents, with a single social engineering scam accounting for about $284 million of the losses. Phishing attacks were the primary source of theft, responsible for $311.3 million of the total stolen during the month. Separately, cross-chain protocol CrossCurve reported a smart contract exploit of its bridge that resulted in approximately $3 million in losses across multiple networks. 

Crypto Scams and Hacks Jump Sharply

Cryptocurrency-related losses from exploits and scams surged sharply last month, reaching $370.3 million, according to new data from blockchain security firms. This was the highest monthly total in almost a year and a dramatic escalation from the start of 2025. In fact, the figure is a near fourfold increase from January 2025.

Blockchain security firm CertiK said the bulk of the losses stemmed from just one incident. Out of roughly 40 exploit and scam events that were recorded during the month, a single victim lost approximately $284 million in a large-scale social engineering attack.

Phishing scams were by far the most damaging attack vector, and accounted for $311.3 million of the total stolen. The dominance of phishing reflects forms part of a trend in which attackers increasingly exploit human behavior rather than technical vulnerabilities by using impersonation, fake interfaces, and deceptive communications to gain access to private keys or authorize malicious transactions.

The latest numbers were the largest monthly crypto loss total since February of 2025, when attackers stole around $1.5 billion. This figure was largely driven by the $1.4 billion exploit of crypto exchange Bybit, according to CertiK. Compared with more recent periods, the rise is equally stark. January’s losses were more than 277% higher than the $98 million stolen in January 2025 and represented a 214% increase from December, when reported losses totaled $117.8 million.

PeckShield also shared that, beyond phishing and social engineering, several protocol-level exploits also contributed to January’s tally. PeckShield identified the hack of Step Finance as the largest single technical exploit of the month. In that incident, attackers compromised multiple treasury wallets, stealing roughly $28.9 million, including more than 261,000 SOL from the Solana-based decentralized finance portfolio tracker.

The second-largest exploit involved the Truebit protocol, which suffered a $26.4 million attack on Jan. 8 after a smart contract flaw allowed an attacker to mint tokens at almost no cost. This triggered a sharp collapse in the price of the TRU token. PeckShield also mentioned a $13.3 million hack on liquidity provider SwapNet and a $7 million exploit targeting the blockchain protocol Saga.

Despite the surge in total losses, PeckShield explained that January saw 16 hacking incidents in total, with combined losses of $86.01 million from hacks alone. 

CrossCurve Bridge Exploited for $3M

February could see a continuation of January’s record-breaking numbers. Cross-chain protocol CrossCurve confirmed that its bridge infrastructure was exploited in a smart contract attack that resulted in roughly $3 million in losses across multiple blockchain networks. The project disclosed the incident late on Sunday, and warned users to immediately pause all interactions with the protocol while an investigation is underway.

In a post on X, CrossCurve said the exploit stemmed from a vulnerability in one of the smart contracts used by its cross-chain bridge. The team did not initially disclose the full technical details but acknowledged that attackers were able to improperly unlock funds, which led to an emergency response from security partners.

Some more details were shared by Defimon Alerts, an account associated with blockchain security firm Decurity. According to Defimon Alerts, the exploit allowed an attacker to spoof cross-chain messages, bypassing standard gateway validation checks. The vulnerability reportedly enabled anyone to call a specific function on a receiver contract, triggering token unlocks on another contract without proper authorization. The issue affected multiple networks.

The incident also prompted a response from Curve Finance, which has a partnership with CrossCurve. Curve warned users who allocated voting power or liquidity to CrossCurve-related pools to reassess their exposure and consider removing votes if necessary. 

In an effort to recover the stolen funds, CrossCurve CEO Boris Povar publicly appealed to the attacker. Povar shared a list of ten blockchain addresses that he said received funds from the exploit and offered a 10% bounty if the assets were returned within 72 hours. In his message, Povar suggested the exploit may not have been intentional and expressed hope for cooperation to resolve the matter without escalation.

However, he also made clear that failure to return the funds or establish contact in the stated timeframe would lead CrossCurve to treat the incident as malicious.