Security upgrades are making it harder to break crypto code, so criminals are changing tactics. Instead of attacking protocols, hackers are now focusing on people through crypto phishing attacks and wallet permission scams.
The number sounds like a victory lap: total crypto losses dropped to roughly $49 million in February, down from a staggering $385 million in January. But if you look closer, the criminals didn’t take the month off. They just stopped attacking the machines and started attacking the people using them.
For the first time in years, the biggest threat to your crypto isn’t a flaw in the code. It’s a fake text message, a lookalike website, or a request to “just sign this quick transaction.”
The stealing just looks different now
Let’s talk about what actually happened last month. According to security firms tracking the mayhem, the crypto industry lost about $49.3 million in February. That is an 87% drop from January. On paper, it looks like the good guys finally got their act together.
And in some ways, they did. Exchanges like Bybit quietly blocked more than $300 million in fraudulent withdrawal attempts in just the final months of 2025. Smart contract audits are getting better. Protocols are watching their own code like hawks.
But here is the part that should worry you: the criminals didn’t pack up and go home. They just changed their target. Instead of trying to break into a heavily guarded bank vault, they started following the bank manager home and asking for the keys.
The one attack that skewed everything
Almost two-thirds of February’s losses came from a single incident. Step Finance, a platform built on Solana, lost about $30 million.
Here is what makes that attack different from the hacks you are used to reading about.
Nobody exploited a bug in the code. Attackers compromised devices belonging to company executives. They went after the humans, not the software. Once they had access to those personal devices, they had access to the treasury.
If you strip that one event out of the numbers, February would have been the quietest month in nearly a year. PeckShield, a blockchain security company, put total February losses even lower at $26.5 million, the smallest monthly figure since March 2025.
Why hackers stopped hacking code
There is a reason criminals are shifting tactics. Breaking into protocols got too hard. Think about it this way. A few years ago, DeFi protocols were the Wild West. Coders rushed projects to market, and hackers found loopholes everywhere.
Today, most major protocols run through multiple audits. They have bug bounty programs where white hat hackers get paid to find flaws before the bad guys do. Exchanges built monitoring systems that flag suspicious transactions in real time.
One major exchange reported stopping more than $300 million in fraudulent withdrawals during late 2025. That is a massive number. It means the gates are getting stronger. So, criminals asked themselves a simple question. Why keep trying to break down a reinforced door when the people with the keys will open it for you if you ask nicely?
The new playbook: Crypto phishing attacks and wallet approval scams
Here is what February’s crypto phishing attacks landscape actually looked like. Security researchers saw a sharp climb in phishing campaigns. Fake messages flooded Discord servers, email inboxes, and Twitter DMs. The goal is simple: get you to click a link and sign a transaction you shouldn’t.
The most effective method right now is called authorization abuse. Here is how it works. A scammer sends you to a fake website that looks exactly like a real exchange or NFT marketplace. You connect your wallet. The site asks you to sign what looks like a routine approval. Once you do, you have just given the attacker permission to drain your wallet whenever they want.
You walk away thinking everything is fine. Meanwhile, the criminal now holds the keys to your money. Security firms say private individuals suffered the most from these attacks in February, not big exchanges or protocols.
The tricks are getting scary good
Let me walk you through some of what researchers are seeing, because the creativity is alarming. There is something called address poisoning. Attackers create a wallet address that looks almost identical to one you have transacted with before. They send you a tiny, worthless transaction just so their fake address appears in your transaction history.
Later, when you go to send money, you copy the wrong address from your history without checking every character. Your funds go straight to the thief. Researchers have identified millions of these attacks targeting Ethereum users.
Then there are the fake websites. Scammers buy Google ads for keywords like “Uniswap,” so their fake site appears above the real one in search results. The design is perfect. You cannot tell the difference. You connect your wallet, sign what you think is a login, and your assets disappear.
In one recent case, attackers compromised the website of a token launch platform and pushed a wallet-draining prompt through the real site. Users who signed a fake “terms of service” message lost funds immediately.
Even the big January numbers tell the same story
January 2026 was brutal. Total losses hit about $385 million, the highest in 11 months. But here is the detail that matters.
Security firm CertiK reported that phishing and social engineering accounted for $311 million of that total. A single victim lost around $284 million in a social engineering attack. One person. One trick. Nearly $300 million. That is not a code exploit. That is human psychology.
The Brooklyn case that explains everything
There is a criminal case from January that illustrates this perfectly. A 23-year-old in Brooklyn named Ronald Spektor was charged with stealing roughly $16 million from about 100 Coinbase users. He did not hack Coinbase. He did not exploit a smart contract.
He picked up the phone. Spektor posed as a Coinbase employee. He called the victims and told them their funds were at immediate risk. He pressured them to transfer crypto to wallets he controlled. He created panic to override their skepticism.
Prosecutors said the scheme relied on “panic tactics rather than technical hacks.”
That is the future of crypto crime. No code required. Just a convincing story and a sense of urgency.
The bigger picture nobody is talking about
Here is what keeps security researchers up at night. New wallet features are making crypto phishing attacks more powerful than ever. Some wallets now allow something called delegated authorization. You sign a single message giving someone permission to access your funds in the future. If a scammer tricks you into signing that one message, they can drain your wallet weeks later.
The attack happens in two stages. You never see the money leave. You just wake up one morning, and it is gone.
Meanwhile, the annual numbers remain staggering. Chainalysis estimates crypto hacks will cost the industry $3.4 billion in 2025. North Korean hacking groups, particularly the Lazarus Group, stole over $2 billion of that. These are state-sponsored actors running sophisticated phishing campaigns, fake job interviews, and malware attacks targeting crypto employees.
To conclude on crypto phishing attacks
Crypto was built on a simple promise: code is law. You do not have to trust a bank or a government because the math protects you. But the math does not protect you from yourself.
In February, protocol-level hacks dropped sharply. Total losses fell to roughly $49 million. That is progress. But the criminals adapted. They stopped trying to break the code and started trying to trick the people using it.
The weakest link in crypto security is no longer the smart contract. It is the person holding the phone, reading the email, and deciding whether to click that link.
And that means the industry has a new problem. How do you patch the human?
