The first quarter of 2026 was expensive for DeFi, but it would have looked a lot worse without a single outlier from last year distorting the comparison.
According to data from DefiLlama, hackers drained $168.6 million from 34 decentralized finance protocols between January and March 2026. That’s a significant improvement on the $1.58 billion stolen in Q1 2025, though it’s worth noting that figure was almost entirely driven by the $1.4 billion Bybit exploit, one of the largest single hacks in crypto history.
Strip out that anomaly and the year-over-year picture looks considerably more mixed. DeFi or decentralized finance refers to financial applications built on blockchain networks that operate through code-based contracts rather than traditional intermediaries like banks. When those contracts contain vulnerabilities, or when private keys are compromised, funds can be drained with little recourse for victims.
The quarter’s biggest incidents
The largest single exploit of Q1 2026 was a $40 million private key compromise targeting Step Finance in January. Second was Truebit on Jan. 8, where a smart contract manipulation drained $26.4 million in ETH.
The third-largest was Resolv Labs, the stablecoin issuer that lost roughly $25 million in March after an attacker exploited a compromised key in its AWS cloud infrastructure to mint approximately 80 million unbacked tokens.
A private key in simple terms is the password that proves ownership of a crypto wallet. When that key is stolen or exposed, whoever holds it can move funds freely. Two of the three largest exploits this quarter exploited that exact vulnerability, which is a notable trend.
The Truebit attack, by contrast, used an older technique, a math error in smart contract code known as integer overflow, where a calculation produces a number larger than the system can store, causing it to wrap around unexpectedly. Attackers can exploit that behavior to bypass security checks and manipulate balances. It’s a known vulnerability that developers actively check for, yet it still occasionally finds its way into slipping through.
The quarter also ended with one of the largest DeFi hacks in recent memory happening just after the first quarter window closed. On April 1, Drift Protocol, the largest decentralized perpetual futures exchange on the Solana blockchain, suffered a $285 million exploit.
Elliptic, the blockchain analytics firm, said on-chain behavior, laundering methods and network indicators were consistent with techniques previously attributed to North Korean state-linked hackers, which the US government has linked to the funding of Pyongyang’s weapons programs. Drift’s total value locked collapsed from approximately $550 million to under $250 million following the attack.
Why the quarter doesn’t tell the full story
Security experts caution against reading too much into any single quarter’s numbers. Nick Percoco, chief security officer at Kraken noted that cybercriminal activity in crypto tends to follow market cycles and event-driven conditions rather than calendar periods.
“Bull markets, major product launches and fast-moving growth phases all create more attractive conditions for attackers because more value is at stake and new infrastructure can introduce risk,” he said. He added that attacks are not confined to those periods, vulnerabilities can be exploited in any market environment.
Percoco described the threat landscape as a mix of highly coordinated groups targeting core infrastructure, organized criminal networks, and opportunistic actors scanning for smart contract weaknesses.
“They are ultimately targeting the same thing: global, liquid and accessible value. Targeting is rarely purely random,” he said. “Crypto’s transparency makes it easier for opportunistic actors to spot weaknesses as they emerge. The most attractive targets tend to be those combining large concentrations of value, technical complexity and gaps in operational security.”
That last point lands differently when you look at Q1’s biggest incidents. The two largest were private key compromises, the crypto equivalent of someone finding your password written on a sticky note.