February Hacks Hit $35.7M - Quietest Month in a Year, But Attackers Still Got Paid
Image: February Hacks Hit $35.7M - Quietest Month in a Year, But At
The industry is calling February a quiet month. CertiK's numbers confirm it: crypto exploits totaled just $35.7 million last month, down more than 90% from January and the lowest monthly figure since March 2025.
Don't mistake the silence for safety. Attackers still collected. Two incidents alone accounted for $19 million of that figure, and phishing kits kept running on autopilot while everyone watched Bitcoin bleed into the Iran war noise.
Total lost: ~$35.7M
Phishing: ~$8.5M
DeFi protocols: highest target category
MoM change: -90%+ vs January 2026
YoY context: Feb 2025 = $1.5B (Bybit). Anomaly, yes. But still.
The YieldBlox Job: $10M From One Bad Trade
The month's largest single hit happened on February 22 on the Stellar network. A hacker targeted YieldBlox's community-managed Blend pool and walked away with $10 million. The mechanism was textbook oracle manipulation - but surgically executed.
The USTRY/USDC market on YieldBlox was thin. The attacker placed one abnormally large trade and inflated the USTRY price by a factor of 100. The protocol's valuation system saw that inflated price as real. The attacker then borrowed massively against collateral that was worth a fraction of what the oracle claimed.
Thin liquidity is not a niche edge case - it's the attack surface. Any market where a single order can move price 100x should not be feeding a lending protocol's collateral valuations. That's not a protocol-specific vulnerability. It's a category failure that's been documented since 2020.
IoTeX: $9M Through a Leaked Key
A day before YieldBlox, on February 21, the IoTeX Internet-of-Things blockchain disclosed a private key compromise. The attacker used the key to drain the project's token safe. CertiK estimates losses at nearly $9 million. IoTeX's own team put the figure closer to $2 million - a gap that is itself a red flag. Either someone miscounted, or someone doesn't want the real number public.
Private key leaks are not glamorous hacks. They're operational failures. Key management is solved infrastructure. Multisig exists. Hardware signing exists. Time-locks exist. If your treasury keys can be compromised in a single event and drained without a circuit breaker, that's not a security incident - it's a missing policy.
Phishing Never Takes a Month Off
Of the $35.7M total, $8.5M came from phishing. That number barely moved month-over-month. "Drainer-as-a-service" kits commoditize the attack - anyone willing to pay a subscription can spin up a wallet drainer, target users through fake mints or Discord link drops, and collect a cut while the kit operator takes the rest.
The model scales without technical skill. February's relative quiet in protocol hacks just meant the phishing share of the pie got larger proportionally. The drainers didn't slow down. The protocol exploiters did.
What This Actually Means
The $35.7M figure looks clean next to Bybit's $1.5 billion in February 2025. But comparisons to anomalies are meaningless. The actual trend is this: DeFi attack complexity is stable, oracle manipulation is repeatable and profitable, key management across Web3 projects remains dangerously casual, and the phishing infrastructure is industrialized.
A quiet month doesn't mean the attack surface shrank. It means the timing was off. The next nine-figure event is already being planned. It just hasn't hit yet.
1. YieldBlox (Stellar) - $10M oracle manipulation, Feb 22
2. IoTeX - ~$9M private key compromise, Feb 21
3. Foom.Cash - $2.2M zkSNARK proof forgery
Phishing total: $8.5M across multiple campaigns
CertiK's monthly wrap dropped Friday. The market was focused on BTC at $63K and war headlines. The security data barely registered. That's usually when the next one gets set up.