DefiLlama data shows $17 billion stolen across 518 incidents in a decade, and more than half of the losses came from stolen keys or phished humans. The protocols are hardening. The people are not.
Crypto users and protocols have lost more than $17 billion across 518 recorded incidents over the past decade, according to data platform DefiLlama. The striking part of the breakdown is not the total. It is that private key compromises and credential-based attacks now account for more documented losses than smart contract exploits, reversing the trend that defined the sector's early years.
The data arrives during the worst month for crypto security in 14 months. Between Drift Protocol's $285 million exploit and KelpDAO's $293 million bridge attack, April 2026 has already seen roughly $606 million drained across 12 separate incidents in 18 days. Neither of the two biggest hits was a pure code exploit. Both started with compromised humans or compromised infrastructure around the humans.
Where the $17 Billion Actually Went
The DefiLlama breakdown of attack vectors over the past decade shows a category that security audits were never designed to catch.
| Attack Vector | Share of Incidents | What Actually Happens |
|---|---|---|
| Private key compromise via brute force | 22.3% | Weak or leaked seed phrases cracked by automated tools |
| Private key compromise, method unknown | 18.2% | Keys stolen through channels the victim never identified |
| Phishing attacks on multi-signature wallets | 10% | Signers tricked into approving malicious transactions |
| Other vectors combined | 49.5% | Smart contract bugs, oracle manipulation, bridge exploits |
More than half of the tracked incidents trace back to credential failures rather than protocol flaws. That includes brute-forced seed phrases, keys stolen through phishing or malware, and multi-signature setups where the attackers never broke the cryptography. They just tricked the signers.
2025 Set the Pattern That 2026 Is Amplifying
Chainalysis estimated that the industry lost roughly $17 billion to scams and fraud in 2025 alone, making it the worst year on record by that measure. Impersonation scams grew 1,400% year over year, and AI-enabled schemes were 450% more profitable than traditional ones. The single largest theft on record remains the February 2025 Bybit hack, which drained $1.5 billion through a supply chain attack on the signing interface rather than any flaw in the exchange's smart contracts.
Immunefi CEO Mitchell Amador summarized the shift bluntly, telling CoinDesk in January that despite 2025 being the worst year for hacks on record, those hacks stemmed from Web2 operational failures rather than onchain code. His prediction for 2026 was that the main attack surface would be people. The first four months of the year have validated that forecast with uncomfortable precision.
The Drift and KelpDAO Playbooks Explained
The Drift Protocol exploit on April 1 was the clearest recent example of the new model. Attackers posed as a quant firm and spent roughly three weeks socially engineering the protocol's security council into pre-signing durable nonce transactions. Once the signatures were in place, the attackers deployed a wash-traded fake token, manipulated its price on the protocol, and drained the vaults in roughly 12 minutes. The code worked exactly as designed. The signers did not.
The KelpDAO incident on April 18 followed a similar pattern at the infrastructure layer. Attackers compromised verifier nodes in the protocol's LayerZero-powered bridge, poisoning two RPC nodes and launching DDoS attacks against a third. No smart contract was technically broken. The verification infrastructure around the contracts was. LayerZero attributed the attack to North Korea's Lazarus Group, which has spent years industrializing exactly this kind of campaign.
April's contagion extended well beyond those two headlines. CoW Swap lost $1.2 million to a domain hijack where attackers impersonated company staff and convinced the domain provider to hand over control. Rhea Finance lost $18.4 million to an oracle manipulation setup that took two days to prepare. Vercel, which hosts frontend infrastructure for a long list of crypto projects, disclosed a breach on April 19 traced to a compromised Google Workspace connection via a third-party AI tool.
Why the Audit-First Security Model Has Stopped Working
The industry is estimated to have spent billions on smart contract audits over the past five years. Protocols routinely display badges from multiple auditing firms, with individual audits running $10,000 to $100,000 each. That investment has genuinely hardened onchain code. Amador estimates that 2026 will be the best year yet for onchain security from the perspective of DeFi protocol code itself.
The catch is that the same spending patterns have not extended to the layers around the code. Over 90% of projects still carry critical, exploitable vulnerabilities, according to Amador. Less than 1% of the industry uses firewalls, and fewer than 10% use AI detection tools. Employee security, interface integrity, and third-party vendor risk are often treated as HR overhead rather than security investments, even though they are now where the losses actually happen.
Hacken CEO Dyma Budorin pointed to the rise of hacking-as-a-service tools on darknet platforms as a compounding factor. The tools lower the barrier to entry for attackers who do not need to write original exploits and can simply pay a platform to generate phishing infrastructure that drains wallets at scale. Web3 projects lost $482 million in the first quarter of 2026 alone, with phishing and social engineering responsible for $306 million of that total.
What This Means for Ordinary Users
For individual holders, the practical implication is that wallet hygiene now matters more than protocol selection. A user who splits funds across a hardware wallet for storage and a dedicated interaction wallet for DeFi activity, revokes stale token approvals every few months, and verifies every signing prompt on-device is protected against the majority of attacks that drained $17 billion.
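One concrete form of the approval review described above, as an added example that is not part of the original article: a Python helper that flags unlimited or stale ERC-20 allowances from a set of approval records and produces the zero-allowance `approve()` calldata a wallet would submit to revoke each one. The token and spender addresses, timestamps and 90-day window are constructed for illustration; only the `approve(address,uint256)` selector is a real standard value.

```python
from dataclasses import dataclass

# ERC-20 approve(address,uint256) function selector (standard, not page-specific).
APPROVE_SELECTOR = "095ea7b3"
UNLIMITED = 2**256 - 1   # the "infinite approval" value many dApps request
DAY = 86_400


@dataclass(frozen=True)
class Approval:
    token: str       # ERC-20 contract address
    spender: str     # contract that was granted the allowance
    allowance: int   # remaining allowance in base units
    granted_at: int  # unix timestamp of the Approval event


def is_stale(a: Approval, now: int, max_age_days: int = 90) -> bool:
    """Flag allowances that are unlimited or older than the review window."""
    if a.allowance == 0:
        return False  # already revoked, nothing to do
    return a.allowance == UNLIMITED or now - a.granted_at > max_age_days * DAY


def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): 4-byte selector + two 32-byte padded args."""
    addr = spender.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + APPROVE_SELECTOR + addr + "0" * 64


def review(approvals, now: int, max_age_days: int = 90):
    """Return (token, spender, calldata) for every allowance that should be revoked."""
    return [(a.token, a.spender, revoke_calldata(a.spender))
            for a in approvals if is_stale(a, now, max_age_days)]


# Constructed sample records: addresses and timestamps are made up.
NOW = 1_777_000_000
SAMPLE = [
    Approval("0x" + "aa" * 20, "0x" + "11" * 20, UNLIMITED, NOW - 5 * DAY),    # unlimited: revoke
    Approval("0x" + "bb" * 20, "0x" + "22" * 20, 1_000_000, NOW - 200 * DAY),  # old: revoke
    Approval("0x" + "cc" * 20, "0x" + "33" * 20, 1_000_000, NOW - 10 * DAY),   # recent, bounded: keep
    Approval("0x" + "dd" * 20, "0x" + "44" * 20, 0, NOW - 400 * DAY),          # already zero: keep
]

if __name__ == "__main__":
    for token, spender, data in review(SAMPLE, NOW):
        print(f"revoke {spender} on {token}: {data}")
```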
For institutions, the Drift case made something explicit that most security teams had been quiet about. A well-funded, patient adversary willing to spend three weeks building a fake counterparty relationship can beat almost any purely technical defense. The fix is not more audits. It is out-of-band verification for sensitive signing operations, split recovery processes, and operational protocols that assume any inbound communication might be a deepfake of someone the team trusts.
The direction of travel is clear. Code is getting harder to break. Humans and the infrastructure around them are not. The next $17 billion in losses will almost certainly come from the same weak link, and the teams that rebuild their threat models around that reality will be the ones still standing to talk about it.