Crypto Thieves Pivot To Phishing As Protocol Hacks Decline In February

Bybit blocked more than $300 million in unauthorized withdrawals during the final quarter of last year — a figure that puts February’s total crypto theft losses in sharp relief.

According to security firm Nominis, close to $50 million was stolen across the entire crypto industry last month, a fraction of what Bybit alone says it turned away in just three months.

Attackers Home In On Human Error

The drop from January’s $385 million in losses might look like progress, but security researchers say the more significant story is where the attacks are coming from.

Social engineering — scams that trick people into handing over access — caused more cumulative damage in February than traditional software exploits did.

Phishing campaigns climbed sharply during the month, with criminals sending fraudulent messages designed to get users to click malicious links or sign transactions they shouldn’t.

The most common method was authorization abuse. Victims were manipulated into granting wallet permissions without realizing what they’d approved.

Once those permissions were in place, attackers could move funds out freely. Private individuals bore the brunt of these attacks, not exchanges or large protocols.

One Breach Drove Most Of The Damage

A single incident accounted for most of February’s losses. Step Finance, a portfolio analytics platform built on Solana, was drained of approximately $30 million. Strip that one event out, and February would have been remarkably quiet by recent standards.

The broader numbers back that up. Blockchain security company PeckShield put February losses at $26.5 million — the lowest monthly figure since March 2025.

PeckShield credited stronger risk controls and better security practices across the industry for part of the decline.

Even with a quieter month on the books, the industry’s annual toll remains staggering. Data from Chainalysis shows crypto hacks cost the industry $3.4 billion last year. That figure underscores how much ground still needs to be covered before theft can be called a contained problem.

Bybit’s own numbers offer a window into how much active work that requires. The exchange said its fraud systems flagged roughly 350 high-risk addresses and stopped around 8,000 users from falling into potential scams — all in a single quarter.

Reports indicate that while large-scale protocol attacks appear to be easing, the rise in scams targeting everyday users signals that criminals are simply redirecting their efforts.

Better smart contract audits and stronger on-chain monitoring may be closing one door. But as long as people can be deceived into approving the wrong transaction, another door stays open.

Featured image from Trillium Mutual Insurance, chart from TradingView