Hacks & Exploits | March 22, 2026 | 11 min read

The Biggest Crypto Hacks of 2026 (So Far): What Happened and How to Stay Safe

By ThreatChain Research Team

The crypto industry lost over $3.7 billion to hacks, exploits, and scams in 2025 alone. 2026 has continued the trend. Every hack follows a pattern. Every stolen fund leaves a trail. And every exploit carries lessons that, if learned, could prevent the next one.

This article breaks down the most significant crypto hacks from 2025 into early 2026. For each, we explain what happened in plain language, how the attack worked, how much was stolen, and what you can do to check if your funds or addresses were involved.

2025-2026 Hack Overview: The Numbers

Before the individual breakdowns, here is the scale of the problem:

The trend is clear: attackers are moving away from smart contract bugs (which are getting caught by auditors) and toward infrastructure attacks targeting private keys, multi-sig setups, and human operators. This shift demands a different kind of security thinking.

Bybit: The $1.46 Billion Exchange Breach

$1,460,000,000
Stolen in February 2025 | Exchange Hot Wallet Compromise

What Happened

In February 2025, Bybit, one of the world's largest cryptocurrency exchanges, suffered the single largest hack in crypto history. Attackers compromised the exchange's Ethereum hot wallet and drained approximately 401,347 ETH, worth $1.46 billion at the time.

How the Attack Worked

The attack targeted Bybit's multi-signature wallet infrastructure. According to post-incident analysis, the attackers compromised the signing process for the exchange's cold-to-hot wallet transfer system. The attack involved:

  1. Social engineering of key personnel involved in the signing process
  2. UI manipulation that showed signers a legitimate-looking transaction while the actual payload was different
  3. Rapid exfiltration once the malicious transaction was signed and broadcast

The stolen ETH was subsequently moved through multiple intermediary wallets and partially bridged to other chains. Blockchain analysis firms attributed the attack to North Korea's Lazarus Group based on on-chain patterns matching their previous operations.

Current Status

Bybit covered user losses from its reserves and insurance fund. A bounty program was launched to track the stolen funds, with partial success in freezing assets at cooperating exchanges. The majority of the funds remain in attacker-controlled addresses that are tracked across multiple threat intelligence platforms including ThreatChain.

WazirX: $230 Million Multi-Sig Compromise

$230,000,000
Stolen in July 2024 | Multi-Signature Wallet Attack

What Happened

WazirX, India's largest cryptocurrency exchange, lost $230 million when attackers compromised their multi-signature wallet managed through a custody solution. The attack exploited the gap between what the multi-sig signers saw on their screens and what was actually submitted to the blockchain.

How the Attack Worked

The multi-sig wallet required multiple signers to approve transactions. The attack proceeded in three steps:

  1. The attackers compromised the transaction display layer so that signers saw a routine internal transfer
  2. The actual transaction changed the wallet's implementation contract to one controlled by the attacker
  3. Once the implementation was swapped, the attacker had full control and drained all assets

This attack demonstrated a critical vulnerability in multi-sig operations: if signers cannot verify the raw transaction data they are approving, the security of multi-sig is illusory. The human layer was the weakest link.

Radiant Capital: $50 Million Cross-Chain Exploit

$50,000,000
Stolen in October 2024 | Private Key Compromise via Malware

What Happened

Radiant Capital, a cross-chain lending protocol, was exploited for $50 million across Arbitrum and BNB Chain. Attackers gained control of enough multi-sig keys to execute unauthorized transactions from the protocol's contracts.

How the Attack Worked

Post-mortem analysis revealed that the attackers compromised multiple team members' devices through sophisticated malware delivered via social engineering. The attack unfolded as follows:

  1. The attackers targeted developers by posing as a former contractor sharing a PDF about a smart contract bug
  2. The malware installed a backdoor that intercepted hardware wallet signing requests
  3. When team members signed what appeared to be routine transactions, the malware substituted the actual payload
  4. With enough compromised signers, the attacker could authorize arbitrary transactions from Radiant's contracts

The attack was attributed to Lazarus Group. It showed that even hardware wallets provide limited protection when the host computer that communicates with them is compromised.

Munchables: $62 Million Insider Attack

$62,000,000
Stolen in March 2024 | Insider Threat (Returned)

What Happened

Munchables, an NFT gaming project on Blast L2, was exploited by one of its own developers. The developer had been hired under a false identity and had manipulated the project's smart contracts to include a backdoor.

How the Attack Worked

The rogue developer:

  1. Joined the team using a fabricated identity linked to North Korean operatives
  2. During development, assigned themselves an enormous ETH balance in the contract's storage slots, hidden in a proxy upgrade
  3. When the time was right, withdrew the $62 million from the contract

In a rare positive outcome, the developer returned the funds. Two factors contributed: community pressure, and the fact that the funds were on Blast L2, where the sequencer operator (the Blast team) could potentially intervene. The incident highlighted the critical risk of insider threats and the importance of thorough code review for every commit, not just initial audits.

Orbit Chain: $80 Million Bridge Hack

$80,000,000
Stolen in December 2023 / Ongoing in 2024 | Bridge Validator Compromise

What Happened

Orbit Chain, a cross-chain bridge protocol, lost $80 million when attackers compromised enough bridge validators to authorize fraudulent transfers. The stolen assets included ETH, DAI, USDT, and USDC.

How the Attack Worked

Cross-chain bridges work by locking assets on one chain and minting equivalent tokens on another. The bridge validators are the entities that verify these transfers and sign off on them. In Orbit Chain's case:

  1. The bridge required 7 out of 10 validators to approve transactions
  2. Attackers compromised at least 7 validator keys through methods not fully disclosed
  3. With control of the threshold, they authorized transfers of $80 million in assets from the bridge's reserves

Bridge hacks remain one of the most devastating attack categories because bridges hold enormous concentrated funds and their security depends on the weakest validator in the set.

DMM Bitcoin: $305 Million Private Key Theft

$305,000,000
Stolen in May 2024 | Private Key Compromise

What Happened

DMM Bitcoin, a Japanese cryptocurrency exchange, lost 4,502.9 BTC (approximately $305 million) in a straightforward private key theft. The exchange's Bitcoin wallet was drained in a single unauthorized transaction.

How the Attack Worked

Details of how the private key was obtained were not fully disclosed, but investigation indicated the attack involved social engineering of a contractor with access to the exchange's wallet infrastructure. The simplicity of the attack underscores a painful truth: the most expensive hacks are often the least technically sophisticated. No smart contract exploit. No flash loan. Just stolen keys.

DMM Bitcoin was unable to recover the funds and ultimately transferred all customer accounts to SBI VC Trade, effectively ending operations.

How ThreatChain Records These Threats Permanently

Every hack listed above generated hundreds of wallet addresses: attacker wallets, intermediary wallets, mixer interactions, and bridge transfers. These addresses are threat intelligence. Knowing them helps the community identify when stolen funds are being moved, prevent laundering through cooperating exchanges, and detect related attacks.

ThreatChain records these threat indicators on a decentralized blockchain, which means:

For the hacks above, ThreatChain's database includes the primary attacker addresses, known intermediary wallets, and mixer deposit addresses. Security teams and exchanges use this data to flag and freeze funds when they appear at their platforms.

You can search any address associated with these hacks at threatchain.io/search. If you discover new addresses connected to these or other exploits, you can submit them to help the community and earn $.

Lessons Learned: How to Stay Safe

After analyzing these hacks, several patterns emerge that individual users and protocols can learn from:

For Individual Users

  1. Do not keep large amounts on exchanges - Every exchange hack in this list would not have affected users who held their own keys. Use exchanges for trading, then withdraw to self-custody
  2. Check addresses before interacting - Use ThreatChain to verify any address you plan to interact with. If it is connected to a known exploit, you will know immediately
  3. Be skeptical of all documents and links - Multiple hacks started with a PDF or document shared via social engineering. Never open files from unverified sources without checking the hash first
  4. Use separate devices for high-value operations - If you manage significant crypto, use a dedicated device for signing transactions that is not used for email, messaging, or web browsing
  5. Monitor your wallet addresses - Set up alerts for any transactions involving your addresses. The faster you notice unauthorized activity, the better your chance of responding

For Protocols and Teams

  1. Verify raw transaction data - Multi-sig signers must verify the actual on-chain payload, not just what a UI shows them. The WazirX and Bybit hacks both exploited UI-level deception
  2. Assume your team's devices are compromised - Design signing processes that remain secure even if individual computers are compromised. Hardware wallet verification of transaction details is critical
  3. Thorough background checks - The Munchables hack was an insider who used a fake identity. Verify the identity and history of every team member with access to critical infrastructure
  4. Review every code change - An audit at deployment is not enough. Every subsequent upgrade and code change must receive equal scrutiny. Many exploits are introduced after the initial audit
  5. Minimize bridge exposure - If your protocol uses cross-chain bridges, minimize the amount of funds locked in bridge contracts. The more concentrated the funds, the bigger the target
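
The raw-payload check from item 1, and the display-versus-payload gap described in the WazirX section, as an added example (not ThreatChain's or any exchange's code). It decodes the calldata a signer is about to approve and compares it with what the signer intended, independently of any UI. The addresses and payloads are constructed, and upgradeTo(address) stands in for an implementation change; the actual calls used in those incidents are not given in this article.

```python
# Standard 4-byte selectors (first 4 bytes of keccak256 of the signature).
KNOWN_SELECTORS = {
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "095ea7b3": ("approve", ["address", "uint256"]),
    "3659cfe6": ("upgradeTo", ["address"]),
}
# Calls that hand over control instead of moving a bounded amount.
CONTROL_CHANGING = {"approve", "upgradeTo"}

# Constructed sample values, not real addresses or transactions.
INTERNAL_WALLET = "0x" + "11" * 20
ROUTINE = "0xa9059cbb" + "00" * 12 + "11" * 20 + (1000).to_bytes(32, "big").hex()
SWAPPED = "0x3659cfe6" + "00" * 12 + "22" * 20
INTENT = {"function": "transfer", "args": [INTERNAL_WALLET, 1000]}


def decode_calldata(raw_hex):
    """Decode the selector and static 32-byte ABI words of raw calldata."""
    data = bytes.fromhex(raw_hex[2:] if raw_hex.startswith("0x") else raw_hex)
    selector, body = data[:4].hex(), data[4:]
    if len(data) < 4 or selector not in KNOWN_SELECTORS:
        return {"function": None, "selector": selector, "args": []}
    name, types = KNOWN_SELECTORS[selector]
    if len(body) != 32 * len(types):
        raise ValueError("argument length does not match the ABI")
    args = []
    for i, typ in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if typ == "address":
            if any(word[:12]):
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "selector": selector, "args": args}


def verify_intent(raw_hex, intent):
    """Return mismatches between the raw payload and what the signer meant to approve."""
    decoded = decode_calldata(raw_hex)
    want = [a.lower() if isinstance(a, str) else a for a in intent["args"]]
    if decoded["function"] is None:
        return [f"unrecognised selector 0x{decoded['selector']}"]
    if decoded["function"] != intent["function"]:
        note = f"payload calls {decoded['function']}, signer expected {intent['function']}"
        if decoded["function"] in CONTROL_CHANGING:
            note += " (changes who controls the funds)"
        return [note]
    if decoded["args"] != want:
        return ["arguments differ from intent"]
    return []
```

The check is only useful when it runs on a device separate from the one that displayed the transaction, since a compromised host can alter both the display and a local decoder.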

The common thread across all these hacks is not technical sophistication. It is attacking the human layer: social engineering, device compromise, insider threats, and UI deception. The smartest contract in the world cannot protect against a compromised signer.

Check If Your Addresses Were Affected

Search ThreatChain for any wallet address connected to these hacks. Permanent, decentralized threat records you can trust.
