What Happened
On March 27, CertiK Alert posted its Q1 2026 running total to X: 103 security incidents, 36 phishing scams, approximately $480 million in estimated total losses since January 1. The figure is being cited across crypto media as evidence that 2026 is on pace for a damaging year. That framing requires context.
January alone accounted for $370 million of the quarter's losses. Of that, $284 million came from a single incident: the social engineering attack in which a threat actor impersonated Trezor customer support and manipulated a victim into revealing their seed phrase, draining Bitcoin and Litecoin holdings. That one event, already covered in depth on this site, represents 59% of the entire quarter's reported losses. February fell to $35.7 million, the lowest monthly total in nearly a year. March's largest single incident was the Resolv protocol exploit on March 22 ($26.8 million), where an attacker compromised a private key stored in AWS Key Management Service and used it to authorize massively inflated stablecoin minting.
What the Breakdown Actually Shows
The five largest protocol incidents of Q1 follow a consistent pattern. Step Finance lost $27.3 million when attackers compromised treasury wallets. Resolv lost $26.8 million through a single externally owned account controlling a minting key with no multisig protection, no maximum mint limits, and no oracle checks. Truebit lost $26.6 million to a smart contract flaw. Swapnet lost $13.3 million. YieldBlox lost $10.5 million. In each case the failure point was not an undiscovered zero-day in the core protocol. It was a single point of control: one key, one wallet, one compromised credential.
This is what TRM Labs identified as the dominant structural pattern in 2025 and what is continuing into 2026: infrastructure attacks, defined as compromises of private keys, seed phrases, wallet infrastructure, and privileged access, drove 76% of total dollar losses in 2025 across just 45 incidents. Code exploits were more frequent but far smaller per incident. The $480 million headline obscures this: the expensive attacks are not the clever ones. They are the ones where a single trusted key or a single trusted person failed.
What This Means for You
The $284 million social engineering attack is the Q1 story for individual holders. It was not a protocol hack. It was not a sophisticated exploit. It was one person, a phone call, a convincing impersonation, and a seed phrase revealed. That attack vector does not require any technical sophistication from the attacker and has no technical defense if the target complies. The only protection is operational: no support call, email, or message from any hardware wallet company, exchange, or service will ever ask for your seed phrase. That phrase leaves your possession exactly once — when you type it into a new hardware wallet to restore access to your own funds. Every other context in which you are asked for it is an attack.
For the protocol risk picture, the Resolv exploit on March 22 is the most instructive recent example. A privileged minting key stored in a cloud key management service, controlled by a single externally owned account, with no multisig requirement and no mint limits, allowed an attacker to create $80 million in unbacked stablecoins and convert them to approximately $25 million in ETH before the protocol could respond. The lesson is not that cloud key management is inherently bad. It is that a single-signature privileged key with no validation controls is a single point of failure regardless of where it is stored.
What to Watch
CertiK's end-of-quarter report will provide the final Q1 2026 figures. Watch whether March finishes below $50 million in losses, which would make Q1 one of the better quarters by baseline metrics excluding the January social engineering outlier. Watch also whether the Resolv pattern repeats: AWS KMS as a key storage location for privileged protocol functions has appeared in multiple incidents. If researchers begin probing that attack surface more systematically, it becomes a category risk rather than an isolated event.