OPN Intel
LIVE
BTC$76,620MAYER0.95×200W1.25×PI-CYCLE38%DRAWDOWN-39%PUELL0.81×W-RSI45BMSB0.97×
AS OF 2026-05-24
Threats· Mar 27, 2026· 3 min read

One Phone Call Drove 59% of Q1's $480M Crypto Losses

On March 27, CertiK published its Q1 running total: 103 security incidents, 36 phishing scams, approximately $480 million in losses since January 1. The number sounds like escalation. The breakdown tells a different story. A single social engineering attack accounts for $284 million, or 59% of the entire quarter. Strip it and Q1 is tracking below the baseline pace of recent years.

Key takeaways

  1. CertiK recorded approximately $480 million in total crypto losses across 103 security incidents and 36 phishing scams from January 1 through March 27, 2026
  2. One incident — the January social engineering attack that cost a single victim $284 million in Bitcoin and Litecoin via a fake Trezor support call — represents 59% of the entire quarter's losses. Remove it and Q1 sits near $196 million across the remaining 138 incidents
  3. February came in at $35.7 million in losses, the lowest monthly total since March 2025. The quarter is not an escalation story — it is a one-event distortion story
  4. The five largest protocol incidents of the quarter: Step Finance ($27.3M treasury wallet compromise), Resolv ($26.8M AWS key management exploit), Truebit ($26.6M smart contract vulnerability), Swapnet ($13.3M), YieldBlox ($10.5M)
  5. Phishing and social engineering account for 36 of 139 total incidents but represent the overwhelming majority of dollar losses. Code exploits are down as an attack category. Infrastructure attacks and human-layer compromises are where the money is being taken

What Happened

On March 27, CertiK Alert posted its Q1 2026 running total to X: 103 security incidents, 36 phishing scams, approximately $480 million in estimated total losses since January 1. The figure is being cited across crypto media as evidence that 2026 is on pace for a damaging year. That framing requires context.

January alone accounted for $370 million of the quarter's losses. Of that, $284 million came from a single incident: the social engineering attack in which a threat actor impersonated Trezor customer support and manipulated a victim into revealing their seed phrase, draining Bitcoin and Litecoin holdings. That one event, already covered in depth on this site, represents 59% of the entire quarter's reported losses. February fell to $35.7 million, the lowest monthly total in nearly a year. March's largest single incident was the Resolv protocol exploit on March 22 ($26.8 million), where an attacker compromised a private key stored in AWS Key Management Service and used it to authorize massively inflated stablecoin minting.

What the Breakdown Actually Shows

The five largest protocol incidents of Q1 follow a consistent pattern. Step Finance lost $27.3 million when attackers compromised treasury wallets. Resolv lost $26.8 million through a single externally owned account controlling a minting key with no multisig protection, no maximum mint limits, and no oracle checks. Truebit lost $26.6 million to a smart contract flaw. Swapnet lost $13.3 million. YieldBlox lost $10.5 million. In each case the failure point was not an undiscovered zero-day in the core protocol. It was a single point of control: one key, one wallet, one compromised credential.

This is what TRM Labs identified as the dominant structural pattern in 2025 and what is continuing into 2026: infrastructure attacks, defined as compromises of private keys, seed phrases, wallet infrastructure, and privileged access, drove 76% of total dollar losses in 2025 across just 45 incidents. Code exploits were more frequent but far smaller per incident. The $480 million headline obscures this: the expensive attacks are not the clever ones. They are the ones where a single trusted key or a single trusted person failed.

What This Means for You

The $284 million social engineering attack is the Q1 story for individual holders. It was not a protocol hack. It was not a sophisticated exploit. It was one person, a phone call, a convincing impersonation, and a seed phrase revealed. That attack vector does not require any technical sophistication from the attacker and has no technical defense if the target complies. The only protection is operational: no support call, email, or message from any hardware wallet company, exchange, or service will ever ask for your seed phrase. That phrase leaves your possession exactly once — when you type it into a new hardware wallet to restore access to your own funds. Every other context in which you are asked for it is an attack.

For the protocol risk picture, the Resolv exploit on March 22 is the most instructive recent example. A privileged minting key stored in a cloud key management service, controlled by a single externally owned account, with no multisig requirement and no mint limits, allowed an attacker to create $80 million in unbacked stablecoins and convert them to approximately $25 million in ETH before the protocol could respond. The lesson is not that cloud key management is inherently bad. It is that a single-signature privileged key with no validation controls is a single point of failure regardless of where it is stored.

What to Watch

CertiK's end-of-quarter report will provide the final Q1 2026 figures. Watch whether March finishes below $50 million in losses, which would make Q1 one of the better quarters by baseline metrics excluding the January social engineering outlier. Watch also whether the Resolv pattern repeats: AWS KMS as a key storage location for privileged protocol functions has appeared in multiple incidents. If researchers begin probing that attack surface more systematically, it becomes a category risk rather than an isolated event.

59% of a quarter's losses came from one phone call. The number is not the story. The attack vector is.

Sources

  1. [1]CertiK Alert (@CertiKAlert) — Q1 2026 running total post, March 27, 2026
  2. [2]CryptoTimes — 'Crypto Losses Spike Toward $500M in 2026, CertiK Warns', March 27, 2026
  3. [3]CryptoNews — 'Crypto Losses Hit $370M in January 2026, Highest in 11 Months: CertiK', February 2, 2026
  4. [4]Bitget News — 'CertiK: Losses in the Crypto Industry Due to Exploits in February Amounted to Approximately $35.7 Million', March 2026
  5. [5]TRM Labs — '2026 Crypto Crime Report', March 2026
  6. [6]Yellow.com — 'Biggest Crypto Exploits of 2025-2026: What Really Went Wrong', March 2026

More in Threats

Hinkal Lost $820,000 After Its Privacy Proof Verification Failed to Verify Anything$1.7 Million Drained Through a Single Forged Proof on TaikoFTX Repays Bitcoin Creditors at $16,871 Petition-Date Price