Crypto Losses Drop 87% in February, But Hackers Are Now Targeting People, Not Code

Crypto losses fell to $49M in February, but attackers are shifting toward phishing and user manipulation, says Nominis.

A report by blockchain security firm Nominis shows that in February, total losses from crypto attacks fell by 87%, going from $385 million in January to $49.3 million last month.

However, while the drop in total value stolen suggests improved protocol security, Nominis claims that a closer examination of the month’s events shows that attackers are moving their focus away from exploiting code and toward manipulating the people who use it.

The Anatomy of February’s Crypto Attacks

According to the Nominis report, an attack on Step Finance, a Solana-based decentralized finance (DeFi) platform, caused more than 60% of February’s total losses.

In that case, attackers are said to have hacked devices belonging to the project’s executive team, which may have exposed private keys or allowed unauthorized transaction approvals. After that, they unstaked and moved 261,854 SOL worth up to $40 million from wallets that the project owned.

The damage was so severe that Step Finance was forced to shut down its core platform and affiliated projects, including SolanaFloor and Remora Markets.

The remaining losses came from a scattered mix of attacks, including $3 million lost by CrossCurve, a cross-chain protocol bridge, when an attacker exploited flawed validation logic in the contract responsible for processing incoming messages from the Axelar network.

Elsewhere, YieldBlox, a DeFi lending platform, lost about $10.2 million after a bad actor changed its collateral pricing logic so that it could borrow more than it was allowed to.

You may also like:

There were also several address poisoning scams targeting individuals, with their losses ranging from about $100,000 to nearly $600,000. Others were drained after unknowingly signing malicious token approval transactions. This is a method in which a fake prompt tricks people into giving criminals permission to take money from their wallets.

A Broader Pattern is Emerging

Apart from the direct attacks, there were also several notable findings made in February by investigators and law enforcement. For instance, SlowMist published a technical breakdown of a phishing campaign that specifically targeted administrators of crypto projects.

In that campaign, attackers made fake versions of real token vesting tools to trick operators into giving them access to contracts.

Meanwhile, authorities in South Korea are investigating a case in which a seed phrase was accidentally exposed in a publicly shared photograph, which allowed attackers to reconstruct the wallet and steal nearly $5 million worth of crypto.

As far as enforcement was concerned, the U.S. Department of Justice reported that it had seized more than $61 million in cryptocurrency connected to a pig butchering investment fraud scheme. The investigators were able to trace the money through blockchain analysis and obtain a legal forfeiture of the funds.

Based on the February incidents, the loss of funds is not primarily through exploiting unknown vulnerabilities in the underlying code. The Nominis study found that most losses now come from compromised user accounts, misleading transactional requests, and users copying the wrong wallet address. According to the firm, the most vulnerable aspects of the cryptocurrency ecosystem are not the blockchains themselves, but rather, they are the human behaviors and operational practices that surround them.