Crypto Losses Hit $370M in January as Phishing Dominates

Cryptocurrency-related incidents in January 2026 resulted in confirmed losses totaling approximately $370.3 million, according to blockchain security firm CertiK. Phishing attacks accounted for roughly 84% of the total, with a single social engineering heist draining $284.8 million from one victim.

The data, released through CertiK’s official alert account on X, reveals a troubling shift in attack patterns. Non-technical attacks such as phishing, wallet compromises, and deception now far outpace traditional smart contract exploits.

#CertiKStatsAlert 🚨

Combining all the incidents in January we’ve confirmed ~$370.3M lost to exploits.

~$311.3M of the total is attributed to phishing with one victim losing ~$284M due to a social engineering scam.

More details below 👇 pic.twitter.com/uXhi0P6dl5

— CertiK Alert (@CertiKAlert) January 31, 2026

Only $4.4 million in stolen funds were recovered during the month. That figure represents just 1.2% of total losses, highlighting the difficulty of retrieving assets once attackers obscure their trails.

Record-Breaking Crypto Social Engineering Heist

The largest incident occurred on January 10, when a crypto user lost over $282 million worth of Bitcoin and Litecoin. Blockchain investigator ZachXBT confirmed the victim was tricked into revealing their seed phrase linked to a hardware wallet.

The attacker drained 2.05 million Litecoin, worth approximately $153 million, and 1,459 Bitcoin valued at around $139 million. Within hours, the stolen assets began moving through multiple networks to obscure their origin.

The cybercriminal converted significant portions of the haul into Monero through instant exchange services. This activity triggered a noticeable spike in XMR’s market price as large volumes flowed through privacy-focused channels.

Meanwhile, substantial amounts of Bitcoin were bridged across Ethereum and Litecoin using THORChain. The decentralized cross-chain protocol enabled value transfers without relying on centralized exchanges, reigniting debate around infrastructure misuse during large-scale thefts.

Beyond the massive social engineering case, several DeFi protocols suffered significant losses. Truetbit lost $26.7 million, followed by Swapnet at $13.3 million and Saga at $6.2 million.

Makina Finance reported losses of $4.2 million, while Aperture Finance lost $3.2 million. Smaller incidents affected TKX, Xlayer, Mitail Money, Futureswap, and Molecular Finance, each losing under $1 million.

When categorized by attack vector, phishing led overwhelmingly at $311.4 million. Code vulnerabilities followed at $55.6 million, with price manipulation accounting for $5.8 million.

Wallet compromises totaled $1.1 million, and exit scams contributed just $0.5 million to the monthly total. The disparity underscores how attackers increasingly target human error rather than technical flaws.

By incident type, social engineering topped all categories at $284.8 million. DeFi-related incidents accounted for $21.8 million, while address poisoning attacks claimed $12.9 million.

Layer 1 attacks resulted in $6.2 million in losses. Wallet drainer schemes added another $4.7 million to the total damage.

Ongoing Laundering Operations

Separately, a cybercriminal who drained $27.3 million from a compromised multisig wallet in December 2025 continues laundering operations. Blockchain security firm PeckShield reported fresh fund movements on January 6.

#PeckShieldAlert The multisig drainer who stole $27.3M from a compromised wallet has withdrawn 1K $ETH ($3.24M) from #Aave and laundered it via #TornadoCash.

They have deposited a total of 6,300 $ETH ($19.4M) to #TornadoCash so far

The drainer, who controls the compromised… pic.twitter.com/zYjuY9jGw7

— PeckShieldAlert (@PeckShieldAlert) January 6, 2026

The attacker has routed $19.4 million through Tornado Cash across multiple transactions totaling 6,300 ETH. An additional 1,000 ETH worth $3.24 million was withdrawn from Aave before entering the crypto mixer.

The drainer still controls the victim’s compromised wallet, which holds a $9.75 million leveraged long position. The position includes $20.5 million in ETH collateral against $10.7 million in DAI debt.

Only approximately $2 million in liquid assets remains unlaundered from the original theft. The attacker has moved aggressively since the December 18 incident first surfaced publicly.

CertiK’s monthly report paints a stark picture of the current threat landscape. As attackers shift focus toward social engineering tactics, wallet security and seed phrase protection remain critical for crypto holders.