Welcome to DeFi Due Diligence
January 2026 just set a record nobody wanted.
$370 million stolen. The highest monthly total in 11 months. Nearly 4x higher than January 2025.
But here's what's interesting: smart contract hacks are actually declining.
So where's all the money going?
Phishing. Social engineering. Good old-fashioned manipulation.
$311 million of that $370 million came from phishing attacks. Not code exploits. Not flash loans. Just people getting tricked into giving up their keys.
The hackers aren't getting smarter at breaking code. They're getting smarter at breaking people.
The $282 Million Mistake
On January 10th, one person lost $282 million in Bitcoin and Litecoin.
Not a protocol hack. Not a smart contract bug. Not an exchange breach.
A phone call.
Blockchain investigator ZachXBT reported it as a "hardware wallet social engineering scam." The attacker convinced the victim to reveal their wallet recovery phrase. Then they drained everything.
That single incident accounted for 80% of January's total losses.
Think about that. One person. One conversation. $282 million gone.
This wasn't a sophisticated zero-day exploit. It was someone pretending to be customer support.
How it works:
1. Attacker identifies high-value wallet (on-chain data is public)
2. They research the owner through social media, LinkedIn, domain registrations
3. They call pretending to be Ledger support, Trezor support, exchange security
4. They create urgency: "Your wallet has been compromised. We need to verify your recovery phrase."
5. Victim panics. Shares phrase. Funds gone in seconds.
The victim wasn't stupid. They were scared. That's all it takes.
The lesson: No legitimate company will ever ask for your recovery phrase. Ever. Not Ledger. Not Trezor. Not Coinbase. Not anyone.
If someone asks for your seed phrase, they're stealing from you. Full stop.
Why Phishing Is Winning
Here's the uncomfortable truth: your smart contracts are safer than your brain.
| Attack Type | January 2026 Losses | % of Total |
|---|---|---|
| Phishing/Social Engineering | $311.3M | 84% |
| Protocol Exploits | $58.7M | 16% |
Impersonation scams are up 1,400% year-over-year. Not 14%. Not 140%. Fourteen hundred percent.
The attackers have realized something: breaking code is hard. Breaking people is easy.
Why spend months finding a smart contract vulnerability when you can:
- Send a fake MetaMask email
- Create a pixel-perfect phishing site
- Call someone pretending to be support
- DM them on Discord with a "verification" link
Social engineering scales. It doesn't require technical skills. And it works on everyone - from retail users to developers to exchange employees.
The Bybit hack last year ($1.5B) started with a compromised employee. Not a code flaw. A person.
The DeFi Crime Blotter
Step Finance: $28.9M stolen from Solana portfolio tracker
Attackers compromised multiple treasury wallets and drained 261,000 SOL. If you used Step Finance, check your connected wallets and revoke any unnecessary permissions.
The team is investigating. No recovery announced.
Truebit Protocol: $26.4M exploit
A smart contract flaw allowed an attacker to mint tokens at minimal cost. The TRU token crashed hard. Another reminder that "audited" doesn't mean "safe."
Trust Wallet Chrome Extension: $7M from 3,000 wallets
Trust Wallet confirmed attackers stole roughly $7 million after compromising their Chrome browser extension. If you use the browser extension, check your balances immediately.
Better yet: don't use browser extension wallets for significant funds. Hardware wallets exist for a reason.
Matcha Meta: $13.5M drained
The 0x-built DeFi aggregator was hit on January 25th. Users who had granted approvals to the protocol were at risk. If you used Matcha Meta, revoke all token approvals now at revoke.cash.
Stat of the Week
Less than 1% recovered
| Metric | Value |
|---|---|
| Total stolen in January | $370M |
| Total recovered | $2.7M |
| Recovery rate | 0.7% |
When your crypto is gone, it's gone. Most recoveries came from MEV bots front-running attackers or white-hat interventions. If you're counting on getting your money back after a hack, don't.
Prevention is the only strategy that works.
What Actually Protects You
The attackers have upgraded. Have you?
Against phishing:
- Never click links in emails or DMs claiming to be from crypto services
- Always type URLs manually or use bookmarks
- Enable phishing protection in your browser
- Use a dedicated device for high-value transactions
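One way to turn "type URLs manually or use bookmarks" into something you can actually check, as an added example that is not code from the newsletter: a small dependency-free Python classifier that compares a link's host against your own allowlist of bookmarked domains and flags the lookalike tricks phishing kits rely on (a brand name embedded in an unrelated domain, a host built from look-alike Cyrillic or digit characters, a punycode `xn--` host, a one-character typo). The allowlist, the confusable-character table and the test URLs below are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: the domains this user actually logs in to. Replace with your own bookmarks.
TRUSTED_DOMAINS = {"metamask.io", "ledger.com", "trezor.io", "revoke.cash"}

# Characters that render like ASCII letters (Cyrillic, dotless i, digits).
# Constructed subset for illustration; Unicode's confusables list is far larger.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "ј": "j", "ѕ": "s", "ԁ": "d", "ɡ": "g", "ı": "i", "ł": "l",
    "0": "o", "1": "l",
}


def skeleton(host):
    """Fold a host name to the ASCII 'shape' a human perceives when reading it."""
    s = unicodedata.normalize("NFKD", host.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop accents
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return s.replace("rn", "m").replace("vv", "w")


def registrable_domain(host):
    """Last two labels; a deliberate simplification of the Public Suffix List."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


# Compare skeleton against skeleton so a trusted domain containing '0' or 'rn' still matches itself.
TRUSTED_SKELETONS = {skeleton(d): d for d in TRUSTED_DOMAINS}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike', 'unknown' or 'invalid'."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "invalid", "URL has no host"

    # Punycode (xn--) labels hide non-ASCII characters; decode them so they can be inspected.
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            return "lookalike", "punycode label that does not decode"

    if host.isascii() and registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted", f"{registrable_domain(host)} is on the allowlist"

    sk = skeleton(host)
    sk_reg = registrable_domain(sk)
    if sk_reg in TRUSTED_SKELETONS:
        return "lookalike", f"reads as {TRUSTED_SKELETONS[sk_reg]} but uses substitute characters"
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(sk_reg, trusted) <= 1:
            return "lookalike", f"one character away from {trusted}"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in sk.replace("-", ""):
            return "lookalike", f"'{brand}' embedded in an unrelated domain ({sk_reg})"
    return "unknown", f"{registrable_domain(host)} is not on the allowlist; verify it independently"


if __name__ == "__main__":
    # Constructed test links; the Cyrillic 'а' in the third one is the point.
    for link in ["https://metamask.io/download",
                 "https://metamask.io.secure-verify.com/claim",
                 "https://metamаsk.io/",
                 "https://ledger-live-support.com/verify",
                 "https://example.org/"]:
        print(f"{link:50} -> {classify(link)}")
```

Anything that is not `trusted` is a reason to stop, close the tab and reach the site through your own bookmark; the classifier is a speed bump for the moment of panic the newsletter describes, not a replacement for that habit.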
Against social engineering:
Your seed phrase is never needed by anyone. Ever.
- Hang up on anyone claiming to be support who called you
- Verify all support contacts through official websites
- Take 24 hours before acting on any "urgent" security request
Against extension compromises:
- Don't use browser extension wallets for significant funds
- Use hardware wallets for anything over $10K
- Regularly audit your token approvals (revoke.cash)
- Keep your browser extensions minimal
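What "audit your token approvals" means under the hood, as an added example that is not code from the newsletter or from revoke.cash, and the same check the Step Finance and Matcha Meta entries in the Crime Blotter call for: a dependency-free Python script that replays ERC-20 `Approval` event logs (in the shape an `eth_getLogs` call returns) to find which spenders still hold a live allowance from a wallet, flags the unlimited ones, and builds the `approve(spender, 0)` calldata that a revoke transaction sends to the token contract. The event topic and function selector are the standard ERC-20 values; the wallet, token and spender addresses, amounts and block numbers are constructed.

```python
# keccak256("Approval(address,address,uint256)") -- the standard ERC-20 event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# First 4 bytes of keccak256("approve(address,uint256)") -- the standard ERC-20 selector.
APPROVE_SELECTOR = "0x095ea7b3"
UINT256_MAX = 2**256 - 1
# Allowances at or above 2**255 are reported as "unlimited" (constructed cutoff; wallet UIs use similar ones).
UNLIMITED_THRESHOLD = 2**255


def pad32(value):
    """ABI-encode an address (hex string) or uint256 (int) as one 32-byte hex word, no 0x prefix."""
    if isinstance(value, str):
        return value[2:].lower().rjust(64, "0")
    return format(value, "064x")


def topic_to_address(topic):
    """Indexed address parameters are left-padded to 32 bytes; the address is the last 20."""
    return "0x" + topic[-40:].lower()


def decode_approval(log):
    """Return (token, owner, spender, amount) for an ERC-20 Approval log, or None for anything else."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return (log["address"].lower(), topic_to_address(topics[1]),
            topic_to_address(topics[2]), int(log["data"], 16))


def revoke_calldata(spender):
    """Calldata for approve(spender, 0): what a wallet sends to the token contract to revoke."""
    return APPROVE_SELECTOR + pad32(spender) + pad32(0)


def audit_allowances(logs, owner):
    """Replay Approval logs in chain order; the latest value per (token, spender) is the live allowance."""
    owner = owner.lower()
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    live = {}
    for log in ordered:
        decoded = decode_approval(log)
        if decoded is None or decoded[1] != owner:
            continue  # not an Approval, or someone else's wallet
        token, _, spender, amount = decoded
        live[(token, spender)] = amount  # later events overwrite earlier ones
    findings = []
    for (token, spender), amount in live.items():
        if amount == 0:
            continue  # already revoked
        findings.append({"token": token, "spender": spender, "amount": amount,
                         "unlimited": amount >= UNLIMITED_THRESHOLD,
                         "revoke_calldata": revoke_calldata(spender)})
    return findings


# Constructed addresses and logs for the demo (not real contracts or wallets).
MY_WALLET = "0x1111111111111111111111111111111111111111"
OTHER_WALLET = "0x2222222222222222222222222222222222222222"
ROUTER = "0x3333333333333333333333333333333333333333"
AGGREGATOR = "0x4444444444444444444444444444444444444444"
UNKNOWN_SPENDER = "0x5555555555555555555555555555555555555555"
TOKEN_A = "0x" + "a" * 40
TOKEN_B = "0x" + "b" * 40
TOKEN_C = "0x" + "c" * 40


def approval_log(token, owner, spender, amount, block, index):
    """Build one log entry in eth_getLogs shape (constructed helper)."""
    return {"address": token,
            "topics": [APPROVAL_TOPIC, "0x" + pad32(owner), "0x" + pad32(spender)],
            "data": "0x" + pad32(amount),
            "blockNumber": hex(block), "logIndex": hex(index)}


# Deliberately out of chain order: the revoke of TOKEN_A (block 120) is listed before the grant (block 100).
SAMPLE_LOGS = [
    approval_log(TOKEN_A, MY_WALLET, ROUTER, 0, 120, 0),              # user revoked later
    approval_log(TOKEN_A, MY_WALLET, ROUTER, UINT256_MAX, 100, 0),    # unlimited grant, now stale
    approval_log(TOKEN_B, MY_WALLET, AGGREGATOR, 5_000 * 10**18, 105, 2),
    approval_log(TOKEN_C, MY_WALLET, UNKNOWN_SPENDER, UINT256_MAX, 110, 1),
    approval_log(TOKEN_A, OTHER_WALLET, ROUTER, UINT256_MAX, 121, 0), # another wallet, ignored
]

if __name__ == "__main__":
    for f in audit_allowances(SAMPLE_LOGS, MY_WALLET):
        kind = "UNLIMITED" if f["unlimited"] else f"{f['amount'] / 10**18:.0f} tokens (18 decimals assumed)"
        print(f"token {f['token']} -> spender {f['spender']}: {kind}")
        print(f"  revoke: send to the token contract with data {f['revoke_calldata']}")
```

Note the ordering step: logs must be replayed by block and log index, because only the most recent `Approval` for a (token, spender) pair reflects the current allowance. Against a live node you would fetch the logs with `eth_getLogs` filtered on `APPROVAL_TOPIC` and your own padded address as the second topic, then feed them to the same function.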
The code is getting more secure. The humans aren't. Be the exception.
The Bottom Line
$370 million stolen in January. 84% from phishing and social engineering. One victim lost $282 million to a fake support call.
The attackers aren't breaking your smart contracts. They're breaking you.
This week's action items:
- Check your email for recent crypto-related messages. Are any of them phishing attempts?
- Audit your token approvals at revoke.cash
- Move significant funds to hardware wallets if they're not there already
- Tell one person in your life about social engineering risks
The recovery rate is 0.7%. Prevention is the only strategy.
Want to check a protocol before you ape? @serisitsafebot on Telegram gives you a risk score in under 5 seconds. Free. No signup. Just ask.
Don't get got.
Anson
P.S. Know someone still clicking links in Discord DMs? Forward this to them before they become a statistic.
