Crypto Hacks Top $17B as Private Keys and Bridges Become Prime Targets
Crypto hacks have crossed a grim milestone: more than $17 billion stolen over the past decade, according to DefiLlama data. The pattern is getting uglier, too — attackers are moving away from pure smart contract bugs and straight toward private keys, phishing, credential theft, and bridge infrastructure.
- 518 hacks logged since 2014
- Over $17 billion in total losses
- Private keys, phishing, and bridges are the main targets now
- Kelp DAO’s rsETH bridge exploit is the biggest DeFi hit of 2026 so far
That’s not a minor accounting problem. That’s a giant flashing sign that crypto security has improved in some places while still leaving massive holes elsewhere. The code may be getting tighter, but the humans behind the systems are still making thieves rich.
DefiLlama has logged 518 crypto hacking incidents over the past 10 years, with total losses above $17 billion, according to data reported by Cointelegraph. The headline number matters, but the real story is the shift in how the damage happens. The industry used to get wrecked mostly by smart contract bugs — logic errors, broken assumptions, and sloppy code that let attackers drain funds. Those issues have not vanished, but they are no longer the only game in town. Today, a growing share of losses comes from private key leaks, phishing and credential theft, plus the kind of social engineering that turns a secure system into a very expensive joke.
In plain English: a private key is the secret that controls a crypto wallet or account. If an attacker gets it, they own the funds. No court order, no rollback, no “sorry bro.” And if that key is held by a developer, validator, or signer with protocol access, the blast radius can be enormous.
That’s why crypto security is no longer just a code problem. It’s an operational security problem. You can audit a protocol until the coffee runs cold, but if someone clicks the wrong link, approves the wrong prompt, or stores a seed phrase like they’re hiding a grocery list, the whole setup can still get smoked.
One of the dirtiest weak spots remains bridge infrastructure. Bridges move assets and messages between blockchains. Useful? Absolutely. Also a target-rich environment for attackers? Also absolutely. DefiLlama’s numbers show that around $3 billion of roughly $11.8 billion categorized as “total value hacked” is tied to bridges. That should surprise no one who remembers the carnage from Ronin, Wormhole, and Multichain — three reminders that cross-chain plumbing can become a security nightmare fast.
Why are bridges so dangerous? Because they often rely on trust assumptions that are harder to secure than a simple on-chain transfer. A bridge may depend on external validators, message relays, wrapped assets, or cross-chain verification logic. If any of those pieces are weak, the attacker does not need to break everything. They just need one gap wide enough to slip through.
The latest ugly example is Kelp DAO’s rsETH bridge exploit, which hit on April 18. According to the figures cited, an attacker forged a cross-chain message using a LayerZero-based link and drained about 116,500 rsETH, worth roughly $290 million to $293 million. That represented around 18% of rsETH’s total supply, and it has been described as the largest DeFi hack of 2026 so far.
rsETH is a token tied to restaked Ether, a structure that sits on top of Ethereum staking and restaking mechanisms. That layering can create useful yield opportunities, but it also stacks more moving parts into the system. More moving parts usually means more places for bad actors to poke holes.
The Kelp DAO incident also highlights a brutal truth about cross-chain systems: if message validation is wrong, or if trust assumptions are too loose, the attacker does not need to “hack blockchain” in some Hollywood sense. They just need to convince the system to accept something it should have rejected. That’s the kind of failure that makes engineers stare at logs and mutter creatively.
The quarterly numbers tell the same story. In Q1 2026, hackers reportedly stole about $168.6 million from 34 DeFi protocols. The biggest single loss in that period was the $40 million Step Finance theft, which was tied to a private key compromise. Not a miracle exploit. Not quantum wizardry. Just a stolen key. Mundane, ugly, and painfully effective.
That shift matters because it changes where teams need to spend their attention. Audits are still useful. Formal verification, which is a more rigorous method of mathematically checking whether code behaves as intended, is also useful. But neither one can fully protect a protocol if its key management is garbage.
That’s why the usual advice keeps coming back around: it actually matters. Use hardware keys, set up multi-sig where appropriate, keep signing devices segregated, tighten key management, and stop treating phishing hygiene like a boring side quest. A hardware key is a physical device that approves logins or transactions, making remote theft harder. Multi-sig, short for multi-signature, requires more than one approval before funds can move. In other words, it adds friction on purpose. Friction is annoying. Replacing a stolen treasury is worse.
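The two ideas above, a bridge receiver that must reject any message it cannot bind to a trusted peer, and a threshold of approvals before anything moves, can be seen side by side in this added example (not code from Kelp DAO, LayerZero, DefiLlama or any real bridge): a loose verifier beside a strict one. Validator names and secrets, the chain id and the peer address are constructed for the example, and HMAC tags stand in for real validator signatures.

```python
import hashlib
import hmac

# Constructed validator secrets (stand-in for real validator signing keys).
VALIDATORS = {"val-a": b"secret-a", "val-b": b"secret-b", "val-c": b"secret-c"}
# The only remote app this receiver trusts, per source chain (constructed ids).
TRUSTED_PEERS = {101: "0xSENDER_ON_CHAIN_101"}


def message_digest(src_chain, src_app, nonce, payload):
    """Bind every field the receiver relies on into one digest."""
    header = f"{src_chain}|{src_app}|{nonce}|".encode()
    return hashlib.sha256(header + payload).digest()


def attest(validator, digest):
    """HMAC tag standing in for a validator's signature over the digest."""
    return hmac.new(VALIDATORS[validator], digest, hashlib.sha256).hexdigest()


class LooseReceiver:
    """Weak verifier: one valid-looking attestation from anyone is enough."""
    def accept(self, src_chain, src_app, nonce, payload, attestations):
        d = message_digest(src_chain, src_app, nonce, payload)
        return any(
            v in VALIDATORS and hmac.compare_digest(attest(v, d), tag)
            for v, tag in attestations.items()
        )


class StrictReceiver:
    """Checks peer binding, replay, and an m-of-n attestation threshold."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.consumed = set()  # (src_chain, nonce) pairs already executed

    def accept(self, src_chain, src_app, nonce, payload, attestations):
        # 1. Only the configured peer app on that chain may send to us.
        if TRUSTED_PEERS.get(src_chain) != src_app:
            return False
        # 2. Replay protection: each (chain, nonce) executes at most once.
        if (src_chain, nonce) in self.consumed:
            return False
        # 3. Count distinct known validators whose tag verifies over the digest.
        d = message_digest(src_chain, src_app, nonce, payload)
        good = {v for v, tag in attestations.items()
                if v in VALIDATORS and hmac.compare_digest(attest(v, d), tag)}
        if len(good) < self.threshold:
            return False
        self.consumed.add((src_chain, nonce))
        return True
```

The loose receiver never asks who the message claims to come from, so a forged sender with a single attestation passes; the strict one rejects it, rejects a replay of a genuine message, and rejects a genuine message that falls short of the threshold.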
There are also more everyday attack paths that users and teams keep underestimating. Fake wallet prompts, malicious browser extensions, bogus support messages, phishing links in Discord or Telegram, and SIM-swap-style attacks all remain in the toolbox. The scams are often low-tech in concept and high-tech in execution. AI just makes the bait better. The bad actors are getting better at sounding like someone you trust, which is the sort of progress nobody asked for.
Security firms have warned that AI-assisted scams may make the problem worse. A year or two ago, many phishing attempts were laughably sloppy. Now they can be tailored, convincing, and timed around a victim’s normal workflow. That means the threat is not only that attackers are scaling up; it’s that they are getting more personalized, more persistent, and far less likely to give themselves away.
The uncomfortable counterpoint is that crypto has not made zero progress. Many teams have improved code review, bug bounties, custody practices, monitoring, and incident response. Better audits have likely prevented some disasters from becoming even larger disasters. But “better than before” is not the same as “safe,” and the numbers prove it. The industry has gotten smarter in the lab while attackers keep winning in the hallway.
For users, the lesson is simple: do not assume a polished interface means strong security. For teams, the lesson is harsher: if keys, bridges, and approval flows are sloppy, the smartest smart contract in the world will not save you. One compromised credential is enough to turn another line in DefiLlama’s hacks database into a nine-figure disaster.
Key questions and takeaways
How much has crypto hacking cost over the last decade?
More than $17 billion, across 518 incidents recorded since 2014. The losses are big enough to be a sector-wide credibility tax.
What kind of attacks are working best now?
Private key compromise, phishing, credential theft, and social engineering are doing more damage than many pure smart contract bugs. Human failure is still the easiest entry point.
Why are crypto bridges such a problem?
Bridges rely on complex trust assumptions across blockchains, making them attractive targets. When bridge logic fails, attackers can move fast and steal big.
What happened in the Kelp DAO rsETH exploit?
An attacker reportedly forged a cross-chain message through a LayerZero-based link and drained about 116,500 rsETH, worth roughly $290 million to $293 million.
Was the Kelp DAO exploit the biggest DeFi hack of 2026 so far?
Yes, based on the figures cited, it was the largest DeFi hack of 2026 so far.
Are audits enough to protect DeFi protocols?
No. Audits and formal verification are necessary, but not sufficient. Strong key custody, hardware security, and anti-phishing discipline matter just as much.
What is the most important security lesson for crypto teams?
It only takes one compromised credential to turn another line in DefiLlama’s hacks database into a nine-figure loss. If key management is weak, the rest is just expensive decoration.