Cybercriminals who target crypto are not operating on a fixed schedule. They move when the money moves. That was the key message from Kraken’s chief security officer, Nick Percoco, who told reporters that hacking activity in the crypto space tends to spike during bull markets, major product launches, and periods of rapid growth — not because of the calendar, but because those are the moments when the most value is concentrated in one place. “Vulnerabilities can be exploited in any market environment,” Percoco said, warning that security in crypto has to be treated as an ongoing effort, not a seasonal one. His comments came as new data showed a notable drop in crypto theft during the first three months of 2026. According to DefiLlama , hackers pulled $168 million from 34 decentralized finance protocols between January and March — a steep fall from the $1.58 billion stolen during the same period last year. Private Keys And Smart Contracts Remain Weak Spots That prior-year figure, however, was heavily skewed by a single incident: the $1.4 billion Bybit breach , which accounted for nearly the entire Q1 2025 total. Strip that out and the comparison looks less dramatic. Still, the losses in early 2026 were far from small. The biggest hit came in January, when portfolio management platform Step Finance lost $40 million after attackers compromised its private keys. Days later, on Jan. 8, decentralized protocol Truebit was drained of $26.4 million worth of ether through a smart contract manipulation. A third major incident struck stablecoin issuer Resolv Labs in late March, also through a private key compromise — the same method used in the Step Finance attack. Private key failures and code exploits are two very different problems, but both keep appearing in the data. One is a human and operational issue. The other is a code issue. Neither has been solved. North Korea-Linked Groups Remain A Persistent Concern Data shows that 34 separate DeFi protocols were hit across the quarter. The attacks were spread across the period, with January bearing the heaviest losses. Percoco described the threat pool as a mix of highly coordinated groups, organized criminal networks, and opportunistic individuals scanning for weak points in smart contracts and user-facing systems. North Korea-linked actors have been flagged repeatedly in connection with major crypto thefts. Suspected affiliates of that network were linked to an attack on decentralized exchange Drift Protocol, which lost an estimated $285 million to a private key leak. Featured image from Unsplash, chart from TradingView
