DefiLlama logs 518 crypto hacks and over $17b in losses in 10 years, with attackers shifting from smart contracts to keys, bridges and wallets, as rsETH loses ~$290m.
Summary
- DefiLlama has logged 518 crypto hacking incidents over the past 10 years, with total losses above $17 billion.
- A growing share of that damage comes from private key leaks, phishing and credential theft rather than pure smart contract bugs.
- The latest example is Kelp DAO’s rsETH bridge exploit, which drained about 116,500 rsETH worth roughly $290–$293 million — 2026’s largest DeFi hack so far.
Crypto’s security bill over the past decade has quietly climbed past $17 billion, according to DefiLlama data cited by Cointelegraph, with at least 518 documented hacks and exploits hitting exchanges, DeFi protocols, bridges and wallets since 2014. That figure captures everything from early exchange blow‑ups to today’s sophisticated cross‑chain attacks, and it comes even as the overall pace of large on‑chain exploits has slowed from peak‑mania years like 2021–2022.
A decade of $17b in crypto losses
Under the surface, however, the composition of those losses is shifting. Where early DeFi hacks often hinged on smart contract bugs and unchecked flash‑loan logic, recent incidents show attackers increasingly targeting the soft tissue around crypto — private keys, signing infrastructure and user devices — with credential theft, social engineering and SIM‑swap‑style attacks. Security firms told Cointelegraph that they expect 2026 to bring more advanced phishing and AI‑assisted scams capable of tricking even technically savvy users into signing malicious transactions or revealing seed phrases.
Bridge infrastructure has been a particular weak point. DefiLlama’s hacks dashboard shows that bridges account for almost $3 billion of the roughly $11.8 billion it categorises as “total value hacked,” with large single incidents like the Ronin, Wormhole and Multichain exploits setting the tone for cross‑chain risk. The latest addition to that list is Kelp DAO’s rsETH cross‑chain bridge, which was hit on April 18 after an attacker forged a cross‑chain message on a LayerZero‑based link and minted or released 116,500 rsETH to an attacker‑controlled address.
Those tokens — representing “restaked” Ether — were worth about $290–$293 million at the time, or roughly 18% of rsETH’s total supply, and have been called the largest DeFi exploit of 2026 so far by outlets including Bloomberg. The incident forced Kelp DAO to pause the bridge, coordinate emergency responses with exchanges and protocols, and sparked a blame game over LayerZero’s default single‑validator configuration, which critics argue left the system effectively one‑key‑away from catastrophic minting.
Even away from headline‑grabbing exploits, everyday credential compromises continue to rack up damage. DefiLlama data cited by Cointelegraph shows that in the first quarter of 2026 alone, hackers stole about $168.6 million from 34 DeFi protocols, with the largest single hit — a $40 million Step Finance theft — traced back to a private key compromise rather than a pure code bug. That trend suggests DeFi’s smart contract security is slowly hardening, while attackers respond by moving upstream into the tools and human processes that sit between wallets and protocols.
For users and teams, the lesson is brutal but clear: audits and formal verification are necessary, but not sufficient. Hardware keys, multi‑sig schemes, segregated signing devices, strict key‑management policies, and relentless phishing hygiene are now as critical to safeguarding crypto as gas optimisations and bug bounties ever were — because it only takes one compromised credential to turn another line in DefiLlama’s hacks database into a nine‑figure loss.
