Crypto scams spike as attackers pivot to phishing tactics

The data show how quickly “offchain” compromise can drain “onchain” value. CertiK said 40 incidents were recorded in January, but the month’s headline number was dominated by one case: a single victim lost roughly $284 million in a social engineering scam. That concentration matters because it suggests the marginal risk isn’t always a smart-contract bug – it can be identity, device, or workflow failure at the moment keys or approvals are exposed.

Phishing accounted for most of the month’s total, at about $311.3 million, implying that a large share of January’s damage came from credential capture, malicious signing flows, or other tactics designed to trick users into authorizing transfers. That pattern fits a broader security trend CertiK has highlighted: phishing has been one of the most frequent attack vectors, and the industry has repeatedly seen large losses tied to compromised access rather than protocol code alone.

2026 January’s figure represents a sharp step up from recent baselines. CertiK pegged January 2025 losses at $98 million, making this January’s total more than 277% higher year over year. It also marked a 214% increase from December, when $117.8 million was reported lost. The acceleration indicates that even when market activity cools, adversaries can still scale outcomes by targeting high-value individuals, institutions, or operational choke points.

The comparison set also underscores how “tail events” skew security statistics. CertiK noted the last larger monthly total was in February 2025, when around $1.5 billion was stolen, mostly tied to a roughly $1.4 billion attack on Bybit. Large, isolated events can dominate quarterly narratives, but January’s mix – one enormous social-engineering loss plus a wide band of phishing activity – shows that the threat surface spans both enterprise-grade breaches and retail-style deception at scale.

The market takeaway for operators is operational, not philosophical: more of the loss curve is being determined by how keys are stored, how approvals are reviewed, and how teams handle authentication and access control – especially when funds are held in hot environments or when transaction signing is delegated across devices and personnel. CertiK’s 2025 security reporting described a landscape in which attackers increasingly concentrate resources into fewer, higher-impact operations, while phishing remains one of the most common incident categories – an uncomfortable combination when a single mistake can be final on public ledgers like Ethereum.