Crypto spent January doing what it does best: shipping shiny new tech while losing old-fashioned money to attackers who mostly just look for the weakest link. CertiK says crypto users lost about $370.3 million to exploits in January, a number that lands with a thud after months of "security is improving" talk. [1] Sure.

The more awkward detail is not even the dollar figure. CertiK also flagged a rise in "wrench attacks," the industry's blunt term for theft enabled by physical coercion (think: forcing someone to hand over keys or approve transfers). [2] Decentralization does not help much when the threat model includes an actual wrench.

The January snapshot: $370.3 million gone, and not all of it was "on-chain"

CertiK's January tally pegs total exploit-related losses at $370.3 million, spanning the usual mix of hacks, smart contract exploits, and other malicious incidents tracked by the firm's security analytics. [3] The headline number matters because it frames a simple reality: even when market structure matures, the attack surface keeps expanding.

Two points are easy to miss behind the big total:

  • Not every loss is a smart contract failure. A meaningful share of crypto theft comes from compromised credentials, stolen keys, and social engineering, attacks that bypass audited code entirely.
  • Some attacks are not "crypto-native" at all. Wrench attacks are offline crimes with online settlement, and they do not care whether your protocol was formally verified.

CertiK's data adds weight to the argument that "security" in crypto cannot be reduced to audits and bug bounties, even if those remain table stakes.

Wrench attacks: the threat model nobody wants on a slide deck

The term wrench attack exists because the most sophisticated cryptography still fails against simple coercion. Rather than exploiting a protocol, attackers target the person who can sign a transaction.

This trend matters for two reasons:

  1. Self-custody is growing, and so is responsibility. Users moving funds into personal wallets reduce exchange risk, but they also become a single point of failure. If one person holds the keys, one person can be pressured.
  2. Security controls are uneven outside institutions. Enterprises may use multi-party controls, travel policies, and operational security training. Retail holders and small teams often do not, even when they hold meaningful size.

Wrench attacks also blur the line between "crypto crime" and traditional violent crime. That has downstream implications for how law enforcement prioritizes cases, how insurers price risk, and how teams think about executive and founder security.

Why the losses keep happening: incentives, complexity, and key management

January's $370.3 million figure is less interesting as a single datapoint than as a symptom. Several structural drivers keep showing up in exploit cycles:

Smart contract risk remains, even with audits

Audits reduce risk, they do not eliminate it. Complex protocols introduce edge cases, integrations introduce dependency risk, and upgrades introduce new failure modes. Attackers only need one overlooked path.

Private keys are still the soft underbelly

A large portion of catastrophic losses, across the industry, comes down to key compromise: malware, leaked seed phrases, SIM swaps, compromised signers, or social engineering of staff with access. "Decentralized" does not mean "no admins," it often means "admins with keys."

Faster shipping often beats safer shipping

When token incentives reward speed and growth, security becomes a cost center until it becomes a headline. Security firms can publish postmortems all day, but incentive alignment is the part that hurts. [4]

Takeaways: what CertiK's January number implies for teams and users

CertiK's January total and the wrench-attack note point to a few practical conclusions that cut through the noise.

Takeaway 1: Security is broader than code

Protocols can invest in audits, formal verification, and continuous monitoring, but they also need to harden operational processes: signer hygiene, access controls, incident response, and vendor risk. If the attacker walks in through a compromised laptop, the Solidity audit does not matter.

Takeaway 2: Self-custody needs "ops," not just a wallet

Retail self-custody narratives often stop at "use a hardware wallet." That is necessary, not sufficient. Users need layers: multisig where possible, segregated hot and cold funds, secure backups, and a plan for what happens under duress.

Takeaway 3: Physical risk is now a mainstream crypto risk

The rise of wrench attacks means security planning has to include real-world behavior: privacy discipline, travel discipline, and reducing public signals of holdings. It is boring, and it works.

What to watch next (because the attackers will)

January's $370.3 million is the past. The forward-looking question is whether the industry changes the parts that keep failing.

Here are the concrete signals worth tracking over the next few months:

  1. Adoption of stronger signer setups. Watch for more projects moving treasury and admin controls to multisig or multi-party computation (MPC) setups, plus tighter policies around who can sign what, and when. One compromised signer should not be an existential event.

  2. Security budgets tied to TVL and revenue. Teams that scale security staffing and monitoring with total value locked (TVL) and protocol revenue tend to fare better than teams that treat audits as a one-time launch expense.

  3. User-side tooling for duress and recovery. If wrench attacks are rising, wallets and custody solutions will be pressured to add features like transaction delays, spending limits, duress wallets, and clearer recovery workflows. The best UX in crypto might soon be the one that assumes you are having a very bad day.

  4. More explicit accounting of "losses" versus "recoveries". The industry still mixes gross losses, net losses, and recovered funds depending on who is telling the story. Better reporting standards would not stop hacks, but they would stop the narrative games.

CertiK's January figure is not a prophecy, it is a receipt. Crypto can keep pretending every exploit is an isolated incident, or it can treat security like a full-stack problem that includes people, keys, and yes, the occasional wrench.