February printed a rare "risk-off" signal for crypto security: total exploit losses collapsed to $35.7 million, down more than 90% month over month. [1] That is the quietest month since March 2025, and it matters because hacks and drains often act like a shadow liquidity event, forcing teams and users to dump tokens to cover holes. [2] The level to watch is simple: whether this stays a one-month breather, or snaps back the moment markets heat up.

CertiK-compiled figures show attackers were unusually contained, but not gone. A couple of clean, targeted hits still did real damage, led by a $10 million oracle manipulation on YieldBlox and a $9 million breach at IoTeX. [3] Meanwhile, phishing losses hit $8.5 million, powered by "drainer-as-a-service" kits that keep the scam pipeline open even when headline hacks slow down. [3]

February was quiet, but the threat model did not improve overnight

A 90% drawdown in stolen value reads like a structural win, but the more likely explanation is a mix of timing, attacker preference, and fewer "easy-mode" openings. Security incident totals tend to cluster: one major exploit can dominate a month, while a slow month can still hide a lot of probing and failed attempts behind the scenes.

Two context points help frame February's print:

  • January posted "staggering losses" by comparison, according to the same CertiK reporting referenced in the source coverage. February's number is as notable for what did not happen as for what did.
  • Year-over-year comparisons are distorted by outliers. February last year was dominated by the $1.5 billion Bybit exploit, an anomaly big enough to warp annual charts on its own. [2] When one event that large sits in the base period, the next year's "improvement" can look cleaner than reality.

Bottom line: $35.7 million is low, but it is not a victory lap. It is a reminder that risk is episodic, and attackers pick their spots.

The big hit: YieldBlox oracle manipulation ($10M)

The most expensive single incident cited for February was a $10 million oracle manipulation affecting YieldBlox. Oracle attacks are a DeFi classic because they target a protocol's assumptions rather than its code paths alone. If a system trusts a price feed that can be skewed, even briefly, an attacker can borrow against inflated collateral, drain liquidity, or unwind positions at artificial prices.

What traders should take from this:

  • Oracle design is still a first-order risk. "Audited" does not mean "oracle-hard." Protocols can be perfectly coded and still crumble if pricing inputs can be pushed around during low liquidity windows.
  • Liquidity conditions matter. Manipulation risk tends to rise when on-chain liquidity is thin, volatility is spiky, or the protocol relies on a narrow set of venues for pricing.
  • The invalidation line is mitigation. If teams add robust safeguards like time-weighted pricing, circuit breakers, and multi-source feeds, oracle manipulation becomes harder to scale. If they do not, it stays a repeatable playbook.
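
The three safeguards named in the last bullet, sketched as an added Python example (not code from YieldBlox, CertiK or any protocol mentioned here): a median across several feeds, a time-weighted average, and a circuit breaker that halts when the two disagree. The thresholds, venue names and price history are constructed assumptions.

```python
from statistics import median

MAX_DEVIATION = 0.10  # assumed breaker threshold: spot vs TWAP
MIN_SOURCES = 3       # assumed minimum number of independent feeds

class OracleHalt(Exception):
    """Raised when the price cannot be trusted; callers should pause borrowing."""

def twap(observations, now, window):
    """Time-weighted average over the last `window` seconds.
    observations: ascending (timestamp, price); each price holds until the next one."""
    start = now - window
    weighted = covered = 0.0
    ends = [t for t, _ in observations[1:]] + [now]
    for (t0, price), t1 in zip(observations, ends):
        lo, hi = max(t0, start), min(t1, now)
        if hi > lo:
            weighted += price * (hi - lo)
            covered += hi - lo
    if covered < window:
        raise OracleHalt("not enough price history for the TWAP window")
    return weighted / covered

def guarded_price(spot_by_source, observations, now, window=1800):
    """Median of several feeds, cross-checked against the TWAP."""
    if len(spot_by_source) < MIN_SOURCES:
        raise OracleHalt("too few price sources")
    spot = median(spot_by_source.values())
    avg = twap(observations, now, window)
    if abs(spot - avg) / avg > MAX_DEVIATION:
        raise OracleHalt(f"spot {spot} deviates from TWAP {avg:.4f}")
    return min(spot, avg)  # value collateral at the lower, more conservative figure

def max_borrow(collateral_units, price, ltv=0.75):
    """Borrowing capacity at a given collateral price and loan-to-value ratio."""
    return collateral_units * price * ltv

# Constructed sample data: 30 minutes at 1.00, then a 12-second spike to 5.00.
HISTORY = [(0, 1.00), (1800, 5.00)]
NOW = 1812
ONE_VENUE_SKEWED = {"venue_a": 5.00, "venue_b": 1.01, "venue_c": 0.99}
ALL_VENUES_SKEWED = {"venue_a": 5.00, "venue_b": 4.95, "venue_c": 5.05}

if __name__ == "__main__":
    print("single spot feed:", max_borrow(1000, ONE_VENUE_SKEWED["venue_a"]))
    print("guarded:", max_borrow(1000, guarded_price(ONE_VENUE_SKEWED, HISTORY, NOW)))
    try:
        guarded_price(ALL_VENUES_SKEWED, HISTORY, NOW)
    except OracleHalt as exc:
        print("halted:", exc)
```

With one skewed venue the median ignores the outlier and borrowing capacity stays near its pre-spike level; when every venue moves together, the breaker refuses to price collateral at all, which is the safer failure mode for a lending market.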

The other headline: IoTeX breach ($9M)

CertiK's February incident list also flagged a $9 million breach at IoTeX. Without needing to speculate on exact mechanics beyond what was reported, the market takeaway is straightforward: infrastructure and ecosystem-layer security issues can be just as painful as DeFi smart contract bugs. [4]

For participants, this reinforces a boring but profitable habit: do not treat "chain brand" as a security guarantee. Whether you are bridging, staking, or interacting with ecosystem dApps, your risk surface expands quickly, and a single compromised component can ripple across users who did everything "right."

Phishing stayed active: $8.5M lost, drainer kits keep scaling

While the hack total dropped, phishing remained persistent at $8.5 million for the month, driven by drainer-as-a-service tooling. That detail matters because it explains why user-side losses keep showing up even when protocol security improves.

Drainers lower the skill threshold. Instead of building bespoke malware or exploit chains, attackers can rent or buy plug-and-play kits, then focus on distribution: fake sites, malicious ads, spoofed social accounts, and wallet approval traps.

This is also why "quiet month" headlines can be misleading. Even if fewer contracts get exploited, retail wallets remain a soft target, and drainers do not need a bull market to work.

Practical implications:

  • Wallet approval hygiene matters more than ever: revoke permissions, use separate wallets for "clicking" vs holding, and treat signature requests like cash wires.
  • Teams cannot outsource trust to users. If your project UX pushes blind signing, you are effectively subsidizing the drainer economy.

Why the drop happened, and why it can reverse fast

A 90% decline usually comes from some combination of:

  1. No mega-exploit landing that month. One $200 million incident can erase "good behavior" instantly.
  2. Attackers rotating tactics. When defenses harden on one vector, attackers pivot to phishing, social engineering, and oracle or economic attacks.
  3. Market regime shifts. Lower volatility and reduced on-chain activity can mean fewer opportunities to extract value at scale, but that can change quickly.

The skeptical read is that February looks like a pause, not a trend. If on-chain volumes and risk appetite accelerate, the incentives return immediately, and so does the pressure on every weak integration.

What would invalidate the "security is improving" narrative?

If March and April snap back with one or two large protocol drains, February will look like a statistical valley. The "improvement" thesis needs follow-through: multiple low-loss months, plus evidence of better controls across common failure points.

Key invalidation signals to watch:

  • A resurgence of oracle-based drains across mid-cap DeFi apps.
  • A large bridge or cross-chain messaging incident (historically the fastest way to rack up nine-figure losses).
  • Accelerating drainer campaigns tied to new token launches, airdrops, or meme cycles, where urgency becomes exit liquidity.

Watchlist takeaway

February's $35.7 million total is the calmest security tape in nearly a year, but the market should treat it like a weather report, not a climate shift.

Watchlist:

  • Oracle risk: any protocol with thin-liquidity pricing inputs or single-source feeds.
  • Ecosystem-layer breaches: chain tooling, wallets, and integrations that can fail outside smart contracts.
  • Phishing and drainers: spikes around airdrops, token launches, and "connect wallet" campaigns.
  • Trend confirmation: another low-loss month would be meaningful; one mega-hack would erase the signal.

Quiet months happen. Attackers do not retire.