
Crypto Twitter spent years speedrunning the same storyline: some smart contract gets poked in the wrong place, a protocol bleeds, and everyone posts the "this is why we can't have nice things" meme. February's numbers suggest a quieter plot twist. The biggest risk is less "elite hacker," more "someone in your DMs asking you to sign something."
Total crypto losses tied to exploits and scams fell to $49 million in February, according to a monthly report from security firm Nominis, a sharp cooldown after January's higher damage. [1] The catch: attackers appear to be shifting away from technical protocol breaks and leaning harder into phishing campaigns and malicious wallet approvals, a strategy that targets people, not code. [2]


Losses cooled, but the threat model changed

On paper, $49 million looks like a breather month. Fewer ugly screenshots. Less onchain chaos. Slightly fewer "funds are SAFU" jokes.

Nominis' February readout points to a more important signal than the headline number: the method of theft is changing. Instead of hunting for exploitable smart contract logic, criminals are increasingly trying to convince users to hand over access themselves, typically through:
  • Phishing: fake sites, fake support, fake token claims, and impersonated accounts that nudge users to connect a wallet or reveal sensitive info.
  • Malicious wallet approvals: tricking users into signing transactions that grant a third party permission to move tokens later. In plain English, you think you are clicking "connect" or "verify," but you are actually giving a stranger ongoing access to your bag.
That pivot matters because it scales. A contract exploit often requires deep technical work and a specific target. Social engineering can be cloned, localized, and blasted across Discords, Telegram groups, X replies, and even paid search ads. [3]

Phishing is winning because it meets users where they are

Security veterans have been repeating the same line for years: the weakest link is the human. February's data makes that feel less like a slogan and more like a business model. [4]

A few reasons phishing and approval scams are thriving even when protocol exploits slow down:

1) "Sign" is the new "password"

Self-custody culture taught people not to share seed phrases, which is good. But it also trained users to treat wallet popups as routine friction. Attackers exploit that muscle memory.
Wallet "approvals" are especially dangerous because they can look harmless. Many users do not read the permission scope, the token allowance amount, or the spender address that is being granted it. Once approved, a drainer can sweep assets later without another dramatic prompt, because the allowance stays in force until it is revoked.
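As an added illustration of what "read what you sign" means at the calldata level (this is editor-written example code, not anything from Nominis or the original article), the snippet below decodes the two approval calls that drainers rely on, the ERC-20 `approve(address,uint256)` and the NFT `setApprovalForAll(address,bool)`, and rates the request before a wallet would sign it. The function selectors are the standard ones; the spender allowlist and the sample calldata are constructed for the example.

```javascript
// Classify a signing request by decoding approval calldata (added example).
// Standard 4-byte selectors for the two approval calls drainers depend on.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",        // ERC-20 token allowance
  "0xa22cb465": "setApprovalForAll(address,bool)", // ERC-721/1155 operator grant
};
const UNLIMITED = (1n << 256n) - 1n; // type(uint256).max, the "infinite approval"

// Constructed allowlist: spenders the user knowingly uses (hypothetical address).
const KNOWN_SPENDERS = new Set(["0x" + "a".repeat(40)]);

// i-th 32-byte ABI word after the 4-byte selector, as hex without 0x.
function word(hex, i) {
  return hex.slice(10 + i * 64, 10 + (i + 1) * 64);
}

function reviewCalldata(data, knownSpenders = KNOWN_SPENDERS) {
  const hex = data.toLowerCase();
  const fn = SELECTORS[hex.slice(0, 10)];
  if (!fn) return { risk: "info", fn: null, spender: null, reasons: ["not an approval call"] };
  if (hex.length < 138) return { risk: "warn", fn, spender: null, reasons: ["malformed calldata"] };
  const spender = "0x" + word(hex, 0).slice(24); // address is right-aligned in its word
  const value = BigInt("0x" + word(hex, 1));      // allowance amount, or bool for operator
  const isErc20 = fn.startsWith("approve");
  // Allowance 0 / operator=false removes access: this is the revoke path, never risky.
  if (value === 0n) return { risk: "low", fn, spender, reasons: ["revocation"] };
  const unknown = !knownSpenders.has(spender);
  const broad = isErc20 ? value === UNLIMITED : true; // operator grant always covers the whole collection
  const reasons = [];
  if (unknown) reasons.push("spender not on allowlist");
  if (broad) reasons.push(isErc20 ? "unlimited allowance" : "operator for every token in the collection");
  const risk = unknown ? "high" : broad ? "medium" : "low";
  return { risk, fn, spender, reasons };
}

// Constructed sample calldata (spender 0x1111...1111 is a made-up, unknown address).
const SAMPLE_UNLIMITED = "0x095ea7b3" + "0".repeat(24) + "1".repeat(40) + "f".repeat(64);
const SAMPLE_REVOKE    = "0x095ea7b3" + "0".repeat(24) + "1".repeat(40) + "0".repeat(64);
const SAMPLE_OPERATOR  = "0xa22cb465" + "0".repeat(24) + "1".repeat(40) + "0".repeat(63) + "1";
const SAMPLE_BOUNDED   = "0x095ea7b3" + "0".repeat(24) + "a".repeat(40) + "0".repeat(61) + "3e8"; // 1000 units to a known spender

for (const d of [SAMPLE_UNLIMITED, SAMPLE_REVOKE, SAMPLE_OPERATOR, SAMPLE_BOUNDED]) {
  console.log(reviewCalldata(d));
}
```

A real wallet extension would resolve the spender against verified contract labels rather than a static set, but the decode and the "unlimited or operator grant to an unknown spender" rule are the core of what the prompt is hiding.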

2) The UX of Web3 still leaks trust

Crypto is allergic to centralized gatekeepers, but that also means most communities rely on the same soft signals: a Discord announcement, a "team member" DM, a link that looks close enough to the real one.
On CT (Crypto Twitter, meaning the loose crowd of traders, builders, and posters on X), you can see the defensive posture evolving in real time. The vibe in replies has shifted from "which chain is safer?" to "is that link real?" and "revoke approvals now," especially whenever a popular collection, exchange, or tool has an account impersonated.

3) Attackers follow liquidity and attention, not ideology

When markets heat up, users click faster. When airdrop season is in the air, users connect wallets more casually. When meme coins are flying, people chase "claim" links like they are free money. Social engineering thrives on urgency.

The February slowdown in total losses does not necessarily mean criminals are retreating. It can also mean they are choosing lower-noise, higher-conversion tactics, and spreading attempts across many small victims instead of one giant protocol hit.

Community behavior: fewer "hacks," more quiet wallet drains

One cultural tell: victims of phishing do not always announce it. A protocol exploit becomes a public incident by default. A wallet drain often feels personal, embarrassing, or confusing, especially when the user "signed it themselves."

That changes how communities respond:

  • Discord moderators are increasingly focused on link hygiene, bot permissions, and announcement channel lockdowns, not just "audit talk."
  • Collectors and traders are treating approvals like a routine chore, using tools and checklists to review allowances after mints, farms, and airdrop claims.
  • Teams are leaning harder into "never DM first" messaging and pushing users toward official link hubs.

The irony is that better contract security can make the ecosystem look "safer" in dashboards, while the lived experience for users stays risky because the attack surface moved to the wallet layer.

What to watch next: catalysts and risks

February's $49 million figure is not a victory lap. It is a reminder that crypto crime is adaptive.

Here are the near-term catalysts that can push phishing higher again:

  1. Airdrops and points programs: anything that trains users to click "claim" creates ideal conditions for spoof sites and fake eligibility checkers.
  2. Account takeovers and impersonation waves: when a major project account is compromised, phishing spreads faster than any contract exploit because it borrows trust instantly.
  3. "Approval fatigue" UX: the more often people sign, the less attention they pay, and the higher the success rate for malicious permissions.

Practical takeaway: defend your wallet like it is a public API

If February showed anything, it is that attackers do not need to beat the protocol. They just need you to click.

A few habits worth treating as baseline ops:

  • Assume every link is hostile, especially in DMs and replies, even if the account looks legit.
  • Read what you sign, and be extra skeptical of approvals that grant broad token access.
  • Revisit wallet permissions regularly (revoking old allowances is boring, which is why it works).
  • Use separate wallets: one for daily minting and experimentation, one for long-term holdings.

The number dropped to $49 million, but the story did not end. It just moved from the smart contract battlefield to the browser tab where you were about to click "GM, claim now."