Month in Review: Top DeFi Hacks of January 2026

Category: Month in Review

POSTED BY: Rob Behnke

02.02.2026

In January 2026, seven DeFi protocols suffered hacks that each resulted in losses of over $1 million. In total, approximately $86 million was lost across these protocols.

However, these major losses were dwarfed by the most expensive DeFi social engineering attack to date. An IT support scam targeting a Trezor user resulted in approximately $282 million in BTC and LTC being stolen from accounts secured by a compromised root key.

Biggest DeFi Hacks of January 2026

January 2026 saw seven major DeFi hacks with losses of over $1 million. These include:

  • TMX: In January 2026, TMX suffered an estimated $1.4 million hack on Arbitrum. The attacker used USDT to mint TMX LP, swapped the USDC for USDG, unstaked, and sold additional USDG in a loop.


  • Truebit: Truebit, a blockchain verification protocol, was the target of an estimated $26.4 million exploit in January 2026. An error in an old contract allowed attackers to mint TRU tokens essentially for free and burn them to drain value from the protocol.


  • MakinaFi: MakinaFi suffered an approximately $4.1 million hack. The attackers targeted its DUSD/USDC CurveStable pool, exploiting flaws in its execution logic to drain value from the protocol.


  • SagaEVM: Saga EVM suffered a supply chain hack, resulting in an estimated $7 million in losses. The attacker took advantage of vulnerabilities in EVM precompile bridge logic from Ethermint that the protocol inherited.


  • SwapNet: SwapNet suffered an estimated $13.4 million hack due to a smart contract vulnerability. Since the code is closed-source, the exact issue is unknown but believed to be an arbitrary call vulnerability with insufficient input validation.


  • Aperture Finance: Aperture Finance was impacted by an incident similar to SwapNet's. In this case, its V3/V4 contracts were vulnerable and lost an estimated $4 million.


  • Step Finance: Step Finance suffered an estimated $30 million in losses due to the compromise of several of its treasury and fee wallets. On-chain activity on Solana points to compromised private keys as the likely root cause of the incident.

Lessons Learned from the Attacks

In January 2026, the majority of major hacks involved smart contract vulnerabilities. Root causes varied from inherited vulnerabilities (SagaEVM) to old code (Truebit) to logical and implementation errors in the projects’ contracts. However, the two most significant incidents of the month — Step Finance and a major social engineering hack — involved compromised keys.

This combination of attack vectors shows the importance of both smart contract audits and robust off-chain security practices. For help in enhancing your project’s security against these threats, get in touch.

Disclaimer

The information in this blog is for general educational and informational purposes only and does not constitute legal, financial, or professional advice. Halborn makes no representations as to the accuracy or completeness of the content, which may be updated or changed without notice.