Update (April 14, 2026, 11:00 UTC): Totals in this report have been revised — Q1 losses now stand at $482 million across 44 incidents.
Web3 projects suffered $482 million in thefts and scams during Q1 2026, according to Hacken’s quarterly security report. The quarter saw no single billion-dollar mega hack, but it recorded a larger number of mid-sized incidents and a shift toward attacks that exploit people, processes and infrastructure rather than onchain code alone.
Phishing and social engineering dominated the quarter, accounting for $306 million of losses. A single January hardware wallet scam, which siphoned $282 million, made up more than half of the quarter’s total damage. Smart contract exploits were responsible for $86.2 million, and access control failures — including stolen keys and compromised cloud services — added $71.9 million in reported losses.
Hacken mapped 44 incidents for the quarter and ranked Q1 2026 as the second-lowest first quarter since 2023, helped by the absence of a Bybit-scale mega hack (Bybit lost $1.46 billion in Q1 2025). Yev Broshevan, Hacken’s CEO and co-founder, emphasized that the costliest breaches increasingly occur outside smart contract code, in operational and infrastructure layers that traditional audits do not always cover.
Notable cases illustrate these trends. Step Finance lost $40 million after a fake venture-capital outreach effort tied to North Korea, while Resolv Labs reported a $25 million loss from a compromise of AWS key management. Even when smart contracts were implicated, many losses derived from older deployments and known vulnerability classes: Truebit lost $26.4 million to a Solidity bug in a contract deployed about five years ago, and Venus Protocol was hit by a donation-attack pattern documented since 2022. Six audited projects, including Resolv (18 audits) and Venus (audited by five firms), together accounted for $37.7 million in losses, underscoring that audited, high-TVL protocols often attract more sophisticated attackers.
Regulatory and institutional scrutiny intensified during the quarter. Hacken highlighted enforcement linked to the EU’s Markets in Crypto‑Assets Regulation (MiCA) and the Digital Operational Resilience Act (DORA). Regional developments included Dubai’s Virtual Assets Regulatory Authority tightening its Technology and Information Rulebook; Singapore moving to Basel-aligned capital requirements and enforcing one-hour incident notification rules; and the UAE’s new Capital Market Authority assuming broader federal oversight with higher penalties.
Hacken recommends a “regulator-ready” operational benchmark: proof-of-reserves backed by daily internal reconciliation; 24/7 onchain monitoring of treasury wallets and privileged roles; automated circuit breakers for minting and governance functions; and incident notification timelines aligned to the strictest applicable rule. The report sets realistic operational targets of detecting incidents within 24 hours, labeling them within four hours, and blocking malicious actions within 30 seconds. It also cites aspirational goals — such as 10-minute detection and one-second blocking — drawn from industry guidance like Global Ledger’s 2025 Laundering Race recommendations.
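One way to implement the monitoring and circuit-breaker part of this benchmark, as an added example that is not code from the Hacken report or from Cointelegraph: a small Python monitor that runs over constructed, already-decoded onchain events and applies three rules, a rolling-window cap on minting that trips a pause, a per-transaction outflow threshold on a treasury wallet, and an allowlist check on privileged role grants. The addresses, caps, window length and role names are assumptions chosen for illustration; a production deployment would read events from a node and enforce the pause through an onchain guardian role rather than a flag in Python.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One decoded onchain event (constructed for this example)."""
    ts: int          # block timestamp, unix seconds
    kind: str        # "Mint", "Transfer" or "RoleGranted"
    actor: str       # minter, transfer sender, or account that received the role
    amount: int = 0  # token units for Mint/Transfer; unused for RoleGranted
    role: str = ""   # role name for RoleGranted


@dataclass(frozen=True)
class Alert:
    ts: int
    rule: str
    action: str      # "block" for circuit-breaker rules, "notify" otherwise
    detail: str


class TreasuryMonitor:
    """Applies minting, treasury-outflow and role-grant rules to an event stream."""

    def __init__(self, *, mint_cap, mint_window, treasury, treasury_cap, trusted_signers):
        self.mint_cap = mint_cap              # max units mintable inside one window
        self.mint_window = mint_window        # rolling window length in seconds
        self.treasury = treasury              # watched treasury address
        self.treasury_cap = treasury_cap      # per-transaction outflow threshold
        self.trusted_signers = set(trusted_signers)
        self._mints = deque()                 # (ts, amount) pairs still inside the window
        self._minted_in_window = 0
        self.mint_paused = False
        self.alerts = []

    def _expire_mints(self, now):
        """Drop mints that have fallen out of the rolling window."""
        while self._mints and self._mints[0][0] <= now - self.mint_window:
            _, amount = self._mints.popleft()
            self._minted_in_window -= amount

    def process(self, ev):
        """Consume one event and return the alerts it raised (also kept in self.alerts)."""
        raised = []
        if ev.kind == "Mint":
            self._expire_mints(ev.ts)
            self._mints.append((ev.ts, ev.amount))
            self._minted_in_window += ev.amount
            if self._minted_in_window > self.mint_cap and not self.mint_paused:
                self.mint_paused = True   # circuit breaker: trips once, stays tripped
                raised.append(Alert(ev.ts, "mint-circuit-breaker", "block",
                                    f"{self._minted_in_window} minted in {self.mint_window}s "
                                    f"exceeds cap {self.mint_cap}"))
        elif ev.kind == "Transfer" and ev.actor == self.treasury:
            if ev.amount > self.treasury_cap:
                raised.append(Alert(ev.ts, "treasury-outflow", "notify",
                                    f"treasury sent {ev.amount} > per-tx cap {self.treasury_cap}"))
        elif ev.kind == "RoleGranted":
            if ev.actor not in self.trusted_signers:
                raised.append(Alert(ev.ts, "privileged-role-grant", "block",
                                    f"{ev.role} granted to unlisted account {ev.actor}"))
        self.alerts.extend(raised)
        return raised


def run_monitor(events, **config):
    """Replay events in timestamp order through a fresh monitor and return it."""
    mon = TreasuryMonitor(**config)
    for ev in sorted(events, key=lambda e: e.ts):
        mon.process(ev)
    return mon


# Constructed sample: hypothetical addresses and caps, not taken from any real protocol.
SAMPLE_CONFIG = dict(mint_cap=1_000, mint_window=600, treasury="0xTreasury",
                     treasury_cap=5_000, trusted_signers={"0xOpsMultisig", "0xMinter"})

SAMPLE_EVENTS = [
    Event(1000, "Mint", "0xMinter", 400),
    Event(1100, "Mint", "0xMinter", 400),
    Event(1200, "Transfer", "0xTreasury", 50),                     # routine, under cap
    Event(1250, "RoleGranted", "0xUnknown", role="MINTER_ROLE"),   # not on the allowlist
    Event(1300, "Mint", "0xUnknown", 400),                         # 1200 in window > 1000
    Event(1350, "Mint", "0xUnknown", 400),                         # breaker already tripped
    Event(1400, "Transfer", "0xTreasury", 9_000),                  # above per-tx cap
    Event(2000, "Mint", "0xMinter", 100),                          # earlier mints have expired
]

if __name__ == "__main__":
    mon = run_monitor(SAMPLE_EVENTS, **SAMPLE_CONFIG)
    for a in mon.alerts:
        print(f"t={a.ts} [{a.action}] {a.rule}: {a.detail}")
    print("mint paused:", mon.mint_paused)
```

The rolling window is what makes the cap meaningful against a burst spread over several blocks; the breaker trips once and stays tripped so that a human, not the monitor, decides when minting resumes. The 30-second blocking target in the benchmark applies to the path from event ingestion to the onchain pause call, which this offline replay does not model.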
At the human and operational level, Hacken flagged North Korean-linked threat clusters as the most consistent risk. Tactics that repeatedly figured in losses included fake VC outreach, malicious video-call tooling, and compromised employee endpoints. The report notes that Lazarus group activity and related operations collectively extracted roughly $2.04 billion from the sector in 2025.
Readers are encouraged to verify details independently. This article is produced in line with Cointelegraph’s editorial standards and commitment to transparent, independent reporting.