Update (April 14, 2026, 11 am UTC): This article has been updated to adjust the total losses to hacks and scams in the first quarter to $482 million and the total number of incidents to 44.
Web3 projects lost $482 million to hacks and scams in Q1 2026, with billion‑dollar “mega hacks” giving way to a larger number of mid‑sized incidents, according to blockchain security firm Hacken. The company’s Q1 2026 security report counted 44 incidents overall, with phishing and social engineering dominating the period and accounting for $306 million in losses. A single $282 million hardware wallet scam in January represented more than half of the quarter’s total damage.
Smart contract exploits totaled $86.2 million, while access control failures — including compromised keys and cloud services — drove an additional $71.9 million in losses. The quarter ranked as the second‑lowest Q1 since 2023, helped by the absence of a Bybit‑scale mega hack (Bybit lost $1.46 billion in Q1 2025).
Hacken’s incident mapping shows the largest failures increasingly occurring outside onchain code, in operational and infrastructure layers that traditional audits rarely touch. Yev Broshevan, CEO and co‑founder of Hacken, said the most expensive failures “happen outside the code layer.”
Notable incidents and patterns included a $40 million North Korea‑linked fake venture capital (VC) call against Step Finance and a $25 million AWS key management compromise at Resolv Labs. Even when smart contracts were implicated, costly bugs often stemmed from legacy deployments and known vulnerability classes: Truebit lost $26.4 million to a Solidity bug in a contract deployed about five years ago, and Venus Protocol was hit by a donation‑attack pattern documented since 2022. Six audited projects, including Resolv (18 audits) and Venus (five firms), still accounted for $37.7 million in losses; audited, high‑TVL protocols tend to attract more sophisticated attackers, so an audit history is not a guarantee against loss.
Regulatory and institutional scrutiny rose as well. Hacken highlighted growing enforcement under the EU’s Markets in Crypto‑Assets Regulation (MiCA) and Digital Operational Resilience Act (DORA). Dubai’s Virtual Assets Regulatory Authority tightened its Technology and Information Rulebook, Singapore enforced Basel‑aligned capital rules and one‑hour incident notification requirements, and the UAE’s new Capital Market Authority assumed broader federal digital asset oversight with higher penalties.
Hacken tied these regimes to a new benchmark for “regulator‑ready” stacks: proof‑of‑reserves attestations backed by daily internal reconciliation, 24/7 onchain monitoring of treasury wallets and privileged roles, automated circuit‑breakers on minting and governance functions, and incident notification clocks calibrated to the strictest applicable standard. The report suggests “realistic” operational targets of awareness within 24 hours, labeling within four hours, and blocking in 30 seconds, with “aspirational” goals as low as 10 minutes for detection and 1 second to block, citing Global Ledger’s 2025 Laundering Race guidance.
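To make the “circuit‑breaker on minting and governance functions” benchmark concrete, below is a hypothetical rate‑limited mint with a guardian pause and a delayed admin change. It is an added example written for this article, not code from Hacken’s report or from any project named in it; the contract, function and event names are assumptions. The idea is that the emergency stop (the “block” leg of the report’s targets) needs no delay, while changes to the cap or the guardian are queued behind a delay so that a 24/7 monitor watching the emitted events has time to react before a compromised admin key can take effect.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical minting circuit breaker (added example; not Hacken's or any project's code).
/// - mint() is capped per rolling window; a mint that would exceed the cap reverts
/// - the guardian can pause instantly: the emergency brake has no delay
/// - admin changes to the cap or guardian are queued behind ADMIN_DELAY and are visible
///   onchain via ChangeQueued, so monitoring can flag them and the guardian can cancel
contract MintCircuitBreaker {
    address public admin;
    address public guardian;
    uint256 public constant WINDOW_LENGTH = 1 hours;   // assumed window size
    uint256 public constant ADMIN_DELAY = 24 hours;    // assumed delay for privileged changes
    uint256 public mintCapPerWindow;
    uint256 public windowStart;
    uint256 public mintedInWindow;
    bool public paused;

    struct Pending { uint256 cap; address guardian; uint256 executeAfter; }
    Pending public pending; // executeAfter == 0 means nothing is queued

    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    // Events are the signals an external monitor subscribes to.
    event Minted(address indexed to, uint256 amount, uint256 mintedInWindow);
    event Paused(address indexed by);
    event Unpaused(address indexed by);
    event ChangeQueued(uint256 cap, address indexed guardian, uint256 executeAfter);
    event ChangeCancelled(address indexed by);
    event ChangeExecuted(uint256 cap, address indexed guardian);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    modifier onlyGuardian() { require(msg.sender == guardian, "not guardian"); _; }

    constructor(address _guardian, uint256 _capPerWindow) {
        require(_guardian != address(0), "zero guardian");
        admin = msg.sender;
        guardian = _guardian;
        mintCapPerWindow = _capPerWindow;
        windowStart = block.timestamp;
    }

    /// Rate-limited mint: the per-window cap bounds how much a stolen admin key can
    /// create before the guardian or a monitor-triggered pause stops it.
    function mint(address to, uint256 amount) external onlyAdmin {
        require(!paused, "minting paused");
        if (block.timestamp >= windowStart + WINDOW_LENGTH) {
            // roll the window forward and reset the counter
            windowStart = block.timestamp;
            mintedInWindow = 0;
        }
        require(mintedInWindow + amount <= mintCapPerWindow, "mint cap exceeded");
        mintedInWindow += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Minted(to, amount, mintedInWindow);
    }

    /// Emergency brake: immediate, no delay, callable by the guardian only.
    function pause() external onlyGuardian {
        paused = true;
        emit Paused(msg.sender);
    }

    /// Resuming is the slower path and is deliberately not available to the guardian,
    /// so that pausing and un-pausing are held by different keys.
    function unpause() external onlyAdmin {
        paused = false;
        emit Unpaused(msg.sender);
    }

    /// Privileged changes take effect only after ADMIN_DELAY. Re-queuing resets the clock,
    /// so an attacker cannot shorten the delay by queueing again.
    function queueChange(uint256 newCap, address newGuardian) external onlyAdmin {
        require(newGuardian != address(0), "zero guardian");
        pending = Pending(newCap, newGuardian, block.timestamp + ADMIN_DELAY);
        emit ChangeQueued(newCap, newGuardian, pending.executeAfter);
    }

    /// The guardian can veto a queued change during the delay window.
    function cancelChange() external onlyGuardian {
        require(pending.executeAfter != 0, "nothing queued");
        delete pending;
        emit ChangeCancelled(msg.sender);
    }

    function executeChange() external onlyAdmin {
        require(pending.executeAfter != 0, "nothing queued");
        require(block.timestamp >= pending.executeAfter, "delay not elapsed");
        require(!paused, "paused"); // a guardian pause also stops queued changes from landing
        mintCapPerWindow = pending.cap;
        guardian = pending.guardian;
        emit ChangeExecuted(pending.cap, pending.guardian);
        delete pending;
    }
}
```

Read against the report’s targets: a monitor that indexes `Minted` and `ChangeQueued` events can label a suspicious mint or role change within the “four hours” budget and have the guardian call `pause()` within the “30 seconds” budget, while the 24‑hour queue delay is what turns a compromised admin key from an instant loss into a visible, cancellable event. The window length, delay and cap values here are placeholders; a real deployment would size them against the treasury and the notification clock of the strictest applicable regulator.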
At the human and operational layer, Hacken flagged North Korean threat clusters as the most consistent operational risk. Tactics including fake VC outreach, malicious video‑call tooling and compromised employee endpoints figured in losses such as Step Finance’s $40 million incident and Bitrefill’s infrastructure breach; Lazarus group activity and related operations extracted roughly $2.04 billion from the sector in 2025.
Cointelegraph is committed to independent, transparent journalism. This news article is produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently. Read our Editorial Policy https://cointelegraph.com/editorial-policy
