Web3 hacks cost $482M in Q1 as phishing drives majority of losses: Hacken

Hacken’s Q1 2026 report finds $482 million lost across 44 incidents, with phishing, legacy code bugs and key compromises driving losses as regulators tighten security demands.

Update (April 14, 2026, 11 am UTC): This article has been updated to adjust the total number of hacks and scams in the first quarter to $482 million and the total number of incidents to 44.

Web3 projects lost $482 million to hacks and scams in the first quarter of 2026, while multi-billion-dollar “mega hacks” gave way to a larger number of mid-sized incidents, according to blockchain security company Hacken.

According to Hacken’s Q1 2026 report, phishing and social engineering attacks dominated the period, accounting for $306 million in losses in a quarter that saw 44 incidents overall. A single $282 million hardware wallet scam in January was responsible for more than half of the quarter’s damage.

Smart contract exploits totaled $86.2 million, with access control failures, including compromised keys and cloud services, driving an additional $71.9 million in losses.

The losses place this quarter as the second-lowest first quarter since 2023, with the absence of a single mega hack on the scale of Bybit, which lost $1.46 billion in Q1 2025, the primary driver of the year-over-year decline.

Hacken’s incident mapping shows the largest failures increasingly occurring outside onchain code, in operational and infrastructure layers that traditional audits rarely touch. Yev Broshevan, chief executive and co-founder at Hacken, told Cointelegraph the most expensive failures “happen outside the code layer.”

Related: Aethir halts bridge exploit, promises compensation after $90K loss

According to Hacken, that shift is drawing greater scrutiny from regulators and institutional counterparties, with frameworks such as the Markets in Crypto-Assets Regulation (MiCA) and Digital Operational Resilience Act (DORA) in the European Union moving further into enforcement and raising expectations around continuous security monitoring and incident response.

Broshevan pointed to $306 million in phishing, a $40 million North Korea-linked fake venture capitalist (VC) call against Step Finance, and a $25 million AWS key management service compromise at Resolv Labs. Even where smart contracts were at fault, the costliest bugs often sat in legacy deployments and known vulnerability classes. Truebit lost $26.4 million to a bug in a Solidity contract deployed around five years ago, while Venus Protocol was hit by a donation attack pattern documented since 2022.

Six audited projects, including Resolv with 18 audits and Venus with five separate firms, still accounted for $37.7 million in losses. On average, that was more than their unaudited peers because higher total value locked (TVL) protocols attract more sophisticated attackers and exploits.

In Q1, MiCA and DORA in the EU shifted further into active enforcement, Dubai’s regulator, the Virtual Assets Regulatory Authority, tightened expectations around its Technology and Information Rulebook, Singapore enforced Basel-aligned capital and one-hour incident notification rules, and the United Arab Emirates’ new Capital Market Authority took over federal digital asset oversight with broader powers and higher penalties.

Related: Crypto hackers steal $169M from 34 DeFi protocols in Q1: DefiLlama

Hacken ties those regimes to a new benchmark for “regulator-ready” stacks that includes proof-of-reserves attestations backed by daily internal reconciliation, 24/7 onchain monitoring across treasury wallets and privileged roles, automated circuit-breakers on minting and governance functions and incident notification clocks calibrated to the strictest applicable standard. 

The report highlights “realistic” targets of awareness within 24 hours, labeling within four hours, and blocking in 30 seconds, with “aspirational” goals as low as 10 minutes for detection and 1 second to block, based on guidance from Global Ledger’s 2025 Laundering Race data.

At the human layer, Hacken flags North Korean clusters as the most consistent operational threat, with Step Finance’s $40 million loss and Bitrefill’s infrastructure breach extending a playbook of fake VC outreach, malicious video call tooling and compromised employee endpoints that extracted roughly $2.04 billion from the sector in 2025.

Magazine: XRP yet to ‘price in’ 3 bullish catalysts, Bitcoin to $80K? Trade Secrets

Source: CoinTelegraph