Web3 projects lost $464.5 million to hacks and scams in the first quarter of 2026, with a shift away from multi-billion-dollar “mega hacks” toward a higher number of mid-sized incidents, according to a report from Hacken.
The firm’s Q1 2026 analysis found that phishing and social engineering attacks dominated, accounting for $306 million in losses across 43 incidents. A single $282 million hardware wallet scam in January made up 81% of the total damage for the quarter.
Smart contract exploits contributed $86.2 million in losses, while access control failures—such as compromised keys and cloud infrastructure—added another $71.9 million.
Despite the significant losses, the quarter ranks as the second-lowest Q1 since 2023, largely due to the absence of a massive breach like the $1.46 billion exploit suffered by Bybit in Q1 2025.
Hacken’s data shows that the most critical vulnerabilities increasingly lie outside onchain code, in the operational processes and infrastructure layers that traditional audits often overlook. Hacken co-founder Yev Broshevan said the costliest failures now “happen outside the code layer entirely.”
This shift is drawing greater attention from regulators and institutional players, particularly as frameworks such as the Markets in Crypto-Assets Regulation (MiCA) and the Digital Operational Resilience Act (DORA) move into enforcement, raising expectations for continuous security monitoring and incident response.
Phishing, key compromises and legacy vulnerabilities
Broshevan highlighted several major incidents, including $306 million in phishing-related losses, a $40 million North Korea-linked fake venture capital call targeting Step Finance, and a $25 million compromise involving AWS key management services at Resolv Labs.
Even when smart contracts were involved, the most costly exploits often stemmed from outdated or known vulnerabilities. Truebit lost $26.4 million due to a flaw in a five-year-old Solidity contract, while Venus Protocol was impacted by a donation attack pattern first identified in 2022.

Even projects that underwent extensive security reviews were not immune. Six audited platforms—including Resolv Labs, which completed 18 audits, and Venus Protocol, reviewed by five separate firms—still accounted for $37.7 million in losses. On average, these audited projects lost more than unaudited ones, largely because protocols with higher total value locked (TVL) tend to attract more sophisticated attackers and complex exploits.
Global watchdogs tighten incident response rules
Regulators worldwide are also raising the bar for security and incident response. In the first quarter, the European Union pushed forward enforcement of frameworks like the Markets in Crypto-Assets Regulation (MiCA) and the Digital Operational Resilience Act (DORA).
Elsewhere, Dubai’s Virtual Assets Regulatory Authority strengthened requirements under its Technology and Information Rulebook, while Singapore introduced Basel-aligned capital standards alongside one-hour incident reporting requirements.
In the United Arab Emirates, a newly established Capital Market Authority assumed federal oversight of digital assets, bringing expanded powers and stricter penalties for noncompliance.

Hacken links these evolving regulations to a new benchmark for “regulator-ready” infrastructure. This includes proof-of-reserves attestations supported by daily internal reconciliation, continuous onchain monitoring of treasury wallets and privileged accounts, automated circuit breakers for minting and governance functions, and incident reporting timelines aligned with the strictest regulatory requirements.
The report outlines “realistic” response targets of identifying threats within 24 hours, labeling them within four hours, and blocking malicious activity in under 30 seconds. More ambitious goals—based on guidance from Global Ledger’s 2025 Laundering Race data—suggest detection in as little as 10 minutes and mitigation within one second.
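The monitoring and circuit-breaker layer described above can be sketched in code. The following is an added example, not Hacken’s tooling or any protocol’s code: a small monitor that watches treasury wallets and privileged role grants, enforces a per-window mint cap that trips an automated pause, and measures how long each decision took relative to the 30-second blocking target. The addresses, role names, thresholds and events are all constructed for illustration; it assumes an indexer feeds already-decoded log events as dicts.

```python
"""Added example (not Hacken's tooling): treasury/privileged-account monitor
with an automated mint circuit breaker, run over constructed onchain events."""
from collections import deque
from dataclasses import dataclass, field

# Hypothetical configuration: treasury wallets, the destinations they may pay,
# the roles that count as privileged and the accounts allowed to hold them.
TREASURY = {"0xT1"}
PAYOUT_ALLOWLIST = {"0xPayroll", "0xCustodian"}
PRIVILEGED_ROLES = {"MINTER_ROLE", "DEFAULT_ADMIN_ROLE"}
ROLE_HOLDERS = {"0xOpsMultisig"}
MINT_WINDOW_SECS = 3600          # sliding window for the mint cap
MINT_CAP = 1_000_000             # tokens mintable per window before pausing
BLOCK_TARGET_SECS = 30           # the report's "realistic" blocking target


@dataclass
class Alert:
    severity: str
    rule: str
    detail: str
    latency_secs: float          # seconds from block timestamp to decision


@dataclass
class Monitor:
    minted: deque = field(default_factory=deque)   # (ts, amount) within window
    mint_paused: bool = False
    alerts: list = field(default_factory=list)

    def _mint_in_window(self, now):
        # Drop entries that have aged out of the sliding window, then sum.
        while self.minted and self.minted[0][0] <= now - MINT_WINDOW_SECS:
            self.minted.popleft()
        return sum(amount for _, amount in self.minted)

    def process(self, ev, now):
        """Apply the rules to one decoded event observed at wall-clock `now`."""
        latency = now - ev["ts"]
        kind = ev["type"]
        if kind == "Transfer" and ev["from"] in TREASURY \
                and ev["to"] not in PAYOUT_ALLOWLIST:
            # Treasury funds leaving to a destination that was never approved.
            self.alerts.append(Alert("high", "treasury-egress",
                f"{ev['from']} -> {ev['to']} value={ev['value']}", latency))
        elif kind == "RoleGranted" and ev["role"] in PRIVILEGED_ROLES \
                and ev["account"] not in ROLE_HOLDERS:
            # A privileged role handed to an account outside the known set.
            self.alerts.append(Alert("critical", "privileged-role-grant",
                f"{ev['role']} granted to {ev['account']}", latency))
        elif kind == "Mint":
            if self.mint_paused:
                # A mint after the breaker tripped means the on-chain pause
                # did not take effect; that is its own incident.
                self.alerts.append(Alert("critical", "mint-while-paused",
                    f"{ev['amount']} minted to {ev['to']}", latency))
                return
            self.minted.append((ev["ts"], ev["amount"]))
            total = self._mint_in_window(ev["ts"])
            if total > MINT_CAP:
                self.mint_paused = True   # circuit breaker: pause minting
                self.alerts.append(Alert("critical", "mint-cap-breached",
                    f"{total} minted in window (cap {MINT_CAP})", latency))


# Constructed sample events; ts is the block timestamp in unix seconds.
EVENTS = [
    {"type": "Transfer", "ts": 1000, "from": "0xT1", "to": "0xPayroll", "value": 50_000},
    {"type": "Transfer", "ts": 1012, "from": "0xT1", "to": "0xUnknown", "value": 2_500_000},
    {"type": "RoleGranted", "ts": 1020, "role": "MINTER_ROLE", "account": "0xAttacker"},
    {"type": "Mint", "ts": 1025, "to": "0xAttacker", "amount": 600_000},
    {"type": "Mint", "ts": 1030, "to": "0xAttacker", "amount": 600_000},
    {"type": "Mint", "ts": 1040, "to": "0xAttacker", "amount": 100_000},
]


def run(events, ingest_delay=12):
    """Replay events as if each were seen `ingest_delay` seconds after its block."""
    m = Monitor()
    for ev in events:
        m.process(ev, now=ev["ts"] + ingest_delay)
    return m


def summarize(m):
    """Condense a run into the figures an operator would report against targets."""
    return {
        "rules": [a.rule for a in m.alerts],
        "mint_paused": m.mint_paused,
        "max_latency": max((a.latency_secs for a in m.alerts), default=0),
        "within_block_target": all(a.latency_secs <= BLOCK_TARGET_SECS
                                   for a in m.alerts),
    }


if __name__ == "__main__":
    for a in run(EVENTS).alerts:
        print(f"[{a.severity}] {a.rule}: {a.detail} ({a.latency_secs:.0f}s)")
    print(summarize(run(EVENTS)))
```

The latency figure is the point of the replay: with a 12-second ingest delay every decision lands inside the 30-second blocking target, while a 45-second delay misses it for every alert, which is how a team would discover that its indexer, not its rules, is what stands between it and the report’s targets. The “mint-while-paused” rule is the check that the breaker actually took effect on-chain rather than only in the monitor’s state.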
At the human level, Hacken highlights North Korean-linked groups as the most persistent operational threat. Incidents such as the $40 million attack on Step Finance and an infrastructure breach at Bitrefill reflect a broader playbook involving fake venture capital outreach, malicious video call tools, and compromised employee devices—tactics that helped siphon an estimated $2.04 billion from the sector in 2025.