Web3 projects lost $482.6 million to hacks and scams in the first quarter of 2026, across 44 separate attacks, according to Hacken’s latest security report.
The biggest shock is that phishing and social engineering alone accounted for $306 million of the damage, showing that attackers are now winning mostly by tricking people, not just breaking code.
The report says smart contract exploits caused another $86.2 million in losses, while access control failures, including stolen private keys and cloud account breaches, added $71.9 million.
One hardware wallet scam in January was responsible for $282 million on its own, after a user was reportedly tricked into handing over recovery details during a fake support call.

Human error took centre stage
Hacken says this quarter was different from the huge “mega hacks” that shocked the industry in early 2025. Instead of one giant breach like the $1.46 billion Bybit attack last year, 2026 has seen more mid-sized attacks spread across many targets. That shift suggests attackers are now focusing more on human weakness, bad habits, and weak operational security.
The report also notes that six audited protocols were still exploited, including one project that had gone through 18 previous audits. That is a reminder that audits help, but they are not enough on their own. If workers, users, or support teams can be fooled, the money can still disappear fast.
Hacken also pointed to activity linked to North Korea, saying state-backed actors pulled in more than $40 million through fake venture capital pitches, malware hidden in software updates, and compromised employee laptops.

Among the cases mentioned were a $40 million attack on Step Finance through a fake VC call, plus infrastructure breaches at Bitrefill and Resolv Labs, where AWS key management systems were compromised.
These cases show how modern crypto attacks often mix social engineering with technical access. Instead of attacking only the code, hackers go after people, systems, and internal tools. That makes the whole ecosystem harder to defend.
What the numbers mean
The good news is that the industry did avoid a single catastrophic loss on the scale of last year’s biggest breach. But the bad news is that the number of attacks is still high, and the average loss per attack remains painful.
Hacken says phishing, fake support messages, address poisoning, and credential theft are now the biggest threats in the sector.
The report also raised compliance concerns, saying many stablecoin projects have security rules written into code but not properly enforced everywhere. Hacken argues that compliance now needs to be treated like a real security layer, not just a box to tick.

With stricter rules coming in Europe, Singapore, and the US, projects that build security and compliance together are likely to do better.
For users, the advice is simple: never share seed phrases, never trust unsolicited support calls, and always verify wallet addresses before sending funds. For crypto projects, the lesson is even clearer: audits alone are not enough anymore. Continuous monitoring, staff training, and strong incident response now matter just as much as code reviews.