Blockchain security firm Hacken has released its quarterly report for Q1 2026, revealing that the Web3 ecosystem suffered $482 million in losses across 44 separate incidents. The data highlights a significant strategic shift by attackers, with phishing and social engineering emerging as the dominant threat vector, accounting for $306 million of the total losses.
A single, massive $282 million hardware wallet phishing scam in January constituted more than half of the quarter's total economic damage. In contrast, traditional smart contract exploits resulted in $86.2 million in losses, while access control failures—such as compromised private keys and vulnerable cloud services—contributed an additional $71.9 million.
Despite the substantial figure, this quarter ranks as the second-lowest first quarter by losses since 2023. This is primarily attributed to the absence of a catastrophic, billion-dollar mega-hack comparable to the $1.46 billion Bybit hack that occurred in Q1 2025.
"The costliest losses occur outside the code layer," stated Yev Broshevan, CEO and co-founder of Hacken. He emphasized that attackers are increasingly targeting operational infrastructure and human vulnerabilities that traditional smart contract audits do not cover. The report cites several high-profile examples, including a $40 million loss by Step Finance from a fake venture capital call linked to North Korean operators, and a $25 million breach at Resolv Labs due to compromised AWS keys.
Even in cases involving smart contracts, the most costly bugs often stemmed from legacy code. For instance, Truebit lost $26.4 million due to a vulnerability in a Solidity contract deployed five years prior.
The report also notes that six audited projects, including one with 18 separate audits, still accumulated $37.7 million in losses, underscoring that audits alone are insufficient against modern attack vectors. Hacken links the evolving threat landscape to a simultaneous tightening of global regulatory frameworks, such as the EU's MiCA and DORA regulations, which are pushing the industry toward new infrastructure standards involving daily proof-of-reserves and permanent on-chain monitoring.
Persistent threats from North Korean hacker groups were highlighted, with their playbook—combining fake VC calls and malicious tools—reportedly extracting approximately $2.04 billion from the market in 2025.