Hackers stole $482.6 million across 44 crypto attacks in Q1’26

Blessed Frank
Hackers stole $482.6 million across 44 crypto hacks in Q1 2026 as phishing and social engineering attacks surge

According to data from the blockchain security firm Hacken’s Q1 2026 Blockchain Security & Compliance Report, Web3 projects lost a total of $482.6 million to crypto hacks and scams across 44 incidents in the first three months of the year. The standout statistic is the $306 million stolen through phishing and social engineering attacks alone, nearly two-thirds of all losses.

This phishing haul dwarfs other categories. Smart contract exploits contributed $86.2 million, while access control failures, including compromised private keys and cloud services, added another $71.9 million. Hacken noted that a single hardware wallet social engineering incident in January accounted for $282 million, more than half the quarter’s total damage. In that attack, a user reportedly handed over recovery credentials during a fake IT support call, allowing the hacker to drain funds without touching a single line of code.

The report highlights a clear shift in attacker tactics. Gone are the billion-dollar “mega hacks” that defined Q1 2025, such as the $1.46 billion Bybit breach. Instead, 2026 saw a proliferation of mid-sized incidents targeting human and operational weaknesses rather than pure code vulnerabilities. Six audited protocols were exploited, including one project that had undergone 18 prior audits. Smart contract losses still surged 213% year-over-year, but phishing and social engineering dominated the narrative.


State-linked actors, particularly those tied to North Korea (DPRK), continued their well-documented playbook. Hacken documented over $40 million extracted through fake venture capital outreach, malware disguised as software updates, and compromised employee laptops. Notable cases included a $40 million hit on Step Finance via a fake VC call and infrastructure breaches at Bitrefill and Resolv Labs, where AWS key management services were compromised. These incidents show how attackers combine social engineering with technical access to bypass even well-audited systems.

Looking beyond the crypto hacks in Q1

Hacken’s analysis maps losses across three security layers: code, operations, and infrastructure. The $306 million phishing total underscores that users and employees remain the weakest link. Address poisoning, fake support calls, and credential theft proved far more lucrative than traditional smart contract bugs in many cases. One $24 million address poisoning theft and the massive hardware wallet scam exemplified how low-tech social engineering can deliver outsized returns.

The report also dives into compliance and stablecoin security. An audit of stablecoin projects found that 38.5% had compliance mechanisms written into code that were not enforced across all execution paths, creating hidden vulnerabilities. With new regulations like Europe’s MiCA and DORA taking effect, Hacken urges projects to treat compliance as an active security layer rather than a checkbox exercise. Partners, including KuCoin, MEXC, Bybit, and Centrifuge, contributed data, emphasising a collaborative push for full-stack protection.
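To make the "not enforced across all execution paths" finding concrete, here is an added example (a simplified Python model, not code from Hacken's report or from any audited project). It assumes a hypothetical token whose blocklist is checked in `transfer` but not in the allowance-based `transfer_from` path, and pairs it with a test that probes every entry point.

```python
# Hypothetical, simplified ledger model; all names and values are constructed.
class GappyToken:  # blocklist enforced in transfer() only
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance
        self.blocked = set()  # accounts frozen for compliance reasons

    def _check(self, *accounts):
        if self.blocked.intersection(accounts):
            raise PermissionError("blocked account")

    def _move(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def transfer(self, sender, dst, amount):
        self._check(sender, dst)
        self._move(sender, dst, amount)

    def transfer_from(self, spender, owner, dst, amount):
        if self.allowances.get((owner, spender), 0) < amount:
            raise ValueError("allowance too low")
        self.allowances[(owner, spender)] -= amount
        self._move(owner, dst, amount)  # no blocklist check on this path

class HardenedToken(GappyToken):  # check sits in _move(), shared by all paths
    def _move(self, src, dst, amount):
        self._check(src, dst)
        super()._move(src, dst, amount)

def unenforced_paths(token_cls):
    """Entry points that still move funds out of a blocked account."""
    calls = {
        "transfer": lambda t: t.transfer("frozen", "bob", 10),
        "transfer_from": lambda t: t.transfer_from("carol", "frozen", "bob", 10),
    }
    leaks = []
    for name, call in calls.items():
        token = token_cls({"frozen": 100})
        token.allowances[("frozen", "carol")] = 50  # granted before the block
        token.blocked.add("frozen")
        try:
            call(token)
        except PermissionError:
            continue
        leaks.append(name)
    return leaks
```

Running `unenforced_paths` against both classes shows the gap on the allowance path and its absence once the check lives in the shared internal function.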

Industry experts view the Q1 numbers as a mixed signal. On one hand, the absence of catastrophic single-event losses (down dramatically from Q1 2025’s multi-billion haul) suggests improved protocol-level defences. On the other hand, the 44 incidents, up slightly from prior periods, indicate attackers are simply spreading their efforts across more targets. Average loss per incident dropped, but the human factor remains stubbornly expensive.


“Phishing and social engineering are no longer side shows; they are the main event,” one analysis in the report implies through its data. Hacken stresses that layered security, combining audits, employee training, hardware wallet best practices, and real-time monitoring, is now non-negotiable. The firm also flags emerging AI-related threats, including the first major exploit of an AI-authored smart contract, warning that generative tools are expanding the attack surface.

For crypto users, the takeaways are practical. Never share seed phrases or recovery credentials, even with supposed “support”. Verify wallet addresses independently. Enable multi-factor authentication and hardware wallet isolation. Projects must move beyond one-time audits toward continuous security monitoring and incident response readiness.
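As an added example of independent address verification (not from the report), the check below compares a recipient against a saved address book on the full string and flags addresses that only share the first and last characters with a saved entry, which is the resemblance address poisoning depends on. The address format (20-byte hex with a `0x` prefix), the labels and all sample addresses are constructed assumptions.

```python
import re

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")

def check_recipient(candidate, address_book, edge=4):
    """Classify `candidate` against saved addresses.

    Returns ("match", label) on a full-string match, ("lookalike", label) when
    only the first and last `edge` hex characters agree with a saved address,
    and ("unknown", None) otherwise. Checksum casing is not validated here.
    """
    if not ADDRESS_RE.fullmatch(candidate):
        raise ValueError("not a 20-byte hex address")
    cand = candidate.lower()[2:]
    verdict = ("unknown", None)
    for label, saved in address_book.items():
        known = saved.lower()[2:]
        if cand == known:
            return ("match", label)
        if cand[:edge] == known[:edge] and cand[-edge:] == known[-edge:]:
            verdict = ("lookalike", label)
    return verdict

# Constructed sample data: one saved address and three candidate recipients.
ADDRESS_BOOK = {"exchange-deposit": "0x" + "a1b2" + "5e" * 16 + "c3d4"}
SAME = "0x" + "A1B2" + "5E" * 16 + "C3D4"      # same address, different case
POISONED = "0x" + "a1b2" + "7f" * 16 + "c3d4"  # same edges, different middle
STRANGER = "0x" + "9" * 40                     # no resemblance at all
```

A "lookalike" verdict is the case to stop on: the address resembles a saved one when truncated in a wallet UI but is a different destination.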

Overall, Hacken’s Q2 outlook anticipates continued pressure on infrastructure and operations. With regulatory enforcement ramping up globally, including the U.S. GENIUS Act and Singapore’s MAS framework, projects that integrate compliance into their security architecture will likely fare better. Yet the $482.6 million Q1 total serves as a stark reminder: in crypto, the most expensive exploits often start with a convincing phone call or email.
