According to blockchain security firm Hacken, Web3 projects lost $464.5 million to hacks and fraud in the first quarter of 2026, with multi-billion dollar “mega hacks” giving way to more mid-sized incidents.
According to Hacken’s report for the first quarter of 2026, phishing and social engineering attacks dominated during this period, causing losses of $306 million in a quarter with a total of 43 incidents. A single $282 million hardware wallet fraud in January was responsible for 81% of the damage in the quarter.
The total value of smart contract exploits was $86.2 million, and access control failures, including compromised keys and cloud services, resulted in additional losses of $71.9 million.
The losses make this the second-lowest first quarter since 2023. The absence of a single mega-breach on the scale of Bybit, which lost $1.46 billion in the first quarter of 2025, is the main reason for the year-over-year decline.
Hacken’s incident mapping shows that the biggest failures are increasingly occurring outside the onchain code, at operational and infrastructure layers that are rarely touched by traditional audits. Yev Broshevan, CEO and co-founder of Hacken, told Cointelegraph that the costliest failures “happen entirely outside the code layer.”
According to Hacken, this change is drawing greater scrutiny from regulators and institutional contractors, and frameworks such as the Markets in Crypto-Assets Regulation (MiCA) and the Digital Operational Resilience Act (DORA) in the European Union are moving further towards enforcement and raising expectations for continuous security monitoring and incident response.
Legacy code, spurious VC calls, and key compromises
Broshevan pointed to a $306 million phishing scam, a $40 million North Korea-linked fake venture capital (VC) call targeting Step Finance, and a $25 million AWS Key Management Service compromise at Resolv Labs. Even where smart contracts were at fault, the most costly bugs often occurred in older implementations and known classes of vulnerabilities. Truebit lost $26.4 million due to a bug in a Solidity contract implemented about five years ago, while Venus Protocol was hit by a donation attack, a class documented since 2022.
Six audited projects, including Resolv with 18 audits and Venus with audits from five separate companies, still reported losses of $37.7 million. On average, this is higher than their unaudited competitors, because protocols with higher total value locked (TVL) attract more sophisticated attacks and exploits.
Global regulators are tightening expectations for incident response
In the first quarter, MiCA and DORA in the EU moved into continued active enforcement; Dubai’s regulator, the Virtual Assets Regulatory Authority, toughened expectations for its technology and information rulebook; Singapore implemented Basel-aligned rules on capital and one-hour incident notification; and the new Capital Markets Authority in the United Arab Emirates took over federal oversight of digital assets, with broader powers and higher penalties.

Hacken ties these systems to a new benchmark for “regulator-ready” stacks that includes reserve validations backed by daily internal reconciliation, 24/7 chain-of-interest monitoring of treasury portfolios and senior roles, circuit breakers in minting and management functions, and incident notification timers calibrated to the strictest standards in force.
The report highlights “realistic” targets for awareness within 24 hours, labeling within four hours and blocking within 30 seconds, with “aspirational” targets of just 10 minutes to detect and 1 second to block, based on guidance from Global Ledger data from the 2025 money laundering race.
On a human level, Hacken points to North Korean clusters as the most consistent operational threat, with Step Finance’s $40 million loss and the Bitrefill infrastructure breach expanding a playbook of fake VC activities, malicious video-calling tools and infected employee endpoints that generated about $2.04 billion from the sector in 2025.
