Web3 Lost $464.5M to Hacks in Q1 2026, Reports Hacken
CMC Crypto News

18 hours ago

A single $282 million hardware wallet phishing scam in January was responsible for 81% of the quarter's total losses.


Web3 projects lost $464.5 million to hacks and scams across 43 incidents in the first quarter of 2026, with phishing and social engineering attacks accounting for the majority of damage, according to blockchain security firm Hacken.

A single $282 million hardware wallet phishing scam in January was responsible for 81% of the quarter's total losses. Phishing and social engineering combined caused $306 million in damage across the period, while smart contract exploits accounted for $86.2 million, and access control failures, including compromised private keys and cloud services, drove an additional $71.9 million in losses.

The quarter ranks as the second-lowest first quarter for losses since 2023. The primary reason for the year-over-year decline is the absence of a single large-scale incident comparable to the $1.46 billion Bybit hack recorded in Q1 2025. Mid-sized incidents spread across multiple protocols replaced the single catastrophic event pattern seen in prior periods.

Hacken chief executive Yev Broshevan told Cointelegraph that the most expensive failures "happen outside the code layer entirely," pointing to operational and infrastructure vulnerabilities that traditional smart contract audits do not cover. Among the cases cited were a $40 million loss at Step Finance tied to a fake venture capital outreach campaign linked to a state-sponsored threat actor, and a $25 million compromise of AWS key management services at Resolv Labs.

Even audited projects were not immune. Six audited protocols, including Resolv, which had undergone 18 separate audits, and Venus Protocol, audited by five firms, together accounted for $37.7 million in losses. Hacken noted these projects averaged higher losses than their unaudited peers because higher total value locked attracts more sophisticated attacks. Legacy code also remained a significant factor, with Truebit losing $26.4 million to a bug in a Solidity contract deployed roughly five years ago and Venus being hit by a donation-attack pattern documented since 2022.

Regulators in multiple jurisdictions tightened security expectations during the quarter. The EU's Markets in Crypto-Assets Regulation and Digital Operational Resilience Act moved further into active enforcement, Dubai's Virtual Assets Regulatory Authority updated its Technology and Information Rulebook, Singapore enforced Basel-aligned capital requirements alongside a one-hour incident notification rule, and the UAE's Capital Market Authority assumed federal digital asset oversight with expanded powers and higher penalties.

Hacken's report ties these regulatory frameworks to a new standard for security-ready infrastructure, which includes daily proof-of-reserves reconciliation, round-the-clock on-chain monitoring of treasury wallets, automated circuit breakers on minting and governance functions, and incident notification timelines calibrated to the strictest applicable jurisdiction. The report sets awareness within 24 hours, threat labeling within four hours, and blocking within 30 seconds as realistic benchmarks, with aspirational targets as low as 10 minutes for detection and one second to block.
