Web3 projects lost approximately $482 million to hacks, scams, and exploits in the first quarter of 2026, according to a report by blockchain security firm Hacken.
The findings highlight a shift in the threat landscape, with fewer large-scale “mega hacks” but a growing number of mid-sized incidents.
The report shows that phishing and social engineering attacks were the primary drivers of losses, accounting for $306 million across 44 recorded incidents.
A single hardware wallet scam in January resulted in losses of $282 million, making it the most significant event of the quarter and responsible for more than half of the total damage.
Smart contract vulnerabilities contributed $86.2 million in losses, while access control failures, including compromised private keys and cloud infrastructure breaches, accounted for an additional $71.9 million.
Together, these figures underscore the continued risks posed by both on-chain code flaws and off-chain operational weaknesses.
Hacken noted that many of the largest security incidents occurred outside traditional smart contract environments, particularly in infrastructure layers and user-facing systems. These areas are often overlooked by standard auditing processes, leaving critical gaps in security coverage.
Despite the substantial losses, the quarter marked one of the lowest Q1 totals since 2023. The decline is largely attributed to the absence of a major exploit on the scale of the Bybit incident in 2025, which resulted in losses of $1.46 billion.
The report also highlights increasing regulatory pressure, with frameworks such as MiCA and DORA pushing for stronger security monitoring and faster incident response mechanisms.
As Web3 adoption grows, the evolving nature of cyber threats suggests that projects must strengthen both technical defenses and operational security to mitigate risks.
