Phishing Ragers and Grandma's Code Keep Web3's Q1 Bill at a Chill $464M
Web3 projects collectively flushed $464.5 million down the toilet—or into hackers' wallets—in the first quarter of 2026. The era of multi-billion-dollar mega rug events appears to be taking a breather, replaced by a relentless drizzle of mid-sized disasters, according to blockchain security firm Hacken. Think of it as crypto's version of death by a thousand paper cuts, except the paper cuts are actually sophisticated phishing campaigns and the paper is your life savings.
Hacken's Q1 2026 report documented 43 incidents across the period, with phishing and social engineering attacks absolutely dominating the carnage. These schemes accounted for $306 million in losses, including a single $282 million hardware wallet scam in January that was responsible for a jaw-dropping 81% of the quarter's total damage. Yes, you read that right—one dude fell for a convincing email and basically funded a small country's GDP in crypto losses. The degens at r/CryptoCurrency are probably already writing the next "I got rekt" post.
Smart contract exploits tallied up to $86.2 million, while access control failures—including compromised keys and cloud services—drove an additional $71.9 million in losses. So basically, whether it was code written by an intern during a hackathon or keys stored in a Google Doc by someone who definitely should have known better, hackers found their way in. The buffet is truly open.
This quarter marks the second-lowest Q1 since 2023. The conspicuous absence of a mega hack on the scale of Bybit—which spectacularly lost $1.46 billion in Q1 2025—was the primary driver of the year-over-year decline. Everyone's basically holding their breath waiting for the next billion-dollar disaster, but for now it's just vibes and moderate financial ruin. The calm before the storm, if you will, or perhaps the storm before the even bigger storm.
Hacken's incident mapping reveals the largest failures increasingly occurring outside onchain code—in operational and infrastructure layers that traditional audits rarely even glance at. Chief executive and co-founder Yev Broshevan told Cointelegraph the most expensive failures "happen outside the code layer entirely." In other words, the real vulnerability isn't the smart contract—it's the guy who stored the private keys in a Notion doc titled "Definitely Don't Hack This."
That shift is drawing greater scrutiny from regulators and institutional counterparties. Frameworks such as the EU's Markets in Crypto-Assets Regulation (MiCA) and Digital Operational Resilience Act (DORA) are moving further into enforcement and raising expectations around continuous security monitoring and incident response. Regulators are finally catching up to the fact that "we got audited" is not the same as "we're actually secure."
Legacy code, fake VC calls and key compromises
Broshevan highlighted $306 million in phishing losses, a $40 million North Korea-linked fake venture capitalist call against Step Finance, and a $25 million compromise of AWS Key Management Service (KMS) keys at Resolv Labs. North Korea's Lazarus Group apparently decided to pivot from crypto exploits to playing venture capital, and honestly? More power to them for creative career paths. Meanwhile, Resolv Labs apparently forgot that "cloud keys" and "security" should probably appear in the same sentence.
Even where smart contracts were at fault, the costliest bugs often sat in legacy deployments and known vulnerability classes. Truebit lost $26.4 million to a bug in a Solidity contract deployed around five years ago, while Venus Protocol was hit by a donation attack pattern documented since 2022. Apparently, no one told these protocols that "we've always done it this way" is not a security strategy. Ancient code, fresh losses.
Six audited projects—including Resolv with 18 audits and Venus with five separate firms—still accounted for $37.7 million in losses. On average, those audited projects lost more than their unaudited peers, because protocols with higher total value locked attract more sophisticated attackers and exploits. It's the crypto equivalent of wearing an "I'm Rich