Hacken Flags $464.5M Web3 Losses
Hacken Flags $464.5M Web3 Losses
Hacken flags $464.5M in Web3 losses for Q1, highlighting a shift toward mid-sized incidents. The Web3 ecosystem lost $482 million in hacks and scams during the first quarter of 2026.
Web3 Security Threats
The period recorded 44 incidents in total, with phishing and social engineering attacks as the dominant category: $306 million in losses were attributed solely to that vector. A single hardware wallet scam in January, valued at $282 million, concentrated more than half of the economic damage suffered during the quarter.
Exploits and Access Control Failures
Exploits targeting smart contracts caused additional losses of $86.2 million, while access control failures — compromised keys and vulnerable cloud services — contributed another $71.9 million.
Hacken's Report and Findings
According to Hacken's report, the costliest losses “occur outside the code layer”, in operational infrastructure that traditional audits rarely cover. The report cites the case of Step Finance, which lost $40 million in a fake venture capital call linked to North Korean operators, and that of Resolv Labs, whose AWS keys were compromised for $25 million.
North Korean Hacker Groups
North Korean hacker groups are consolidating as the most persistent operational threat, with a playbook that combined fake VC calls, malicious video call tools and compromised endpoints to extract approximately $2.04 billion from the market during 2025.
Key Takeaways
- The Web3 ecosystem lost $482 million in hacks and scams during the first quarter of 2026.
- Phishing and social engineering attacks were the dominant category, with $306 million in losses.
- Exploits targeting smart contracts and access control failures contributed to significant losses.
- North Korean hacker groups pose a significant threat to the Web3 ecosystem.
Frequently Asked Questions
What is the primary cause of Web3 losses?
The primary cause of Web3 losses is phishing and social engineering attacks, which accounted for $306 million in losses.
How can Web3 companies protect themselves from hacks and scams?
Web3 companies can protect themselves from hacks and scams by implementing robust security measures, such as daily proof-of-reserves, permanent on-chain monitoring, and automated circuit-breakers in governance functions.
