Losses from hacks, phishing and other Web3 security incidents climbed to about $482.6 million in the first quarter of 2026, even as projects expanded audits, compliance work and other defensive controls. The biggest change was not simply the amount lost, but where attackers found success: away from pure code exploits and deeper into off-chain operations, user manipulation and privileged access.
Data published by security firm Hacken shows 44 incidents in the quarter, with phishing and social-engineering attacks accounting for $306 million, or nearly two-thirds of the total. Smart-contract exploits produced $86.2 million in losses, while access-control failures, including compromised keys and cloud-related breaches, added another $71.9 million. Hacken also revised its headline number upward from about $464 million after adding a social-engineering case confirmed on March 31, taking the quarter’s total to $482.6 million.
That revision matters because it strengthens the report’s central point: Web3’s threat landscape is moving further beyond buggy contracts and into the broader operating environment around them. Hacken said one attacker extracted $282 million without exploiting a single line of code. The incident, tied to a hardware-wallet holder who was deceived into giving up recovery credentials through a fake support approach, became the defining case of the quarter and the clearest sign that human trust remains a major attack surface.
The January theft also undercut a long-held assumption in the market that hardware wallets, by themselves, offer an almost complete defence against catastrophic loss. MetaMask’s January security review noted that hardware wallets keep private keys off internet-connected devices, but that safeguard becomes irrelevant when victims are tricked into handing over access. That distinction is now central to the wider security debate, because it shifts responsibility from contract developers alone to exchanges, wallet providers, infrastructure teams and users themselves.
A more balanced reading of the quarter suggests the sector is not facing a simple collapse in code security. Smart-contract losses did rise sharply from a year earlier, up 213% by Hacken’s count, yet the absolute level remained far below the damage caused by phishing and operational failures. At the same time, Hacken said six audited protocols were still exploited, including one that had undergone 18 prior audits. That does not make audits irrelevant; it shows that audits are only one layer of defence in a system where signing workflows, access permissions, cloud configurations and staff behaviour can be just as critical.
The pattern fits a broader trend already visible in other blockchain-intelligence research. Chainalysis said private-key compromises made up the largest share of stolen crypto in 2024, accounting for 43.8% of the total, while TRM Labs found infrastructure attacks, mainly involving private keys and seed phrases, represented nearly 70% of stolen funds in that year. By late 2025, Chainalysis said personal-wallet compromises had grown markedly as a share of stolen value, indicating that attackers were increasingly targeting credentials, devices and people rather than relying solely on flaws in decentralised protocols.
Another pressure point is the industrialisation of fraud. Chainalysis reported in January that AI-enabled crypto scams were 4.5 times more profitable than traditional ones on average, while impersonation scams had risen 1,400% year on year. Those figures relate to the wider crypto-crime economy rather than Hacken’s quarterly hack tally, but they help explain why off-chain attacks are becoming harder to stop: criminals are using better targeting, more convincing impersonation and faster automation to reach victims at scale.
For projects and investors, the quarter’s lesson is uncomfortable but straightforward. More regulation, more audits and bigger security budgets have not eliminated losses, partly because the weakest link is often outside the contract itself. Support desks, employee laptops, admin dashboards, signer environments and user recovery processes now sit on the same frontline as code repositories. Hacken’s own report frames security less as a milestone than as an operational discipline, and that view is gaining weight as infrastructure-layer breaches continue to outpace expectations.
Arabian Post – Crypto News Network