Hacken’s Blockchain Security and Compliance in Q1 2026 Report, released on April 14, 2026, shows $482.6 million lost across 44 incidents – revised up from an initial estimate of $464.5 million after a late-confirmed social engineering case. But the bigger story lies in how predictable and repeatable most of the losses were.
This is not a story about unknown vulnerabilities or new attack techniques. It’s about known weaknesses that are exploited again and again.
Same problems, still working
The central question Hacken raises is a direct one: why does the industry continue to lose money on problems it already understands?
The numbers provide a clear answer.
Approximately $306 million in total losses came from phishing and social engineering. However, that figure needs context. A single incident – a $282 million hardware wallet scam involving a fake IT support call – was responsible for more than half of the quarter’s total losses and approximately 92% of the phishing category.
That doesn’t make phishing any less important. If anything, it highlights how damaging a single successful attack can be if operational controls fail.
The conclusion is clear: the biggest risks are still associated with human behavior and access management, not just code.
A shift in attack patterns
There is a noticeable change in the way losses are distributed.
There were 44 incidents in the first quarter of 2026, with fewer large-scale, high-profile breaches and more medium-sized, repeatable attacks. This creates a different kind of risk profile: less dramatic, but more persistent.
At the same time, it’s worth noting that total losses were still the second-lowest Q1 since 2023. The lack of an event on the scale of the $1.46 billion Bybit phishing incident in Q1 2025 played a major role in this.
So while the number of incidents increased, the average loss per attack decreased. This suggests that attackers lean more toward consistency than scale.
Splitting up the losses
If we look beyond the headline numbers, a clearer picture emerges:
- Phishing and social engineering: ~$306 million
- Smart contract exploits: $86.2 million across 28 incidents (up 213% year over year)
- Access control errors: ~$71.9 million (including compromised keys and infrastructure)
This division reinforces an important point: most losses do not stem from unknown technical shortcomings. They arise from weaknesses in access, authentication and operational processes.
The weakest layer is still identity
Many of the attack methods described – fake investment calls, malicious software updates, compromised employee devices – are well-known tactics.
Groups linked to North Korea alone were responsible for more than $40 million in losses using these tactics.
These are not blockchain-specific exploits. They are extensions of traditional cyber attack methods applied to an environment that often lacks mature layers of defense.
The result is a mismatch: high-quality assets protected through strong cryptography, but accessible through relatively weak human and operational systems.
Audits won’t save you
One of the most revealing findings is that several of the exploited protocols had already undergone audits. A total of six audited projects were compromised, resulting in $37.7 million in losses. One of these had been audited eighteen times, another five times by different firms.
In many cases, the problem was not a missed vulnerability in the checked code. Instead, issues arose in off-chain infrastructure, key management, changes after audits, or outdated code.
Examples include:
This reinforces an important distinction: audits evaluate code at a specific point in time. They do not take into account how systems evolve, integrate, or are managed over time.
Where the risk is concentrated
Hacken’s internal audit data shows that risks are not evenly distributed.
A disproportionate share of the critical and high severity issues arose from a small subset of audits, particularly those involving newer architectures such as account abstraction, DEX plugins and advanced protocol extensions.
There is also a recurring problem with enforcement. In 38.5% of stablecoin audits, compliance mechanisms were present in the code, but were not consistently enforced across execution paths.
That gap between intent and execution creates openings that attackers can exploit.
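The "present but not enforced on every path" gap looks like this in a stablecoin contract. This is an added illustration, not code from the report or from any audited project; it assumes OpenZeppelin Contracts v5 and the contract and function names are hypothetical. The first contract checks its blacklist only in transfer(), so transferFrom(), mint and burn bypass the rule; the second enforces the same rule in the single hook that every balance change passes through.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

// Weak pattern (hypothetical): the blacklist exists and is checked, but only on
// the transfer() path. transferFrom(), mint and burn bypass it entirely, so a
// frozen address can still move funds via an approved spender.
contract LeakyStablecoin is ERC20, Ownable {
    mapping(address => bool) public blacklisted;

    constructor() ERC20("Leaky USD", "LUSD") Ownable(msg.sender) {}

    function setBlacklisted(address account, bool status) external onlyOwner {
        blacklisted[account] = status;
    }

    function transfer(address to, uint256 amount) public override returns (bool) {
        require(!blacklisted[msg.sender] && !blacklisted[to], "blacklisted");
        return super.transfer(to, amount);
    }

    // transferFrom, _mint and _burn are inherited unchanged: no compliance check.
    function mint(address to, uint256 amount) external onlyOwner { _mint(to, amount); }
}

// Hardened pattern (hypothetical): enforce the rule in _update, the one hook
// that transfer, transferFrom, mint and burn all route through in OZ v5.
contract EnforcedStablecoin is ERC20, Ownable {
    mapping(address => bool) public blacklisted;

    constructor() ERC20("Enforced USD", "EUSD") Ownable(msg.sender) {}

    function setBlacklisted(address account, bool status) external onlyOwner {
        blacklisted[account] = status;
    }

    function mint(address to, uint256 amount) external onlyOwner { _mint(to, amount); }

    function _update(address from, address to, uint256 value) internal override {
        // from == address(0) on mint, to == address(0) on burn; both paths
        // still hit this check, so the rule holds everywhere balances change.
        require(!blacklisted[from] && !blacklisted[to], "blacklisted");
        super._update(from, to, value);
    }
}
```

An audit that only reads transfer() would pass the first contract; a test suite that exercises every entry point (including transferFrom from a previously approved spender) is what catches the gap.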
Security is still treated as a phase
A core structural problem remains unchanged.
Many teams still follow a linear approach:
Build → Audit → Launch → Continue
Attackers operate differently:
Investigate → Adjust → Exploit → Repeat
This difference in approach ensures continued exposure. Security is not something that can be completed before launch. It requires continuous monitoring, validation and response.
Without it, even well-controlled systems can become vulnerable over time.
Regulation and AI are changing the landscape
The report highlights the first quarter of 2026 as an inflection point for both regulation and technology.
Frameworks such as the European MiCA and DORA have moved to active enforcement, alongside new US stablecoin legislation, expanded supervision in Dubai and stricter standards in Singapore. Regulators are increasingly focusing on real-time monitoring, rapid detection of incidents and enforceable controls.
At the same time, AI is beginning to influence both development and attack strategies. The report documents one of the first known exploits involving AI-generated smart contract code, in addition to broader risks such as wallet signer manipulation and MEV-related exposure.
These developments are pushing the industry toward systems that can operate and defend in real time, rather than relying on static controls.
The real problem is not awareness
None of these problems are new.
The sector is aware of the risks of phishing. It recognizes the limitations of audits. It is aware of the challenges that complex, composable systems pose.
The gap lies in the implementation.
Security is too often seen as a checkpoint rather than an ongoing function. Operational defense lags behind technical security. Rules are defined, but not always enforced.
Until these gaps are addressed, similar patterns will continue to emerge.
What needs to change
If anything is clear from this report, it is that security must function as a continuous system.
That includes:
- Build monitoring and response capabilities from the start
- Treat identity and access management as critical infrastructure
- Extend security practices beyond code to operations and human processes
- Ensure compliance rules are consistently enforced across all execution paths
- Design systems with failure scenarios in mind
- Integrate real-time monitoring and automated response mechanisms as core infrastructure
Teams that take this approach begin to separate themselves from teams that don’t.
Final thought
The losses in the first quarter of 2026 were not random. They followed patterns the industry has seen before.
That makes them important.
The challenge ahead is not to discover new risks, but to address those that are already well understood.