Crypto Hacks Hit $482.6M in Q1 as Phishing Dominates
Crypto security losses climbed again in the first quarter of 2026, but the bigger story is where the damage came from. According to Hacken’s new Q1 2026 Security & Compliance Report, the industry lost $482.6 million across 44 incidents, up 20.9% from Q4 2025, with phishing and social engineering accounting for $306 million, or 63.4% of total losses.
That makes the strongest news angle clear: crypto’s biggest risk is no longer just buggy code. The report argues that failures are now happening across code, infrastructure, operations and human processes at the same time, which is why point-in-time audits alone are no longer enough.
Phishing, not smart contracts, caused most of the damage
Hacken says phishing losses reached $306 million in Q1, driven largely by a single $282 million social-engineering theft involving a hardware wallet user. The report says that one incident alone accounted for more than half of the quarter’s total losses.
That matters because it shifts the usual crypto security narrative. Smart contract exploits still mattered, but the biggest losses came from attackers targeting people, credentials and signing flows rather than protocol logic alone. This is the clearest sign in the report that crypto’s threat model is moving beyond “bad code” into a much broader operational security problem.
Smart contract losses still surged 213% year over year
Even with phishing dominating the quarter, smart contract exploits remained severe. Hacken says losses from smart contract vulnerabilities reached $86.2 million across 28 incidents, a 213% increase compared with Q1 2025. It calls this the highest smart contract loss quarter since Q2 2025.
The report says the biggest smart contract loss was Truebit’s $26.4 million exploit, caused by an integer overflow in older Solidity 0.5.x code. Oracle manipulation and misconfiguration were another major source of losses, driving $20.7 million across five incidents, including attacks on projects such as Venus Protocol.
Audited protocols were still exploited
One of the report’s most uncomfortable findings is that audits did not prevent several of the quarter’s major incidents. Hacken says six of the 28 projects hit by smart contract exploits had prior audits, including Resolv Labs, which had 18 audits, and Venus Protocol, which had five audit firms involved. Those six audited projects accounted for $37.7 million in losses.
That is one of the report’s sharpest conclusions. The problem is not that audits are useless. It is that they review code at a moment in time, while many of the biggest failures now happen in live operations, key management, oracle logic, cloud infrastructure and other areas outside the traditional audit scope. That conclusion follows directly from the report’s own framing.
DPRK-linked tactics are still a major operational threat
Hacken says North Korea-linked actors remained active in Q1, highlighting Step Finance’s $40 million loss and a Bitrefill breach as examples of attack patterns associated with Lazarus/BlueNoroff-style playbooks. The report describes methods such as fake VC calls, malware deployment and compromised employee devices.
That finding matters because it reinforces a broader pattern already visible in 2025: some of the most damaging crypto attacks now begin with social engineering and endpoint compromise, not with a direct exploit against a smart contract. In other words, operational discipline is becoming just as important as code quality.
Stablecoin security is becoming a full-stack problem
The report also goes beyond incident tracking and argues that stablecoin security should be understood as a six-layer architecture, spanning reserve custody, compliance, proof of reserves, operational security, smart contract logic and cross-chain infrastructure. It explicitly says stablecoin security “does not begin on-chain.”
That section is especially relevant now because the report says the stablecoin market has evolved structurally heading into 2026, with 5+ MiCA-licensed euro stablecoins now live, more bank-issued tokens emerging, and synthetic or yield-bearing stablecoins blurring the line between stablecoin and DeFi product.
The practical takeaway is that a smart contract audit may cover only a fraction of the actual attack surface. For stablecoins, the report says the most distinctive vulnerability pattern is not logic errors alone, but compliance enforcement gaps such as blacklist, pause or sanctions checks that exist in code but are not enforced consistently across all execution paths.
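As an added illustration (constructed here, not code from the report or from any issuer), a minimal token showing that gap and one way to close it: the weak contract checks the blacklist and pause flag only in transfer(), leaving transferFrom() and burn() as unguarded execution paths, while the hardened contract funnels every balance change through a single internal _move() hook so no public entry point can skip the policy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Shared state and admin controls (constructed example, not any real issuer's contract).
abstract contract StableBase {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => bool) public blacklisted;
    bool public paused;
    address public admin;
    constructor() { admin = msg.sender; }
    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    function setBlacklist(address a, bool v) external onlyAdmin { blacklisted[a] = v; }
    function setPaused(bool v) external onlyAdmin { paused = v; }
    function approve(address s, uint256 amt) external { allowance[msg.sender][s] = amt; }
}

// WEAK: the compliance check exists, but only on one of three balance-changing paths.
// A blacklisted holder can still move funds via an approved spender, and burns
// proceed while the contract is paused.
contract WeakStable is StableBase {
    function mint(address to, uint256 amt) external onlyAdmin { balanceOf[to] += amt; }
    function transfer(address to, uint256 amt) external {
        require(!paused, "paused");
        require(!blacklisted[msg.sender] && !blacklisted[to], "blacklisted");
        balanceOf[msg.sender] -= amt;
        balanceOf[to] += amt;
    }
    function transferFrom(address from, address to, uint256 amt) external {
        allowance[from][msg.sender] -= amt;   // no pause or blacklist check on this path
        balanceOf[from] -= amt;
        balanceOf[to] += amt;
    }
    function burn(uint256 amt) external { balanceOf[msg.sender] -= amt; } // nor on this one
}

// HARDENED: every balance change goes through _move(), which enforces the policy once.
// address(0) stands for mint (from) and burn (to), so those paths are covered too.
contract HardenedStable is StableBase {
    function _move(address from, address to, uint256 amt) internal {
        require(!paused, "paused");
        require(!blacklisted[from] && !blacklisted[to], "blacklisted");
        if (from != address(0)) balanceOf[from] -= amt;
        if (to != address(0)) balanceOf[to] += amt;
    }
    function mint(address to, uint256 amt) external onlyAdmin { _move(address(0), to, amt); }
    function transfer(address to, uint256 amt) external { _move(msg.sender, to, amt); }
    function transferFrom(address from, address to, uint256 amt) external {
        allowance[from][msg.sender] -= amt;
        _move(from, to, amt);
    }
    function burn(uint256 amt) external { _move(msg.sender, address(0), amt); }
}
```

A review or test suite for such a token should exercise every public function that touches balances against a blacklisted account and a paused state, not only transfer().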
AI is opening a new security gap
Hacken also frames AI as a fast-growing risk layer. The report says 80.65% of development teams now use AI in development, but far fewer have adopted the security practices needed to harden AI-assisted workflows. It calls the gap between AI adoption and AI security hardening “the defining vulnerability of 2026.”
The report points to new risks including prompt injection, goal drift, tool misuse, model supply-chain attacks and wallet/signer abuse in Web3 environments. It also cites the Moonwell exploit as a real-world example of AI-assisted code risk, describing it as a possible first major exploit of “vibe-coded” smart contracts.
Regulators are now treating security as an ongoing obligation
On compliance, the report says Q1 2026 was an inflection point because regulators moved from writing rules to enforcing them. It highlights active enforcement across MiCA and DORA in the EU, federal stablecoin law and new taxonomy work in the U.S., structural changes in the UAE, and tougher operational standards in Singapore.
Hacken’s main argument here is that regulators increasingly care less about whether a firm has security policies on paper and more about whether it can prove continuous control, incident response, third-party oversight and operational resilience in practice. That is especially relevant for crypto firms pitching themselves as mature financial infrastructure rather than experimental software.
Why it matters for crypto
The report’s central message is simple: crypto’s security problem is no longer concentrated in one place. The industry still has smart contract bugs, but the most expensive failures now increasingly sit in wallets, signing devices, cloud infrastructure, DNS layers, internal processes and human behavior.
That changes what “good security” means. A one-time audit, certification or penetration test may still be necessary, but the report argues it is no longer sufficient on its own. The market is moving toward continuous monitoring, layered controls, operational discipline and faster incident detection as the real differentiators.
What to watch next
The first thing to watch is whether Q2 confirms the same pattern: fewer giant protocol failures, but more losses driven by phishing, access control and infrastructure compromise. Hacken’s own recommendations point in that direction.
The second is whether stablecoin issuers, exchanges and RWA platforms start treating proof of reserves, key management, compliance logic and bridge security as one integrated control stack instead of separate workstreams. The report argues that this is where the market is heading.
The third is AI. If development teams keep accelerating AI adoption without equivalent hardening, the gap Hacken highlights could become one of the biggest security stories of the year.