
The Q1 2026 Blockchain Security & Compliance Report Is Here


By Hacken

Today, Hacken releases the Q1 2026 Security & Compliance Report — our most comprehensive piece to date, bringing together incident data, audit portfolio analysis, and perspectives from 11 industry leaders to answer one question: why does the industry keep losing money to problems it already knows how to solve?


Built With the Ecosystem

This report was developed alongside 11 leading teams across exchanges, protocols, analytics, infrastructure security, and compliance — KuCoin, MEXC, WhiteBIT, Bybit, Centrifuge, Global Ledger, Allium, SVRN, M0, C4, and Gray Wolf. Their perspectives shaped every chapter, grounding the analysis in operational reality rather than observation from the outside.

Together, we structured this report around what teams actually need to navigate security today:

  • How AI is reshaping both attack surfaces and development workflows
  • What a full-stack stablecoin security architecture looks like, from reserves through bridges
  • Where regulatory enforcement is accelerating across MiCA, DORA, and US frameworks
  • Where existing security setups consistently fall short, and what Q1's incidents and audit findings reveal about how vulnerabilities manifest across the stack

What This Report Covers That Others Don't

This isn't a hack recap. Each chapter introduces original frameworks and first-party audit data:

Chapter I maps every Q1 incident to the security layer where it failed — code, operations, or infrastructure — with the five largest incidents analyzed in detail.

Chapter II opens Hacken's audit book with deep dives into ERC-4337, Uniswap v4 hooks, and DEX plugins that produced 27.8% of all Critical+High findings from 8.8% of audits.

Chapter III introduces a six-layer stablecoin security architecture and maps Q1 findings to each layer. 38.5% of stablecoin audits had compliance mechanisms in code that weren't enforced across all execution paths.

Chapter IV tackles AI security with Web3-specific threat analysis — wallet signer abuse, on-chain irreversibility, MEV exposure — plus the first major exploit of AI-authored smart contract code.

Chapter V tracks regulatory enforcement across MiCA/DORA, VARA, GENIUS Act, and MAS, with a compliance-as-security-management framework and industry perspectives on what certification actually looks like in practice.

Chapter VI closes with Q2 outlook and contributing partner perspectives on what the industry needs to fix before next quarter's report writes itself.


Key Findings

$482 million stolen in a single quarter, a 20% increase in losses. 44 incidents. Six audited protocols exploited — including one with 18 prior audits. In one of the attacks, the hacker walked away with $282 million without exploiting a single line of code.

Smart contract losses surged 213% compared to Q1 2025. Phishing dominated at $306M — nearly two-thirds of all losses — driven by a single social engineering attack where a hardware wallet user handed over recovery credentials to a fake IT support call.

Meanwhile, DPRK-linked actors continued operating the same playbook documented in our 2025 report (fake VC calls, malware disguised as software updates, compromised employee laptops) and extracted another $40M+ from Step Finance and Bitrefill. The techniques aren't novel. They're just still working.

The data points to a simple conclusion: security is not a milestone. It is an ongoing operational discipline. The protocols that treat it as one are pulling ahead. The ones that don't are in this report.

Note on total figures: Earlier versions of this report cited $464M in Q1 2026 losses. The updated total of $482.6M reflects the inclusion of a social engineering incident confirmed on March 31, after the initial data cut. All percentages and tables have been revised accordingly.
