Zafar Naik

    Zafar is a seasoned crypto and blockchain news writer with four years of experience. Known for accuracy, in-depth analysis, and a clear, engaging style, Zafar actively participates in blockchain communities. Beyond writing, Zafar enjoys trading and exploring the latest trends in the crypto market.


    If Smart Contracts Are Getting Safer, Why Is Crypto Still Losing $450M to Hacks?

    Story Highlights
    • Smart contract exploits fell 89% but hackers still stole $450M by targeting people instead.

    • The $285M Drift exploit was six months of DPRK social engineering targeting individual contributors.

    • Twelve protocols breached in two weeks across every attack vector from DNS hijacks to oracle manipulation.

    The numbers from Q1 2026 are alarming on their face – $450 million gone across 145 incidents, twelve in the two weeks following the Drift exploit alone. But the headline figures obscure the more important shift happening underneath them.

    Crypto’s security problem has moved.

    Code Is Getting Safer. Humans Are Not.

    Smart contract exploit losses fell 89% year-over-year in Q1 2026, according to data from DefiLlama. Audits are working, and protocol architecture is improving.

    It did not matter. Hackers pulled $450 million anyway, because they stopped attacking the code and started attacking the people who write it.

    Phishing and social engineering accounted for $306 million of Q1 losses, nearly two-thirds of the total, per Hacken’s quarterly security report. A single social engineering attack in January drained $282 million without touching a single line of code – just a fake support call and a user who handed over their credentials.

    Six audited protocols were breached in the same quarter. One had passed 18 prior audits before it was compromised.

    The Drift Hack Was a Six-Month Operation

    The year’s largest DeFi exploit makes the case precisely.

    On April 1, Drift Protocol lost $285 million. TRM Labs confirmed the attackers were DPRK-linked operatives, tracked as UNC4736, who spent six months systematically targeting contributors before executing. One was compromised via a malicious code repository. Another downloaded a weaponized wallet application through Apple’s TestFlight.

No code vulnerability was exploited; the attack was six months of human manipulation.


    Twelve Protocols, Every Vector

    The two weeks following Drift showed the breadth of the problem.

    CoW Swap was taken down by a DNS hijack. Hyperbridge lost nearly $237,000 after forged cross-chain state proofs enabled attackers to mint approximately one billion DOT tokens. Zerion was hit by another DPRK social engineering operation, losing $100,000. Silo V2 fell to oracle manipulation.

    Dango lost $410,000 through a logic flaw in its insurance fund contract. KuCoin’s deposit infrastructure was used to launder $9.5 million. Kraken was extorted – systems held, funds never at risk, but the attempt was real.

    The diversity matters because this is not one technique proliferating. It is every technique running in parallel.

    The New Security Question

    Sherlock’s Q1 2026 report documented the first known exploit of an AI-authored smart contract. Hacken confirmed DPRK operatives extracted over $40 million through fake venture capital outreach alone.

    The industry spent years asking whether protocols had been audited.

    The question now is whether every person with access to those protocols has been targeted, and whether anyone would know if they had.

Trust with CoinPedia:

CoinPedia has been delivering accurate and timely cryptocurrency and blockchain updates since 2017.