
Attacking “people” is easier than attacking code; the fund recovery rate in Web3 has fallen below 10%.

Recurring hacker attacks and a recovery rate of less than 10% remain key barriers preventing institutional investors from entering the market thus far.
Author: Tiger Researcher
Translated by: AididiaoJP, Foresight News
Key Takeaways
- Web3 hacking incidents continue to occur frequently, with 12 reported attacks in April 2026 alone, continuing a string of consecutive breaches this year.
- Social engineering attacks have grown steadily as a share of total losses, accounting for 74.7% of all Web3 hack-related losses in Q1 2026. It is easier to compromise a person than to exploit code.
- Since 2020, the average recovery rate of stolen funds has consistently remained below 10%. Unlike traditional finance, Web3 cannot prevent on-chain theft; funds are irreversibly drained the moment an attack occurs.
- After suffering a $1.5 billion hack, Bybit continued operations without imposing losses on investors—a result of inter-exchange coordination and reserve funds. In contrast, DeFi protocols lack such buffer time once assets leave the protocol.
- Recurring hacks and sub-10% recovery rates remain critical barriers preventing institutional investors from entering the space. What Web3 needs is not ideology—but structured, accountable operational mechanisms.
Hacks Continue Unabated
@hyperbridge—a cross-chain bridge protocol connecting Polkadot and Ethereum—was attacked.
Attackers exploited a vulnerability in the proof verification logic to forge cross-chain messages, resulting in the unauthorized minting of approximately 1 billion bridged DOT tokens on Ethereum. Confirmed losses across Ethereum, Arbitrum, Base, and BNB Chain totaled $2.5 million.
Prior to the Polkadot bridge attack, the DeFi protocol @DriftProtocol suffered a severe $295.7 million breach. A North Korea–linked hacker group spent six months building trust with team members before seizing governance control—an operation of highly sophisticated social engineering. Tether subsequently proposed a $127.5 million support package, but the total aid of $147.5 million still fell far short of covering the full $295.7 million loss.
Hacking did not stop there. Including smaller incidents following Drift, a total of 12 attacks occurred in April alone. In an industry built on programmable finance, accumulating security vulnerabilities are increasingly alarming investors and institutions alike.
Hackers Target People
The Drift Protocol hack originated from the compromise of a team member’s computer. The target was not a smart contract vulnerability or system flaw—it was a person.
A larger concern is that social engineering attacks are growing as a share of all Web3 breaches.
In 2021, social engineering accounted for 28.7% of total hack-related losses; this rose to 64.3% in 2025 and further climbed to 74.7% in Q1 2026. Attacks targeting people continue expanding, while exploitation of code-level vulnerabilities declines relatively.
Given blockchain’s open-source nature, many assumed code vulnerabilities would dominate. Yet in practice, social engineering has become the primary attack vector. The reason is simple: compromising a person who already holds privileges is far easier than discovering a bug in code.
Traditional industries follow the same pattern: in 2025, 70% of enterprise cyberattacks involved social engineering—a tactic directly transplanted into Web3.
However, Web3 differs critically from traditional finance: in traditional finance, successful attacks rarely result in irreversible fund loss—accounts can be frozen, transfers reversed, and institutional intervention deployed. In Web3, protocol funds can be directly drained on-chain; once confirmed, transactions are irreversible.
That is precisely why Web3 is such an attractive target.
Recovery Rates Decline, Losses Are Irreversible
DeFi protocol hacks cause billions of dollars in annual losses, yet the actual recovery rate of stolen funds continues falling. With state-backed attackers like North Korea’s Lazarus Group and increasingly sophisticated money laundering via mixers and cross-chain bridges, fund recovery grows ever more difficult.
If stolen funds could be recovered, at least a minimum safety threshold could be maintained—but DeFi recovery rates remain persistently low.
Since 2020, the annual average recovery rate has stayed below 10%. The sole exception was the 2021 Poly Network hack ($611 million), where the attacker voluntarily returned all funds—artificially inflating that year’s recovery figure. Excluding that incident, recovery rates have remained low every year.
Survivors Are Those With Response Capacity
Not all Web3 projects collapse after being hacked. Unlike DeFi protocols—which often fail catastrophically after a single attack—some players successfully weathered the storm.
In 2025, Bybit survived a $1.5 billion hack. Cross-exchange coordination and reserve funds sufficient to cover losses played a decisive role. While not all stolen funds were recovered, the exchange continued operating without passing losses onto investors—that is what matters. Exchanges commonly maintain independent SAFU funds specifically to respond to hacks and other emergencies.
DeFi protocols have no such buffer. Once a transaction executes, protocol assets vanish instantly—no room for maneuver. The most realistic recovery path is negotiating with attackers—but attackers rarely have any incentive to negotiate. For state-backed groups like Lazarus, negotiation is virtually impossible.
Traditional finance responds post-attack with institutional mechanisms: account freezes, investigations, insurance claims, and legal action. No authoritative entity in Web3 can reverse a confirmed transaction. Protocols occasionally request chain-level interventions to freeze assets—but freezing does not equal recovery.
The core constraint remains: in Web3, once something goes wrong, it cannot be undone.
How to Convince Institutions in the Institutional Era
We are now in the institutional era. Whether welcomed or not, institutions are steering market direction—and this trend is irreversible.
If hacks persist and projects keep collapsing, Web3 will have nothing to offer institutions. Institutional interest in blockchain and DeFi is already high. Operational efficiencies in asset management, novel yield structures, and 24/7 markets are all highly compelling features.
But if projects continue getting hacked and failing, even the most enticing efficiency gains and yield designs become meaningless. No matter how strong the technical advantages, underlying assets must be secure. A sub-10% recovery rate remains one of the top reasons institutional investors stay on the sidelines.
Once institutional capital truly enters, market size will vastly exceed current levels. What opens that door is not technical superiority—but a trustworthy response framework. Whether the industry can successfully convince institutions while preserving decentralization will determine whether Web3 advances to its next stage.
What Web3 needs today is not philosophy—but structures designed for failure, and operational mechanisms built on accountability.