Cybercriminals extracted an estimated $306m from crypto users through phishing and social engineering in the first quarter of 2026, representing 63 percent of all Web3 security losses, according to a Hacken report. Total losses across the sector reached $482m, a figure that underscores a decisive shift in attack strategy: exploiting human trust rather than breaching system code. Microsoft Threat Intelligence separately recorded a 146 percent surge in QR phishing attacks between January and March, with monthly volumes rising from 7.6m to 18.7m. The data, viewed from Jakarta and Tehran, confirms that the fastest-growing cyber threat now targets individuals directly, using increasingly sophisticated impersonation techniques.

In Indonesia, the exchange Indodax reports that fraudsters routinely pose as customer support staff to extract passwords, PINs and one-time codes, often deploying AI-generated messages that mimic official corporate communications with near-perfect grammar. Iranian cyber police have catalogued a parallel wave of SMS-based scams, where fake judicial summons, fuel-card registrations and government subsidy notices carry links that install malware granting full access to bank accounts and messaging apps. The common mechanism is social engineering: a manufactured sense of urgency that prompts victims to voluntarily surrender credentials. Once a device is compromised, attackers frequently hijack the victim’s social-media accounts to solicit money from contacts, multiplying the financial damage.

This escalation coincides with a regulatory tightening in Europe that reframes cybersecurity as a market-access requirement. The EU Cyber Resilience Act, whose documentation and vulnerability-management obligations take effect in September 2026, mandates security-by-design for more than 90 percent of connected products, five-year update commitments and incident reporting within 72 hours. Non-compliance carries penalties of up to €15m or 2.5 percent of global turnover. Speaking at the MWC IoT Summit in Shanghai, Kigen’s senior vice-president Jean-Louis Carrara described the Act as a structural advantage for manufacturers that move early, noting that the company’s eSIM platform already delivers over-the-air security patches across 250 networks. In Milan, European Commission Vice-President Henna Virkkunen outlined parallel measures: a Chips Act 2.0 to stimulate demand for European semiconductors in defence and automotive sectors, and a risk-based AI Act that requires testing for high-risk applications, with final guidelines open for industry consultation until 23 July.

The convergence of these developments leaves firms facing a compliance clock. The Cyber Resilience Act’s initial requirements are now months away, while the AI Act’s high-risk use-case definitions will be shaped by the feedback collected this summer. An Italian AI company, Domyn, has already begun developing a Frontier open-source model covering all 24 EU languages, signalling that some industry players are treating the regulatory shift as a launchpad rather than a barrier. The next factual milestone is the 23 July deadline for AI Act consultation submissions, after which the Commission will finalise the rules that determine which systems face the strictest oversight.