CertiK Annual Security Report: Web3 Losses Increase 37% Year-on-Year in 2025, Phishing Attacks and Supply Chain Incidents Emerge as Major Threats

marsbitPublished on 2025-12-25Last updated on 2025-12-25

Abstract

CertiK's 2025 Skynet Hack3D Security Report reveals that the Web3 industry suffered approximately $3.35 billion in losses across 630 security incidents, a 37% increase from 2024. While the number of incidents decreased by 137, the average loss per attack surged by 66.6% to $5.32 million, indicating a trend toward targeting high-value assets. The most significant losses resulted from supply chain attacks, which accounted for nearly half of the total losses ($1.45 billion) despite only two recorded incidents. The largest was the February Bybit breach, where attackers compromised a third-party multi-signature wallet service to bypass security protocols. Phishing remained the most frequent threat, with 248 incidents causing $723 million in losses. The report warns that AI is amplifying these attacks by generating highly convincing fake websites and targeted scam messages, making traditional defenses less effective. Amid growing risks, regulatory clarity is improving globally, with advancements in U.S. stablecoin legislation and frameworks like MiCA in the EU. Security is shifting from a reactive cost to a core infrastructure element. The report concludes that projects embedding security into their design and development will be better positioned for the future.

On December 23, CertiK, the world's largest Web3 security company, released the "2025 Skynet Hack3D Web3 Security Report," systematically outlining the major security incidents and risk trends in the Web3 space over the past year. The report indicates that while the Web3 industry is accelerating its development amid a recovering market environment and clearer regulatory expectations, security risks have not eased and continue to pose systemic security threats.

The report shows that in 2025, the Web3 space experienced 630 security incidents, resulting in total losses of approximately $3.35 billion, a 37% year-on-year increase compared to 2024. Although the number of incidents decreased by 137 compared to the previous year, the average loss per attack reached $5.322 million, a sharp increase of 66.6%, highlighting the trend of attackers targeting high-value objectives.

Supply Chain Attacks Drive Annual Losses Higher

In terms of attack types, supply chain attacks became the largest source of losses in 2025. Despite only two recorded incidents throughout the year, the cumulative losses amounted to $1.45 billion, accounting for nearly half of the total annual losses. The majority of these losses stemmed from the Bybit incident in February.

According to the report, the security incident experienced by Bybit in February 2025 resulted in approximately $1.4 billion in losses, making it one of the largest cryptocurrency thefts to date. The attackers did not directly breach the exchange's system but instead infiltrated the developer environment of a third-party multi-signature wallet service provider, embedding malicious code in the signing process to bypass multiple approval mechanisms.

CertiK noted in the report that such incidents reflect attackers increasingly focusing their resources on critical service providers and underlying tools rather than individual protocols, underscoring that supply chain security has become an unavoidable systemic risk.

High Frequency of Phishing Attacks, AI Acts as an "Amplifier"

In terms of attack frequency, phishing remained the most common security threat in 2025. The report shows that a total of 248 phishing attack incidents were recorded throughout the year, resulting in approximately $723 million in losses, slightly higher than the number of code vulnerability attacks (240 incidents).

Notably, CertiK believes this figure may still be an underestimate. A significant number of phishing and scam incidents targeting individual users were not formally disclosed, especially those involving smaller losses or off-chain social engineering attacks.

The report emphasizes that the proliferation of artificial intelligence is significantly lowering the technical barriers to phishing attacks. Attackers are increasingly using AI to generate highly realistic phishing websites, wallet pop-ups, and multilingual scam messages, combined with on-chain data and social media content for "precision targeting." Traditional defense methods relying on grammatical errors or template features for identification are gradually becoming ineffective.

Regulatory Clarity Increases, Security Shifts from "Cost Item" to "Infrastructure"

Amid rising risks, the report also notes positive changes in the global regulatory environment. Legislative progress in the U.S. around stablecoins and digital asset transparency has sent clearer policy signals to the industry. Regulatory frameworks such as the EU's MiCA, Singapore's regulatory sandbox, and Hong Kong's initiatives are also pushing Web3 toward a more standardized development phase.

CertiK pointed out in the report that as institutional and compliant funds continue to enter the space, security capabilities are transitioning from "post-incident remediation" to an infrastructure element in project design and operations. For both project teams and individual users, security is no longer optional but a critical factor affecting long-term viability.

The report concludes by projecting that in the coming year, AI-driven impersonation attacks, increasingly complex supply chain intrusions, and social engineering attacks targeting individual users will continue to evolve. In this context, projects that embed security into architectural design, development processes, and user experience are more likely to stand out in the next wave of Web3 competition.

Full report: https://indd.adobe.com/view/6935ac85-c644-4048-9e27-1d310549aa0a

Related Questions

QAccording to CertiK's 2025 report, what was the total financial loss in the Web3 sector and what was the year-over-year percentage increase?

AThe total financial loss in the Web3 sector was approximately $3.35 billion, representing a 37% year-over-year increase compared to 2024.

QWhich type of attack was identified as the largest source of loss in 2025, and what was a key characteristic of the Bybit incident?

ASupply chain attacks were the largest source of loss. A key characteristic of the Bybit incident was that attackers did not directly breach the exchange's system but instead compromised a third-party multi-signature wallet service provider's developer environment to inject malicious code.

QWhat was the most frequent type of attack in 2025, and how is AI impacting this threat?

APhishing attacks were the most frequent, with 248 recorded incidents. AI is acting as an 'amplifier' by lowering the technical barrier, enabling attackers to create highly realistic phishing sites, wallet pop-ups, and multi-language scam messages for 'precision targeting'.

QHow did the average loss per attack change in 2025, and what does this trend indicate?

AThe average loss per attack reached $5.322 million, a sharp increase of 66.6% year-over-year. This trend highlights that attackers are concentrating their efforts on higher-value targets.

QHow is the role of security changing for Web3 projects according to the report's view on the evolving regulatory landscape?

AWith clearer regulations and more institutional capital entering the space, security is shifting from being a 'cost item' and 'remedial measure' to a fundamental 'infrastructure' element that is integrated into project design and operations, crucial for long-term viability.

Related Reads

From Return to Resignation: Chen Hang's 437 Days at DingTalk

The 437-Day Return and Departure of Chen Hang at DingTalk This article chronicles the 437-day period from March 31, 2025, to June 11, 2026, when Chen Hang (also known as "No Move") returned as CEO of DingTalk, the enterprise communication platform he originally founded, only to later step down. Chen Hang, the creator of DingTalk in 2015, was brought back by Alibaba in 2025 after the company acquired his subsequent startup, HHO. His return was driven by Alibaba's renewed focus on AI and DingTalk's strategic role as its key to-B AI application. However, his aggressive management style, marked by strict work policies like mandatory clock-ins and extended hours, quickly caused internal friction and was criticized as being at odds with Alibaba's culture. Despite the internal turmoil, Chen Hang drove significant product launches. In August 2025, he unveiled "AI DingTalk 1.0," featuring new products like the AI-native entry point "DingTalk ONE." By March 2026, he announced "Wukong," touted as the world's first enterprise-grade AI-native work platform, representing a fundamental rebuild of DingTalk's architecture. The turning point came in early June 2026. A detailed internal post criticizing DingTalk's work culture went viral, followed by a public critique from a former executive. This prompted an unprecedented public rebuke from the Alibaba Partners Committee, which stated such management was not aligned with company values. One day later, on June 11, Alibaba announced Chen Hang's departure. He was succeeded by Chen Yusen, a 32-year-old technical expert known for founding cybersecurity firm Changting Technology. While Chen Hang's tenure laid the technical foundation for DingTalk's AI transformation with "Wukong," his leadership style ultimately led to his replacement as the company seeks a new direction under younger leadership.

marsbit9m ago

From Return to Resignation: Chen Hang's 437 Days at DingTalk

marsbit9m ago

‘Crypto Mining Queen’ Lyu Yongshuang: Once Controlled 9% of Global Bitcoin Hashrate, Swindled Out of 60 Million by ‘Middle Eastern Royal Son-in-Law’ in the US

Summary: "Mining Queen" Lyu Yongshuang (Fiona Lyu), an 80s-born Chinese entrepreneur, once controlled approximately 9% of the global Bitcoin mining hashrate through her company Valarhash and its pools, 1THash and Bytepool. Her fortunes shifted dramatically in 2021 following China's crackdown on crypto mining. Relocating to the US, she fell victim to an elaborate fraud by two American brothers, Zubair and Muzammil Al Zubair. Posing as an "Arab royal" and a hedge fund manager, they used bribery and a fake romantic relationship to trick Lyu into signing a mining facility contract in Ohio. The scam resulted in losses exceeding $9.4 million, including the theft and resale of 1,067 mining rigs. In 2026, the brothers received lengthy prison sentences. Concurrently, Lyu faced legal battles in China, where a court invalidated a mining contract with a listed company, ordering a refund of nearly $2.8 million. These events marked a severe downturn for the once-powerful industry figure.

marsbit15m ago

‘Crypto Mining Queen’ Lyu Yongshuang: Once Controlled 9% of Global Bitcoin Hashrate, Swindled Out of 60 Million by ‘Middle Eastern Royal Son-in-Law’ in the US

marsbit15m ago

Roll the Dice, Win BTC! WEEX Launches "World Cup x Monopoly" with Millions in USDT Giveaway

"WEEX, a leading crypto exchange and official partner of LALIGA in Taiwan and Hong Kong, has launched the 'World Cup x Monopoly: Win Millions in USDT' event to celebrate the 2026 World Cup in North America. Running from June 11 to July 20, the activity combines a Monopoly-style 3D board game with football-themed rewards. Users can earn dice by completing tasks like signing up, depositing over 100 USDT, trading contracts or WXT spot, inviting friends, and using dice. Throwing dice moves them across the board to win prizes such as BTC, ETH, USDT airdrops, trial funds, and more dice. Participants also earn points by advancing on the board and completing weekly trading tasks. These points unlock milestone rewards, with top tiers offering up to 1,000 USDT. Additionally, points can be used in a World Cup match prediction game featuring dynamic odds, where supporting underdog teams yields higher potential returns. A live leaderboard ensures transparency. WEEX aims to merge football excitement with Web3 engagement through this major promotional campaign."

marsbit18m ago

Roll the Dice, Win BTC! WEEX Launches "World Cup x Monopoly" with Millions in USDT Giveaway

marsbit18m ago

AI New Money, $5,000-an-Hour Companionship: Silicon Valley in 2026 and Night City in 2077

In 2026, San Francisco's AI boom has reshaped the city. While companies like OpenAI and Anthropic drive a commercial real estate revival and create a new class of tech millionaires, profound inequality deepens. Rental prices soar in AI districts, pricing out many who service the industry. A new, expensive social phenomenon emerges: tech "nouveaux riches," often lonely despite wealth, pay $3,000-$6,000 per hour for "high-end companionship." This service, provided by smart, tech-literate individuals (often women), offers not just beauty but engaged conversation about AI, longevity, and crypto—fulfilling a deep need for validation. This mirrors historic gold rushes, where service industries bloom around new wealth. The narrative draws parallels to Cyberpunk 2077's Night City, depicting a "high-tech, low-life" society where technological advancement exacerbates social divides, creating separate worlds within the same city.

marsbit26m ago

AI New Money, $5,000-an-Hour Companionship: Silicon Valley in 2026 and Night City in 2077

marsbit26m ago

The 2026 Landscape of Decentralized AI: Why Blockchain is the Inevitable 'Antidote' for AI?

Decentralized AI 2026 Landscape: Why Blockchain is AI's Essential "Antidote" Centralized AI faces structural bottlenecks—expensive compute, concentrated control, unverifiable outputs, and difficult data access—that cannot be solved by capital or code alone. Blockchain offers a path to make intelligence open, verifiable, and economically accessible. The decentralized AI stack comprises: * **Infrastructure:** The foundation with compute, verifiable inference, distributed training, data/storage, and privacy/verification layers. Projects like Akash, Render, and Filecoin provide cheaper, decentralized alternatives for raw resources. * **Middleware:** The coordination layer for agent discovery, identity, and commerce. Key players include Bittensor (a network of specialized AI subnets), Virtuals (an agent economy OS), and frameworks providing agent identity and tooling. * **Applications & Services:** Dominated by Agentic Finance (AI agents executing on-chain actions based on natural language) and Agentic Payments (machine-to-machine transactions using blockchain as a settlement layer). Projects like Giza, Infinit Labs, and x402 are enabling these use cases. Key trends for 2026-2027 show AI demand outgrowing infrastructure, compute becoming an asset class, and tokenomics emerging as a structural advantage for coordinating capital, compute, and data. While still early—with adoption uneven and revenue often trailing token incentives—projects like Bittensor, NEAR, and Venice demonstrate decentralized AI is evolving from a narrative into a new model for coordinating intelligence.

Foresight News29m ago

The 2026 Landscape of Decentralized AI: Why Blockchain is the Inevitable 'Antidote' for AI?

Foresight News29m ago

Trading

Spot
Futures
活动图片