CertiK Annual Security Report: Web3 Losses Increase 37% Year-on-Year in 2025, Phishing Attacks and Supply Chain Incidents Emerge as Major Threats

marsbitPublicado a 2025-12-25Actualizado a 2025-12-25

Resumen

CertiK's 2025 Skynet Hack3D Security Report reveals that the Web3 industry suffered approximately $3.35 billion in losses across 630 security incidents, a 37% increase from 2024. While the number of incidents decreased by 137, the average loss per attack surged by 66.6% to $5.32 million, indicating a trend toward targeting high-value assets. The most significant losses resulted from supply chain attacks, which accounted for nearly half of the total losses ($1.45 billion) despite only two recorded incidents. The largest was the February Bybit breach, where attackers compromised a third-party multi-signature wallet service to bypass security protocols. Phishing remained the most frequent threat, with 248 incidents causing $723 million in losses. The report warns that AI is amplifying these attacks by generating highly convincing fake websites and targeted scam messages, making traditional defenses less effective. Amid growing risks, regulatory clarity is improving globally, with advancements in U.S. stablecoin legislation and frameworks like MiCA in the EU. Security is shifting from a reactive cost to a core infrastructure element. The report concludes that projects embedding security into their design and development will be better positioned for the future.

On December 23, CertiK, the world's largest Web3 security company, released the "2025 Skynet Hack3D Web3 Security Report," systematically outlining the major security incidents and risk trends in the Web3 space over the past year. The report indicates that while the Web3 industry is accelerating its development amid a recovering market environment and clearer regulatory expectations, security risks have not eased and continue to pose systemic security threats.

The report shows that in 2025, the Web3 space experienced 630 security incidents, resulting in total losses of approximately $3.35 billion, a 37% year-on-year increase compared to 2024. Although the number of incidents decreased by 137 compared to the previous year, the average loss per attack reached $5.322 million, a sharp increase of 66.6%, highlighting the trend of attackers targeting high-value objectives.

Supply Chain Attacks Drive Annual Losses Higher

In terms of attack types, supply chain attacks became the largest source of losses in 2025. Despite only two recorded incidents throughout the year, the cumulative losses amounted to $1.45 billion, accounting for nearly half of the total annual losses. The majority of these losses stemmed from the Bybit incident in February.

According to the report, the security incident experienced by Bybit in February 2025 resulted in approximately $1.4 billion in losses, making it one of the largest cryptocurrency thefts to date. The attackers did not directly breach the exchange's system but instead infiltrated the developer environment of a third-party multi-signature wallet service provider, embedding malicious code in the signing process to bypass multiple approval mechanisms.

CertiK noted in the report that such incidents reflect attackers increasingly focusing their resources on critical service providers and underlying tools rather than individual protocols, underscoring that supply chain security has become an unavoidable systemic risk.

High Frequency of Phishing Attacks, AI Acts as an "Amplifier"

In terms of attack frequency, phishing remained the most common security threat in 2025. The report shows that a total of 248 phishing attack incidents were recorded throughout the year, resulting in approximately $723 million in losses, slightly higher than the number of code vulnerability attacks (240 incidents).

Notably, CertiK believes this figure may still be an underestimate. A significant number of phishing and scam incidents targeting individual users were not formally disclosed, especially those involving smaller losses or off-chain social engineering attacks.

The report emphasizes that the proliferation of artificial intelligence is significantly lowering the technical barriers to phishing attacks. Attackers are increasingly using AI to generate highly realistic phishing websites, wallet pop-ups, and multilingual scam messages, combined with on-chain data and social media content for "precision targeting." Traditional defense methods relying on grammatical errors or template features for identification are gradually becoming ineffective.

Regulatory Clarity Increases, Security Shifts from "Cost Item" to "Infrastructure"

Amid rising risks, the report also notes positive changes in the global regulatory environment. Legislative progress in the U.S. around stablecoins and digital asset transparency has sent clearer policy signals to the industry. Regulatory frameworks such as the EU's MiCA, Singapore's regulatory sandbox, and Hong Kong's initiatives are also pushing Web3 toward a more standardized development phase.

CertiK pointed out in the report that as institutional and compliant funds continue to enter the space, security capabilities are transitioning from "post-incident remediation" to an infrastructure element in project design and operations. For both project teams and individual users, security is no longer optional but a critical factor affecting long-term viability.

The report concludes by projecting that in the coming year, AI-driven impersonation attacks, increasingly complex supply chain intrusions, and social engineering attacks targeting individual users will continue to evolve. In this context, projects that embed security into architectural design, development processes, and user experience are more likely to stand out in the next wave of Web3 competition.

Full report: https://indd.adobe.com/view/6935ac85-c644-4048-9e27-1d310549aa0a

Preguntas relacionadas

QAccording to CertiK's 2025 report, what was the total financial loss in the Web3 sector and what was the year-over-year percentage increase?

AThe total financial loss in the Web3 sector was approximately $3.35 billion, representing a 37% year-over-year increase compared to 2024.

QWhich type of attack was identified as the largest source of loss in 2025, and what was a key characteristic of the Bybit incident?

ASupply chain attacks were the largest source of loss. A key characteristic of the Bybit incident was that attackers did not directly breach the exchange's system but instead compromised a third-party multi-signature wallet service provider's developer environment to inject malicious code.

QWhat was the most frequent type of attack in 2025, and how is AI impacting this threat?

APhishing attacks were the most frequent, with 248 recorded incidents. AI is acting as an 'amplifier' by lowering the technical barrier, enabling attackers to create highly realistic phishing sites, wallet pop-ups, and multi-language scam messages for 'precision targeting'.

QHow did the average loss per attack change in 2025, and what does this trend indicate?

AThe average loss per attack reached $5.322 million, a sharp increase of 66.6% year-over-year. This trend highlights that attackers are concentrating their efforts on higher-value targets.

QHow is the role of security changing for Web3 projects according to the report's view on the evolving regulatory landscape?

AWith clearer regulations and more institutional capital entering the space, security is shifting from being a 'cost item' and 'remedial measure' to a fundamental 'infrastructure' element that is integrated into project design and operations, crucial for long-term viability.

Lecturas Relacionadas

Japan’s Largest Banks Eye FY2026 Stablecoin Rollout Amid Regulatory Push

Japan's three largest banks—MUFG Bank, Sumitomo Mitsui Banking Corp., and Mizuho Bank—are advancing plans to launch a jointly-issued yen-pegged stablecoin by the end of fiscal year 2026 (March 31, 2027). They have established a voluntary council to develop the operational framework, governance, and issuance infrastructure for the token, which will be issued under a trust agreement. The move aligns with Japan's regulatory push to expand its yen-based digital asset market, following 2022 amendments to the Payment Services Act that restrict stablecoin issuance to licensed entities like banks and trust companies. The banks, which began exploring this initiative in late 2025, aim to support a wide range of use cases and are considering future collaborations with other financial institutions. This development occurs alongside other yen-stablecoin launches and recent political proposals to promote such tokens for settlement in Asia.

bitcoinistHace 7 min(s)

Japan’s Largest Banks Eye FY2026 Stablecoin Rollout Amid Regulatory Push

bitcoinistHace 7 min(s)

After the Passage of the GENIUS Act and the CLARITY Act, What Is the Correct Architecture for On-Chain Yield?

The article discusses the evolution of on-chain credit, distinguishing three markets: overcollateralized crypto lending, unsecured lending (largely unsuccessful), and asset-backed credit (ABC). ABC, backed by identifiable real-world collateral with legal recourse, is identified as the fastest-growing category and the only one credibly addressing adverse selection—the core problem in credit where the riskiest borrowers self-select. Current growth in on-chain Real World Assets (RWAs), particularly tokenized private credit funds (e.g., Maple Finance, Centrifuge), is substantial but often merely "wraps" existing fund structures, inheriting their risks rather than solving adverse selection at the protocol level. The regulatory landscape is a key driver, with the US GENIUS Act (prohibiting stablecoin issuers from paying yield) and the proposed CLARITY Act (closing loopholes on indirect yield) set to redefine permissible yield-bearing products. This makes vaults (like ERC-4626) the critical architecture—they become the primary compliant vehicle for delivering yield, functioning as issuance, disclosure, distribution, and recovery mechanisms. The author's thesis is that the correct post-GENIUS/CLARITY architecture involves building ABC solutions where credit assessment, structure, and recovery are encoded directly into the smart contract vault layer, moving beyond mere tokenized fund wrappers to solve adverse selection fundamentally and ensure regulatory compliance.

Foresight NewsHace 25 min(s)

After the Passage of the GENIUS Act and the CLARITY Act, What Is the Correct Architecture for On-Chain Yield?

Foresight NewsHace 25 min(s)

TechFlow Intelligence Bureau: Anthropic's New Model Fable Sparks Controversy by Restricting Biosafety Research, US CPI Soars to 4.2%, a Three-Year High

**Summary of TechFlow Intelligence Report:** The newsletter covers several key tech and finance developments. In AI, Anthropic's new Fable model faced backlash for secretly limiting biomedical research capabilities and enforcing a 30-day data retention policy, prompting the company to promise more transparent adjustments. In a related story, Anthropic's founder revealed his departure from OpenAI was due to dishonesty from Sam Altman, not safety concerns. Meanwhile, OpenAI is considering significant price cuts to compete with Anthropic, potentially sparking a price war. In crypto/Web3, BlackRock filed a new amendment for a yield-generating Bitcoin ETF, while Bank of America's CEO warned that stablecoin yields could drain trillions from traditional banks. U.S. Senator Cynthia Lummis advocated for the U.S. to officially accumulate Bitcoin reserves. In hardware, Nvidia released the DiffusionGemma-2-6B image model optimized for efficient inference, and AMD promoted its unified memory architecture to challenge Nvidia's dominance. TSMC's CFO hinted at possible price increases due to soaring AI chip demand. A major legal ruling in Germany held Google legally responsible for inaccurate information generated by its AI Overviews feature. Google Chrome also moved to fully block ad-blocker workarounds like uBlock Origin. Macroeconomic headlines included U.S. CPI rising to 4.2% (a 3-year high) and Iran's complete closure of the Strait of Hormuz, raising oil price and inflation fears. South Korean markets saw continued volatility with massive foreign capital outflow. Other notable stories: Microsoft expanded its Copilot AI assistant "Mico" globally; a study found r/wallstreetbets users' stock picks outperformed Wall Street; a fully autonomous drone killed a human soldier for the first time, raising AI ethics concerns; and a Chinese hospital used brain-computer interface technology to help a blind person "see." The overarching theme connects debates over AI boundaries and responsibility (Anthropic's restrictions, Google's liability, lethal autonomous drones) with real-world economic and geopolitical turmoil (inflation, Strait of Hormuz closure, market instability), highlighting the tense interplay between technological advancement and global chaos.

marsbitHace 38 min(s)

TechFlow Intelligence Bureau: Anthropic's New Model Fable Sparks Controversy by Restricting Biosafety Research, US CPI Soars to 4.2%, a Three-Year High

marsbitHace 38 min(s)

Alibaba's Yet Another New Business Division: What Signal Does It Send?

Alibaba has established a new "Token Foundry" business unit, merging its Tongyi large model division and Future Life Lab. Led directly by Group CEO Wu Yongming, this marks the company's third significant AI organizational reshuffle in 2026, following the creation of the Alibaba Token Hub (ATH) and a Group Technology Committee. The move signals a strategic shift from consolidating AI resources to accelerating productization and commercialization. The "Token Foundry" name reflects Alibaba's ambition to become a foundational supplier in the AI era, focusing on model development and commercial application. Key teams, including those behind the high-performing HappyHorse video generation model, have been integrated into the new unit. Concurrently, Zhou Jingren, architect of the Qwen model series, has been appointed Group Chief Scientist to lead a new AI Future Research Institute, focusing on long-term technological breakthroughs like Agent capabilities. This restructuring creates a clear four-layer AI architecture within Alibaba: the research institute for frontier exploration, Token Foundry for core models and commercialization, MaaS for platform services, and business units like Qianwen (C端) and Wukong (B端) for end-user applications. The adjustments align with a global trend among tech giants like Google and Microsoft to centralize AI leadership under the CEO and deeply integrate research with business units. The urgency is driven by a narrowing competitive window. Alibaba has announced its AI business is now entering a commercialization phase, with AI-related revenue seeing triple-digit growth for eleven consecutive quarters. The company faces intense competition in the MaaS (Model-as-a-Service) sector from rivals like ByteDance and Tencent. The Token Foundry initiative represents Alibaba's effort to streamline execution and enhance competitiveness in this critical, fast-evolving landscape.

marsbitHace 1 hora(s)

Alibaba's Yet Another New Business Division: What Signal Does It Send?

marsbitHace 1 hora(s)

From Return to Resignation: Chen Hang's 437 Days at DingTalk

The 437-Day Return and Departure of Chen Hang at DingTalk This article chronicles the 437-day period from March 31, 2025, to June 11, 2026, when Chen Hang (also known as "No Move") returned as CEO of DingTalk, the enterprise communication platform he originally founded, only to later step down. Chen Hang, the creator of DingTalk in 2015, was brought back by Alibaba in 2025 after the company acquired his subsequent startup, HHO. His return was driven by Alibaba's renewed focus on AI and DingTalk's strategic role as its key to-B AI application. However, his aggressive management style, marked by strict work policies like mandatory clock-ins and extended hours, quickly caused internal friction and was criticized as being at odds with Alibaba's culture. Despite the internal turmoil, Chen Hang drove significant product launches. In August 2025, he unveiled "AI DingTalk 1.0," featuring new products like the AI-native entry point "DingTalk ONE." By March 2026, he announced "Wukong," touted as the world's first enterprise-grade AI-native work platform, representing a fundamental rebuild of DingTalk's architecture. The turning point came in early June 2026. A detailed internal post criticizing DingTalk's work culture went viral, followed by a public critique from a former executive. This prompted an unprecedented public rebuke from the Alibaba Partners Committee, which stated such management was not aligned with company values. One day later, on June 11, Alibaba announced Chen Hang's departure. He was succeeded by Chen Yusen, a 32-year-old technical expert known for founding cybersecurity firm Changting Technology. While Chen Hang's tenure laid the technical foundation for DingTalk's AI transformation with "Wukong," his leadership style ultimately led to his replacement as the company seeks a new direction under younger leadership.

marsbitHace 1 hora(s)

From Return to Resignation: Chen Hang's 437 Days at DingTalk

marsbitHace 1 hora(s)

Trading

Spot

Futuros