CertiK Annual Security Report: Web3 Losses Increase 37% Year-on-Year in 2025, Phishing Attacks and Supply Chain Incidents Emerge as Major Threats

marsbitОпубликовано 2025-12-25Обновлено 2025-12-25

Введение

CertiK's 2025 Skynet Hack3D Security Report reveals that the Web3 industry suffered approximately $3.35 billion in losses across 630 security incidents, a 37% increase from 2024. While the number of incidents decreased by 137, the average loss per attack surged by 66.6% to $5.32 million, indicating a trend toward targeting high-value assets. The most significant losses resulted from supply chain attacks, which accounted for nearly half of the total losses ($1.45 billion) despite only two recorded incidents. The largest was the February Bybit breach, where attackers compromised a third-party multi-signature wallet service to bypass security protocols. Phishing remained the most frequent threat, with 248 incidents causing $723 million in losses. The report warns that AI is amplifying these attacks by generating highly convincing fake websites and targeted scam messages, making traditional defenses less effective. Amid growing risks, regulatory clarity is improving globally, with advancements in U.S. stablecoin legislation and frameworks like MiCA in the EU. Security is shifting from a reactive cost to a core infrastructure element. The report concludes that projects embedding security into their design and development will be better positioned for the future.

On December 23, CertiK, the world's largest Web3 security company, released the "2025 Skynet Hack3D Web3 Security Report," systematically outlining the major security incidents and risk trends in the Web3 space over the past year. The report indicates that while the Web3 industry is accelerating its development amid a recovering market environment and clearer regulatory expectations, security risks have not eased and continue to pose systemic security threats.

The report shows that in 2025, the Web3 space experienced 630 security incidents, resulting in total losses of approximately $3.35 billion, a 37% year-on-year increase compared to 2024. Although the number of incidents decreased by 137 compared to the previous year, the average loss per attack reached $5.322 million, a sharp increase of 66.6%, highlighting the trend of attackers targeting high-value objectives.

Supply Chain Attacks Drive Annual Losses Higher

In terms of attack types, supply chain attacks became the largest source of losses in 2025. Despite only two recorded incidents throughout the year, the cumulative losses amounted to $1.45 billion, accounting for nearly half of the total annual losses. The majority of these losses stemmed from the Bybit incident in February.

According to the report, the security incident experienced by Bybit in February 2025 resulted in approximately $1.4 billion in losses, making it one of the largest cryptocurrency thefts to date. The attackers did not directly breach the exchange's system but instead infiltrated the developer environment of a third-party multi-signature wallet service provider, embedding malicious code in the signing process to bypass multiple approval mechanisms.

CertiK noted in the report that such incidents reflect attackers increasingly focusing their resources on critical service providers and underlying tools rather than individual protocols, underscoring that supply chain security has become an unavoidable systemic risk.

High Frequency of Phishing Attacks, AI Acts as an "Amplifier"

In terms of attack frequency, phishing remained the most common security threat in 2025. The report shows that a total of 248 phishing attack incidents were recorded throughout the year, resulting in approximately $723 million in losses, slightly higher than the number of code vulnerability attacks (240 incidents).

Notably, CertiK believes this figure may still be an underestimate. A significant number of phishing and scam incidents targeting individual users were not formally disclosed, especially those involving smaller losses or off-chain social engineering attacks.

The report emphasizes that the proliferation of artificial intelligence is significantly lowering the technical barriers to phishing attacks. Attackers are increasingly using AI to generate highly realistic phishing websites, wallet pop-ups, and multilingual scam messages, combined with on-chain data and social media content for "precision targeting." Traditional defense methods relying on grammatical errors or template features for identification are gradually becoming ineffective.

Regulatory Clarity Increases, Security Shifts from "Cost Item" to "Infrastructure"

Amid rising risks, the report also notes positive changes in the global regulatory environment. Legislative progress in the U.S. around stablecoins and digital asset transparency has sent clearer policy signals to the industry. Regulatory frameworks such as the EU's MiCA, Singapore's regulatory sandbox, and Hong Kong's initiatives are also pushing Web3 toward a more standardized development phase.

CertiK pointed out in the report that as institutional and compliant funds continue to enter the space, security capabilities are transitioning from "post-incident remediation" to an infrastructure element in project design and operations. For both project teams and individual users, security is no longer optional but a critical factor affecting long-term viability.

The report concludes by projecting that in the coming year, AI-driven impersonation attacks, increasingly complex supply chain intrusions, and social engineering attacks targeting individual users will continue to evolve. In this context, projects that embed security into architectural design, development processes, and user experience are more likely to stand out in the next wave of Web3 competition.

Full report: https://indd.adobe.com/view/6935ac85-c644-4048-9e27-1d310549aa0a

Связанные с этим вопросы

QAccording to CertiK's 2025 report, what was the total financial loss in the Web3 sector and what was the year-over-year percentage increase?

AThe total financial loss in the Web3 sector was approximately $3.35 billion, representing a 37% year-over-year increase compared to 2024.

QWhich type of attack was identified as the largest source of loss in 2025, and what was a key characteristic of the Bybit incident?

ASupply chain attacks were the largest source of loss. A key characteristic of the Bybit incident was that attackers did not directly breach the exchange's system but instead compromised a third-party multi-signature wallet service provider's developer environment to inject malicious code.

QWhat was the most frequent type of attack in 2025, and how is AI impacting this threat?

APhishing attacks were the most frequent, with 248 recorded incidents. AI is acting as an 'amplifier' by lowering the technical barrier, enabling attackers to create highly realistic phishing sites, wallet pop-ups, and multi-language scam messages for 'precision targeting'.

QHow did the average loss per attack change in 2025, and what does this trend indicate?

AThe average loss per attack reached $5.322 million, a sharp increase of 66.6% year-over-year. This trend highlights that attackers are concentrating their efforts on higher-value targets.

QHow is the role of security changing for Web3 projects according to the report's view on the evolving regulatory landscape?

AWith clearer regulations and more institutional capital entering the space, security is shifting from being a 'cost item' and 'remedial measure' to a fundamental 'infrastructure' element that is integrated into project design and operations, crucial for long-term viability.

Похожее

Exploring Bitcoin Valuation in 2026 from Macro and On-Chain Structural Perspectives

Tiger Research analyzes Bitcoin's valuation outlook for 2026 from macro and on-chain perspectives. Despite a 27% price drop in Q1, the macro environment remains supportive. Global M2 hit a record $13.44 trillion, but Chinese liquidity, which contributed over 60% of M2 growth, has limited access to Bitcoin markets. The Iran conflict pushed oil prices higher, raising March CPI to 3.3% and narrowing the Fed's rate cut path. However, the easing direction remains intact. Bitcoin ETF flows turned positive in March after five months of outflows, and corporate accumulation continues. On-chain metrics show a shift from undervaluation to early equilibrium. Key indicators like MVRV-Z and NUPL have exited panic zones. The critical resistance is at $78k, the long-term holder cost basis, while the key support is at $54k. Although transaction counts increased, active addresses and average transfer size declined, indicating superficial growth rather than real network expansion. BTCFi ecosystem growth has weakened, leading to a -10% adjustment in fundamental metrics. The 12-month price target is set at $143k, based on a $132.5k neutral benchmark adjusted by -10% (fundamentals) and +20% (macro). This represents a 103% upside from current levels. Short-term catalysts include a break above $78k, sustained ETF inflows, and a Fed policy shift post-geopolitical de-escalation.

marsbit19 мин. назад

Exploring Bitcoin Valuation in 2026 from Macro and On-Chain Structural Perspectives

marsbit19 мин. назад

Anthropic Starts Poaching Scientists? $27K Weekly Onsite Stipend to Fix Claude's Expert-Level Errors

Anthropic has launched a new STEM Fellow program, offering $3,800 per week for a three-month, in-person residency in San Francisco. The role targets experts from science, technology, engineering, and mathematics (STEM) fields—machine learning experience is helpful but not required. Instead, Anthropic values scientific judgment and a willingness to learn quickly. Fellows will work with Claude models and internal tools under the guidance of an Anthropic researcher. Example projects include a materials scientist identifying errors in Claude’s reasoning or a climate scientist integrating atmospheric modeling software with Claude. The goal is to have experts "tell Claude where it's wrong" and improve its scientific capabilities. This initiative is part of Anthropic’s broader strategy to strengthen its scientific ecosystem, following earlier programs like the AI Safety Fellows and AI for Science programs. The company acknowledges that current AI models, while powerful, still produce high-confidence errors and lack end-to-end research autonomy. The program aims to embed domain expertise directly into model development, turning scientists into "high-level reviewers" for AI. Anthropic CEO Dario Amodei has previously emphasized AI’s potential to accelerate scientific breakthroughs, particularly in biology and healthcare. The company believes that the next phase of AI competition will depend not on scaling parameters, but on integrating human expertise to refine model accuracy and reliability.

marsbit50 мин. назад

Anthropic Starts Poaching Scientists? $27K Weekly Onsite Stipend to Fix Claude's Expert-Level Errors

marsbit50 мин. назад

VCs Sticking to the Primary Market: How Much Money Do They Still Have?

The article discusses the current state of the cryptocurrency venture capital (VC) market, based on a debate among investors from firms like Pantera Capital, Crucible Capital, and others. Key insights reveal that while VC funds are not short on capital, there is a scarcity of high-quality investment opportunities. The discussion highlights a structural shift: early-stage funding is more dispersed and competitive, with many smaller funds active, but later-stage growth capital is highly concentrated among a few large players like Paradigm and Pantera. Data indicates that over 80% of funding in 2026 went to later rounds, but this includes "graduated" fintech projects that have entered traditional VC realms. The core issue is not the availability of money, but its distribution and accessibility—early-stage founders face intense competition for funding, while later-stage funding is gatekept by a handful of major firms. This reflects a broader trend where VCs are being more selective, prioritizing long-term, proven projects over narrative-driven investments, and founders must demonstrate substantial progress and resilience to secure capital.

Odaily星球日报52 мин. назад

VCs Sticking to the Primary Market: How Much Money Do They Still Have?

Odaily星球日报52 мин. назад

Little Pepe ($LILPEPE) Builds Strong Investment Case With Potential 50x–100x Returns for Early Buyers

Little Pepe ($LILPEPE) is gaining significant attention as a promising crypto project, having raised nearly $28 million in its ongoing presale. The token price is currently $0.0022 and will increase to $0.0023 in the next stage, incentivizing early investment. The project highlights a potential 50x to 100x return for early buyers, targeting prices of $0.11 to $0.22 from the current near $0.01 value, though returns depend on market conditions. Beyond being a meme coin, Little Pepe offers utility through its Ethereum-based Layer 2 blockchain, featuring zero tax trades, bot protection, staking, a meme launchpad, and DAO governance. Additional incentives include a $77,000 token giveaway for ten participants and rewards for top contributors. While high-risk, the project's strong presale performance and functional ecosystem make it an attractive opportunity for investors seeking substantial returns.

TheNewsCrypto58 мин. назад

Little Pepe ($LILPEPE) Builds Strong Investment Case With Potential 50x–100x Returns for Early Buyers

TheNewsCrypto58 мин. назад

On the Eve of X Money's Launch, Musk Dismantles the Referee First

"X Money Launches After Dismantling Regulator: Musk's 9-Day Power Play" In February 2025, a team from the "Department of Government Efficiency" (DOGE), led by Elon Musk, entered the Consumer Financial Protection Bureau (CFPB) headquarters. Shortly after, the CFPB was effectively dismantled—its funding frozen, activities suspended, and nearly 90% of staff laid off. This move came just nine days after X announced a partnership with Visa and as X Money prepared to launch. The article contrasts this with the decade-long regulatory battles faced by companies like Coinbase and PayPal. Coinbase spent over $75 million in political contributions and endured a major SEC lawsuit to operate legally. PayPal complied with strict state and federal rules for its stablecoin PYUSD, including 100% reserve requirements and monthly audits. However, Musk’s approach was different. After the CFPB introduced a rule placing large digital payment apps under federal oversight, Musk tweeted "Delete CFPB." Within months, the rule was revoked by Congress. Meanwhile, DOGE operatives gained "god-tier" access to CFPB databases, potentially obtaining sensitive competitive information from rivals like Apple, Google, and PayPal. The article also highlights a "suspicious exemption clause" in the GENIUS Act, which allows private companies like X to issue stablecoins with fewer restrictions. Senator Elizabeth Warren questioned whether Musk, who was a senior presidential advisor during the Act’s drafting, influenced this clause. X Money offers a 6% APY on deposits, despite FDIC warnings that stablecoin users are not insured. As X Money launches to 600 million monthly users, the article questions the fairness of a system where Musk can bypass regulations that others spent years and millions to comply with. The dismantling of the CFPB and the alleged regulatory advantages raise concerns about the future of equitable rule-making in the U.S. financial system.

marsbit59 мин. назад

On the Eve of X Money's Launch, Musk Dismantles the Referee First