CertiK Annual Security Report: Web3 Losses Increase 37% Year-on-Year in 2025, Phishing Attacks and Supply Chain Incidents Emerge as Major Threats

marsbitОпубликовано 2025-12-25Обновлено 2025-12-25

Введение

CertiK's 2025 Skynet Hack3D Security Report reveals that the Web3 industry suffered approximately $3.35 billion in losses across 630 security incidents, a 37% increase from 2024. While the number of incidents decreased by 137, the average loss per attack surged by 66.6% to $5.32 million, indicating a trend toward targeting high-value assets. The most significant losses resulted from supply chain attacks, which accounted for nearly half of the total losses ($1.45 billion) despite only two recorded incidents. The largest was the February Bybit breach, where attackers compromised a third-party multi-signature wallet service to bypass security protocols. Phishing remained the most frequent threat, with 248 incidents causing $723 million in losses. The report warns that AI is amplifying these attacks by generating highly convincing fake websites and targeted scam messages, making traditional defenses less effective. Amid growing risks, regulatory clarity is improving globally, with advancements in U.S. stablecoin legislation and frameworks like MiCA in the EU. Security is shifting from a reactive cost to a core infrastructure element. The report concludes that projects embedding security into their design and development will be better positioned for the future.

On December 23, CertiK, the world's largest Web3 security company, released the "2025 Skynet Hack3D Web3 Security Report," systematically outlining the major security incidents and risk trends in the Web3 space over the past year. The report indicates that while the Web3 industry is accelerating its development amid a recovering market environment and clearer regulatory expectations, security risks have not eased and continue to pose systemic security threats.

The report shows that in 2025, the Web3 space experienced 630 security incidents, resulting in total losses of approximately $3.35 billion, a 37% year-on-year increase compared to 2024. Although the number of incidents decreased by 137 compared to the previous year, the average loss per attack reached $5.322 million, a sharp increase of 66.6%, highlighting the trend of attackers targeting high-value objectives.

Supply Chain Attacks Drive Annual Losses Higher

In terms of attack types, supply chain attacks became the largest source of losses in 2025. Despite only two recorded incidents throughout the year, the cumulative losses amounted to $1.45 billion, accounting for nearly half of the total annual losses. The majority of these losses stemmed from the Bybit incident in February.

According to the report, the security incident experienced by Bybit in February 2025 resulted in approximately $1.4 billion in losses, making it one of the largest cryptocurrency thefts to date. The attackers did not directly breach the exchange's system but instead infiltrated the developer environment of a third-party multi-signature wallet service provider, embedding malicious code in the signing process to bypass multiple approval mechanisms.

CertiK noted in the report that such incidents reflect attackers increasingly focusing their resources on critical service providers and underlying tools rather than individual protocols, underscoring that supply chain security has become an unavoidable systemic risk.

High Frequency of Phishing Attacks, AI Acts as an "Amplifier"

In terms of attack frequency, phishing remained the most common security threat in 2025. The report shows that a total of 248 phishing attack incidents were recorded throughout the year, resulting in approximately $723 million in losses, slightly higher than the number of code vulnerability attacks (240 incidents).

Notably, CertiK believes this figure may still be an underestimate. A significant number of phishing and scam incidents targeting individual users were not formally disclosed, especially those involving smaller losses or off-chain social engineering attacks.

The report emphasizes that the proliferation of artificial intelligence is significantly lowering the technical barriers to phishing attacks. Attackers are increasingly using AI to generate highly realistic phishing websites, wallet pop-ups, and multilingual scam messages, combined with on-chain data and social media content for "precision targeting." Traditional defense methods relying on grammatical errors or template features for identification are gradually becoming ineffective.

Regulatory Clarity Increases, Security Shifts from "Cost Item" to "Infrastructure"

Amid rising risks, the report also notes positive changes in the global regulatory environment. Legislative progress in the U.S. around stablecoins and digital asset transparency has sent clearer policy signals to the industry. Regulatory frameworks such as the EU's MiCA, Singapore's regulatory sandbox, and Hong Kong's initiatives are also pushing Web3 toward a more standardized development phase.

CertiK pointed out in the report that as institutional and compliant funds continue to enter the space, security capabilities are transitioning from "post-incident remediation" to an infrastructure element in project design and operations. For both project teams and individual users, security is no longer optional but a critical factor affecting long-term viability.

The report concludes by projecting that in the coming year, AI-driven impersonation attacks, increasingly complex supply chain intrusions, and social engineering attacks targeting individual users will continue to evolve. In this context, projects that embed security into architectural design, development processes, and user experience are more likely to stand out in the next wave of Web3 competition.

Full report: https://indd.adobe.com/view/6935ac85-c644-4048-9e27-1d310549aa0a

Связанные с этим вопросы

QAccording to CertiK's 2025 report, what was the total financial loss in the Web3 sector and what was the year-over-year percentage increase?

AThe total financial loss in the Web3 sector was approximately $3.35 billion, representing a 37% year-over-year increase compared to 2024.

QWhich type of attack was identified as the largest source of loss in 2025, and what was a key characteristic of the Bybit incident?

ASupply chain attacks were the largest source of loss. A key characteristic of the Bybit incident was that attackers did not directly breach the exchange's system but instead compromised a third-party multi-signature wallet service provider's developer environment to inject malicious code.

QWhat was the most frequent type of attack in 2025, and how is AI impacting this threat?

APhishing attacks were the most frequent, with 248 recorded incidents. AI is acting as an 'amplifier' by lowering the technical barrier, enabling attackers to create highly realistic phishing sites, wallet pop-ups, and multi-language scam messages for 'precision targeting'.

QHow did the average loss per attack change in 2025, and what does this trend indicate?

AThe average loss per attack reached $5.322 million, a sharp increase of 66.6% year-over-year. This trend highlights that attackers are concentrating their efforts on higher-value targets.

QHow is the role of security changing for Web3 projects according to the report's view on the evolving regulatory landscape?

AWith clearer regulations and more institutional capital entering the space, security is shifting from being a 'cost item' and 'remedial measure' to a fundamental 'infrastructure' element that is integrated into project design and operations, crucial for long-term viability.

Похожее

Liberland Fires Tech Secretary After Alleged Blockchain And Website Takeover Attempt

Liberland's congress has voted to remove Technology Secretary Dorian Stern Vukotić, following a resolution accusing him of attempting to hijack the Liberland.org domain, removing administrative multisig protections, blocking the president from voting, and launching unauthorized tokens. The incident serves as a case study in blockchain governance, highlighting risks that go beyond smart contracts to include control over domains, admin keys, and off-chain authority. For the crypto industry, it underscores the need to scrutinize decentralization claims against operational realities, where a small group can still compromise governance. The story reflects a broader market shift where infrastructure security and governance are becoming as critical as price action. Editorial framing should treat the development as a verified information signal about governance risks, avoiding overstatement of Liberland's legal status and leaving room for follow-up evidence.

bitcoinist5 мин. назад

Liberland Fires Tech Secretary After Alleged Blockchain And Website Takeover Attempt

bitcoinist5 мин. назад

How to Do Research Well: Deliberately Practice the Real Skills That Matter

No one truly teaches you how to do research. You're often given a desk, a pre-selected problem, and vague instructions to "create something new." Consequently, many people reverse-engineer the job based on visible outputs—papers, posts, announcements—learning only how to *appear* like a researcher rather than how to *become* one. True research capability is built from stacking small, trainable skills, nearly all of which can be developed through deliberate practice. **Pick Your Own Problem:** Most researchers absorb problems from advisors or trends, lacking the underlying reasoning. Choosing a problem you genuinely care about, as John Schulman advises, leads to original work. Develop "taste" like a muscle: predict experiment outcomes, guess paper results from methods, and track which findings remain important over time. **Upgrade Your Inputs:** Relying on shared reading lists (arXiv hot lists, filtered group chats) leads to unoriginal conclusions. Undervalued old literature often holds crucial insights (e.g., MoE, LSTM, backpropagation). Richard Sutton's "The Bitter Lesson" or Claude Shannon's 1952 talk on creative thinking are more predictive than lengthy modern surveys. Breadth matters as much as depth: draw from neuroscience, mechanism design, hardware knowledge, and honest statistics. Read papers directly, especially appendices and limitations sections. **Write Everything Down:** As Paul Graham noted, writing exposes flaws in seemingly mature ideas. Writing is the cheapest defense against self-deception. Following Feynman's principle, Darwin programmatically wrote down facts contradicting his theory to combat memory bias. Maintain a detailed log of hypotheses, setups, predictions, results, and updated understandings. Reviewing past logs fosters essential humility.

marsbit1 ч. назад

How to Do Research Well: Deliberately Practice the Real Skills That Matter

marsbit1 ч. назад

Backpack Surges Over 150% in Half a Month

BP, the token of the Backpack exchange, has surged over 150% since early June, driven by the platform's expansion into regulated US stock brokerage and asset tokenization services. On June 2nd, Backpack announced Backpack Securities, offering traditional stock trading and tokenization, causing BP's price to jump over 80%. Momentum continued on June 12th with the launch of SPCX, a tokenized product for SpaceX stock on Solana, facilitating seamless conversion between traditional securities and on-chain assets. This aligns with the RWA (Real World Assets) narrative, creating a bridge between traditional finance and Solana DeFi. The token's unique economics also support its growth. All 2.5 billion initially circulating tokens were airdropped to the community, with zero allocation to the team or investors at launch. A key feature allows users who stake BP for at least one year to gain the right to convert tokens into company equity upon an IPO or acquisition. Despite some initial community controversy over airdrop distribution, focus is shifting to BP's long-term utility and value alignment as real products launch.

marsbit1 ч. назад

Backpack Surges Over 150% in Half a Month

marsbit1 ч. назад

Following US Ban on Fable 5, Zhipu AI's Stock Soars 47%

On June 15th, shares of Zhipu AI surged dramatically on the Hong Kong stock market, peaking at a 47.6% gain before closing 32.82% higher. This sharp increase was directly triggered by two recent industry events. On June 12th, Anthropic announced it was suspending global access to its latest flagship models, Claude Fable 5 and Claude Mythos 5, to comply with a U.S. government export control order. The next day, Zhipu AI announced it would open access to its latest open-source flagship model, GLM-5.2, under the permissive MIT license. The Anthropic incident highlighted a critical issue beyond raw model capability: the risk of sudden, unpredictable loss of access to advanced AI models, especially for developers and enterprises deeply integrated with them. This has shifted industry and market focus toward factors like stability, sustainable access, and controllability. Zhipu's move, promoting "frontier intelligence for all," positions its openly available model as a reliable and accessible alternative. The GLM-5.2 model emphasizes "Long Horizon Task" capabilities with a 1M context window, targeting complex, multi-step coding and engineering workflows where maintaining context is crucial. Analysts note this event exposes the risk of dependency on closed-source models subject to single jurisdictional controls, potentially accelerating a shift toward domestic base models and localized deployments. The market's reaction signals a new valuation dimension in AI: providers who can offer stable, long-term, and sustainably accessible AI capabilities are gaining strategic importance.

marsbit1 ч. назад

Following US Ban on Fable 5, Zhipu AI's Stock Soars 47%

marsbit1 ч. назад

Fully Entering the AI Era: Alipay Bets on Conversation, WeChat Holds Fast to Social

In May 2026, Alipay announced over 300 million AI payment transactions. Shortly after, WeChat opened its mini-programs for AI integration, sparking controversy by requiring developer source code access. This highlights their diverging approaches to AI integration. Alipay is testing "Project Treasure," an optional AI-native interface replacing traditional app grids with a conversational window. Users can command complex tasks (e.g., "book a ride and order coffee") handled end-to-end by AI. This shift follows an abandoned standalone AI app, focusing instead on enhancing its existing user base. For unmodified mini-programs, Alipay's AI uses "screen-reading" to simulate user interactions, bypassing the need for developer overhaul. It also introduced "Token Pay" for micro-transactions and "AI Wallets" for autonomous agent spending. WeChat, prioritizing its core social function, is taking an embedded approach. Its AI agent will operate within existing contexts like group chats and official accounts, assisting without a separate interface. To enable this, WeChat offers developers two paths: granting source code access for direct AI control ("Automatic Mode") or manually encapsulating services into standardized "Skills." Both place significant burden on developers. Key differences emerge in handling legacy services: WeChat demands developer cooperation (code or labor), while Alipay's screen-reading offers immediate, if potentially less stable, compatibility. Alipay's 3 billion AI transactions demonstrate user acceptance of AI-driven commercial actions. The divergent strategies may reshape mini-program ecosystems—Alipay passively "AI-fying" services, WeChat potentially favoring resource-rich developers—and set competing technical standards. Ultimately, the competition centers on where users entrust the command to "help me get things done."

marsbit1 ч. назад

Fully Entering the AI Era: Alipay Bets on Conversation, WeChat Holds Fast to Social

marsbit1 ч. назад

Торговля

Спот
Фьючерсы
活动图片

Популярные категорииright-arrow

Популярные тегиright-arrow