CertiK Annual Security Report: Web3 Losses Increase 37% Year-on-Year in 2025, Phishing Attacks and Supply Chain Incidents Emerge as Major Threats

marsbit. Published 2025-12-25, last updated 2025-12-25.

Abstract

CertiK's 2025 Skynet Hack3D Security Report reveals that the Web3 industry suffered approximately $3.35 billion in losses across 630 security incidents, a 37% increase from 2024. While the number of incidents decreased by 137, the average loss per attack surged by 66.6% to $5.32 million, indicating a trend toward targeting high-value assets. The most significant losses resulted from supply chain attacks, which accounted for nearly half of the total losses ($1.45 billion) despite only two recorded incidents. The largest was the February Bybit breach, where attackers compromised the developer environment of a third-party multi-signature wallet service and inserted malicious code into the signing flow, so that the multi-party approval checks were bypassed. Phishing remained the most frequent threat, with 248 incidents causing $723 million in losses. The report warns that AI is amplifying these attacks by generating highly convincing fake websites and targeted scam messages, making traditional defenses less effective. Amid growing risks, regulatory clarity is improving globally, with advancements in U.S. stablecoin legislation and frameworks like MiCA in the EU. Security is shifting from a reactive cost to a core infrastructure element. The report concludes that projects embedding security into their design and development will be better positioned for the future.

On December 23, CertiK, the world's largest Web3 security company, released the "2025 Skynet Hack3D Web3 Security Report," systematically outlining the major security incidents and risk trends in the Web3 space over the past year. The report indicates that while the Web3 industry is accelerating its development amid a recovering market environment and clearer regulatory expectations, security risks have not eased and continue to pose systemic security threats.

The report shows that in 2025, the Web3 space experienced 630 security incidents, resulting in total losses of approximately $3.35 billion, a 37% year-on-year increase compared to 2024. Although the number of incidents decreased by 137 compared to the previous year, the average loss per attack reached $5.322 million, a sharp increase of 66.6%, highlighting the trend of attackers targeting high-value objectives.

Supply Chain Attacks Drive Annual Losses Higher

In terms of attack types, supply chain attacks became the largest source of losses in 2025. Despite only two recorded incidents throughout the year, the cumulative losses amounted to $1.45 billion, accounting for nearly half of the total annual losses. The majority of these losses stemmed from the Bybit incident in February.

According to the report, the security incident Bybit experienced in February 2025 resulted in approximately $1.4 billion in losses, making it one of the largest cryptocurrency thefts to date. The attackers did not breach the exchange's own systems directly. Instead, they infiltrated the developer environment of a third-party multi-signature wallet service provider and inserted malicious code into the signing flow, so that the transaction the approvers authorized was not the one they believed they were approving and the multi-party approval checks were bypassed.
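To make that failure mode concrete, here is an added example that is not code from CertiK's report, Bybit, or the wallet provider. It models a multisig approval flow in which the shared signing front end is compromised: every approver is shown the intended transaction, but the digest they are asked to sign belongs to a different one. The `CompromisedFrontend` class, the transaction values and the JSON-plus-SHA-256 digest are assumptions made to keep the example dependency-free (real multisig wallets hash an EIP-712 typed-data structure with keccak256); what it demonstrates is which signer discipline actually blocks execution.

```python
# Added example (hypothetical model, not the wallet provider's code).
# The digest scheme (canonical JSON + SHA-256) is a simplification chosen so the
# example runs without third-party libraries; real multisig wallets use
# keccak256 over an EIP-712 typed-data structure.
from collections import Counter
from dataclasses import asdict, dataclass
from typing import Callable, List, Optional, Tuple
import hashlib
import json


@dataclass(frozen=True)
class Transaction:
    to: str        # destination address (placeholder values below are constructed)
    value: int     # amount in smallest units
    data: str      # hex-encoded calldata
    nonce: int


def canonical_digest(tx: Transaction) -> str:
    """Deterministic digest each signer can recompute offline from the agreed terms."""
    payload = json.dumps(asdict(tx), sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class CompromisedFrontend:
    """Shows the intended transaction but asks signers to sign the attacker's digest."""

    def __init__(self, intended: Transaction, malicious: Transaction):
        self.intended = intended
        self.malicious = malicious

    def display(self) -> Transaction:
        return self.intended

    def digest_to_sign(self) -> str:
        return canonical_digest(self.malicious)


Signer = Callable[[CompromisedFrontend, Transaction], Tuple[bool, str]]


def naive_signer(frontend: CompromisedFrontend, expected: Transaction) -> Tuple[bool, str]:
    """Approves on what the UI displays and signs whatever digest the UI supplies."""
    if frontend.display() != expected:
        return False, ""
    return True, frontend.digest_to_sign()


def verifying_signer(frontend: CompromisedFrontend, expected: Transaction) -> Tuple[bool, str]:
    """Recomputes the digest from the agreed terms and refuses to sign anything else."""
    presented = frontend.digest_to_sign()
    if presented != canonical_digest(expected):
        return False, presented
    return True, presented


def run_multisig(frontend: CompromisedFrontend, expected: Transaction,
                 signers: List[Signer], threshold: int) -> Optional[str]:
    """Returns the digest that reaches `threshold` matching approvals, or None if blocked."""
    approvals = Counter(d for ok, d in (s(frontend, expected) for s in signers) if ok)
    for digest, count in approvals.items():
        if count >= threshold:
            return digest
    return None


# Constructed sample input: the transaction the signers agreed on out of band,
# and the one the compromised front end substitutes for it.
INTENDED = Transaction(to="0xTREASURY_COLD_WALLET", value=10_000, data="0x", nonce=42)
MALICIOUS = Transaction(to="0xATTACKER", value=10_000, data="0xdeadbeef", nonce=42)
FRONTEND = CompromisedFrontend(INTENDED, MALICIOUS)


def demo() -> dict:
    """Same 2-of-3 policy, three levels of signer discipline."""
    return {
        "all_naive": run_multisig(FRONTEND, INTENDED, [naive_signer] * 3, threshold=2),
        "one_verifier": run_multisig(FRONTEND, INTENDED,
                                     [naive_signer, naive_signer, verifying_signer], threshold=2),
        "all_verifying": run_multisig(FRONTEND, INTENDED, [verifying_signer] * 3, threshold=2),
    }


if __name__ == "__main__":
    for name, digest in demo().items():
        print(name, "executed" if digest else "blocked", digest or "")
```

The point the model makes is that an m-of-n threshold adds nothing when all m approvers trust the same compromised presentation layer: with two naive signers the malicious digest still executes even though a third signer verifies and refuses. The check that holds up is each signer recomputing the digest from independently agreed transaction terms and comparing it with what the hardware signer displays before approving.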

CertiK noted in the report that such incidents reflect attackers increasingly focusing their resources on critical service providers and underlying tools rather than individual protocols, underscoring that supply chain security has become an unavoidable systemic risk.

High Frequency of Phishing Attacks, AI Acts as an "Amplifier"

In terms of attack frequency, phishing remained the most common security threat in 2025. The report records 248 phishing incidents for the year, resulting in approximately $723 million in losses; that count narrowly exceeds the 240 incidents attributed to code vulnerabilities.

Notably, CertiK believes this figure may still be an underestimate. A significant number of phishing and scam incidents targeting individual users were not formally disclosed, especially those involving smaller losses or off-chain social engineering attacks.

The report emphasizes that the proliferation of artificial intelligence is significantly lowering the technical barrier to phishing. Attackers increasingly use AI to generate highly realistic phishing websites, wallet signing pop-ups, and multilingual scam messages, and combine them with on-chain data and social media content for "precision targeting." Detection heuristics that rely on grammatical errors or known templates are therefore losing effectiveness.

Regulatory Clarity Increases, Security Shifts from "Cost Item" to "Infrastructure"

Amid rising risks, the report also notes positive changes in the global regulatory environment. Legislative progress in the U.S. around stablecoins and digital asset transparency has sent clearer policy signals to the industry. Regulatory frameworks such as the EU's MiCA, Singapore's regulatory sandbox, and Hong Kong's initiatives are also pushing Web3 toward a more standardized development phase.

CertiK pointed out in the report that as institutional and compliant funds continue to enter the space, security capabilities are transitioning from "post-incident remediation" to an infrastructure element in project design and operations. For both project teams and individual users, security is no longer optional but a critical factor affecting long-term viability.

The report concludes by projecting that in the coming year, AI-driven impersonation attacks, increasingly complex supply chain intrusions, and social engineering attacks targeting individual users will continue to evolve. In this context, projects that embed security into architectural design, development processes, and user experience are more likely to stand out in the next wave of Web3 competition.

Full report: https://indd.adobe.com/view/6935ac85-c644-4048-9e27-1d310549aa0a

Related questions

Q: According to CertiK's 2025 report, what was the total financial loss in the Web3 sector and what was the year-over-year percentage increase?

A: The total financial loss in the Web3 sector was approximately $3.35 billion, representing a 37% year-over-year increase compared to 2024.

Q: Which type of attack was identified as the largest source of loss in 2025, and what was a key characteristic of the Bybit incident?

A: Supply chain attacks were the largest source of loss. A key characteristic of the Bybit incident was that attackers did not directly breach the exchange's systems but instead compromised a third-party multi-signature wallet service provider's developer environment to inject malicious code into the signing flow.

Q: What was the most frequent type of attack in 2025, and how is AI impacting this threat?

A: Phishing attacks were the most frequent, with 248 recorded incidents. AI is acting as an "amplifier" by lowering the technical barrier, enabling attackers to create highly realistic phishing sites, wallet pop-ups, and multilingual scam messages for "precision targeting."

Q: How did the average loss per attack change in 2025, and what does this trend indicate?

A: The average loss per attack reached $5.322 million, a sharp increase of 66.6% year-over-year. This trend indicates that attackers are concentrating their efforts on higher-value targets.

Q: How is the role of security changing for Web3 projects according to the report's view on the evolving regulatory landscape?

A: With clearer regulations and more institutional capital entering the space, security is shifting from a "cost item" and "remedial measure" to a fundamental "infrastructure" element integrated into project design and operations, and crucial for long-term viability.
