December 24, 2025

CertiK Reports $3.35B Lost Across 630 Web3 Hacks In 2025, With Average Loss Soaring 66%

In Brief

In 2025, CertiK’s Skynet Web3 Security Report highlighted accelerated Web3 activity, increasing regulatory clarity, rising losses from major exploits and phishing, and the growing role of AI in both attacks and defenses.

CertiK, a firm specializing in blockchain security, has published the 2025 edition of its Skynet Web3 Security Report, presenting an analytical overview of security developments, weaknesses, and threat patterns across the Web3 sector. The report provides a detailed examination of exploits and vulnerabilities affecting blockchain and smart contract environments, intended to support informed risk assessment for participants within the ecosystem.

The report indicates that Web3 activity accelerated in 2025 due to improving economic conditions, stronger market confidence, and a more supportive political environment for digital assets in the United States. The US government signaled a strategic approach toward crypto innovation, encouraging renewed participation from developers and investors. At the same time, decentralized applications expanded into areas such as payments, gaming, digital identity, and tokenized assets, reinforcing the technology’s role in everyday use. This expansion coincided with increased malicious activity, as threat actors advanced both technical attacks and social manipulation methods.

A comparison between 2024 and 2025 shows that total reported losses rose from approximately $2.45 billion to $3.35 billion, reflecting a growth of about 37 percent. However, a single major incident involving Bybit accounted for roughly $1.45 billion of those losses, and excluding that event would have resulted in an overall decline in stolen funds. This shift suggests that while minor attacks remain frequent, attackers are focusing more resources on fewer but substantially larger operations, indicating the growing presence of highly organized and well-funded adversaries.

When the Bybit event is excluded and categorized as a supply-chain incident, phishing emerges as the most damaging attack type, with over $722 million lost across 248 cases, followed closely by exploitation of software vulnerabilities, which resulted in approximately $555 million across 240 incidents. Notably, nearly half of the funds lost through code vulnerabilities were later frozen or recovered, including in the Cetus case discussed within the report.

AI became a central factor in Web3 security during 2025, influencing both defensive and offensive strategies. Developers increasingly applied AI tools to improve testing, identify weaknesses, and streamline auditing processes. Meanwhile, attackers used AI to create highly convincing phishing platforms, launch automated multilingual scams, perform advanced target analysis using on-chain and social data, conduct realistic impersonation campaigns including deepfake usage, and quickly reproduce successful exploits at scale.

Global Regulatory Progress And Emerging Security Challenges 

Throughout 2025, regulatory conditions for digital assets became increasingly defined across major jurisdictions. In the United States, the introduction of the GENIUS Act established preliminary standards for transparency in digital assets and oversight of stablecoins, reflecting a more collaborative regulatory posture. Additional guidance on taxation and asset custody further improved consistency and predictability for both developers and institutional participants.

Internationally, policy developments advanced in parallel. The European Union continued progress toward full implementation of the MiCA framework, raising requirements for disclosures, asset issuance, and consumer safeguards. Financial hubs such as Singapore and Hong Kong broadened their regulatory sandboxes to support experimentation with tokenized securities and cross-border settlement initiatives. In Latin America, Brazil and Colombia introduced clearer regulatory structures for the tokenization of commodities, particularly in agricultural and mineral sectors, strengthening accountability for on-chain representations of physical assets. Collectively, these shifts encouraged a more coordinated and structured governance environment, shaping how projects approached compliance, system design, and security practices.

Looking ahead to 2026, emerging patterns suggest that malicious actors will increasingly rely on AI-enabled impersonation and large-scale social engineering campaigns, while attacks on supply chains and development infrastructure are expected to grow more complex. In parallel, improved regulatory maturity, expanded real-time surveillance capabilities, and wider deployment of AI-supported defensive technologies are likely to reduce certain categories of avoidable risk. The rapidly changing environment underscores the importance of embedding security considerations into all stages of development and operations.

CertiK operates as a major provider of Web3 security services, focused on strengthening the broader blockchain ecosystem through advanced formal verification and continuous monitoring of blockchain systems and smart contracts. The organization applies research-driven technologies to enterprise applications, supporting safe and reliable system scaling. Its operational history includes engagements with thousands of enterprise customers, protection of digital assets valued in the hundreds of billions of dollars, and identification of a large volume of software vulnerabilities. Its portfolio includes collaborations with leading blockchain projects, and it has received backing from prominent investment firms, achieving a multi-billion-dollar valuation.

Phishing Was 2025’s Most Common Attack Vector

According to the study, during 2025, phishing was responsible for the highest number of security incidents, with 248 documented cases, exceeding the counts for supply chain compromises and software flaws. While it was not the most financially damaging category overall, phishing still resulted in losses of approximately $723 million. This pattern reflects a continuing trend in Web3 security where threat actors favor inexpensive, scalable methods that exploit user behavior rather than complex technical weaknesses.

The reported phishing figures are likely understated, as many events remain undisclosed, particularly when individual losses are small, distributed across numerous victims, or associated with scams that do not meet conventional definitions of hacking. The data set used for this analysis excludes various widespread fraud schemes, including long-term confidence scams, coercion-based theft, and off-chain social manipulation, suggesting that actual losses tied to phishing are substantially higher. As transparency improves and disclosure frameworks mature, future reporting is expected to provide a more complete picture of phishing-related damage.

Compared with infrastructure-focused attacks, phishing demands little technical investment and has an exceptionally low barrier to entry. Proven attack methods can be quickly replicated, modified, and deployed to reach large populations within short timeframes. In 2025, the use of artificial intelligence significantly accelerated these operations. Attackers increasingly relied on AI systems to generate highly realistic fraudulent applications, wallets, and support platforms, craft tailored messages using harvested blockchain and social data, conduct large-scale multilingual campaigns, and expand social engineering efforts at unprecedented speed. These developments are expected to continue increasing both the volume and effectiveness of phishing activity while reducing the reliability of traditional warning signs such as poor language quality or generic messaging.

Several major incidents illustrated these trends. In April 2025, a large Bitcoin holder was deceived through social manipulation, leading to the loss of roughly $330 million, with part of the stolen funds later frozen and multiple suspects identified. In May, Cetus Protocol, a leading decentralized exchange on the Sui network, experienced a major breach involving its smart contract structure, resulting in approximately $225 million in stolen assets, of which $162 million was eventually recovered through validator intervention and governance actions. Later in the year, Balancer and associated platforms Beets and Bex were exploited through a flaw in transaction processing logic, initially causing losses near $130 million; subsequent asset recoveries reduced the net impact to about $96 million. These cases collectively demonstrate the evolving scale, sophistication, and financial impact of modern Web3 security threats.

Individual User Risks And Mitigation

In 2025, threat actors increasingly targeted individual users, whose defenses are often weaker and whose losses are frequently unreported. Many scams, including confidence-based investment schemes and long-term frauds, remain largely undocumented. The growing use of AI has made phishing more sophisticated, incorporating deepfakes and voice spoofing, while physical coercion attacks, or wrench attacks, rose alongside the widespread exposure of user identities from exchange data combined with location information.

Effective mitigation begins with awareness: understanding common attack methods and staying informed through reliable sources. Users are advised to diversify assets across multiple wallets with varying risk exposure, ensuring that the compromise of a single key or account does not endanger all holdings. Strong access controls, including unique passwords, password managers, and two-factor authentication, are critical, as is minimizing public exposure and verifying all URLs, addresses, and permissions before approving any transaction.

Protection against phishing requires heightened caution. Every wallet interaction should be treated as high-risk, verifying domains, contracts, and requested actions to prevent fraudulent signature approvals. Multi-signature setups, hardware wallets, or transaction simulation tools can introduce safeguards before funds are moved. Private messages should not be relied upon for support, as legitimate projects do not provide unsolicited assistance. Users should confirm announcements through official channels and maintain ongoing oversight of token allowances, revoking permissions when necessary to limit potential loss. For teams, training on social engineering tactics and standardized communication protocols can significantly reduce internal risks during critical operations or updates. Additionally, conventional cybersecurity measures, such as endpoint protection, safe browsing practices, and anti-phishing tools, remain essential, as many attacks originate outside the Web3 environment.
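The allowance oversight recommended above can be checked from a wallet's own event history. The following is example code written for this page, not code from CertiK or the report: it replays ERC-20 Approval logs (in the shape an Ethereum node's eth_getLogs call returns) and flags open allowances that are unlimited or granted to a spender not on the user's trusted list. The token, owner and spender addresses are constructed placeholders.

```python
# Added example (not from the CertiK report): replay ERC-20 Approval logs and flag allowances to review or revoke.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # the "infinite approval" many dApps request by default

def topic_to_address(topic):
    # An indexed address is ABI-encoded as 32 bytes, left-padded with zeros.
    return "0x" + topic[-40:].lower()

def parse_approval(log):
    """Decode one Approval(owner, spender, value) log; None if not an Approval."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return {"token": log["address"].lower(), "owner": topic_to_address(topics[1]),
            "spender": topic_to_address(topics[2]), "value": int(log["data"], 16)}

def audit_allowances(logs, owner, trusted_spenders):
    """Latest Approval per (token, spender) wins and approve(0) is a revocation;
    report open allowances that are unlimited or go to an unknown spender."""
    owner, trusted = owner.lower(), {s.lower() for s in trusted_spenders}
    current = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        ev = parse_approval(log)
        if ev and ev["owner"] == owner:
            current[(ev["token"], ev["spender"])] = ev["value"]
    findings = []
    for (token, spender), value in current.items():
        reasons = []
        if value == UNLIMITED:
            reasons.append("unlimited allowance")
        if spender not in trusted:
            reasons.append("spender not on trusted list")
        if value and reasons:  # value == 0 means already revoked
            findings.append({"token": token, "spender": spender, "reasons": reasons})
    return findings

def make_log(block, idx, token, owner, spender, value):
    # Build a log dict in the shape eth_getLogs returns (constructed sample data).
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

# Constructed sample: hypothetical token, owner, trusted router and unknown spender.
TOKEN, OWNER = "0x" + "aa" * 20, "0x" + "11" * 20
ROUTER, UNKNOWN = "0x" + "22" * 20, "0x" + "33" * 20
SAMPLE_LOGS = [
    make_log(100, 0, TOKEN, OWNER, ROUTER, UNLIMITED),  # unlimited, even though trusted
    make_log(101, 0, TOKEN, OWNER, UNKNOWN, 10**18),    # unknown spender
    make_log(102, 0, TOKEN, OWNER, UNKNOWN, 0),         # later revoked via approve(0)
]
```

Running `audit_allowances(SAMPLE_LOGS, OWNER, [ROUTER])` reports only the unlimited router allowance, since the unknown spender's approval was revoked in the last log.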

About The Author

Alisa Davidson, a dedicated journalist at the MPost, specializes in cryptocurrency, zero-knowledge proofs, investments, and the expansive realm of Web3. With a keen eye for emerging trends and technologies, she delivers comprehensive coverage to inform and engage readers in the ever-evolving landscape of digital finance.