A recent report from Kerberus, a Web3 security company, shows that human behavior is now the primary cause of risk in Web3.
BeInCrypto spoke with the company's CEO, Alex Katz, and CTO, Danor Cohen, to understand why users continue to fall victim to attacks and what they can do to better protect themselves.
Human Error Causes Huge Losses in Web3, Kerberus Report Says
In its latest report titled “The Human Factor – Real-time Protection is the Forgotten Security Layer of Web3 (2025)”, Kerberus revealed that human-centric attacks are the most dangerous type in Web3.
The report cites data showing that a large portion of industry losses stem from user error. About 44% of cryptocurrency thefts in 2024 were due to improper management of private keys. Another study found that human error accounts for about 60% of security breaches.
With 820 million active wallets by 2025, the threat landscape is expanding rapidly, and everyone is at risk. Katz told BeInCrypto that bad actors are targeting both newbies and veterans, but for very different reasons.
“New users are attracted because they don't yet understand what is normal behavior on Web3,” he says.
The executive also noted that long-time users are increasingly becoming higher-value targets than newcomers. According to him,
“Veteran users interact with more dApps, sign more transactions, and move larger amounts of money. That means a moment of carelessness can cause much larger losses. So the most vulnerable group today is anyone who believes they are not vulnerable to risk.”
Cohen added that one of the biggest misconceptions about Web3 is the belief that security failures stem from users not understanding the technology. His analysis shows the opposite. People get hacked because the system places unrealistic burdens on users.
“Users think, ‘I’m too smart to be hacked, I know how wallets work – I’m safe.’ But the threat landscape changes faster than users. Hackers aren’t trying to outsmart your wallet, they’re trying to outsmart you. And they’re very good at it. What people misunderstand is that Web3 places a huge intellectual burden on the individual. Users shouldn’t have to decipher technical signals to be safe – security should work automatically for them,” he said.
Why Even Smart Web3 Users Are Still Losing Money in 2025
These human risks persist despite security spending hitting record levels in 2025. The Kerberus report said that cryptocurrency-related services and investors lost more than $3.1 billion due to hacks and scams in the first half of the year. This is already more than the total for all of 2024.
This figure includes the historic Bybit breach. Excluding this, human-targeted attacks like phishing and social engineering still accounted for $600 million. This is 37% of the remaining $1.64 billion in losses.
The report notes that these attacks scale with the number of users and completely bypass technical security systems, making them difficult to prevent with traditional security models.
While companies are investing heavily in auditing, monitoring, and code testing, attackers are increasingly exploiting users directly at the transaction level. But what makes humans vulnerable to these attacks?
“Humans are vulnerable because every scam is designed to exploit natural psychological shortcuts — urgency, power, familiarity, fear of missing out, or the comfort of routine. These are not weaknesses, they are instincts that help us function in our daily lives. Technology can’t change human psychology, but it can seize the moment when psychology is weaponized,” Cohen detailed.
He stressed that the strongest form of protection is not relying on users to avoid mistakes through education, but rather preventing harmful actions in time before damage occurs.
“That's why real-time detection is so important. If you can alert users at the exact moment their trust is being abused, you can prevent most of the damage before it happens,” Cohen added.
The CEO stressed that it is unrealistic to expect the average user to be able to tell a malicious dApp, airdrop, or mint site from a legitimate one. Modern counterfeit platforms often look identical to the real ones, making them nearly indistinguishable.
He added that users may click on phishing links multiple times. They do so not out of carelessness, but because the attacks are designed to deceive.
Even real-time alerts can sometimes appear as false alarms, highlighting the sophistication of these scams.
“Users shouldn’t be forced to do the detailed vetting. The burden should be shifted to real-time intent and behavior analytics,” Cohen suggests.
The report also said that these attacks exploit moments when users are unable to assess risk. This could happen when someone checks their wallet while distracted at work, responds to an urgent message saying their account is about to be frozen, or approves a transaction at the end of a long day when they are tired.
The industry’s response has been largely to add more warnings and verification steps, according to the findings. But this approach often backfires because of “security fatigue.” As users become accustomed to receiving constant alerts—many of which are false positives that slow them down—their ability to make careful decisions declines under constant pressure.
3 actions users can take to be more secure in Web3
To minimize losses in practice, Katz revealed three practices that users can adopt. He recommends that users:
- Pause before signing: Most compromises happen in less than ten seconds. Taking a moment to carefully read a request, or to confirm that it matches the intended action, can prevent the majority of successful attacks.
- Separate high-value assets from daily activity: Using multiple wallets is still one of the most effective protections. He suggests that users keep long-term holdings in cold storage or rarely used wallets and use a separate wallet for exploring, minting tokens, and trying dApps. This separation helps limit potential losses.
- Rely on real-time transaction protection: Since many threats involve social engineering rather than technical exploitation, users benefit from tools that explain on-chain actions before they are completed. This single layer of defense stops the more complex scams.
The intention, he emphasizes, is not to turn users into security experts, but to build barriers that prevent mistakes from turning into financial losses.
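As an added illustration of the "pause before signing" and "explain on-chain actions before they are completed" advice above (this is example code, not from Kerberus or BeInCrypto), the snippet below decodes an ERC-20 approve request and compares it with what the user meant to do. The selector and ABI layout are the standard ERC-20 ones; the spender addresses and amounts are constructed sample values.

```python
# Added example: a minimal "explain before you sign" check for ERC-20 approvals.
# It flags the two patterns most often abused in approval phishing: an unlimited
# allowance and a spender the user did not intend. Sample addresses are constructed.

APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = 2**256 - 1


def decode_approve(calldata: str):
    """Return (spender, amount) for an ERC-20 approve call, or None if it is not one."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[8 + 24:8 + 64]   # address is right-aligned in a 32-byte word
    amount = int(data[72:136], 16)
    return spender, amount


def explain_before_signing(calldata: str, intended_spender: str, intended_amount: int):
    """Compare the request with the user's stated intent; return a list of warnings."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return ["not an ERC-20 approve call; review the raw calldata"]
    spender, amount = decoded
    warnings = []
    if spender != intended_spender.lower():
        warnings.append(f"spender {spender} is not the contract you intended")
    if amount == UINT256_MAX:
        warnings.append("unlimited allowance requested; the spender could drain this token")
    elif amount > intended_amount:
        warnings.append(f"allowance {amount} exceeds the intended {intended_amount}")
    return warnings


def encode_approve(spender: str, amount: int) -> str:
    """Build approve calldata; used here only to construct the sample requests."""
    addr = spender.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + APPROVE_SELECTOR + addr + f"{amount:064x}"


if __name__ == "__main__":
    DEX = "0x" + "11" * 20       # constructed: the router the user meant to approve
    DRAINER = "0x" + "ee" * 20   # constructed: a look-alike site's spender contract
    for tx in (encode_approve(DEX, 10**18), encode_approve(DRAINER, UINT256_MAX)):
        print(explain_before_signing(tx, DEX, 10**18) or ["matches intent"])
```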