Chainfeeds Summary:
The report shows that 630 security incidents occurred in the Web3 field in 2025, resulting in a total loss of approximately US$3.35 billion, a 37% increase compared to 2024.
Article source:
https://mp.weixin.qq.com/s/nnFPJwTtCC_iJeIULU7R_Q
Article Author:
CertiK
Opinion:
CertiK: In terms of attack type, supply chain attacks were the biggest source of losses in 2025. Although only two such incidents were recorded throughout the year, the cumulative losses reached $1.45 billion, accounting for nearly half of the total losses for the year. The Bybit incident in February accounted for the vast majority of these losses. The security incident that Bybit suffered in February 2025 resulted in approximately $1.4 billion in losses and is considered one of the largest crypto asset thefts to date. The attackers did not directly breach the exchange system but instead bypassed multiple approval mechanisms by infiltrating the developer environment of a third-party multi-signature wallet service provider and implanting malicious code into the signature process. The report points out that similar incidents reflect that attackers are focusing their resources on key service providers and underlying tools, rather than the single protocol itself, making supply chain security a systemic risk that cannot be ignored.

Regarding attack frequency, phishing remained the most common security threat in 2025: a total of 248 phishing attacks were recorded throughout the year, causing approximately $720 million in losses. However, this figure may still be underestimated. Numerous phishing and fraud incidents targeting individual users remain undisclosed, especially social engineering attacks involving smaller losses or occurring off-chain. The widespread adoption of AI is significantly lowering the technical barrier to phishing attacks, allowing attackers to leverage AI to generate highly realistic phishing websites, wallet pop-ups, and multilingual fraudulent messages, combining them with on-chain data and social media content for targeted attacks. Traditional defenses relying on grammatical errors or template features are becoming increasingly ineffective.

While risks are rising, the global regulatory environment is undergoing positive changes. Legislative progress in the US regarding transparency in stablecoins and digital assets is sending clearer policy signals to the industry; the EU's MiCA framework and regulatory sandboxes in Singapore and Hong Kong are also propelling Web3 towards a more standardized development stage. With the continued entry of institutional and compliant funds, security capabilities are shifting from "post-incident remediation" to becoming an infrastructure element in project design and operation. For both project teams and individual users, security is no longer an option but a critical variable affecting long-term viability. In the coming year, AI-driven spoofing attacks, increasingly sophisticated supply chain intrusions, and social engineering attacks targeting individual users will continue to evolve. In this context, projects that embed security into their architecture design, development processes, and user experience will have a chance to stand out in the new round of Web3 competition.