The report shows that 630 security incidents occurred in the Web3 field in 2025, resulting in a total loss of approximately US$3.35 billion, a year-on-year increase of 37% over 2024. Although the number of incidents fell by 137 compared to the previous year, the average loss per attack reached US$5.322 million, a surge of 66.6% year-on-year, highlighting a trend of attackers concentrating on high-value targets.
Article author and source: CertiK
The Web3 industry is accelerating its development amid a recovering market and clearer regulatory expectations, but security risk has not eased, and the industry still faces systemic security challenges.

Key data
- February was the worst month of the year, with 58 incidents causing approximately $1.54 billion in losses, the vast majority of which stemmed from the Bybit incident.
- The first quarter of 2025 saw the most significant losses, with 200 hacking, fraud, and exploitation incidents resulting in the theft of approximately $1.67 billion. The amount stolen in the second quarter decreased by approximately 52% compared to the first.
- Supply chain attacks were the most damaging type of attack in 2025: just two incidents resulted in approximately $1.45 billion in losses, accounting for nearly half of the total amount stolen throughout the year.
- Phishing attacks followed in terms of losses, with 248 incidents causing approximately $720 million in losses, making phishing the most frequent attack method in 2025, slightly ahead of code vulnerability exploits (240 incidents).
- Incidents that spanned multiple chains accounted for 29 security incidents and approximately $460 million in losses.
Supply chain attacks drive up annual losses
In terms of attack type, supply chain attacks emerged as the biggest source of loss in 2025. Although only two such incidents were recorded throughout the year, the cumulative losses reached $1.45 billion, accounting for nearly half of the total losses for the year. The Bybit incident in February accounted for the vast majority of these losses.
The security incident that Bybit suffered in February 2025 resulted in a loss of approximately $1.4 billion and is considered one of the largest crypto asset thefts to date. The attackers did not directly breach the exchange's own systems. Instead, they compromised the developer environment of a third-party multi-signature wallet service provider and inserted malicious code into the signing flow, so that the multi-party approval process was subverted: the approvers signed off on a transaction that was not the one they believed they were approving. The practical lesson for operators of multi-signature wallets is that the transaction digest presented for signature must be verified independently of the provider's interface, since that interface is exactly what a supply chain attacker controls.
The report notes that incidents like this show attackers concentrating their resources on critical service providers and underlying tooling rather than on any single protocol, and that supply chain security has become a systemic risk that cannot be ignored.
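The failure mode described above, as an added example that is not from the CertiK report and is not the code of any wallet provider: a compromised signing interface renders the transaction the operator entered but submits a different one for signature. The transaction fields, the canonical encoding, the SHA-256 digest and the domain prefix are all illustrative assumptions; production multisig wallets use their own domain-separated hashing schemes, but the defensive step is the same: each signer recomputes the digest from the transaction they intend to approve, on a machine that does not run the provider's code, and refuses to sign when it differs from what the signing device shows.

```python
"""Independent re-verification of a multisig transaction digest before signing.

Added example modelling a supply-chain-compromised signing UI and the check
that defeats it. All field names, the encoding and the hash scheme are
assumptions for illustration, not any real wallet's format.
"""
from dataclasses import dataclass
import hashlib
import json


@dataclass(frozen=True)
class MultisigTx:
    to: str          # destination address as a hex string
    value: int       # amount in the smallest unit
    data: str        # calldata as hex; "0x" for a plain transfer
    operation: int   # 0 = call, 1 = delegatecall (the dangerous one; assumed convention)
    nonce: int       # replay protection


def canonical_digest(tx: MultisigTx) -> str:
    """Deterministic digest over every field, with a domain prefix so a digest
    for one wallet/chain cannot be replayed as a digest for another (assumed scheme)."""
    domain = b"example-multisig-v1|chain:1|wallet:0x" + b"aa" * 20
    payload = json.dumps(
        {"to": tx.to.lower(), "value": tx.value, "data": tx.data.lower(),
         "operation": tx.operation, "nonce": tx.nonce},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(domain + b"\x00" + payload).hexdigest()


class CompromisedFrontend:
    """Constructed model of a tampered signing UI: it displays the transaction the
    operator entered but hands the signer a digest of a different transaction."""

    def __init__(self, displayed: MultisigTx, actually_signed: MultisigTx):
        self.displayed = displayed
        self._actually_signed = actually_signed

    def render(self) -> MultisigTx:
        return self.displayed

    def signing_request(self) -> str:
        # This is what reaches the hardware wallet or signing key.
        return canonical_digest(self._actually_signed)


def blind_sign(frontend: CompromisedFrontend) -> str:
    """Vulnerable flow: trust the UI and approve whatever digest it supplies."""
    return frontend.signing_request()


def verified_sign(frontend: CompromisedFrontend, intended: MultisigTx) -> str:
    """Hardened flow: recompute the digest from the intended transaction and only
    approve if the request matches. Raises instead of producing an approval."""
    expected = canonical_digest(intended)
    requested = frontend.signing_request()
    if requested != expected:
        raise ValueError(
            f"digest mismatch: UI asked to sign {requested[:16]}..., "
            f"intended transaction hashes to {expected[:16]}..."
        )
    return requested


# Constructed sample data: the operator intends a plain transfer of 1 unit.
RECIPIENT = "0x" + "11" * 20
INTENDED = MultisigTx(to=RECIPIENT, value=1, data="0x", operation=0, nonce=42)
# The tampered request keeps the same recipient and nonce but switches to a
# delegatecall with attacker-chosen calldata; a blind signer approves it unknowingly.
TAMPERED = MultisigTx(to=RECIPIENT, value=0, data="0xdeadbeef", operation=1, nonce=42)


def demo() -> dict:
    """Run both flows against a tampered UI and an honest UI; returns the outcomes."""
    tampered_ui = CompromisedFrontend(displayed=INTENDED, actually_signed=TAMPERED)
    blind = blind_sign(tampered_ui)            # approves the attacker's transaction
    try:
        verified_sign(tampered_ui, INTENDED)
        refused = False
    except ValueError:
        refused = True                          # mismatch detected, nothing signed
    honest_ui = CompromisedFrontend(displayed=INTENDED, actually_signed=INTENDED)
    return {
        "blind_flow_signed_tampered": blind == canonical_digest(TAMPERED),
        "verified_flow_refused": refused,
        "verified_flow_accepts_honest": verified_sign(honest_ui, INTENDED) == canonical_digest(INTENDED),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the check is where it runs: recomputing the digest inside the same browser tab that serves the provider's JavaScript proves nothing, because that code is the thing that was replaced. The recomputation belongs on a separate machine or an air-gapped tool fed only the transaction parameters the signer intends, and its output is compared against what the hardware signer displays.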
Phishing attacks are rampant, and AI is acting as an "amplifier."
In terms of attack frequency, phishing remains the most common security threat in 2025: a total of 248 phishing attacks were recorded throughout the year, resulting in approximately $720 million in losses.
However, this figure is likely understated. A large number of phishing attacks and scams targeting individual users go unreported, especially social engineering attacks that cause smaller losses or occur off-chain.
The widespread adoption of AI is significantly lowering the technical barrier to phishing. Attackers are beginning to use AI to generate highly realistic phishing websites, wallet pop-ups, and multilingual fraudulent messages, combining them with on-chain data and social media content for precision targeting of specific victims. Traditional defenses that rely on spotting grammatical errors or template features are gradually becoming ineffective.
With clearer regulations, security is shifting from a "cost item" to "infrastructure."
While risks are rising, the global regulatory environment is undergoing positive changes. Legislative progress in the United States regarding the transparency of stablecoins and digital assets is sending clearer policy signals to the industry; the EU's MiCA framework and the regulatory sandboxes in Singapore and Hong Kong are also pushing Web3 towards a more standardized development stage.
With the continued entry of institutional and compliant funds, security capabilities are shifting from "post-incident remediation" to becoming an infrastructure element in project design and operation. For both project owners and individual users, security is no longer an option, but a key variable affecting long-term viability.
In the coming year, AI-driven spoofing attacks, sophisticated supply chain intrusions, and social engineering attacks targeting individual users will continue to evolve. Against this backdrop, projects that embed security into their architectural design, development processes, and user experience will have a chance to stand out in the next round of Web3 competition.
Conclusion
CertiK, the world's largest Web3 security company, has long provided the industry with insights such as security incident analysis, security guidelines, and security reports, delivering critical security information. Its security reports, once published, receive significant attention from the industry and are quickly reported and cited by leading Web3 media outlets such as CoinDesk and Cointelegraph.
We welcome you to click the "Original Link" at the end of this article to read the full "2025 Skynet Hack3D Web3 Security Report" for more comprehensive analysis, insights, and recommendations.