CertiK's Annual Security Report: Web3 Losses to Increase by 37% Year-on-Year in 2025, Phishing Attacks and Supply Chain Incidents Become Major Threats

CertiK
Guest columnist
2025-12-25 07:13
AI summary
  • Core point: Web3 security risk is intensifying and loss amounts are surging.
  • Key elements:
    1. Supply chain attacks account for nearly half of all losses, with enormous per-incident losses.
    2. Phishing attacks are frequent, and AI lowers the barrier to mounting them.
    3. The average loss per attack surged 66.6% to US$5.32 million.
  • Market impact: pushes the industry to treat security as core infrastructure.
  • Timeliness note: medium-term impact.

On December 23, CertiK, the world's largest Web3 security company, released the "2025 Skynet Hack3D Web3 Security Report," which systematically reviewed the major security incidents and risk trends in the Web3 field over the past year. The report points out that the Web3 industry is accelerating its development amid a recovering market environment and clearer regulatory expectations, but security risks have not been alleviated accordingly, and it still faces systemic security challenges.

The report records 630 security incidents in the Web3 domain in 2025 with total losses of approximately US$3.35 billion, a 37% increase over 2024. Although the number of incidents fell by 137 from the previous year (630 versus 767), the average loss per attack reached US$5.322 million, a 66.6% year-on-year increase, which points to attackers concentrating on high-value targets.

Supply chain attacks drive up annual losses

In terms of attack type, supply chain attacks emerged as the biggest source of loss in 2025. Although only two related incidents were recorded throughout the year, the cumulative losses reached $1.45 billion, accounting for nearly half of the total losses for the year. The Bybit incident in February accounted for the vast majority of these losses.

As reported at the time, Bybit's February 2025 incident cost approximately $1.4 billion and is regarded as one of the largest crypto-asset thefts to date. The attackers never breached the exchange's own systems. Instead, they compromised the developer environment of the third-party multi-signature wallet service Bybit used and injected malicious code into the signing front-end, so that the transaction shown to the approvers differed from the one their keys actually signed. The multisig's approval threshold was satisfied exactly as designed; what failed was the integrity of the payload each approver was asked to sign.
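
The paragraph above describes the attack class in one sentence. The following Python is an added illustration, not CertiK's, Bybit's, or any wallet vendor's code, of the defensive check it implies: rebuilding the transaction hash from the fields the approver actually sees and comparing it with the hash the signing device is being asked to sign, before any signature is produced. The transaction fields, the placeholder addresses, and the sha256-based canonical hash are all constructed stand-ins; a real Safe multisig uses an EIP-712 typed-data hash, which this code does not implement.

```python
"""Independent 'what you see is what you sign' check for a multisig transaction.

Constructed illustration (not CertiK's, Bybit's or Safe's code) of a signing
front-end that displays one transaction while handing the device another.
The hash is a simplified canonical encoding, not the real Safe EIP-712 hash.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass

CALL, DELEGATECALL = 0, 1


@dataclass(frozen=True)
class SafeTx:
    to: str          # target address as a hex string
    value: int       # native value in wei
    data: str        # hex-encoded calldata
    operation: int   # 0 = CALL, 1 = DELEGATECALL
    nonce: int       # replay protection


def tx_hash(tx: SafeTx) -> str:
    """Digest over every field that affects execution (stand-in for the EIP-712 SafeTx hash)."""
    canonical = json.dumps(asdict(tx), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed placeholder addresses; none of these are real contracts.
WARM_WALLET = "0x" + "bb" * 20
ATTACKER_IMPL = "0x" + "cc" * 20
ERC20_TOKEN = "0x" + "dd" * 20


def intended_transfer(nonce: int) -> SafeTx:
    """What the operators meant to approve: a plain ERC-20 transfer to the warm wallet."""
    transfer_selector = "a9059cbb"  # transfer(address,uint256)
    calldata = (
        "0x" + transfer_selector
        + WARM_WALLET[2:].rjust(64, "0")
        + hex(10**18)[2:].rjust(64, "0")
    )
    return SafeTx(to=ERC20_TOKEN, value=0, data=calldata, operation=CALL, nonce=nonce)


def honest_frontend(intended: SafeTx) -> tuple[SafeTx, SafeTx]:
    """Returns (what the UI displays, what the device is asked to sign); identical here."""
    return intended, intended


def compromised_frontend(intended: SafeTx) -> tuple[SafeTx, SafeTx]:
    """Model of injected front-end code: the display is untouched, but the payload
    sent for signing is a DELEGATECALL that hands the wallet to attacker-controlled code."""
    signed = SafeTx(to=ATTACKER_IMPL, value=0, data="0x", operation=DELEGATECALL,
                    nonce=intended.nonce)
    return intended, signed


def independent_check(displayed: SafeTx, hash_presented_to_device: str) -> list[str]:
    """Recompute the hash from the displayed fields on a machine that does not trust
    the web front-end and compare with the hash the device shows. Empty list = safe to sign."""
    findings: list[str] = []
    if tx_hash(displayed) != hash_presented_to_device:
        findings.append("hash mismatch: device is signing a different payload than displayed")
    if displayed.operation == DELEGATECALL:
        findings.append("DELEGATECALL requested: review as a wallet upgrade, not a transfer")
    return findings


def review(frontend, nonce: int = 42) -> list[str]:
    """Drive one front-end through the flow and return the pre-signature findings."""
    intended = intended_transfer(nonce)
    displayed, to_sign = frontend(intended)
    return independent_check(displayed, tx_hash(to_sign))


if __name__ == "__main__":
    print("honest:", review(honest_frontend) or "no findings, safe to sign")
    print("compromised:", review(compromised_frontend))
```

Against the honest front-end the check returns no findings; against the tampered one it reports a hash mismatch before any signature is produced. The practical point is that the comparison has to run on a device or offline tool that does not execute the web front-end's JavaScript, since the same injected code could otherwise lie about the hash as well.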

CertiK's reading of such incidents is that attackers are concentrating their resources on critical service providers and underlying tooling rather than on any single protocol, which makes supply chain security a systemic risk that can no longer be ignored.

Phishing attacks are rampant, and AI is acting as an "amplifier."

By frequency, phishing remained the most common threat in 2025. The report counts 248 phishing attacks over the year, causing approximately $723 million in losses, just ahead of code-vulnerability exploits (240 incidents).

CertiK also cautions that this figure is likely an undercount: a large share of phishing and scams aimed at individual users is never reported, especially social engineering with small losses or activity that takes place off-chain.

The report stresses that the widespread adoption of artificial intelligence is sharply lowering the technical barrier to phishing. Attackers now use AI to generate convincing phishing websites, wallet pop-ups, and multilingual fraudulent messages, and combine them with on-chain data and social media content for precision targeting. Defenses that key on grammatical errors or template artifacts are losing their value as a result.

With clearer regulation, security is shifting from a "cost item" to "infrastructure."

While risks are rising, the report also notes positive changes in the global regulatory environment. Legislative progress in the United States regarding the transparency of stablecoins and digital assets is sending clearer policy signals to the industry; the EU's MiCA framework, and the regulatory sandboxes in Singapore and Hong Kong, are also pushing Web3 towards a more standardized development stage.

The CertiK report points out that as institutional and compliant funding continue to enter the market, security capabilities are shifting from "post-incident remediation" to becoming an infrastructure element in project design and operation. For both project owners and individual users, security is no longer an option, but a critical variable affecting long-term viability.

The report closes by noting that AI-driven impersonation, increasingly sophisticated supply chain intrusions, and social engineering aimed at individual users will keep evolving over the coming year. Against that backdrop, the projects that embed security into their architecture, development processes, and user experience will be the ones positioned to win the next round of Web3 competition.

Full report: https://indd.adobe.com/view/6935ac85-c644-4048-9e27-1d310549aa0a
