NEW YORK, Dec. 24, 2025 (GLOBE NEWSWIRE) -- CertiK, the world’s largest Web3 security services provider, released its 2025 Skynet Hack3D Web3 Security Report, providing a comprehensive review of major security incidents and risk trends across the Web3 ecosystem over the past year. The report finds that, while the industry accelerated its recovery amid improving market conditions and clearer regulatory expectations, security risks remained elevated and therefore continue to pose systemic challenges.
According to the report, the Web3 sector experienced 630 security incidents in 2025, resulting in total losses of approximately $3.35 billion, representing a 37% year-over-year increase. While the number of incidents declined by 137 compared to 2024, the average loss per incident surged to $5.32 million, up 66.6% from the previous year, highlighting a clear shift by attackers toward higher-value targets.
By attack vector, supply chain attacks emerged as the most financially damaging threat in 2025. Although only two such incidents were recorded throughout the year, they accounted for a combined $1.45 billion in losses, nearly half of the total annual damage. The majority of these losses stemmed from the Bybit incident in February.
As detailed in the report, Bybit suffered an estimated $1.4 billion loss following a security incident in February 2025, and is widely regarded as one of the largest cryptocurrency thefts to date. Rather than directly breaching the exchange’s core systems, attackers compromised the development environment of a third-party multi-signature wallet service provider, inserting malicious code into the signing workflow and effectively bypassing multi-approval safeguards. CertiK notes that incidents of this nature reflect a broader strategic shift among attackers toward targeting critical service providers and foundational tooling, rather than individual protocols alone.
In terms of frequency, phishing attacks remained the most common security threat in 2025. The report recorded 248 phishing-related incidents, which led to approximately $723 million in losses. The number of phishing incidents slightly exceeded those caused by code vulnerabilities (240 cases).
CertiK cautions that these figures are likely understated. A significant number of phishing and scam incidents targeting individual users go unreported, particularly those involving smaller losses or off-chain social engineering attacks.
The report further emphasizes that the widespread adoption of artificial intelligence is dramatically lowering the barrier to entry for phishing attacks. Threat actors are increasingly leveraging AI to generate highly convincing phishing websites, wallet pop-ups, and multi-lingual scam messages, often combining on-chain data with social media intelligence for more targeted campaigns. As a result, traditional detection methods that rely on grammatical errors or recognizable templates are becoming progressively less effective.
Amid rising security risks, the report also highlights positive developments in the global regulatory landscape. Legislative progress in the United States around stablecoins and digital asset transparency has provided clearer policy signals, while frameworks such as the EU’s MiCA, along with regulatory sandboxes in Singapore and Hong Kong, are helping guide the Web3 industry toward more standardized and compliant growth.
CertiK observes that, as institutional and compliance-driven capital continues to enter the market, security is evolving from a reactive, post-incident expense into a foundational component of system design and operations. For both projects and individual users, security has become a decisive factor in long-term resilience and viability.
Looking ahead, the report concludes that AI-driven impersonation attacks, increasingly sophisticated supply chain compromises, and social engineering schemes targeting individual users are likely to continue evolving in the coming year. In this environment, projects that embed security directly into their architecture, development workflows, and user experience will be best positioned to stand out in the next phase of Web3 competition.
Full report: https://indd.adobe.com/view/d21da0b0-06c4-4f38-a82b-c7757971064b
CONTACT: Media Contact Elisa Yiting Xu yiting.xu@certik.com
