CertiK’s Annual Security Report: Web3 Losses Up 37% Year-on-Year in 2025, Phishing Attacks and Supply Chain Incidents Become Major Threats

The report shows that 630 security incidents occurred in the Web3 domain in 2025, resulting in a total loss of approximately US$3.35 billion, a 37% increase compared to 2024. Although the number of incidents decreased by 137 compared to the previous year, the average loss per attack reached US$5.322 million, a surge of 66.6% year-on-year, highlighting the trend of attackers focusing on high-value targets.
Supply chain attacks drive up annual losses
In terms of attack type, supply chain attacks emerged as the biggest source of loss in 2025. Although only two related incidents were recorded throughout the year, the cumulative losses reached $1.45 billion, accounting for nearly half of the total losses for the year. The Bybit incident in February accounted for the vast majority of these losses.
According to reports, Bybit suffered a security incident in February 2025 that resulted in approximately $1.4 billion in losses, considered one of the largest crypto asset thefts to date. The attackers did not directly breach the exchange’s own systems; instead, they compromised the developer environment of a third-party multi-signature wallet service provider and implanted malicious code into the signing process, allowing them to bypass the multiple-approval mechanism.
In its report, CertiK points out that similar incidents reflect that attackers are focusing their resources on critical service providers and underlying tools, rather than the single protocol itself, and that supply chain security has become a systemic risk that cannot be ignored.
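The Bybit description above turns on signers approving a transaction through a signing service whose code had been tampered with. The following is an added illustration (not CertiK’s code, and not any wallet vendor’s) of the signer-side control that counters this class of attack: each signer recomputes the transaction digest from the fields actually displayed to them, on a path the signing service does not control, and refuses to sign any other digest. SHA-256 over a canonical JSON encoding stands in for the EIP-712/keccak hashing that real wallets use; the field names, the operation codes, and the placeholder addresses are constructed assumptions.

```python
"""Added illustration of signer-side verification in an M-of-N multisig flow.

Simplified on purpose: SHA-256 over canonical JSON replaces the EIP-712 hashing
real wallets use, and the schema below is an assumption, not a vendor's format.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass

CHAIN_ID = 1
WALLET = "0xWALLET_PLACEHOLDER"  # constructed placeholder, not a real address


@dataclass(frozen=True)
class MultisigTx:
    to: str
    value: int
    data: str        # hex-encoded calldata
    operation: int   # assumed encoding: 0 = call, 1 = delegatecall
    nonce: int


def tx_digest(tx: MultisigTx, chain_id: int = CHAIN_ID, wallet: str = WALLET) -> str:
    """Domain-separated digest: the same fields for another wallet or chain hash
    differently, so an approved digest cannot be replayed in another context."""
    canonical = json.dumps(
        {"chain_id": chain_id, "wallet": wallet, **asdict(tx)},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify_before_signing(displayed: MultisigTx, requested_digest: str,
                          allow_delegatecall: bool = False) -> tuple[bool, str]:
    """The check each signer runs on a trusted path (hardware device, offline
    script) using only the fields shown to them. A compromised front end that
    displays a benign transaction but requests a signature over a different
    digest fails the recomputation; a delegatecall is refused by policy."""
    if displayed.operation == 1 and not allow_delegatecall:
        return False, "delegatecall operations are refused by policy"
    expected = tx_digest(displayed)
    if expected != requested_digest:
        return False, "digest does not match the displayed fields"
    return True, "ok"


def collect_approvals(signers: list[str], displayed_per_signer: dict[str, MultisigTx],
                      requested_digest: str, threshold: int) -> tuple[int, bool]:
    """Simulate one approval round in which every signer verifies independently.
    Returns (number of approvals, whether the threshold was reached)."""
    approvals = 0
    for name in signers:
        ok, _reason = verify_before_signing(displayed_per_signer[name], requested_digest)
        if ok:
            approvals += 1
    return approvals, approvals >= threshold


# Constructed scenario: an honest treasury transfer, and the transaction a
# tampered signing service would actually submit for signature.
HONEST = MultisigTx(to="0xRECIPIENT_PLACEHOLDER", value=10, data="0x",
                    operation=0, nonce=42)
MALICIOUS = MultisigTx(to="0xATTACKER_CONTRACT_PLACEHOLDER", value=0,
                       data="0xdeadbeef", operation=1, nonce=42)
SIGNERS = ["alice", "bob", "carol"]


def honest_round() -> tuple[int, bool]:
    """Every signer sees HONEST and is asked to sign HONEST's digest."""
    return collect_approvals(SIGNERS, {s: HONEST for s in SIGNERS},
                             tx_digest(HONEST), threshold=2)


def tampered_round() -> tuple[int, bool]:
    """The front end shows HONEST to everyone but requests MALICIOUS's digest;
    independent recomputation means no signer approves."""
    return collect_approvals(SIGNERS, {s: HONEST for s in SIGNERS},
                             tx_digest(MALICIOUS), threshold=2)


if __name__ == "__main__":
    print("honest round:", honest_round())      # (3, True)
    print("tampered round:", tampered_round())  # (0, False)
```

The point of the design is that the digest check does not depend on trusting the signing service: as long as at least `N - threshold + 1` signers recompute from what they were shown, a tampered front end cannot reach quorum, and the delegatecall policy catches the case where the displayed fields themselves are hostile.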
Phishing attacks are rampant, and AI is acting as an “amplifier.”
In terms of attack frequency, phishing remains the most common security threat in 2025. The report shows that a total of 248 phishing attacks were recorded throughout the year, causing approximately $723 million in losses, slightly more than the number of code vulnerability attacks (240 incidents).
It’s worth noting that CertiK believes this number may still be underestimated. A large number of phishing and scams targeting individual users go unreported, especially social engineering attacks with smaller losses or those occurring off-chain.
The report emphasizes that the widespread adoption of artificial intelligence is significantly lowering the technical barrier to phishing attacks. Attackers are beginning to leverage AI to generate highly realistic phishing websites, wallet pop-ups, and multilingual fraudulent messages, combining them with on-chain data and social media content for “precision targeting.” Traditional defenses relying on grammatical errors or template features for identification are gradually becoming ineffective.
With clearer regulation, security is shifting from a “cost item” to “infrastructure.”
While risks are rising, the report also notes positive changes in the global regulatory environment. Legislative progress in the United States regarding the transparency of stablecoins and digital assets is sending clearer policy signals to the industry; the EU’s MiCA framework, and the regulatory sandboxes in Singapore and Hong Kong, are also pushing Web3 towards a more standardized development stage.
The CertiK report points out that as institutional and compliant funding continue to enter the market, security capabilities are shifting from “post-incident remediation” to becoming an infrastructure element in project design and operation. For both project owners and individual users, security is no longer an option, but a critical variable affecting long-term viability.
The report concludes by noting that AI-driven spoofing attacks, increasingly sophisticated supply chain intrusions, and social engineering attacks targeting individual users will continue to evolve in the coming year. Against this backdrop, projects that embed security into their architecture, development processes, and user experience will be the ones to succeed in the next round of Web3 competition.
Full report: https://indd.adobe.com/view/6935ac85-c644-4048-9e27-1d310549aa0a