CertiK Annual Security Report: Web3 losses in 2025 increased by 37% year-on-year, with phishing attacks and supply chain incidents being the main threats.


On December 23, the world's largest Web3 security company CertiK released the "2025 Skynet Hack3D Web3 Security Report," which systematically reviews the major security incidents and risk trends in the Web3 field over the past year. The report points out that while the Web3 industry is accelerating its development in a recovering market and under clearer regulatory expectations, security risks have not eased, and the industry still faces systemic security challenges.

The report shows that in 2025 there were a total of 630 security incidents in the Web3 field, resulting in approximately $3.35 billion in losses, a 37% increase over 2024. Although the number of incidents fell by 137 from the previous year, the average loss per attack reached $5.322 million, a staggering 66.6% increase, highlighting the trend of attackers concentrating on high-value targets.

Supply Chain Attacks Drive Up Annual Losses

In terms of attack types, supply chain attacks became the largest source of losses in 2025. Although only two related incidents were recorded throughout the year, their cumulative loss reached $1.45 billion, nearly half of the total annual losses. The Bybit incident in February accounted for the vast majority of that figure.

According to the report, the security incident Bybit experienced in February 2025 caused approximately $1.4 billion in losses and is considered one of the largest cryptocurrency thefts to date. The attackers did not directly breach the exchange's own systems; instead, they compromised the developer environment of a third-party multi-signature wallet service provider and implanted malicious code into the signing process, so that the transaction the signers approved was not the one they believed they were approving, defeating the multi-approval mechanism.

CertiK points out in the report that incidents of this kind show attackers concentrating their resources on key service providers and underlying tooling rather than on any single protocol, which makes supply chain security a systemic risk that can no longer be ignored.

Phishing Attacks Surge, AI Becomes an "Amplifier"

By frequency, phishing remained the most common security threat in 2025. The report records a total of 248 phishing incidents throughout the year, resulting in approximately $723 million in losses, slightly ahead of code-vulnerability exploits (240 incidents) by incident count.

It is worth noting that CertiK believes this figure is likely an undercount. A large number of phishing and scam incidents targeting individual users are never formally disclosed, especially those involving smaller loss amounts or social engineering that takes place off-chain.

The report emphasizes that the proliferation of artificial intelligence is significantly lowering the technical barrier to phishing. Attackers are beginning to use AI to generate highly realistic phishing websites, wallet pop-ups, and multilingual scam messages, and are combining on-chain data with social media content for "precision targeting." Traditional defenses that rely on spotting grammatical errors or known template features are gradually becoming ineffective.

Regulatory Clarity: Security Transitioning from "Cost Item" to "Infrastructure"

While risks are rising, the report also notes that the global regulatory environment is changing for the better. Legislative progress in the U.S. on stablecoins and digital asset transparency is sending clearer policy signals to the industry; the EU's MiCA framework, along with regulatory sandboxes in Singapore and Hong Kong, is also pushing Web3 toward a more regulated phase of development.

CertiK points out in the report that as institutional and compliant capital continues to enter the market, security capabilities are shifting from "post-incident remediation" to a fundamental infrastructure element of project design and operations. For project teams and individual users alike, security is no longer optional but a key variable in long-term survival.

The report concludes with a forecast that in the coming year, AI-driven impersonation attacks, complex supply chain intrusions, and social engineering attacks targeting individual users will continue to evolve. In this context, projects that embed security into their architecture, development processes, and user experience are likely to stand out in the next round of Web3 competition.

Full report: https://indd.adobe.com/view/6935ac85-c644-4048-9e27-1d310549aa0a
