The Web3 ecosystem, built on the promise of decentralized technologies, continues to face significant security challenges as it grows into a cornerstone of global finance, according to CertiK, a blockchain security firm, which has released its Hack3d report.
The Web3 Security Quarterly Report for Q2 + H1 2025 aims to shed light on the escalating threats in the space. CertiK’s co-founder, Professor Ronghui Gu, delivered a keynote speech at the HKU Business School, emphasizing the balance between innovation and security in Web3.
According to CertiK’s Hack3d report, the first half of 2025 was marked by staggering financial losses, with $2.47 billion stolen across Web3 platforms, $801 million of which occurred in Q2 alone. The hacks represent a significant increase in the scale of attacks compared to previous periods, with Q1 2025 already reporting $1.67 billion lost across 197 incidents, largely driven by the historic Bybit exploit.
The report highlights phishing and wallet compromises as the dominant attack vectors, underscoring the persistent vulnerabilities in user-facing systems.
Ethereum remains the primary target, with 83 incidents in Q2 2024 alone causing $170 million in losses, a trend that has continued into 2025.
Despite some recoveries—$99 million in Q2 2024—the rising sophistication of attacks, including social engineering tactics by groups like the North Korean Lazarus Group, demands urgent attention.
The report also highlights certain developments deemed to be postivie for regulation.
The US government’s establishment of a Strategic Cryptocurrency Reserve and the SEC’s Crypto Task Force signal a shift toward clearer, innovation-friendly regulations.
These initiatives aim to strike a balance between security and growth, addressing the lack of universal standards in Web3 software development, which CertiK identifies as a root cause of many exploits.
According to the report, copy-paste forks of code without proper audits continue to result in consistent losses. CertiK’s analysis suggests that adopting standardized security frameworks could significantly reduce vulnerabilities, particularly as major financial institutions integrate blockchain technologies.
Gu’s speech reinforced these findings, emphasizing the symbiotic relationship between innovation and security.
He highlighted CertiK’s role in setting industry benchmarks through services like smart contract audits, Skynet on-chain monitoring, and anti-money laundering (AML) solutions.
Gu stressed that compliance is not merely a regulatory hurdle but a cornerstone for Web3’s mainstream adoption.
Gu’s speech also reflected on CertiK’s journey since its founding in 2018, from a Manhattan apartment to a global leader holding over 60% of the Web3 security market share by 2021.
He cited the 2023 Merlin exploit, where $2 million was lost shortly after launch, as a pivotal moment that underscored the need for robust security measures.
CertiK’s response—enhancing audit processes and developing tools like Skynet Quest for user education—demonstrates its commitment to proactive defense.
With the first half of 2025 now behind us, both the Hack3d report and Gu’s keynote offer a roadmap for Web3’s sustainable growth.
Collaboration between developers, regulators, and security firms is essential to address the 303% quarter-over-quarter increase in losses seen in Q1 2025.
CertiK’s tools, such as real-time threat monitoring and compliance consulting, are designed to fortify projects against phishing and private key compromises, which accounted for $433 million and $170 million in Q2 2024 losses, respectively.
As blockchain’s market value approaches $2.95 trillion, the industry must prioritize security to maintain trust and stability.
By combining technology with policy advocacy, CertiK and other stakeholders aim to create an ecosystem where innovation thrives without compromising safety, thereby ensuring that Web3’s potential is realized responsibly.