CertiK has released the Hack3D: The Skynet Web3 Security Report for 2025, a data-driven examination of Web3 security trends, key vulnerabilities, as well as threat intelligence across the Web3 space. CertiK’s Skynet Hack3D reports offer deep dives into the different exploits and major trends that shape blockchain and smart contract security. They’re said to be purpose-built for professional security teams, dapp developers, and investors who require clear visibility into various security risks, active hacks, as well as other challenges impacting Web3 technologies.
As noted in the CertiK report, the Web3 ecosystem in 2025 entered a period of renewed activity, driven by a “combination of favorable macroeconomic conditions, improving market sentiment, and a markedly more crypto-friendly political climate in the United States.”
The new U.S. Administration signaled early that digital assets “would be treated as a strategic innovation sector rather than a regulatory outlier, restoring confidence among builders and investors.”
As liquidity returned to decentralized finance and tokenization pilots expanded for real-world assets (RWAs) like “real estate,, decentralized applications broadened their reach into payments, gaming, tokenized assets, and identity, demonstrating crypto’s utility in everyday activities.”
This resurgence in growth, however, was matched by an “equally active threat landscape as adversaries refined both technical and social engineering tactics, targeting private key management, authentication flows, and access control in high-value targets across Ethereum and other chains.”
Year-over-year comparisons between 2025 and 2024 illustrate “the shifting nature of risk.”
Total losses in 2025 amounted to “$3,352,850,816, versus $2,446,285,251 in 2024, representing an approximate 37.06% increase.”
However, when isolating the impact of the Bybit incident, which accounted for a disproportionately “large share of annual losses at $1,447,063,421, the industry would have actually recorded a net decrease in funds stolen compared to 2024.”
This underscores a dominant Web3 security trend: attackers “are concentrating resources into fewer, larger-scale operations that often involve cross-chain infrastructure, automation, and sophisticated algorithms.”
The Bybit exploit signals that well-capitalized, “well-coordinated threat actors are becoming more active across the ecosystem.”
The average amount lost per hack in 2025 was “$5,321,935 (a 66.64% increase from the previous year), and the median amount stolen was $103,996 (a 35.75% year-over-year decrease).”
This widening gap reflects the scalability of “attacker operations and uneven user experience and security measures across projects.”
Some other keg highlights:
- February was the most costly month of the year, with $1,537,106,876 lost across 58 incidents, the majority of which was due to the Bybit incident.
- Heightened cybersecurity posture and on-chain monitoring in subsequent months helped reduce blast radius.
- Q1 of 2025 saw the most losses, with $1,671,644,949 stolen in 200 hacks, scams, and exploits. The subsequent quarter saw an approximate 52% decline in the amount stolen, suggesting adaptive defenses and improved frameworks for incident response.
- Supply Chain was the most costly attack vector in 2025, with $1,450,914,902 lost across 2 incidents.
- This represents almost half of the total amount stolen during the year. Compromises often touched blockchain-based dependencies, CI/CD, and wallet integrations.
- Phishing compromises followed, with $722,885,398 stolen across 248 incidents. Phishing was the attack vector with the highest number of incidents in 2025, slightly above Code Vulnerabilities at 240 incidents.
- Authentication hardening and access control remain critical, especially for dapps with real-time permissions.
- Ethereum experienced the highest number of security incidents, with a total of 310 hacks, scams, and exploits leading to $1,697,833,313 in losses.
- This resulted in an average of $5,785,179 stolen per incident. As the largest Web3 ecosystem, Ethereum continues to be a prime target for hackers.
- Hackers also heavily targeted Bitcoin with $528,221,350 stolen across 22 incidents.
Although not smart-contract-centric, “price manipulation and infrastructure compromises also affected cryptocurrency services in 2025.”
The report concluded that security breaches affecting multiple chains have now reportedly accounted for “$460,769,793 in losses across 29 incidents.”