CertiK’s May Web3 Security Alert: $302 Million Lost to Scams, Hacks, and Exploits
  • Dan Yoo
  • Approved 2025.06.03 01:30

- The report revealed that code vulnerabilities were the most common attack type, with $229,667,183 stolen, a 4483% increase from April’s $5,010,396.

- Phishing incidents saw a significant decrease, with $47,625,000 lost in May, down from April’s $337,376,967.

 

New York, June 2, 2025 – CertiK, the world’s largest blockchain security firm, released its May Security Report today, providing an in-depth analysis of on-chain Web3 security incidents over the past month. The report revealed a total of more than $302 million in funds stolen across at least nine major security incidents in May—a 16.94% decrease compared to the $364 million lost in April.

The report’s findings highlight a significant surge in losses due to code vulnerabilities. In May, these vulnerabilities accounted for losses totaling $229,667,183, marking an astonishing 4483.83% increase from the $5,010,396 recorded in April. Senior Blockchain Security Researcher Natalie Newson commented on the anomaly: “Our research revealed an interesting trend in May—losses from code vulnerabilities surged, representing the majority of the exploited funds. Although the overall losses from code vulnerabilities have decreased over recent years—from $1.35 billion in 2021 to $173 million in 2024—the current figures serve as a stark reminder of the pressing need for robust Web3 security measures. Formal verification, continuous monitoring, and comprehensive human and AI audits are essential to safeguarding user assets and ensuring the long-term integrity of the Web3 ecosystem.”

Phishing incidents, another key area of concern, saw a sharp decline in losses. In May, phishing attacks resulted in $47,625,000 in losses, a significant drop compared to the $337,376,967 lost in April. Other notable categories of incident losses include Private Key Compromise, with $11,653,319, and Price Manipulation, which accounted for $1,050,321.

The report further breaks down the losses by incident type. DeFi remained the top type of incident, with losses totaling $241,293,960. Social Engineering followed, accounting for $35,555,220, while Exchange-related incidents and Wallet Drainer attacks resulted in losses of $11,171,840 and $8,582,121, respectively. Lesser-known categories also appeared: Address Poisoning accounted for losses of $3,487,658, and Token Dump incidents for $266,256.

CertiK’s May Security Report also details several major incidents by name. The Cetus incident led with a staggering loss of $225,680,719, followed by Cork Protocol at $11,961,229, and BitoPro with losses of $11,171,840. Other significant incidents included Mobius DAO with losses of $2,157,126 and Demex Nitron, which saw $950,599 lost.

Today’s report clearly underscores the evolving nature of security threats in the Web3 space. While there has been progress in reducing certain types of losses compared to previous years, the dramatic spike in code vulnerability losses indicates areas in need of enhanced protective measures. As the Web3 ecosystem continues to expand, the insights from CertiK’s report serve as a crucial call to action for stakeholders to invest in advanced security measures and safeguard digital assets more effectively.



  • Masthead: Korea IT Times. Copyright(C) Korea IT Times, All rights reserved.