In a revealing analysis of security threats, CertiK's Hack3d Report highlights that wallet compromises emerged as the most expensive attack method, with losses amounting to $1,450,841,763 across three major incidents. Ethereum topped the list with the highest number of security breaches, totaling 98 attacks and cumulative losses of $1,540,843,886. Notably, less than 0.4% of the stolen funds were ever returned to the affected customers.
On April 1, in New York, CertiK, a key player in blockchain security, unveiled its Q1 2025 Hack3d Report, offering a detailed breakdown of Web3 security breaches for the quarter. The report uncovered that in the first three months of 2025, over $1.67 billion was stolen across 197 incidents — a dramatic rise of 303.38% in value lost compared to the prior quarter, chiefly due to a significant breach at Bybit. Industry-wide, the average loss per event stood at $9,549,339, with a median loss of $66,303. The total amount returned was $6,390,698, leading to adjusted losses of $1,662,600,186—again underscoring that less than 0.4% of stolen amounts were recovered.
"The increasing sophistication of hacker techniques highlights the pressing need for blockchain entities to enhance their security strategies," stated CertiK Co-Founder Ronghui Gu. Referring to the Bybit breach as a crucial wake-up call, he emphasized that security must transition from being seen merely as a competitive advantage to being embraced as a collective duty.
Significantly, the Bybit security breach was the most severe, with a loss of $1,447,063,421 in cryptocurrency, followed by Phemex with $71,714,297.40, 0xInfini at $49,514,632.79, and MIM Spell at $12,906,772.04. Wallet compromise-led losses, followed closely by private key compromises resulting in $142,364,595 of losses over 15 incidents, code vulnerabilities costing $47,094,480 over 68 incidents, and phishing attacks accounting for $15,791,127 in 81 incidents.
Gu further stressed the necessity for a comprehensive security approach, advocating for robust code audits, continuous monitoring, incident response strategies, vulnerability assessments, and employee training as essential components.
Ethereum witnessed the most frequent attacks with 98 incidents leading to $1,540,843,886 in theft, followed by BSC with losses of $6,233,662 over 52 incidents, Arbitrum with $4,534,494 across 8 encounters, and a notable single incident on Tron resulting in $3,188,021 in losses.
Since its inception in Q1 2022, CertiK’s Hack3d Report has become an authoritative source for understanding security-related challenges and vulnerabilities in the Web3 domain.
Top 10 Incidents in Q1
- Bybit: $1,447,063,421.00
- Phemex: $71,714,297.40
- 0xInfini: $49,514,632.79
- MIM Spell: $12,906,772.04
- zklend: $9,572,151.00
- Ionic: $8,618,418.67
- Zoth: $8,450,252.68
- Noones: $7,714,872.62
- Wemix: $5,950,000.00
- 1inch Resolver: $5,300,000.00
Incidents by Attack Vectors
- Wallet Compromise: $1,450,841,763, 3 incidents
- Private Key Compromise: $142,364,595, 15 incidents
- Code Vulnerability: $47,094,480, 68 incidents
- Phishing: $15,791,127, 81 incidents
- Access Control: $6,244,775, 11 incidents
- Exit Scam: $1,313,193, 7 incidents
- Price Manipulation: $548,211, 8 incidents
Incidents by Chain
- Ethereum: $1,540,843,886, 98 incidents
- Multiple Chains: $83,689,150, 7 incidents
- BSC: $6,233,662, 52 incidents
- Arbitrum: $4,534,494, 8 incidents
- Tron: $3,188,021, 1 incident
- Solana: $2,447,246, 6 incidents
- Polygon: $1,134,392, 2 incidents
