CertiK Reports $302 Million Lost to Web3 Fraud, Cyberattacks, and Exploits in May
Blockchain security company CertiK has published its Security Report for May 2025, indicating that more than $302 million was lost in the Web3 space due to scams, hacks, and exploits.
Although the total losses represented a 16.94% decline from April’s $364 million, one attack vector—code vulnerability—experienced a significant increase.
In May, $229.6 million was lost as a result of coding flaws, marking a staggering 4,483% rise from April’s $5 million. This category of vulnerability emerged as the leading contributor to incident losses, representing the bulk of the stolen assets.
#CertiKStatsAlert
After consolidating all incidents in May, we’ve confirmed approximately $140.1M lost to exploits, hacks, and scams following around $162m being frozen.
Approximately $8.5M of the total is linked to phishing.
Further details below pic.twitter.com/LTE6axKeGi
— CertiK Alert (@CertiKAlert) June 2, 2025
CertiK Senior Blockchain Security Researcher Natalie Newson highlighted the seriousness of this increase. She pointed out that losses from code vulnerabilities had been on a downward trend in recent years, decreasing from $1.35 billion in 2021 to $173 million in 2024, and that the figure for May underscores an urgent need for enhanced code auditing and formal verification processes.
Newson emphasizes that this rise indicates that even well-established areas of the industry must stay alert, utilizing both human and AI-driven security measures.
Phishing and DeFi-Related Incidents Lead in Web3
Phishing scams, which constituted a significant portion of April’s losses, experienced a sharp decline. In May, phishing-related incidents amounted to $47.6 million—an 85% reduction from April’s $337 million.
Despite the decrease, phishing remained the second-most expensive attack vector following code vulnerabilities, with private key compromises ($11.6 million) and price manipulation attacks ($1 million) trailing behind.
DeFi platforms continued to be the most targeted sector, suffering losses exceeding $241 million in May. This trend reflects the ongoing vulnerability of DeFi to hackers, attributed to its open-source nature and substantial capital reserves.
Social engineering scams resulted in $35.5 million in losses, while exchanges and wallet drainers incurred losses of $11.1 million and $8.5 million, respectively.
Cetus Hack Among the Month’s Significant Incidents
Among the nine major incidents recorded in May, the most severe was the attack on Cetus, which led to $225.6 million in stolen assets.
Other breaches included Cork Protocol ($11.9 million), BittoPro ($11.1 million), Mobius DAO ($2.1 million), and Demex Nitron ($950,599).
CertiK’s recent report serves as a stark reminder of the ongoing and evolving threats within the Web3 ecosystem. As attackers refine their methods, security measures must also adapt to counter these challenges.
Hacks and Scams in April Driven by Phishing and Social Engineering
Phishing was responsible for the majority of April’s losses, totaling approximately $337 million. A notable case involved the theft from an elderly U.S. investor, where the perpetrator employed sophisticated social engineering techniques to mislead the victim and gain access to their Bitcoin wallet.
According to CertiK, this incident signifies a new phase of cybercrime, where criminals circumvent code and blockchain infrastructure entirely, opting instead to manipulate human behavior.
Social engineering, a method that manipulates individuals into disclosing confidential information, has emerged as one of the most effective tactics for crypto criminals.
These attacks are particularly deceptive as they often seem legitimate, misleading even seasoned investors.
The post CertiK Says $302M Lost to Web3 Scams, Hacks, and Exploits in May appeared first on Cryptonews.
