
Increased risk of phishing attacks, as stated by CertiK

In 2024, attackers stole over a billion dollars through 296 phishing schemes, according to an annual report from CertiK.

In 2024, phishing attacks emerged as the most significant and costly threat in the Web3 ecosystem, causing over $1 billion in losses across 296 incidents[1]. Notably, at least three phishing incidents resulted in losses exceeding $100 million each[1].

The May attack on Japanese cryptocurrency exchange DMM Bitcoin was one such incident, resulting in a loss of 4,502 BTC (then worth $320 million)[2]. In December 2024, DMM Bitcoin announced its liquidation[2].

Phishing schemes exploited human psychology through techniques such as social engineering and address poisoning, rather than targeting only code vulnerabilities[3][4]. A prime example is a $71 million wallet poisoning scam in May 2024, in which the scammer surprisingly returned the stolen funds following pressure from investigators worldwide[3].

In another instance, a crypto investor lost over $3 million in a single-click phishing attack that used a near-identical wallet address, exploiting users' tendency to verify only the first and last characters of addresses[4][5].

Phishing attacks targeted multiple sectors, with wallets and DeFi platforms being the dominant cause of losses, alongside malware and smart contract vulnerabilities in protocols such as CoinDCX (which also suffered a $44.2M malware attack in 2025)[1].

Across sectors, the losses spanned Decentralized Finance (DeFi), crypto exchanges, and individual investors[6]. Recurring smart contract exploits combined with phishing contributed to multi-million-dollar losses in DeFi[6]. Huge malware and phishing attacks like CoinDCX’s $44.2 million hack were common in crypto exchanges[6]. High-value phishing scams like the $3 million single-click attack affected individual investors[6].

Phishing attacks continued into early 2025 with at least $410 million lost in 132 incidents in the first half of 2025 alone, overtaking traditional hacks as the top crypto threat[5].

Experts recommend stronger multi-layered security frameworks, including full address verification, regular transaction review, and multi-factor authentication to mitigate these growing phishing threats, especially with the advancement of AI potentially increasing scam sophistication[2][5].
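The full address verification recommended above, and the habit of checking only the first and last characters that the near-identical-address attack relied on, can be shown with a short check. This is an added example, not code from CertiK's report or from any wallet; the function names, the 4-character edge and the sample addresses are assumptions constructed for illustration.

```python
# Added example: all addresses below are constructed, not real wallets.
from typing import List, NamedTuple, Optional

class Verdict(NamedTuple):
    status: str               # "trusted", "lookalike" or "unknown"
    imitates: Optional[str]   # trusted address being imitated, if any
    differing: int            # number of character positions that differ

def _norm(addr: str) -> str:
    # Hex addresses compare case-insensitively; drop the 0x prefix.
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a

def check_destination(dest: str, trusted: List[str], edge: int = 4) -> Verdict:
    """Compare the full destination against every trusted address.

    A destination that shares the first and last `edge` characters with a
    trusted address but differs elsewhere is exactly what a truncated
    display (a1b2...c3d4) cannot distinguish, so it is flagged.
    """
    d = _norm(dest)
    hit = None
    for t in trusted:
        n = _norm(t)
        if d == n:
            return Verdict("trusted", t, 0)  # only a full match is trusted
        if len(d) == len(n) and d[:edge] == n[:edge] and d[-edge:] == n[-edge:]:
            diff = sum(x != y for x, y in zip(d, n))
            if hit is None or diff < hit.differing:
                hit = Verdict("lookalike", t, diff)
    return hit or Verdict("unknown", None, 0)

# Constructed sample data (hypothetical address book entry and lookalike).
SAVED = "0xA1B2" + "0" * 32 + "C3D4"
POISON = "0xa1b2" + "f" * 32 + "c3d4"
OTHER = "0x" + "9" * 40

if __name__ == "__main__":
    for addr in (SAVED.lower(), POISON, OTHER):
        print(addr, check_destination(addr, [SAVED]))
```

A "lookalike" verdict is the case to block or escalate before signing; "unknown" only means the address is not in the saved list.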

Following phishing, the second most significant threat identified by CertiK analysts was private key compromise, leading to over $855 million in losses across 65 incidents[7]. Exploits in the Web3 ecosystem continue to be a concern, with critical code vulnerabilities remaining a significant issue[8].

The 2024 Hack3d Report provides insights into what shaped the year and what's next[1]. The report suggests that phishing tactics are expected to evolve in 2025, potentially incorporating artificial intelligence[1]. The total amount stolen across all incidents in 2024 was $2.36B, marking a 31.61% increase from the previous year[1]. Total Web3-market losses in the past year exceeded $2.9 billion, according to Hacken experts[9].

In summary, phishing dominated Web3 hacks in 2024, causing the largest financial damage predominantly in individual investor wallets, DeFi protocols, and exchanges, amounting to well over $1 billion in stolen value. The trend and losses have persisted into 2025, highlighting crucial ongoing security challenges[2][3][5].

References: [1] The 2024 Hack3d Report [2] CoinDesk [3] Cointelegraph [4] Forbes [5] Chainalysis [6] Decrypt [7] CertiK [8] CoinSpectator [9] Hacken

  1. Despite advances in technology, DeFi platforms, wallets, and crypto exchanges continued to be susceptible to costly phishing attacks in 2025, as demonstrated by the theft of over $410 million in the first half alone.
  2. The Bitcoin lost in the attack on Japanese exchange DMM Bitcoin in 2024 was a stark reminder of the potential financial impact of phishing, with a single incident resulting in a loss of 4,502 BTC, worth approximately $320 million at the time.
