According to CertiK, the total losses from Web3 security incidents in 2025 reached about $3.35 billion, underscoring a broad risk landscape. The report shows that supply chain attacks accounted for roughly $1.45 billion, nearly half of the annual total and signaling the year’s most destructive risk vector. The data highlights how exposure extends beyond individual protocols to ecosystems of third-party providers and tooling, elevating systemic risk in Web3 security.

One emblematic case is the February Bybit incident, where the adversary did not breach the trading platform directly. Instead, they implanted malicious code through a third-party multi-signature wallet service provider’s developer environment, circumventing approvals and enabling losses near $1.4 billion. The attack pattern shows threat actors shifting toward core service providers and underlying tools, reinforcing the imperative for robust supply chain protections within Web3 security ecosystems.