CertiK Says $302M Lost to Web3 Scams, Hacks, and Exploits in May

Blockchain security firm CertiK has released its May 2025 Security Report, revealing that over $302 million was lost across Web3 through scams, hacks, and exploits.

While the overall losses marked a 16.94% decrease from April’s $364 million, one attack vector—code vulnerability—saw a dramatic surge.

In May alone, $229.6 million was lost due to flawed code, a 4,483% increase from April’s $5 million. This vulnerability category became the top incident loss contributor, accounting for the majority of stolen funds.

#CertiKStatsAlert

Combining all the incidents in May we’ve confirmed ~$140.1M lost to exploits, hacks and scams after ~$162m was frozen.

~$8.5M of the total is attributed to phishing.

More details below pic.twitter.com/LTE6axKeGi

CertiK Senior Blockchain Security Researcher Natalie Newson emphasized the gravity of this spike, noting that although losses from code vulnerabilities had been declining in recent years, from $1.35 billion in 2021 to $173 million in 2024, May’s figure shows an urgent need for heightened code auditing and formal verification processes.

Newson stresses that the rise shows how even mature areas of the space must remain vigilant, employing both human and AI-driven security protocols.

Phishing scams, which had accounted for a large portion of April’s losses, saw a steep drop. In May, phishing-related incidents totaled $47.6 million—an 85% decrease from April’s $337 million.

Despite the decline, phishing remained the second-most costly attack vector after code vulnerabilities, followed by private key compromises ($11.6 million) and price manipulation attacks ($1 million).

DeFi platforms remained the most-targeted sector, experiencing losses of over $241 million in May. This reflects a broader trend of DeFi being a prime target for hackers due to its open-source nature and large pools of capital.

Social engineering scams accounted for $35.5 million in losses, while exchanges and wallet drainers lost $11.1 million and $8.5 million, respectively.

Among the nine major incidents identified in May, the most devastating was the attack on Cetus, which resulted in $225.6 million in stolen assets.

Other breaches included Cork Protocol ($11.9 million), BittoPro ($11.1 million), Mobius DAO ($2.1 million), and Demex Nitron ($950,599).

CertiK’s latest report is a stark reminder of the persistent and evolving threats within the Web3 ecosystem. As attackers refine their strategies, so too must the security measures designed to defend against them.

Phishing accounted for the lion’s share of April’s losses, approximately $337 million. The standout case was the theft from an elderly U.S. investor, where the attacker used highly advanced social engineering tactics to deceive the victim and gain access to their Bitcoin wallet.

According to CertiK, this event marks a new wave of cybercrime, where criminals bypass code and blockchain infrastructure entirely, opting instead to exploit human behavior.

Social engineering, a tactic that manipulates people into revealing confidential information, has become one of the most effective strategies for crypto criminals.

These attacks are particularly insidious because they often appear legitimate, tricking even experienced investors.

The post CertiK Says $302M Lost to Web3 Scams, Hacks, and Exploits in May appeared first on Cryptonews.