Web3 Security Report Reveals Human Error Drives 44% of Crypto Losses in 2025

A comprehensive Web3 security report published on November 16, 2025, has laid bare an uncomfortable truth for the cryptocurrency industry: despite record spending on smart contract audits and monitoring systems, human behavior remains the primary attack vector. The research from Kerberus, presented at Devconnect Buenos Aires, reveals that 44 percent of all crypto thefts stem from private key mismanagement, while broader cybersecurity data shows 60 percent of breaches involve human error. With Bitcoin trading at approximately $94,177 and Ethereum near $3,093 on the same day, the stakes for improving user-side security have never been higher.

The Threat Landscape

The numbers paint a stark picture. In the first half of 2025 alone, investors lost more than $3.1 billion to hacks and scams, a figure that exceeds all of 2024 combined. This total includes the Bybit exchange compromise worth $1.46 billion, the single largest crypto heist in history. Even excluding that outlier, phishing and social engineering attacks accounted for $600 million in losses, representing 37 percent of the remaining total. These human-targeted attacks scale with user growth, bypass technical controls entirely, and consistently produce losses that prevention-focused security models fail to stop.

Perhaps most damning is the finding that 90 percent of hacked smart contracts had previously passed security audits. Over $17 billion has been drained from audited protocols to date. The message is clear: protocol-level security, while necessary, is insufficient to protect users from attacks that target them directly at the transaction level.

Core Principles

The report identifies several fundamental security principles that the industry has been overlooking. First, training alone does not work. Phishing click rates remain between 7 and 15 percent even after rigorous security training programs, and rates among everyday users are likely much higher. Users face constant decision-making pressure: verifying URLs, checking contract addresses, reviewing transaction details, approving token permissions, and interpreting technical warnings. This repeated decision-making creates cognitive overload, and the brain responds by defaulting to the easiest option, which in security contexts means clicking approve or ignoring warnings.

Second, the industry has fundamentally misallocated its security investments. Billions have been spent on code integrity tools like smart contract audits, bug bounties, and blockchain monitoring. These verify well-known vulnerability patterns in code and overall technical quality, but they operate outside the window where users actually lose funds. Traditional finance provides a useful contrast: banks detect fraud automatically and protect consumers by default. Credit card companies do not educate users about how to spot fraudulent charges; they block suspicious transactions in real time.

Tooling and Setup

The report highlights a critical gap in the security tooling landscape: only 13 percent of Web3 security providers offer real-time transaction-level protection that can block malicious transactions before they execute. The vast majority focus on preventative measures like audits and post-transaction monitoring. Real-time solutions that actively scan transactions at the wallet level, interpreting behavioral signals and analyzing transaction intent, represent the minority approach. Yet the data suggests these tools show strong effectiveness, with high-quality real-time protection solutions demonstrating 99.9 percent detection rates and zero user losses since 2023.

For individual users, the report recommends a layered security approach. Hardware wallets remain essential for large holdings. Multi-signature setups add an additional approval layer. But critically, users should also deploy browser extensions or wallet integrations that provide real-time transaction scanning. The goal is to reduce the cognitive burden on users by automating threat detection at the moment of transaction approval.
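To make concrete what "real-time transaction scanning at the wallet level" means in practice, here is an added example (not code from the Kerberus report or from any vendor's product): a pre-signature check that decodes the calldata a user is about to approve and flags the two permission patterns that wallet drainers rely on, unlimited ERC-20 allowances and blanket NFT operator approvals granted to unknown addresses. The `ctx.trusted` allowlist, the sample addresses and the block/warn thresholds are assumptions; the three function selectors are the standard ERC-20/ERC-721 values.

```javascript
// Added example, not code from the Kerberus report or any wallet vendor:
// a minimal pre-signature check of the kind a wallet integration could run
// at the moment of approval, so the user is not the only line of defence.
// Selectors are the first 4 bytes of keccak256(signature); these are the
// standard ERC-20 / ERC-721 values.
const SELECTORS = {
  "095ea7b3": "approve",           // approve(address,uint256)
  "a22cb431": "setApprovalForAll", // setApprovalForAll(address,bool)
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Split ABI-encoded calldata into a known function name and 32-byte words.
function decodeCalldata(data) {
  const hex = (data || "").replace(/^0x/, "");
  const name = SELECTORS[hex.slice(0, 8).toLowerCase()];
  if (!name) return null;
  return { name, words: hex.slice(8).match(/.{64}/g) || [] };
}
const wordToAddress = (w) => "0x" + w.slice(24).toLowerCase(); // last 20 bytes
const wordToBigInt = (w) => BigInt("0x" + w);

// ctx.trusted: lowercase addresses the user deliberately allowlisted (an
// assumed policy input; a real wallet would also consult reputation feeds).
// Returns a verdict of "block", "warn" or "allow" plus readable reasons.
function assessTransaction(tx, ctx) {
  const reasons = [];
  let block = false;
  const call = decodeCalldata(tx.data);
  if (call && call.words.length >= 2) {
    const target = wordToAddress(call.words[0]);
    const arg = wordToBigInt(call.words[1]);
    const trusted = ctx.trusted.has(target);
    if (call.name === "approve" && arg > 0n) {
      if (arg === MAX_UINT256) reasons.push("unlimited ERC-20 allowance requested");
      if (!trusted) reasons.push(`allowance for unknown spender ${target}`);
      block = arg === MAX_UINT256 && !trusted; // the classic drainer approval
    } else if (call.name === "setApprovalForAll" && arg !== 0n && !trusted) {
      reasons.push(`blanket NFT operator approval to unknown ${target}`);
      block = true;
    }
  }
  // Native value to a never-seen address is surfaced but not blocked outright.
  if (BigInt(tx.value || 0) > 0n && !ctx.trusted.has(tx.to.toLowerCase())) {
    reasons.push(`native value sent to unknown address ${tx.to}`);
  }
  return { verdict: block ? "block" : reasons.length ? "warn" : "allow", reasons };
}
```

A wallet extension would run `assessTransaction` on every `eth_sendTransaction` request and refuse to show the signing prompt on a "block" verdict, which removes the approve-or-ignore decision from the user for the highest-risk cases.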

Ongoing Vigilance

The case of the April 2025 Bitcoin theft, where an elderly US investor lost $330 million through pure social engineering with no breach of wallet or code, illustrates how even technically sound setups can be defeated by human manipulation. The attacker gained access through direct manipulation of the victim, exploiting predictable behavioral patterns rather than any technical vulnerability.

Each successful attack discourages multiple potential users from entering the ecosystem. Someone loses funds and tells friends, family, and social media followers to avoid crypto entirely. These warnings compound over time, creating barriers to adoption that grow with each incident. Retail investors hesitate when one mistake can erase their savings, and institutions avoid markets where basic fraud prevention does not exist.

Final Takeaway

The Web3 industry cannot reach mainstream adoption while it treats preventable losses as acceptable user errors. The Kerberus report makes clear that the current model, which places the burden of security on users while providing inadequate real-time protection, is fundamentally broken. The solution is not more education or more audits. It is security that protects people during transactions, not just protocols before deployment. As the industry continues to grow with 820 million active wallets in 2025 and 59 percent now in self-custody, the urgency of this shift cannot be overstated.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before making investment decisions.

13 thoughts on “Web3 Security Report Reveals Human Error Drives 44% of Crypto Losses in 2025”

  1. 90% of hacked contracts were audited. $17B drained from audited protocols. let that sink in next time someone says ‘audited by CertiK’ like it means anything

    1. audit_skeptic CertiK is basically a rubber stamp at this point. pay 50k, get a badge, get exploited 2 weeks later. the incentive structure rewards volume over actual security analysis

    2. 44% from private key mismanagement. 90% of hacked contracts were audited. we keep spending billions on code audits while the real attack vector is the person clicking the phishing link

      1. the industry spends more on audits than actual user-side security tooling. wallet drainers outspend security teams 10:1 and it shows

      2. keysmash $17B drained from audited protocols. when CertiK stamps something as safe and it gets exploited weeks later the audit industry has a credibility crisis

        1. the audit industry shifted from "is this code safe" to "here's a certificate for your investors". incentives are completely misaligned with actual security

    1. 7-15% phishing click rate even AFTER training. you literally cannot train humans out of being human. hardware wallets and transaction simulation are the only real defenses

      1. Nia 7-15% phishing click rate after training. you literally cannot train humans out of being human. hardware wallets plus transaction simulation are the only real defenses

      2. rekt_prevention

        Nia hardware wallets help but phishing now tricks people into signing malicious transactions on the hardware device itself. the attack surface keeps evolving

    2. Chen Wei the unreported number is probably 3x. so many small losses under 10k that people just write off

  2. Bybit at $1.46B was a single Safe{Wallet} UI compromise. one infrastructure dependency drained more than all phishing attacks combined

    1. the Bybit hack proved that a single UI compromise can outdamage thousands of phishing campaigns. infrastructure dependencies are the real systemic risk and nobody is talking about it
