Web3 Security Nightmare: $302M Vaporized in May—CertiK Sounds the Alarm

Author: Cryptonews
Published: 2025-06-02 19:12:18

Another month, another crypto bloodbath. CertiK’s latest report reveals Web3’s gaping security flaws—$302 million siphoned by hacks, scams, and exploits in May alone. Forget ‘decentralized finance’—right now, it’s more like ‘decentralized theft.’

Attack vectors? Pick your poison: flash loan exploits, rug pulls, or good old-fashioned contract vulnerabilities. The ‘code is law’ crowd forgot to mention how often that law gets broken.

Meanwhile, traditional finance cronies are probably sipping champagne—nothing makes bankers happier than crypto’s self-inflicted wounds. The irony? This hemorrhage happens while institutions keep chanting ‘blockchain, not Bitcoin.’

Wake-up call: Until Web3 projects start treating security like something other than an afterthought, these numbers will keep climbing. Next stop—half a billion in losses? Place your bets.

🚨

Combining all the incidents in May we’ve confirmed ~$140.1M lost to exploits, hacks and scams after ~$162m was frozen.

~$8.5M of the total is attributed to phishing.

More details below 👇 pic.twitter.com/LTE6axKeGi

— CertiK Alert (@CertiKAlert) June 2, 2025

CertiK Senior Blockchain Security Researcher Natalie Newson emphasized the gravity of this spike, noting that although losses from code vulnerabilities had been declining in recent years, from $1.35 billion in 2021 to $173 million in 2024, May’s figure shows an urgent need for heightened code auditing and formal verification processes.

Newson stresses that the rise shows how even mature areas of the space must remain vigilant, employing both human and AI-driven security protocols.

Phishing and DeFi-Related Incidents Dominate Web3

Phishing scams, which had accounted for a large portion of April’s losses, saw a steep drop. In May, phishing-related incidents totaled $47.6 million—an 85% decrease from April’s $337 million.

Despite the decline, phishing remained the second-most costly attack vector after code vulnerabilities, followed by private key compromises ($11.6 million) and price manipulation attacks ($1 million).

DeFi platforms remained the most-targeted sector, experiencing losses of over $241 million in May. This reflects a broader trend of DeFi being a prime target for hackers due to its open-source nature and large pools of capital.

Social engineering scams accounted for $35.5 million in losses, while exchanges and wallet drainers accounted for $11.1 million and $8.5 million in losses, respectively.

Cetus Hack Among the Month’s Major Incidents

Among the nine major incidents identified in May, the most devastating was the attack on Cetus, which resulted in $225.6 million in stolen assets.

Other breaches included Cork Protocol ($11.9 million), BitoPro ($11.1 million), Mobius DAO ($2.1 million), and Demex Nitron ($950,599).

CertiK’s latest report is a stark reminder of the persistent and evolving threats within the Web3 ecosystem. As attackers refine their strategies, so too must the security measures designed to defend against them.

Hacks and Scams in April Due to Phishing and Social Engineering

Phishing accounted for the lion’s share of April’s losses, approximately $337 million. The standout case was the theft from an elderly U.S. investor, where the attacker used highly advanced social engineering tactics to deceive the victim and gain access to their Bitcoin wallet.

According to CertiK, this event marks a new wave of cybercrime, where criminals bypass code and blockchain infrastructure entirely, opting instead to exploit human behavior.

Social engineering, a tactic that manipulates people into revealing confidential information, has become one of the most effective strategies for crypto criminals.

These attacks are particularly insidious because they often appear legitimate, tricking even experienced investors.
