A new industry report released this week shows that human-targeted attacks – rather than technical vulnerabilities – are responsible for the majority of Web3 losses, despite record levels of security spending across the sector.
The report, The Human Factor: Why Real-Time Protection Is the Missing Layer in Web3 Security, published by security firm Kerberus, estimates that more than $3.1 billion was stolen through hacks and scams between January and June 2025. Of that, over $600 million came from phishing, wallet compromise and social engineering incidents that targeted users directly rather than exploiting blockchain code.
The figures include the $1.46 billion Bybit exchange breach, the largest crypto heist to date. Kerberus notes that even when excluding the Bybit incident as an outlier, human-targeted attacks remain a significant source of losses across the ecosystem.
The report highlights what Kerberus describes as a fundamental resource-allocation failure across the Web3 security sector. According to the company’s analysis, most security spending still flows into tools that operate either before an attack occurs – such as audits and vulnerability testing – or after funds have already been stolen, including forensics and incident response. Kerberus argues that this leaves a critical gap during the short window in which users approve transactions, a moment attackers increasingly exploit because it remains largely undefended. Despite rising losses tied to phishing, wallet drainers, and social engineering, real-time protection still accounts for only a small share of available solutions.
Key findings from the report
According to the research:
44% of crypto thefts stem from private key mismanagement.
60% of wider cybersecurity breaches involve human error.
90% of exploited smart contracts had passed security audits before being attacked.
Phishing click-through rates remain between 7–15%, even after security training.
The report suggests that these patterns continue because most Web3 security spending is directed toward code auditing and post-incident analysis, while attackers increasingly focus on manipulating users during wallet interactions.
Kerberus’ leadership team notes that the majority of existing tools function entirely outside the transaction window. These systems play an important role in keeping code safe and analysing breaches, but they don’t interpret user intent or scan live transactions at the wallet level. Kerberus points out that delivering this type of protection requires sophisticated real-time detection infrastructure capable of running deep scans in under a second without disrupting the user experience — a technically demanding challenge that explains why only a small minority of providers currently offer true real-time defences.
Real-time protection remains limited
Kerberus reviewed 61 active Web3 security providers and found that:
87% operate preventatively focusing on audits or post-incident forensics
Only 13% provide real-time, transaction-level defences that can block malicious actions before approval.
The report states that this distribution helps explain why losses remain high even as the number of “real-time” solutions increases: many providers market real-time features, but few deliver transaction blocking at the wallet level.
Examples cited in the report
One case highlighted involves an American investor who lost $330 million in Bitcoin after being manipulated in a phone-based social engineering attack, despite keeping funds secure for years. Another section points to compromised websites, hacked social media accounts, and manipulated Discord servers as growing channels for wallet-draining schemes.
Implications for the sector
The authors argue that the current model – where users are expected to independently evaluate risks, verify links, and recognise phishing attempts- creates predictable failure points. Frequent security prompts, they note, can lead to “alert fatigue,” making users more likely to approve malicious transactions.
The report concludes that wider adoption of real-time, automated transaction screening is crucial to reduce losses and support mainstream use of Web3 platforms.
