Disclosure: The views and opinions expressed herein belong solely to the authors and do not represent the views and opinions of crypto.news editorials.
According to Hacken’s 2025 H1 Security Report, the Web3 industry lost more than $3.1 billion to hacks, fraud, and exploits in the first half of 2025 alone. Phishing and social engineering attacks resulted in nearly $600 million (almost $1 in every five) being stolen.
Summary
- In August 2025 alone, $12.7 million was stolen from Web3 users through fraud, far more than any high-profile hack, yet the industry still dismisses it as “user error.”
- TradFi protects consumers with fraud monitoring, warnings, and refunds. Web3 leaves victims with a bill.
- Wallet-level safeguards, real-time detection, and automated protection should be standard, not optional.
- Treating phishing as a financial fraud, supported by safety nets like insurance, is the only way to get mass retailers and institutions to participate.
And the problem is not slowing down. In August 2025 alone, over $12.7 million was stolen from Web3 users through phishing scams. This was done through simple deception rather than complex exploitation. Fake links, spoofed sites, and malicious dApps continue to outsmart users' defenses.
Nevertheless, the industry is still focusing its attention on other areas. While high-profile protocol hacks dominate the headlines, phishing, which accounts for nearly a fifth of all losses, has quietly become the norm. That is the biggest risk that no one wants to take responsibility for. There is a hard truth here. Phishing is not a side issue. Until we stop ignoring it as “user error” and start treating it like financial fraud, we are actively sabotaging our own future.
Phishing is an infrastructure failure, not a user problem
In traditional finance, fraud protection is built into the infrastructure. Banks automatically monitor for unusual behavior, put holds on suspicious transactions, and protect customers with real-time alerts by default. If something goes wrong, there is a process: the fraud department investigates, insurance applies, and the consumer often receives a refund.
In the United States, Regulation E guarantees that consumers will not be held liable for fraudulent electronic transfers if they are promptly reported. Even the peer-to-peer payments platform Zelle is under pressure from regulators and banks to refund money to fraud victims.
The point is, users don’t care whether their bank has a perfect security system; they care about never being left with the bill. Insurance that pays out almost instantly and no questions asked is a real safety net. Security makes that possible, but it’s insurance that allows people to trust the system.
In contrast, Web3 requires users to take care of themselves. If you click on the wrong link and sign a malicious transaction, the industry shrugs its shoulders. It’s your fault. This way of thinking is unfair and unsustainable. If multi-million dollar frauds occur every day, it’s not luck, it’s because our infrastructure is broken. Retail users do not need to be cybersecurity experts just to participate in the financial system. All they need to know is that the system is on their side.
The industry’s obsession with postmortems
Web3 security discussions are backward-looking. Smart contract audits, incident reports, and “never again” statements dominate the discussion, but only after the damage has been done. An audit cannot stop a phishing email. A postmortem does not protect your wallet. Real-time preventive measures are lacking.
What is needed is a system that monitors transactions as they occur, analyzes behavior in real time, and automatically protects users at the wallet level. These tools exist in a variety of forms, including transaction intent previews, malicious contract warnings, and wallet-level safeguards, but adoption remains fragmented and protections remain optional rather than standard.
The industry needs to make these safeguards invisible, automated, and universal.
Why phishing is destroying adoption
It’s tempting to think that phishing primarily affects uninformed retail users. But that mindset is what holds Web3 back.
Individual users are understandably hesitant to participate in a system where one wrong click can wipe out their funds. Financial institutions will not commit capital to markets that do not meet basic fraud standards. Even major exchanges and custodians cite security risks as a barrier to entry for institutional investors.
Phishing isn’t just a security issue; it’s also a deployment bottleneck. If we ignore it, the future of our ecosystem will be compromised.
TradFi provides the model; Web3 should lead
Traditional finance isn’t perfect, but it understands that fraud is a systemic threat. Suspicious transactions are flagged, users are automatically notified, and an investigation and refund process is in place. These are standard expectations, not optional features.
The frustrating part is that Web3 actually has better tools. We have programmable infrastructure. We have full transparency on-chain. We have the ability to embed real-time analytics into the core of our systems.
Despite this, the industry still lags behind rather than leading the traditional financial industry.
Treating phishing as financial fraud is a matter of survival
The dividing line between mainstream adoption and continued stagnation is a matter of trust, not blockchain speed. Users do not feel safe at this time.
Until phishing is treated as financial fraud, the losses will continue. Real-time detection must be built into the transaction layer. Wallet security should be proactive, not reactive. Users must know that the system itself protects them.
Preventing fraud is not the end goal; a fearless user experience is. Security is an enabler, but insurance is a promise. It is a guarantee that no matter what happens, the user will not be ruined. That is the basis of adoption.
The way forward
Auditing, education, and user blaming alone will not solve this problem. We must design our way out of it. Fraud detection and protection must be built directly into the infrastructure. These systems must work automatically behind the scenes, without demanding the user's attention. After all, bank customers don’t need to read any code to confirm a transaction. Web3 users shouldn’t have to either.
The question that will determine the future of Web3 is simple. Do users believe their funds are safe? For now, the answer is no. Phishing is a headline, not a footnote. It’s time for the industry to treat it as such.
Alex Katz
Alex Katz is the CEO of Kerberus. Alex brings operational discipline from years of experience leading global marketing initiatives and scaling international teams. His background in financial markets and digital growth will influence Kerberus’ strategic development, ensuring its security solutions meet corporate standards while being accessible to individual users.