Web3 is losing billions, still calling fraud a ‘user error’

In the first half of 2025 alone, the web3 industry lost over $3.1 billion to hacks, scams, and exploits, according to Hacken’s H1 2025 Security Report. Nearly $600 million (almost one in every five dollars) was drained by phishing and social engineering attacks.

And the problem isn’t slowing down. In August 2025 alone, phishing scams stole more than $12.7 million from web3 users: not through complex exploits, but through simple deception. Fake links, spoofed sites, and malicious dApps continue to outpace user defenses.

Yet despite this, the industry still focuses its attention elsewhere. High-profile protocol hacks dominate headlines, while phishing, responsible for nearly a fifth of all losses, is quietly normalized. It’s the biggest risk no one wants to take responsibility for. Here’s the hard truth: phishing is not a side problem. Until we stop dismissing it as “user error” and start treating it like financial fraud, we are actively sabotaging our own future.

Phishing isn’t a user problem but an infrastructure failure

In traditional finance, fraud prevention is built into the infrastructure. Banks automatically monitor unusual behavior, can place holds on transactions, and often protect the user by default with real-time alerts. If something goes wrong, there’s a process: fraud departments investigate, insurance kicks in, and consumers often receive reimbursement.

In the U.S., Regulation E ensures consumers aren’t liable for unauthorized electronic transfers if reported promptly. Even Zelle, a peer-to-peer payment platform, has come under pressure from regulators and banks to reimburse fraud victims.

Crucially, what users care about isn’t whether their bank has perfect security systems — it’s that they’re never left holding the bill. Insurance, with near-instant reimbursement and no questions asked, is the real safety net. Security enables it, but insurance is what makes people trust the system. 

Web3, by contrast, leaves users to fend for themselves. Click the wrong link, sign a malicious transaction, and the industry shrugs: it’s your fault. This mindset is both unfair and unsustainable. When multi-million-dollar scams occur daily, it’s not luck — it’s broken infrastructure. Retail users shouldn’t need to be cybersecurity experts just to participate in a financial system. They just need to know the system has their back.

The industry’s obsession with “post-mortems”

Web3 security discourse is backward-looking. Smart contract audits, incident reports, and “never again” statements dominate discussions — but only after the damage is done. Audits can’t stop phishing emails. Post-mortems don’t protect wallets. Real-time prevention is missing.

What’s needed are systems that monitor transactions as they happen, analyze behavior in real time, and protect users automatically at the wallet level. These tools exist in various forms — transaction intent previews, malicious contract warnings, wallet-level safeguards — but adoption is fragmented, and protections remain optional rather than standard.

The industry must make these safeguards invisible, automatic, and universal.

Why phishing is killing adoption

It’s tempting to think phishing mostly affects unsophisticated retail users. But that mindset is exactly what’s holding web3 back.

Retail users understandably hesitate to engage in a system where one wrong click can wipe out their funds. Institutions won’t commit capital to markets that can’t meet basic fraud standards. Even large exchanges and custodians cite security risks as a barrier to institutional entry.

Phishing isn’t just a security issue — it’s a bottleneck for adoption. Ignoring it undermines the ecosystem’s future.

TradFi shows the model, web3 should lead

Traditional finance isn’t perfect, but it understands that fraud is a systemic threat. ​​Suspicious transactions are flagged, users are notified automatically, and there are established processes for investigation and reimbursement. These are standard expectations, not optional features.

What’s frustrating is that web3 actually has better tools available. We have programmable infrastructure. We have full transparency on-chain. We have the ability to build real-time analytics into the core of the system.

And yet, despite this, the industry continues to lag behind traditional finance instead of leading the way.

Treating phishing as fraud is existential

The line between mainstream adoption and continued stagnation isn’t about faster blockchains — it’s about trust. Right now, users don’t feel safe.

Until phishing is treated as financial fraud, losses will continue. Real-time detection must be built into the transaction layer. Wallet protections must be proactive, not reactive. Users must know that the system itself is protecting them.

Fraud prevention isn’t the end goal — fearless user experience is. Security is the enabler, but insurance is the promise: a guarantee that no matter what happens, users won’t be ruined. That’s the foundation of adoption.

The path forward

Audits, education, and blaming users won’t solve this. We must design our way out. Fraud detection and protection need to be built directly into the infrastructure. These systems should work automatically, behind the scenes, and without requiring user awareness. After all, bank customers don’t need to read code to verify a transaction. Web3 users shouldn’t have to either.

The defining question for web3’s future is simple: do users trust that their funds are safe? Right now, the answer is no. Phishing isn’t a footnote — it’s the headline; it’s time the industry treats it that way.