A new report by Kerberus, a Web3 security firm, suggests that human behavior is now the primary risk in Web3.
BeInCrypto spoke with the firm's CEO, Alex Katz, and CTO, Danor Cohen, to understand why users continue to fall victim to attacks and what they can do to better protect themselves.
Human Error Drives Major Web3 Losses, Kerberus Report Finds
In its latest report, titled “The Human Factor – Real-Time Protection Is the Unsung Layer of Web3 Cybersecurity (2025),” Kerberus found that human-focused attacks are the most structurally damaging attack vector in Web3.
The report cites data showing that a significant share of industry losses stems from user error. Roughly 44% of crypto thefts in 2024 resulted from the mismanagement of private keys. Other research indicates that human error is involved in roughly 60% of security breaches.
With 820 million active wallets in 2025, the threat landscape is expanding quickly, and everyone remains at risk. Katz told BeInCrypto that bad actors are targeting both newcomers and experienced users, but for very different reasons.
“New users are attractive because they don’t yet understand what ‘normal’ Web3 behavior looks like,” he said.
Interestingly, the executive noted that long-time users are becoming higher-value targets than newcomers. According to him,
“Veteran users interact with far more dApps, sign more transactions, and move larger amounts. That means a single moment of complacency can do far more damage. So the group most at risk today is anyone who assumes they’re not at risk.”
Cohen added that one of the biggest misconceptions in Web3 is the belief that security failures stem from users not understanding the technology. His assessment points in the opposite direction: people are getting hacked because the system places an unrealistic burden on them.
“Users think, ‘I’m too smart to get drained, I know how wallets work – I’m safe.’ But the threat landscape changes faster than users do. Attackers aren’t trying to outsmart your wallet; they’re trying to outsmart you. And they’re extremely good at it. What people misunderstand is that Web3 puts an enormous cognitive burden on the individual. Users shouldn’t have to decipher technical signals to stay safe – security must work for them automatically,” he mentioned.
Why Even Smart Web3 Users Keep Getting Drained in 2025
This human-driven risk persists despite record spending on security in 2025. Kerberus' report stated that crypto-related services and investors lost over $3.1 billion to hacks and scams in the first half of the year. That is already more than the total for all of 2024.
That figure includes the historic Bybit breach. Excluding it, human-targeted attacks such as phishing and social engineering still accounted for $600 million, or 37% of the remaining $1.64 billion in losses.
The report noted that these attacks scale with growing adoption and bypass technical defenses entirely, which makes them difficult for traditional security models to prevent.
While companies invest heavily in audits, monitoring, and code reviews, attackers increasingly exploit users directly at the transaction level. But what makes humans so vulnerable to these attacks?
“Humans are vulnerable because every scam is designed to exploit natural psychological shortcuts — urgency, authority, familiarity, fear of missing out, or comfort with routine. These are not flaws; they’re the same instincts that allow us to function in everyday life. Technology alone can’t change human psychology, but it can catch the moment when psychology is being weaponized,” Cohen detailed.
He emphasized that the strongest form of protection is not relying on users to avoid mistakes through education alone, but rather stopping harmful actions in real time, before damage occurs.
“That’s why real-time detection matters so much. If you can warn a user at the exact moment their trust is being manipulated, you can stop most losses before they occur,” Cohen added.
The executive noted that it is unrealistic to expect an everyday user to distinguish between a malicious dApp, an airdrop, or a mint page. Modern fraudulent platforms often closely mirror legitimate ones, making them nearly indistinguishable.
He added that users click on phishing links repeatedly not out of carelessness, but because the attacks are deliberately crafted to deceive.
Even real-time warnings can sometimes look like false positives, which highlights the sophistication of these scams.
“Users shouldn’t be expected to perform forensic checks. The burden has to shift to tools that analyze intent and behavior in real time,” Cohen urged.
The report also states that these attacks exploit moments when users are least able to assess threats: when someone checks their wallet while distracted at work, reacts to an urgent message claiming their account will be frozen, or approves a transaction at the end of a long day when they are exhausted.
According to the findings, the industry's response has largely been to add more warnings and verification steps. But this approach often backfires because of “security fatigue.” As users become accustomed to constant alerts, many of which are false alarms that merely slow them down, their ability to make careful decisions diminishes under the continuous cognitive strain.
3 Actions Users Can Take to Stay Safer in Web3
To reduce real-world losses, Katz outlined three practices users can adopt. He advised users to:
- Pause before signing: Most compromises happen in under ten seconds. Taking even a brief moment to read the prompt, or to check whether the request matches the intended action, can prevent a large share of successful attacks.
- Separate high-value assets from everyday activity: Using multiple wallets remains one of the most effective safeguards. He suggested that users keep their long-term holdings in a cold or low-touch wallet and use a separate wallet for exploration, mints, and dApps. This compartmentalization limits the potential damage.
- Rely on real-time transaction protection: Because many threats involve social engineering rather than technical exploits, users benefit from tools that interpret on-chain actions before they are finalized. This single layer of defense blocks many of the more advanced scams.
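As an added example, not code from the original article or from Kerberus, here is what the "pause before signing" check looks like when a wallet or browser extension does it on the user's behalf: it decodes the transaction request before it is signed and flags the patterns that drainer pages rely on (an unlimited ERC-20 allowance, a spender the user has never dealt with, a blanket setApprovalForAll, or ETH sent to an unknown address). The allowlist, the token and spender addresses, and the sample requests are all constructed for illustration; the two function selectors are the standard ERC-20 and ERC-721 ones.

```javascript
// Added example (not Kerberus's code): a minimal pre-signing review of an
// EVM transaction request. Allowlist, addresses and sample requests are
// constructed for illustration; the selectors are standard ERC-20/ERC-721.

const SELECTOR_APPROVE = "095ea7b3";              // approve(address,uint256)
const SELECTOR_SET_APPROVAL_FOR_ALL = "a22cb465"; // setApprovalForAll(address,bool)
const UNLIMITED = (1n << 256n) - 1n;              // type(uint256).max

// Assumption: the user keeps an allowlist of contracts they knowingly grant
// allowances to (a DEX router, a marketplace). Placeholder address below.
const KNOWN_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

// i-th 32-byte ABI word after the 4-byte selector, as hex without "0x"
function word(data, i) {
  return data.slice(8 + i * 64, 8 + (i + 1) * 64);
}

// An address argument is right-aligned in its 32-byte word
function addrFromWord(w) {
  return "0x" + w.slice(24);
}

// Returns human-readable findings for one eth_sendTransaction-style request
// ({to, value, data} as hex strings). An empty list means nothing looked off.
function reviewTransaction(tx) {
  const findings = [];
  const data = (tx.data || "0x").toLowerCase().replace(/^0x/, "");
  const value = BigInt(tx.value || "0x0");
  const selector = data.slice(0, 8);

  if (selector === SELECTOR_APPROVE && data.length >= 136) {
    const spender = addrFromWord(word(data, 0));
    const amount = BigInt("0x" + word(data, 1));
    if (!KNOWN_SPENDERS.has(spender)) {
      findings.push(`approve: spender ${spender} is not on your allowlist`);
    }
    if (amount === UNLIMITED) {
      findings.push("approve: unlimited allowance requested");
    }
    if (value > 0n) {
      findings.push("approve: request also sends ETH, which approve never needs");
    }
  } else if (selector === SELECTOR_SET_APPROVAL_FOR_ALL && data.length >= 136) {
    const operator = addrFromWord(word(data, 0));
    const approved = BigInt("0x" + word(data, 1)) !== 0n;
    if (approved && !KNOWN_SPENDERS.has(operator)) {
      findings.push(`setApprovalForAll: ${operator} would control every NFT in this collection`);
    }
  } else if (data === "" && value > 0n) {
    // Plain ETH transfer: the only thing to check is where it goes
    const to = (tx.to || "").toLowerCase();
    if (!KNOWN_SPENDERS.has(to)) {
      findings.push(`transfer: sends ${value} wei to unlisted address ${to}`);
    }
  }
  return findings;
}

// Builds approve() calldata for the constructed samples below
function encodeApprove(spender, amount) {
  return "0x" + SELECTOR_APPROVE +
    spender.replace(/^0x/, "").toLowerCase().padStart(64, "0") +
    amount.toString(16).padStart(64, "0");
}

const TOKEN = "0x2222222222222222222222222222222222222222";   // constructed
const DRAINER = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"; // constructed

// Constructed: what a "claim your airdrop" page typically asks the wallet to sign
const SAMPLE_PHISHING_TX = { to: TOKEN, value: "0x0", data: encodeApprove(DRAINER, UNLIMITED) };
// Constructed: a bounded allowance to a spender the user already trusts
const SAMPLE_SWAP_TX = {
  to: TOKEN, value: "0x0",
  data: encodeApprove("0x1111111111111111111111111111111111111111", 1000n * 10n ** 18n),
};

for (const [label, tx] of [["phishing", SAMPLE_PHISHING_TX], ["swap", SAMPLE_SWAP_TX]]) {
  const findings = reviewTransaction(tx);
  console.log(label, findings.length ? findings : ["no findings"]);
}
```

The phishing request produces two findings (unknown spender, unlimited allowance) while the bounded approve to an allowlisted router produces none. A static decode like this is only the first layer; the real-time tools the article describes also simulate the transaction's effect and score the counterparty, which is what lets them catch approvals that look syntactically ordinary.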
The goal, he stressed, is not to turn users into security experts, but to build guardrails that keep mistakes from turning into financial losses.
