In 2025, Web3 is full of big narratives—especially as regulation shifts course and stablecoins are steadily integrated into traditional finance (TradFi). “Compliance,” “mainstream integration,” and “rebuilding the next phase of order” have become recurring themes this year (further reading: 2025 Global Crypto Regulation Map: The Dawn of "Assimilation"—Where Crypto and TradFi Converge).
But behind these structural shifts is a more basic issue that’s been overlooked for too long: the account itself is becoming a systemic risk surface for the industry.
CertiK’s latest security report puts 2025 losses at about $3.35B across 630 incidents. The total is striking—but the breakdown is more revealing:
A large share of losses didn’t come from complex smart-contract bugs or direct protocol exploits. Instead, they stemmed from phishing: 248 phishing-related incidents in 2025, causing about $723M in losses. Slightly higher than code-vulnerability exploits: 240 incidents, about $555M.
In many cases, the chain didn’t fail, cryptography wasn’t broken, and the transactions followed the rules. The real problem lies with the account itself.
1. EOAs are becoming Web3’s biggest “legacy debt”
In both Web2 and Web3, phishing has long been one of the most common ways people lose money.
The difference is Web3’s smart contracts and irreversible execution: when something goes wrong, the impact is often far more severe. To see why, start with the core model: the EOA (Externally Owned Account).
The EOA model is simple by design: private key equals ownership, signature equals will. Whoever holds the private key effectively controls the account—an early breakthrough that reduced reliance on custodians and intermediaries and returned asset sovereignty to individuals.
But it also assumes something unrealistic: users won’t be phished, won’t make mistakes, and won’t misjudge under stress. Under EOAs, a signature is treated as fully informed consent.
Reality doesn’t work that way.
The incidents we saw repeatedly in 2025—malicious signatures, rushed transfers, incomplete checks—share the same root cause: EOAs offer almost no fault tolerance for human error (further reading: From EOA to AA: Will Web3’s Next Leap Happen at the Account Layer?).
A typical example is the long-standing approval pattern: once you approve a spender, it may move assets without asking again. It’s efficient in contract logic—but in practice, it often becomes the first step toward phishing and wallet drains.
Take the recent $50M address-poisoning case: attackers didn’t break the system—they generated look-alike addresses with matching first and last four characters, then relied on hurried transfers. It’s hard to reliably verify a long, semantically meaningless address every single time under time pressure.
Ultimately, EOAs don’t ask whether you were tricked—they ask only one thing: did you sign?
That’s why address poisoning has kept making headlines in recent years. Attackers don’t need to attempt a thankless and costly 51% attack—just an address that looks similar enough, and a moment of user inattention during copy-paste and confirmation.
EOAs can’t tell whether a recipient is unfamiliar, or whether an action deviates from past patterns. To the system, it’s a valid instruction that must execute. That’s the paradox: cryptography can be strong, while the account layer remains fragile.
From this angle, the $3.35B lost in 2025 isn’t just “careless users” or “better hackers.” It signals that once EOAs are used at real financial scale, their long-standing design debt becomes visible—and costly.
2. Why AA is becoming inevitable: a systemic correction for Web3 accounts
When major losses occur while the system is operating exactly as designed, that’s the real issue.
In CertiK’s breakdown, phishing, address poisoning, malicious approvals, and accidental signatures share the same traits: the transaction is valid, the signature checks out, execution is irreversible—and everything can look “normal” in a block explorer.
From the system’s perspective, these often aren’t “attacks”—they’re user instructions executed correctly.
EOAs collapse identity, authorization, and risk into a single private key. Once you sign, identity is accepted, permissions are granted, and risk is assumed—immediately and irreversibly. That simplicity once improved efficiency, but at today’s scale it becomes a structural weakness.
As Web3 becomes high-frequency, cross-protocol, and always-on, accounts are no longer occasional “cold wallets.” They power payments, approvals, interactions, and more—so the idea that every signature reflects a fully rational decision is hard to sustain.
Address poisoning works not because attackers are smarter, but because EOAs provide no buffer for common human mistakes. The system doesn’t flag first-time recipients, unusual amounts, or abnormal behavior—and it doesn’t add friction like delays or step-up confirmation. If the signature is valid, the transaction executes.
Traditional finance has long built in safeguards—limits, cooling-off periods, anomaly freezes, tiered permissions, and revocable authorizations—because it accepts a simple fact: people aren’t always rational. Account design must account for that.
In this context, Account Abstraction (AA) matters less as a feature and more as a redefinition: shifting accounts from passive signature executors to intent-aware systems.
With AA, an account isn’t just “a private key.” It can support multiple verification methods, set different permissions by action type, delay execution on anomalies, and even recover control under predefined conditions.
This isn’t a departure from decentralization—it’s a sustainability fix. True self-custody shouldn’t mean one mistake leads to permanent loss. Without relying on centralized custody, the account itself should provide guardrails and self-protection.
3. What account evolution can unlock for Web3
As I’ve said before: every successful scam costs Web3 a user—and without new users, the ecosystem can’t grow.
That’s why security teams, wallets, and builders can’t treat “user mistakes” as individual negligence. The account experience must be safe, understandable, and resilient in real-world use.
AA isn’t just an account upgrade—it’s a system-level shift in how security is designed and enforced.
For a long time, seed phrases have been treated as the passport to self-custody, but single-point key management isn’t friendly for most users. With AA features like social recovery, an account no longer depends on a single private key: you can set trusted guardians and recover access if a device is lost or the key becomes unavailable or compromised.
Combined with Passkey, AA can feel much closer to how people intuitively expect account security to work in traditional finance (further reading: Web3 Without Mnemonics: How AA × Passkey Could Shape Crypto’s Next Decade).
In EOAs, gas is an invisible barrier. With AA mechanisms like Paymaster, fees can be sponsored by a third party—or paid in stablecoins.
A smoother, gas-sponsored experience isn’t just a nice-to-have. It’s one of the prerequisites for Web3 to reach users beyond early adopters.
AA accounts can bundle multi-step flows into one atomic operation. For example, a DEX trade that used to require approval → swap → extra signatures can be executed as a single transaction: it either fully succeeds or fully fails—reducing cost and avoiding wasted partial attempts.
AA enables fine-grained permissions instead of an all-or-nothing model: higher amounts can require stronger verification; different counterparties can have different permissions; and allowlists/blocklists can limit interactions to vetted contracts.
Even if a key is exposed, these controls can buy time and reduce the chance of an immediate, total drain.
AA isn’t the only path: wallets can mitigate EOA weaknesses today
It’s important to emphasize: the evolution of account security doesn’t rely solely on full AA adoption. Existing wallet products can—and should—mitigate parts of the EOA model.
For example, imToken’s Address Book lets users save trusted addresses and choose from known entries during transfers—reducing copy-paste errors and look-alike address mistakes.
Another key principle is What You See Is What You Sign (WYSIWYS): the goal isn’t to overload users with data, but to ensure what they sign matches what they see, understand, and intend.
Safety prompts when sending to risky or contract addresses
Following this principle, imToken presents signatures in a structured, human-readable way across key flows—DApp login, transfers, swaps, and approvals—so users can understand what they’re agreeing to before signing. This doesn’t change on-chain irreversibility, but it adds a critical safety layer at the decision point.
More broadly, AA helps reset the assumptions for Web3’s next stage—so on-chain systems can support real users at scale. Otherwise, no matter how advanced the protocol or narrative, the same basic question remains:
Will everyday users trust on-chain accounts enough to keep assets there long term?
In that sense, AA isn’t a bonus feature—it’s a baseline requirement. It’s not about “nice UX”; it’s about whether Web3 can evolve from a niche experiment for enthusiasts into broader, accessible financial infrastructure.
Final thoughts
$3.35B was, in essence, the tuition the entire industry paid in 2025.
It’s also a reminder: as the industry discusses compliance and institutional participation, if accounts remain in a world where one mistaken signature or approval can wipe you out, then “financial infrastructure” is still built on sand.
The real question may not be whether AA becomes mainstream, but this:
If accounts don’t evolve, how big a future can Web3 actually carry?
That may be the most important security lesson of 2025—and one the industry should keep revisiting.