North Korean hacking groups have been targeting crypto for years. The 2022 Ronin Bridge theft of $625 million was an early wake-up call, but the threat has only evolved.
In 2025 alone, attackers affiliated with North Korea have been linked to a series of campaigns designed to siphon value and compromise key Web3 actors: they targeted $1.5 billion in assets at Bybit through credential-harvesting campaigns, with millions already laundered. They launched malware attacks on MetaMask and Trust Wallet users, tried to infiltrate exchanges through fake job applicants, and set up shell companies inside the U.S. to target crypto developers.
And although the headlines often focus on the large-scale heists, the reality is simpler and more damning. Web3's weakest layer is not smart contracts. It is humans.
Nation-state attackers no longer need to find zero-days in Solidity. They target the operational vulnerabilities of decentralized teams: key management, non-existent onboarding processes, unvetted contributors pushing code from personal laptops, and treasury governance conducted through Discord polls. For all our industry's talk of resilience and censorship resistance, many protocols remain soft targets for serious adversaries.
At Oak Security, where we have performed more than 600 audits across the major ecosystems, we constantly see this gap: teams invest heavily in smart contract audits but ignore basic operational security (OPSEC). The result is predictable. Inadequate security processes lead to compromised contributor accounts, governance capture and preventable losses.
The smart contract illusion: secure code, insecure teams
Despite all the money and talent poured into smart contracts, most DeFi projects still lack the basics of operational security. The assumption seems to be that if the code has passed an audit, the protocol is safe. That belief is not just naive, it is dangerous.
The reality is that smart contract exploits are no longer the preferred attack method. It is easier, and often more effective, to go after the people who run the system. Many DeFi teams have no dedicated security lead, choosing to manage enormous treasuries with no one formally responsible for OPSEC. That alone should be cause for concern.
Crucially, OPSEC failures are not limited to attacks by state-sponsored groups. In May 2025, Coinbase disclosed that an overseas support agent, bribed by cybercriminals, had illegally accessed customer data, triggering remediation and ransom costs of $180 to $400 million. Malicious actors made similar attempts against Binance and Kraken. These incidents were not driven by coding errors: they were born of insider bribery and front-line human failures.
The vulnerabilities are systemic. Across the industry, contributors are routinely onboarded through Discord or Telegram, with no identity checks, no structured provisioning and no verifiably secure devices. Code changes are often pushed from unvetted laptops, with little or no endpoint security or key rotation in place. Sensitive governance discussions take place in ad hoc tools such as Google Docs and Notion, without proper audit trails, encryption or access controls. And when something inevitably goes wrong, most teams have no incident response plan, no designated incident commander and no structured communication protocol, only chaos.
This is not decentralization. It is operational negligence. There are DAOs managing $500 million that would fail a basic OPSEC audit. There are treasuries protected by governance forums, Discord polls and weekend multisigs: open invitations for bad actors. Until security is treated as an end-to-end responsibility, from key management to contributor onboarding, Web3 will continue to bleed value through its softest layers.
What DeFi can learn from traditional security culture
Traditional institutions are frequent targets of hackers from North Korea and beyond, and as a result banks and payment companies lose millions every year. But it is rare to see a traditional financial institution collapse, or even pause operations, in the face of a cyberattack. These organizations operate on the assumption that attacks are inevitable. They design layered defenses that reduce the likelihood of attacks and minimize the damage when exploits do occur, driven by a culture of constant vigilance that DeFi still lacks.
In a bank, employees do not access business systems from personal laptops. Devices are hardened and continuously monitored. Access controls and segregation of duties ensure that no single employee can unilaterally move funds or deploy production code. Onboarding and offboarding processes are structured; credentials are issued and revoked carefully. And when something goes wrong, incident response is coordinated, rehearsed and documented, not improvised in Discord.
Web3 needs to adopt similar maturity, adapted to the realities of decentralized teams.
That begins with applying OPSEC playbooks from day one, running red team simulations that test phishing, infrastructure compromise and governance capture, not only smart contract audits, and using multi-signature wallets backed by individual hardware wallets or treasury management tooling. Teams must vet contributors and run background checks on anyone with access to production systems or treasury controls, even on teams that consider themselves fully “decentralized.”
Some projects are starting to lead here, investing in structured security programs and enterprise-grade tools for key management. Others leverage advanced security operations (SecOps) and dedicated security consultants. But these practices are still the exception, not the norm.
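The controls described above (a multisig backed by hardware wallets, segregation of duties between treasury signers and code deployers, structured offboarding and a named incident commander) can be checked mechanically against a team's access inventory. The following is an added example, not code from Oak Security or any project named in the article; the inventory, names and check thresholds are constructed assumptions.

```python
"""Operational-security checks over a constructed team access inventory.

Added example: encodes a few of the OPSEC controls the article argues for
as findings over who holds treasury and deployment access.
"""
from dataclasses import dataclass


@dataclass
class Signer:
    name: str
    hardware_backed: bool   # key lives on a hardware wallet, not a laptop


@dataclass
class TeamInventory:
    treasury_signers: list  # list[Signer] on the treasury multisig
    treasury_threshold: int # approvals required to move funds
    deployers: set          # names allowed to push production code
    offboarded: set         # names whose access should already be revoked
    incident_commander: str = ""


def opsec_findings(inv: TeamInventory) -> list:
    """Return human-readable findings; an empty list means all checks passed."""
    findings = []
    signer_names = {s.name for s in inv.treasury_signers}
    # Multisig: more than one approval, and spare signers so one lost key is survivable.
    if inv.treasury_threshold < 2:
        findings.append("treasury: a single signer can move funds unilaterally")
    if len(inv.treasury_signers) <= inv.treasury_threshold:
        findings.append("treasury: losing one key would lock the multisig")
    for s in inv.treasury_signers:
        if not s.hardware_backed:
            findings.append(f"treasury: signer {s.name} key is not on a hardware wallet")
    # Segregation of duties: fund movers should not also deploy production code.
    for name in sorted(signer_names & inv.deployers):
        findings.append(f"duties: {name} both signs treasury and deploys code")
    # Offboarding: departed contributors must hold no treasury or production access.
    for name in sorted(inv.offboarded & (signer_names | inv.deployers)):
        findings.append(f"offboarding: {name} still holds access after leaving")
    if not inv.incident_commander:
        findings.append("ir: no designated incident commander")
    return findings


# Constructed sample inventory; names are placeholders.
SAMPLE = TeamInventory(
    treasury_signers=[Signer("alice", True), Signer("bob", False), Signer("carol", True)],
    treasury_threshold=2,
    deployers={"bob", "dave"},
    offboarded={"dave"},
)

if __name__ == "__main__":
    for finding in opsec_findings(SAMPLE):
        print(finding)
```

The sample inventory reports four findings: an unvetted signer key, one person who both signs and deploys, a lingering account after offboarding, and no incident commander.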
Decentralization is no excuse for negligence
It is time to face the real reason many Web3 teams lag in operational security: it is hard to implement in decentralized, globally distributed organizations. Budgets are tight, contributors are transient, and cultural resistance to cybersecurity principles, often mistakenly perceived as “centralization”, remains strong.
But decentralization is no excuse for negligence. Nation-state adversaries understand this ecosystem. They are already inside the gates. And the global economy depends more and more on on-chain infrastructure. Web3 platforms urgently need to adopt and adhere to disciplined cybersecurity practices, or risk becoming a permanent funding stream for the hackers and scammers seeking to undermine them.
Code alone will not defend us. Culture will.