The crypto industry must evolve to match real-world security risks



Your keys, your coins.

That’s one of the fundamental promises of bitcoin and other cryptocurrencies, that they eliminate the middlemen that stand between you and your money. But the phrase also carries a latent assumption that Web3 companies would do well to leave behind: that any security problem is the owner’s problem, not theirs. That mentality may have worked when cryptocurrencies were experimental. It doesn’t work when billions of dollars and millions of people are involved.

The design space for cryptocurrencies has expanded tremendously since Bitcoin was created over 15 years ago. There are apps and protocols, cryptocurrency exchanges, stablecoins, and dozens of token standards, all connected to each other. It’s no longer just decentralized money, it’s a trillion-dollar ecosystem. Security risks have become more complicated and the stakes have increased. Self-custody still has a role to play, yes, but Web3 designers shouldn’t put most of the security burden on users.

To succeed as a mainstream technology, the crypto industry must evolve to match real-world security risks (social engineering, human error, and physical coercion) without compromising other core values such as anonymity and pseudonymity.

What the numbers tell us

Several decades of personal computing have provided us with abundant data on people’s cyber hygiene. In short: it’s not perfect.

Educational campaigns like Cybersecurity Awareness Month, which are happening right now, help, but threats like phishing, fake QR codes, and malware remain consistently effective. These are not going away. In fact, they are evolving faster than our defenses.

According to data collected by CoinLaw, crypto phishing attacks are on the rise, up 40% as of early 2025 and causing user losses valued at $410 million. Some more bad news: AI-powered deepfakes are exacerbating the problem; these increased more than 450% between mid-2024 and mid-2025, according to data from CoinLaw.

Even more alarming: the rise in cryptocurrency-related violent attacks, as organized crime groups physically force high-net-worth holders to give up their credentials. According to blockchain tracking company Chainalysis, more than 30 “wrench attacks” (physical coercion to hand over keys) were reported in 2024, and 2025 is on track to double that number.

In short, security problems are not anomalies. They are predictable.

We don’t shrug our shoulders at earthquakes in San Francisco or Japan; we build earthquake-resistant buildings. The same logic should apply to cryptographic security.

What needs to change?

The good news: There is a lot of work being done in the Web3 space to make users safer and products more secure.

Just look at the wallets. Security considerations have historically made for a horrible wallet user experience, but things are improving thanks to innovations like split wallets with different keys, delegation, and multiple wallet accounts. But in my experience, balancing usability and security is still tricky.

So how can we improve with users?

First of all, we must treat security incidents as feedback. Each breach tells us something about the design, not just the behavior. Take a stolen password. One answer might be: “It’s the user’s fault that they were a victim of phishing; they shouldn’t fall for that.” Maybe that’s true, maybe it’s not. But the truth is that when this happens millions of times a year across your customer base, it’s an indication that your system is not designed for real people. Adjust accordingly.

Secondly, we need to incorporate successful examples from the non-Web3 space.

Consider the problem of authentication. Using a cryptographic key for access is powerful, but possession of the key does not confirm that the user is the rightful owner. That’s why the Internet as a whole long ago adopted layers like multi-factor authentication and behavioral signals, and more recently proof-of-humanity checks, methods that protect people automatically, without relying on constant surveillance. Cryptocurrencies can and should follow that example.

Finally, we must recognize that security risks are no longer limited to social engineering tricks.

Cryptocurrency executives and big-money holders have been hit by a series of physical assaults, with thieves seeking to gain access not through brute-force decryption, but simply through brute force. If we design systems that do not account for the possibility of physical coercion, we are not doing our job as designers of those systems. Attack vectors will evolve and we will have to evolve too.
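The two design points above (a key proves possession, not ownership; and a system should assume a holder may be coerced) can be shown as a layered authorization policy. The following is an added example written for this article, not code from the author or any wallet project. Its assumptions are labelled: the "wallet key" check is an HMAC tag standing in for a real signature verification (the Python standard library has no ed25519/secp256k1), the second factor is RFC 6238 TOTP from a separately enrolled secret, and the "behavioral" layer is one constructed rule, holding an unusually large transfer to a never-seen address for a second key holder (the split-wallet idea) instead of executing it at once.

```python
"""Layered transaction authorization: key possession alone is not ownership.

Added example, not from the article. Stand-ins and assumptions:
- key_check uses HMAC-SHA256 in place of a public-key signature check.
- totp_check is RFC 4226 HOTP over a 30-second time counter (RFC 6238).
- The hold rule is a constructed behavioral signal: a transfer above a
  threshold to a destination never seen before needs a co-approver.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secrets; a real system derives these per account/device.
WALLET_KEY = b"demo-wallet-key-not-real"
TOTP_SECRET = b"demo-totp-secret-not-real"
STEP_UP_THRESHOLD = 1_000  # constructed: larger new-destination transfers are held


def sign_request(key: bytes, account: str, dest: str, amount: int) -> str:
    """Stand-in for the wallet signature: HMAC over a canonical request string."""
    msg = f"{account}|{dest}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def key_check(account: str, dest: str, amount: int, tag: str) -> bool:
    """Layer 1: does the requester hold the wallet key? (possession only)"""
    expected = sign_request(WALLET_KEY, account, dest, amount)
    return hmac.compare_digest(expected, tag)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncated HMAC-SHA1 of the big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second window."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step)


def totp_check(code: str, at: Optional[int] = None) -> bool:
    """Layer 2: a second factor the key holder must also possess.

    Accepts the current and the previous window to tolerate clock skew.
    """
    now = int(time.time()) if at is None else at
    return any(hmac.compare_digest(totp(TOTP_SECRET, now - d), code) for d in (0, 30))


def authorize(account: str, dest: str, amount: int, tag: str, otp: str,
              known_dests: set, at: Optional[int] = None) -> str:
    """Return 'deny', 'allow', or 'hold' (needs a second key holder's approval)."""
    if not key_check(account, dest, amount, tag):
        return "deny"  # wrong or missing key: nothing else matters
    if not totp_check(otp, at):
        return "deny"  # a key alone (possibly phished) is not the owner
    if dest not in known_dests and amount > STEP_UP_THRESHOLD:
        # Layer 3 (constructed rule): an unusual transfer is not rushed through,
        # which also gives a coerced holder time and a co-approver a veto.
        return "hold"
    return "allow"


if __name__ == "__main__":
    t = 1_700_000_000  # fixed clock so the run is reproducible
    tag = sign_request(WALLET_KEY, "alice", "addr-known", 500)
    print(authorize("alice", "addr-known", 500, tag, totp(TOTP_SECRET, t), {"addr-known"}, t))
    tag = sign_request(WALLET_KEY, "alice", "addr-new", 5_000)
    print(authorize("alice", "addr-new", 5_000, tag, totp(TOTP_SECRET, t), {"addr-known"}, t))
```

The point of the three layers is that a phished key fails at layer 2 and a coerced holder who passes both factors still cannot move a large sum to a fresh address alone; the hold path is where a second key (the split-wallet design mentioned earlier) does its work.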

What’s next?

Crypto’s strong spirit of individual responsibility made sense when crypto was an experiment. However, now that trillions of dollars in assets (and human livelihoods) are at stake, we need systems designed for real-world risks rather than for early adopters.

There are no panaceas: cryptographic keys will remain vulnerable to phishing, biometrics will make their holders vulnerable to physical attacks, and humans will remain imperfect. But as we close out Cybersecurity Awareness Month, let’s remember who we’re building for. When we design for real people, not ideal users, our products can strengthen lives while protecting against their weaknesses. Security is no longer a user problem; it is an industry problem.
