“Oak Security has conducted more than 600 audits across major crypto systems. It consistently sees this vulnerability gap: teams invest heavily in smart contract audits but ignore basic operational security,” says Dr. Jan Philipp Fritsche. – Source: www.coindesk.com
In 2025 alone, North Korean-affiliated attackers have been linked to a string of campaigns designed to siphon value and compromise key players in Web3: credential-harvesting campaigns, with millions already laundered. They've launched malware attacks on MetaMask and Trust Wallet users, attempted to infiltrate exchanges through fake job applicants, and set up shell companies inside [...]
And while the headlines focus on large-scale thefts, the reality is simpler, and more damning. The weakest layer of Web3 is not smart contracts, but humans.
Nation-state attackers no longer need to find zero-days in Solidity. They target the operational vulnerabilities of decentralized teams: poor key management, nonexistent onboarding processes, unvetted contributors pushing code from personal laptops, decisions made via Discord polls. For all our industry's talk of resilience and censorship resistance, many protocols remain soft targets for serious adversaries.
At Oak Security, where we've conducted over 600 audits across major ecosystems, we consistently see this gap: teams invest heavily in smart contract audits but ignore basic operational security. The result is predictable. Inadequate security processes lead to compromised contributor accounts, governance capture, and preventable losses.
The smart contract illusion: secure code, insecure teams

For all the money and talent poured into smart contract security, most DeFi projects still fail the basics of operational security. The assumption seems to be that if the code has passed an audit, the protocol is safe. That belief is not just naive; it's dangerous.
The reality is that smart contract exploits are no longer the preferred method of attack. It's easier, and often more effective, to go after the people running the system. Many DeFi teams have no dedicated security leads, opting to manage enormous treasuries without anyone formally accountable for OpSec. That alone should be cause for concern.
Crucially, OpSec failures aren't limited to attacks from state-sponsored groups. In May 2025, Coinbase disclosed that an overseas support agent, bribed by cybercriminals, illegally accessed customer data, triggering a $180–$400 million remediation [...] Malicious actors made similar attempts on Binance and Kraken. These incidents weren't driven by coding errors; they were borne from insider bribery and frontline human failures.
The vulnerabilities are systemic. Across the industry, contributors are commonly onboarded via Discord or Telegram, with no identity checks, no structured provisioning, and no verifiably secure devices. Code changes are often pushed from unvetted laptops, with little to no endpoint security or key management in place. Sensitive governance discussions unfold in unsecured tools like Google Docs and Notion, without audit trails, encryption, or proper access controls. And when something inevitably goes wrong, most teams have no response plan, no designated incident commander, and no structured communication protocol. Just chaos.
This isn't decentralization. It's operational negligence. There are DAOs managing $500 million that would fail a basic OpSec review. There are treasuries guarded by governance forums, Discord polls, and weekend multisigs: open invitations for bad actors. Until security is treated as a full-stack responsibility, from key management to contributor onboarding, Web3 will keep leaking value through its softest layers.
What DeFi can learn from TradFi security culture

TradFi institutions are frequent targets of attacks from North Korean hackers and beyond, and as a result, banks and payment companies lose millions each year. But it's rare to see a traditional financial institution collapse, or even pause operations, in the face of a cyberattack. These organizations operate on the assumption that attacks are inevitable. They design layered defenses that reduce the likelihood of attacks and minimize damage when exploits do occur, driven by a culture of constant vigilance that DeFi largely lacks.
In a bank, employees do not access trading systems from personal laptops. Devices are hardened and continuously monitored. Access controls and segregation of duties ensure that no single employee can unilaterally move funds or deploy production code. Onboarding and offboarding processes are structured; credentials are issued and revoked with care. And when something goes wrong, incident response is coordinated, practiced, and documented, not improvised in Discord.
Web3 needs to adopt similar maturity, adapted to the realities of decentralized teams.
That starts with enforcing OpSec playbooks from day one and running red-team simulations that test for phishing, infrastructure compromise, and governance capture, not just smart [...] wallets backed by individual hardware wallets or treasury management. Teams should vet contributors and perform background checks on anyone with access to production systems or treasury controls, even in teams that consider themselves fully [...]
Some projects are starting to lead here, investing in structured security programs and enterprise-grade tooling for key management. Others leverage advanced security operations (SecOps) tooling and dedicated security consultants. But these practices remain the exception, not the norm.
Decentralization is no excuse for negligence

It's time to confront the real reason many Web3 teams lag on operational security: it is difficult to implement in decentralized, globally distributed organizations. Budgets are tight, contributors are transient, and cultural resistance to cybersecurity principles, which are often misperceived as “centralization,” remains strong.
But decentralization is no excuse for negligence. Nation-state adversaries understand this ecosystem. They're already inside the gates. And the global economy is increasingly reliant on on-chain infrastructure. Web3 platforms urgently need to employ and adhere to disciplined cybersecurity practices, or risk becoming a permanent source of funding for hackers and scammers seeking to undermine [...]
Code alone will not defend us. Culture will.
Note: The views expressed in this column are those of the author and do not necessarily reflect those of CoinDesk, Inc. or its owners and affiliates.