Decentralized protocols are soft targets for North Korean hackers

North Korean hacking groups have been targeting crypto for years. The 2022 Ronin Bridge exploit, at $625 million, was an early wake-up call, but the threat has only evolved since.

In 2025 alone, attackers affiliated with North Korea were linked to a series of campaigns designed to siphon value and compromise key players in web3: they went after $1.5 billion at Bybit through targeted campaigns, with millions already laundered. They launched malware attacks against MetaMask and Trust Wallet users, tried to infiltrate exchanges through fake job applicants, and set up shell companies in the United States to target crypto developers.

And while headlines often focus on large-scale heists, the reality is simpler and more damning. The weakest layer of web3 is not smart contracts, but humans.

Nation-state attackers no longer need to find zero-days in Solidity. They target the operational vulnerabilities of decentralized teams: key management, non-existent onboarding processes, unvetted contributors pushing code from personal computers, and treasury governance run through Discord polls. For all our industry's talk of resilience and censorship resistance, many protocols remain soft targets for serious adversaries.

At Oak Security, where we have carried out more than 600 audits across the major ecosystems, we see this gap constantly: teams invest heavily in smart contract audits but ignore basic operational security (OPSEC). The result is predictable. Inadequate security processes lead to compromised contributor accounts, governance capture and avoidable losses.

The smart contract illusion: secure code, unsecured teams

For all the money and talent poured into smart contract security, most DeFi projects still fail the basics of operational security. The assumption seems to be that if the code has passed an audit, the protocol is safe. That belief is not only naive – it is dangerous.

The reality is that smart contract exploits are no longer the preferred attack method. It is easier – and often more effective – to go after the people who run the system. Many DeFi teams have no dedicated security leads, choosing to manage huge treasuries without anyone formally responsible for OPSEC. That should be worrying.

Above all, OPSEC failures are not limited to attacks by state-sponsored groups. In May 2025, Coinbase disclosed that an overseas support agent – bribed by cybercriminals – had exfiltrated customer data, triggering remediation costs of $180 to $400 million and a ransom standoff. Malicious actors made similar attempts on Binance and Kraken. These incidents were not driven by coding errors – they were brought about by insider corruption and front-line human failures.

The vulnerabilities are systemic. Across the industry, contributors are typically onboarded via Discord or Telegram, with no identity verification, no structured provisioning and no check for secure devices. Code changes are often pushed from unvetted laptops, with little or no endpoint security or key management. Sensitive governance discussions take place in unsecured tools such as Google Docs and Notion, without audit trails, encryption or proper access controls. And when something inevitably goes wrong, most teams have no response plan, no designated incident commander and no structured communication protocol – just chaos.

That is not decentralization. It is operational negligence. There are DAOs managing $500 million that would fail a basic OPSEC audit. There are treasuries guarded by governance forums, Discord polls and weekend multisigs – open invitations to bad actors. Until security is treated as an end-to-end responsibility – from key management to contributor onboarding – web3 will keep leaking value through its softest layers.

What DeFi can learn from TradFi security culture

TradFi institutions are frequent targets of attacks by North Korean hackers and others – and, as a result, banks and payment companies lose millions each year. But it is rare to see a traditional financial institution collapse, or even pause operations, in the face of a cyberattack. These organizations operate on the assumption that attacks are inevitable. They build layered defenses that reduce the likelihood of attacks and minimize the damage when exploits do occur, driven by a culture of constant vigilance that web3 still largely lacks.

In a bank, employees do not access trading systems from personal laptops. Devices are hardened and continuously monitored. Access controls and segregation of duties ensure that no single employee can unilaterally move funds or deploy production code. Onboarding and offboarding processes are structured; credentials are issued and carefully revoked. And when something goes wrong, incident response is coordinated, rehearsed and documented – not improvised in Discord.

Web3 must adopt similar maturity, adapted to the realities of decentralized teams.

It starts with applying OPSEC playbooks from day one, running red team simulations that test phishing, infrastructure compromise and governance capture – not just smart contract audits – and using multisig wallets backed by individual hardware wallets or treasury management tooling. Teams should vet contributors and run background checks on anyone with access to production systems or treasury controls – even in teams that consider themselves fully “decentralized”.
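To make the controls above concrete, here is an added example (not code from this article or from Oak Security) modelling a treasury release policy in Python: structured onboarding that refuses unverified identities, offboarding that revokes signing rights and leaves an audit trail, and an M-of-N approval rule under which no single contributor can release funds. All handles, keys and the transaction are constructed for the example, and the HMAC "signature" is a stand-in for a signature produced on a contributor's hardware wallet, not a real wallet integration.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Signer:
    handle: str                  # contributor identity, verified at onboarding
    key: bytes                   # constructed stand-in for a hardware-wallet-held key
    active: bool = True
    revoked_at: datetime | None = None


@dataclass
class TreasuryPolicy:
    threshold: int               # M-of-N approvals required to release funds
    signers: dict[str, Signer] = field(default_factory=dict)
    audit_log: list[str] = field(default_factory=list)

    def _log(self, event: str) -> None:
        self.audit_log.append(f"{datetime.now(timezone.utc).isoformat()} {event}")

    def onboard(self, handle: str, key: bytes, identity_verified: bool) -> None:
        """Structured onboarding: no verified identity, no signing rights."""
        if not identity_verified:
            self._log(f"onboard rejected handle={handle} reason=identity-unverified")
            raise PermissionError(f"{handle}: identity not verified")
        if handle in self.signers:
            raise ValueError(f"{handle}: already a signer")
        self.signers[handle] = Signer(handle=handle, key=key)
        self._log(f"onboard handle={handle}")

    def offboard(self, handle: str) -> None:
        """Structured offboarding: revoke signing rights but keep the record."""
        signer = self.signers[handle]
        signer.active = False
        signer.revoked_at = datetime.now(timezone.utc)
        self._log(f"offboard handle={handle}")

    @staticmethod
    def digest(tx: dict) -> bytes:
        # Canonical encoding so every signer approves exactly the same payload.
        return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).digest()

    def sign(self, handle: str, tx: dict) -> bytes:
        """Stand-in for a signature produced on the signer's hardware wallet."""
        return hmac.new(self.signers[handle].key, self.digest(tx), "sha256").digest()

    def authorize(self, tx: dict, approvals: list[tuple[str, bytes]]) -> bool:
        """Release only with `threshold` valid approvals from distinct, active signers."""
        payload = self.digest(tx)
        valid: set[str] = set()
        for handle, sig in approvals:
            signer = self.signers.get(handle)
            if signer is None or not signer.active:
                self._log(f"approval rejected handle={handle} reason=not-an-active-signer")
                continue
            expected = hmac.new(signer.key, payload, "sha256").digest()
            if not hmac.compare_digest(expected, sig):
                self._log(f"approval rejected handle={handle} reason=bad-signature")
                continue
            valid.add(handle)  # a set: one person signing twice still counts once
        ok = len(valid) >= self.threshold
        self._log(f"transfer {'approved' if ok else 'denied'} to={tx['to']} "
                  f"amount={tx['amount']} approvals={sorted(valid)}")
        return ok


def demo() -> dict[str, bool]:
    """Onboarding, a valid release, offboarding and a replay, all on constructed data."""
    policy = TreasuryPolicy(threshold=2)
    for handle in ("alice", "bob", "carol"):
        policy.onboard(handle, f"{handle}-hw-key".encode(), identity_verified=True)
    tx = {"to": "0xGRANT_RECIPIENT_PLACEHOLDER", "amount": 250_000, "nonce": 1}
    a = policy.sign("alice", tx)
    b = policy.sign("bob", tx)
    results = {
        # One signer alone cannot move funds.
        "single": policy.authorize(tx, [("alice", a)]),
        # Duplicate approvals from the same person still count as one.
        "duplicate": policy.authorize(tx, [("alice", a), ("alice", a)]),
        # Two distinct active signers reach the threshold.
        "quorum": policy.authorize(tx, [("alice", a), ("bob", b)]),
    }
    policy.offboard("bob")
    # A departed contributor's approval is worthless after revocation.
    results["after_offboard"] = policy.authorize(tx, [("alice", a), ("bob", b)])
    # A signature over a different payload does not carry over to this one.
    c = policy.sign("carol", dict(tx, amount=999_999))
    results["wrong_payload"] = policy.authorize(tx, [("alice", a), ("carol", c)])
    return results


if __name__ == "__main__":
    for name, approved in demo().items():
        print(f"{name:15s} approved={approved}")
```

The design point is that the policy, not the chat channel, decides: a Discord poll never reaches `authorize`, a revoked signer's old approval is rejected rather than silently counted, and every decision lands in `audit_log` so an incident responder has a timeline to work from.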

Some projects are starting to lead here, investing in structured security programs and enterprise-grade tools for key management. Others draw on advanced security operations (SecOps) tooling and dedicated security consultants. But these practices remain the exception, not the norm.

Decentralization is not an excuse for negligence

It is time to face the real reason many web3 teams lag behind on operational security: it is hard to implement in decentralized organizations distributed around the world. Budgets are tight, contributors are transient, and cultural resistance to cybersecurity principles, which are often misperceived as “centralization”, remains strong.

But decentralization is not an excuse for negligence. Nation-state adversaries understand this ecosystem. They are already inside the gates. And the global economy increasingly depends on on-chain infrastructure. Web3 platforms must urgently adopt and uphold disciplined cybersecurity practices, or risk becoming a permanent funding stream for the hackers and crooks seeking to undermine them.

Code alone will not defend us. Culture will.
