Your keys, your coins.
This is one of the fundamental promises of Bitcoin and other cryptocurrencies, which remove the middlemen who stand between you and your money. But this phrase also conveys a latent assumption that Web3 companies would do well to abandon: that any security problem is the owner’s problem, not theirs. This mindset may have worked when crypto was experimental. It doesn’t work when trillions of dollars and millions of people are involved.
The cryptocurrency design space has expanded significantly since the creation of Bitcoin over 15 years ago. There are apps and protocols, cryptocurrency exchanges, stablecoins, and dozens of token standards, all connected to each other. It’s no longer just about decentralized money, but an ecosystem worth billions of dollars. Security risks have become more complex and the stakes higher. Self-custody still has a role to play, sure, but Web3 designers shouldn’t put most of the security burden on users.
To succeed as a mainstream technology, the crypto industry must evolve to address real security risks – social engineering, human error and physical coercion – without compromising other core values such as anonymity and pseudonymity.
What the numbers tell us
Several decades of personal computing have provided us with a wealth of data on people’s cyber hygiene. In short: it’s not perfect.
Educational campaigns like Cybersecurity Awareness Month, underway right now, are helpful, but threats like phishing, fake QR codes, and malware remain effective. These will not disappear. In fact, they evolve faster than our defenses.
According to data compiled by CoinLaw, crypto-phishing attacks are on the rise, increasing by 40% in early 2025 and resulting in user losses valued at $410 million. More bad news: AI-driven deepfakes are exacerbating the problem; these increased by more than 450% between mid-2024 and mid-2025, according to CoinLaw data.
Even more alarming is the surge in violent crypto-related attacks, as organized crime groups physically force wealthy holders to give up their credentials. According to blockchain tracking firm Chainalysis, more than 30 “key attacks” were reported in 2024, and 2025 is on track to double that number.
In short, security issues are not anomalies. They are predictable.
We don’t shrug our shoulders at earthquakes in San Francisco or Japan; we build earthquake-resistant buildings. The same logic should apply to crypto security.
What needs to change
The good news: There’s a lot of work being done in the Web3 space to make users safer and products more secure.
Just look at wallets. Security considerations have historically made the wallet user experience horrible, but things are improving thanks to innovations like split wallets with different keys, delegation, and multi-wallet accounts. But, in my experience, finding a balance between usability and security remains tricky.
So how can we do better for users?
First, we need to view security issues as feedback. Every breach teaches us something about design, not just behavior. Take a stolen password. One response might be: “It’s the user’s fault that they were phished; they shouldn’t get caught up in this.” Maybe that’s true, maybe not. But what is true is that when this happens millions of times a year to your customer base, it indicates that your system is not designed for real people. Adjust accordingly.
Second, we need to incorporate successful examples from the non-web3 space.
Consider the problem of authentication. Using a cryptographic key for access is powerful, but it does not confirm that the user is the rightful owner. That’s why the broader Internet has long embraced layers like multi-factor authentication and behavioral signals, and more recently proof of human presence: methods that protect people automatically, without relying on constant vigilance. Crypto can and should follow suit.
Finally, we must recognize that security risks are no longer limited to social engineering tricks.
Cryptocurrency executives and deep-pocketed holders have been hit with a series of physical assaults, with thieves seeking access not through brute-force decryption, but through simple brute force. If we design systems that do not account for the possibility of physical violence, we are not doing our job as designers of those systems. Attack vectors will evolve, and we will have to evolve too.
What’s next
Crypto’s robust ethos of individual responsibility made sense when it was an experiment. However, now that trillions in assets – and livelihoods – are at stake, we need systems designed for real risks rather than for early adopters.
There is no panacea: cryptographic keys will remain vulnerable to phishing, biometrics will leave their holders vulnerable to physical attacks, and humans will continue to be imperfect. But as we close out Cybersecurity Awareness Month, let’s remember who we’re building for. When we design for real people, not ideal users, our products can strengthen lives while protecting them against their weaknesses. Security is no longer a user issue; it is an industry problem.




