Decentralized protocols are soft targets for North Korean hackers

North Korean hacking groups have been targeting crypto for years. The $625 million Ronin Bridge exploit in 2022 was an early wake-up call, but the threat has only evolved since.

In 2025 alone, North Korea-affiliated attackers have been linked to a string of campaigns designed to siphon value out of web3 and compromise its key players. They stole roughly $1.5 billion in assets from Bybit through a credential-theft campaign, with millions already laundered. They have launched malware attacks against MetaMask and Trust Wallet users, tried to infiltrate exchanges through fake job applicants, and set up shell companies in the United States to target crypto developers.

And while the headlines focus on the large thefts, the reality is simpler and more uncomfortable: the weakest layer of web3 is not smart contracts, but people.

Nation-state attackers no longer need to find zero-days in Solidity. They target the operational weaknesses of decentralized teams: poor key management, non-existent onboarding processes, unvetted contributors pushing code from personal laptops, and treasury decisions made through Discord polls. For all our industry's talk of resilience and censorship resistance, many protocols remain soft targets for serious adversaries.

At Oak Security, where we have completed more than 600 audits across the major ecosystems, we consistently see the same gap: teams invest heavily in smart contract audits but neglect basic operational security (OpSec). The result is predictable. Inadequate security processes lead to compromised contributor accounts, governance capture and preventable losses.

The Smart Contract Illusion: Secure Code, Insecure Operations

For all the money and talent poured into smart contract security, most DeFi projects still fail the basics of operational security. The assumption seems to be that if the code has passed an audit, the protocol is safe. That belief is not just naive, it is dangerous.

The reality is that smart contract exploitation is no longer the preferred method of attack. It is easier, and often more effective, to go after the people who run the system. Many DeFi teams have no dedicated security lead, choosing to control enormous treasuries with nobody formally responsible for OpSec. That alone should be cause for concern.

Crucially, OpSec failures are not limited to attacks by state-sponsored groups. In May 2025, Coinbase disclosed that overseas support agents, bribed by cybercriminals, had accessed customer data, triggering an estimated $180 to $400 million in remediation costs and a ransom demand. Malicious actors made similar attempts at Binance and Kraken. These incidents were not driven by coding errors; they were enabled by insider bribery and frontline human failures.

The vulnerabilities are systemic. Across the industry, contributors are often onboarded via Discord or Telegram, with no identity verification, no structured handover and no verifiably secure devices. Code changes are pushed from unmanaged laptops with little or no endpoint security or key control in place. Sensitive governance discussions take place in unsecured tools such as Google Docs and similar shared workspaces, without audit trails, encryption or proper access control. And when something inevitably goes wrong, most teams have no response plan, no designated incident commander and no structured communication protocol: just chaos.

This is not decentralization. It is operational negligence. There are DAOs managing $500 million that would fail a basic OpSec audit. There are treasuries "protected" by governance forum posts, Discord polls and multisigs left unattended over the weekend: open invitations to bad actors. Until security is treated as a full-time responsibility, from key management to contributor onboarding, web3 will continue to leak value through its softest layers.

What DeFi can learn from TradFi security culture

TradFi institutions are frequent targets of North Korean hackers and others, and as a result banks and payment companies lose millions every year. Yet it is rare to see a traditional financial institution collapse, or even halt operations, in the face of a cyberattack. These organizations operate on the assumption that attacks are inevitable. They design layered defenses that reduce the likelihood of a breach and minimize the damage when one occurs, driven by a culture of constant vigilance that DeFi still largely lacks.

In a bank, employees do not access trading systems from personal laptops. Devices are hardened and monitored continuously. Access controls and separation of duties ensure that no single employee can unilaterally move funds or deploy production code. Onboarding and offboarding are structured processes; credentials are issued and revoked with care. And when something goes wrong, incident response is coordinated, rehearsed and documented, not improvised in Discord.

Web3 has to adopt a similar maturity, adapted to the realities of decentralized teams.

It starts with enforcing OpSec playbooks from day one; running red-team simulations that test for phishing, infrastructure compromise and governance capture, not only smart contract audits; and using multi-signature wallets backed by individual hardware wallets or equivalent secure signing devices. Teams must vet contributors and run background checks on anyone with access to production systems or treasury controls, even in teams that consider themselves fully "decentralized".
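The bank's rule that no single employee can unilaterally move funds, and the hardware-backed multisig recommended above, come down to a policy that can be checked mechanically rather than by Discord consensus. As an added illustration (not Oak Security's code, and not any protocol's actual signing logic), here is a small Go model of such a treasury policy: an M-of-N threshold over a signer registry, hardware-backed keys only, the proposer barred from approving their own transfer, repeated approvals from one signer counted once, and every approval verified as an Ed25519 signature over a canonical transfer digest. The signer names, the HardwareBacked registry flag and the transfer format are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Signer is an entry in the treasury's signer registry. HardwareBacked is an
// assumed attribute set at onboarding; this example trusts the flag, it does not attest it.
type Signer struct {
	Pub            ed25519.PublicKey
	HardwareBacked bool
}

// Transfer is a proposed treasury operation; Proposer is recorded so the drafter cannot also approve.
type Transfer struct {
	Nonce    uint64
	To       string
	Amount   uint64
	Proposer string
}

// Digest canonicalises the transfer (%q quotes strings so fields cannot run together).
func (t Transfer) Digest() []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%q|%d|%q", t.Nonce, t.To, t.Amount, t.Proposer)))
	return sum[:]
}

type Approval struct {
	Signer string
	Sig    []byte
}

// Policy is an M-of-N rule over the registry.
type Policy struct {
	Threshold int
	Signers   map[string]Signer
}

var (
	ErrUnknownSigner  = errors.New("approval from a signer not in the registry")
	ErrSoftwareKey    = errors.New("signer key is not hardware-backed")
	ErrProposerSigned = errors.New("proposer may not approve their own transfer")
	ErrBadSignature   = errors.New("signature does not verify over the transfer digest")
	ErrThreshold      = errors.New("insufficient distinct approvals")
)

// Authorize returns nil only if enough distinct, hardware-backed, non-proposer signers validly signed.
func (p Policy) Authorize(t Transfer, approvals []Approval) error {
	digest := t.Digest()
	seen := make(map[string]bool) // the same signer approving twice still counts once
	for _, a := range approvals {
		s, ok := p.Signers[a.Signer]
		switch {
		case !ok:
			return fmt.Errorf("%s: %w", a.Signer, ErrUnknownSigner)
		case !s.HardwareBacked:
			return fmt.Errorf("%s: %w", a.Signer, ErrSoftwareKey)
		case a.Signer == t.Proposer:
			return fmt.Errorf("%s: %w", a.Signer, ErrProposerSigned)
		case !ed25519.Verify(s.Pub, digest, a.Sig):
			return fmt.Errorf("%s: %w", a.Signer, ErrBadSignature)
		}
		seen[a.Signer] = true
	}
	if len(seen) < p.Threshold {
		return fmt.Errorf("%d of %d: %w", len(seen), p.Threshold, ErrThreshold)
	}
	return nil
}

// RunScenarios builds a constructed 2-of-3 treasury (alice, bob, carol on hardware
// keys; dave registered with a software key). Keys are generated fresh, so it runs offline.
func RunScenarios() map[string]error {
	priv := map[string]ed25519.PrivateKey{}
	reg := map[string]Signer{}
	for _, n := range []string{"alice", "bob", "carol", "dave"} {
		pub, pk, _ := ed25519.GenerateKey(rand.Reader)
		priv[n] = pk
		reg[n] = Signer{Pub: pub, HardwareBacked: n != "dave"}
	}
	policy := Policy{Threshold: 2, Signers: reg}
	tx := Transfer{Nonce: 7, To: "0xgrants-recipient", Amount: 250_000, Proposer: "alice"}
	sign := func(name string, t Transfer) Approval {
		return Approval{Signer: name, Sig: ed25519.Sign(priv[name], t.Digest())}
	}
	tampered := tx
	tampered.Amount = 2_500_000 // amount edited after the signatures were collected
	return map[string]error{
		"valid":             policy.Authorize(tx, []Approval{sign("bob", tx), sign("carol", tx)}),
		"proposer_approves": policy.Authorize(tx, []Approval{sign("alice", tx), sign("bob", tx)}),
		"duplicate":         policy.Authorize(tx, []Approval{sign("bob", tx), sign("bob", tx)}),
		"software_key":      policy.Authorize(tx, []Approval{sign("dave", tx), sign("bob", tx)}),
		"tampered":          policy.Authorize(tampered, []Approval{sign("bob", tx), sign("carol", tx)}),
		"one_approval":      policy.Authorize(tx, []Approval{sign("bob", tx)}),
	}
}
```

The point of the model is where the checks live: identity (is this key in the registry, and was it provisioned on hardware), separation of duties (the proposer never counts), and integrity (the signature covers the exact transfer, so editing the amount after approvals were gathered fails) are all enforced before the threshold is even counted. A real deployment would additionally attest the signing device and bind approvals to a chain and contract address, which this example omits.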

Some projects are starting to lead here, investing in structured security programs and enterprise-grade key management tooling. Others bring in advanced security operations (SecOps) tooling and dedicated security consultants. But this practice is still the exception, not the norm.

Decentralization is no excuse for negligence

It's time to confront the real reason many web3 teams delay operational security: it is hard to implement in decentralized, globally distributed organizations. Budgets are tight, contributors are short-lived, and cultural resistance to cybersecurity principles, often misread as "centralization", remains strong.

But decentralization is no excuse for negligence. Nation-state adversaries understand this ecosystem. They are already inside the gates. And the global economy is increasingly dependent on on-chain infrastructure. Web3 platforms urgently need to adopt and adhere to disciplined cybersecurity practices, or risk becoming a permanent funding stream for the hackers and scammers seeking to undermine them.

Code alone will not defend us. Culture will.
