The crypto industry must evolve to match real world security risks

Your keys, your coins.

It’s one of the fundamental promises of bitcoin and other cryptocurrencies, removing the middlemen that stand between you and your money. But the phrase also contains a latent assumption that Web3 companies would be wise to move on from: that any security problems are the owner’s problem, not theirs. That thinking may have worked when crypto was experimental. It doesn’t work when trillions of dollars and millions of people are involved.

The design space for crypto has expanded tremendously since Bitcoin was created over 15 years ago. There are apps and protocols, cryptocurrency exchanges, stablecoins, and dozens of token standards that all connect to each other. It’s not just decentralized money anymore, it’s a trillion dollar ecosystem. The security risks have become more complicated and the stakes have become higher. Individual responsibility still has a role to play, yes, but Web3 designers shouldn’t place the majority of the security burden on users.

To succeed as a mainstream technology, the crypto industry must evolve to match real-world security risks—social engineering, human error, and physical coercion—without compromising other core values such as anonymity and pseudonymity.

What the numbers tell us

Decades of personal computing have given us plenty of data about people’s cyber hygiene. In short: it’s not perfect.

Education campaigns like Cybersecurity Awareness Month, going on right now, help, but threats like phishing, fake QR codes and malware remain reliably effective. They do not disappear. In fact, they are evolving faster than our defenses.

According to data compiled by CoinLaw, crypto phishing attacks are on the rise, increasing by 40% in early 2025 and leading to user losses worth $410 million. Some more bad news: AI-powered deepfakes exacerbate the problem; they increased by over 450% between mid-2024 and mid-2025, according to CoinLaw’s data.

Even more alarming: the rise in violent crypto-related attacks, as organized crime groups physically force high-net-worth holders to give up their keys and credentials. According to blockchain tracking firm Chainalysis, there were over 30 reported “wrench attacks” (physical coercion of holders) in 2024, and 2025 is on track to double that amount.

In short, security issues are not anomalies. They are predictable.

We don’t shrug off earthquakes in San Francisco or Japan; we build earthquake-resistant buildings. The same logic should apply to crypto security.

What needs to be changed

The good news: a lot of work is being done in the Web3 space to make products, and therefore users, safer.

Just look at wallets. Security concerns have historically made the wallet user experience terrible, but things are improving thanks to innovations like wallets that split signing authority across several keys (multisig and threshold schemes), delegation, and multi-wallet accounts. However, in my experience, it remains difficult to balance usability and security.
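The “split keys” idea above is worth seeing concretely. The following is an added example, not code from the article or from any wallet product: a minimal Shamir secret sharing of a 32-byte key over the prime field GF(2^521 − 1), where any `threshold` of `n` shares recovers the key and fewer shares reveal nothing. The sample key is a constructed constant, not a real secret.

```python
import secrets

# Mersenne prime 2^521 - 1: larger than any 256-bit key, so the secret fits in the field.
PRIME = 2**521 - 1

# Constructed sample key for the demo; never hard-code a real key.
SAMPLE_KEY = bytes(range(32))


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with the given coefficients at x (Horner's rule, mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, n: int):
    """Split `secret` into n shares; any `threshold` of them reconstruct it."""
    s = int.from_bytes(secret, "big")
    if not (1 <= threshold <= n) or s >= PRIME:
        raise ValueError("bad threshold/share count or secret too large for the field")
    # Constant term is the secret; the remaining threshold-1 coefficients are random.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, length: int = 32) -> bytes:
    """Lagrange-interpolate the shares at x = 0 to recover the constant term.

    Shamir sharing has no built-in integrity: too few or mismatched shares
    yield a random field element, not an error. Callers must verify the
    result (e.g. derive the public key and compare) before trusting it.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    # Widen the output if the recovered value does not fit, so a wrong
    # reconstruction compares unequal instead of raising OverflowError.
    width = max(length, (total.bit_length() + 7) // 8)
    return total.to_bytes(width, "big")


def demo(threshold: int = 2, n: int = 3) -> bool:
    """Return True if every threshold-sized subset recovers SAMPLE_KEY and a single share does not."""
    shares = split_secret(SAMPLE_KEY, threshold, n)
    full = all(
        recover_secret([shares[i], shares[j]]) == SAMPLE_KEY
        for i in range(n) for j in range(i + 1, n)
    )
    partial_leaks = recover_secret(shares[:1]) == SAMPLE_KEY
    return full and not partial_leaks


if __name__ == "__main__":
    print("2-of-3 recovery works, 1 share leaks nothing:", demo())
```

In a real wallet the shares would live on different devices or with different custodians, so a phished laptop or a coerced individual holds one share, not the key; the interpolation is deliberately run only when a quorum is assembled.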

So how do we make users safer?

First, we need to take security incidents as feedback. Every breach tells us something about design, not just behavior. Take a stolen password. One answer could be: “It’s the user’s fault for being phished; they shouldn’t fall for it.” Maybe that’s true, maybe it’s not. But what is certainly true is that when it happens millions of times a year across your customer base, it’s an indication that your system isn’t designed for actual people. Adjust accordingly.

Second, we need to incorporate successful examples from the non-web3 space.

Consider the issue of authentication. A cryptographic key is an effective credential, but a valid signature only proves possession of the key, not that the person holding it is the legitimate owner. That’s why the wider internet long ago adopted layers like multi-factor authentication and behavioral signals, and more recently proof-of-human checks — methods that protect people automatically without relying on constant vigilance. Crypto can and should follow this trail.

Finally, we need to recognize that security risks are no longer limited to social engineering tricks.

Cryptocurrency executives and deep-pocketed holders have been hit by a rash of physical assaults, with thieves seeking to gain access not through brute-force decryption, but through plain old brute force. If we design systems that do not account for the possibility of physical coercion, we are not doing our job as designers of those systems. The attack vectors will evolve and we will have to evolve as well.
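The two points above, layering a second factor on top of the key and designing for coercion, can be combined in a wallet’s spending policy. The following is an added example, not code from the article or from any wallet: a tiered authorization policy in which a valid key signature alone covers small amounts, a TOTP second factor (RFC 6238, HMAC-SHA1) is required above that, and large transfers are queued behind a cooling-off delay during which the owner can cancel. The limits, the 24-hour delay, the “cancel window” design and the sample secret are assumptions for the demo; the key-signature check is represented by a boolean because signature verification is not the point here.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Assumed policy parameters (in whatever unit the wallet prices transfers in).
SMALL_LIMIT = 100          # key signature alone is enough
LARGE_LIMIT = 10_000       # above this, the transfer is delayed and cancellable
DELAY_SECONDS = 24 * 3600  # assumed cooling-off window for large transfers

APPROVED, QUEUED, EXECUTED, CANCELLED = "approved", "queued", "executed", "cancelled"
DENIED_SIGNATURE, DENIED_FACTOR = "denied: bad signature", "denied: second factor failed"
NOT_YET, UNKNOWN = "not yet executable", "unknown transaction"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Wallet:
    totp_secret: bytes
    pending: dict = field(default_factory=dict)  # tx_id -> earliest execution time


def _second_factor_ok(wallet: Wallet, code: str, now: int) -> bool:
    # Accept the current step and one step either side to tolerate clock skew.
    return any(hmac.compare_digest(code, totp(wallet.totp_secret, now + d)) for d in (-30, 0, 30))


def authorize(wallet: Wallet, amount: int, key_sig_ok: bool, totp_code: str, now: int, tx_id: str) -> str:
    """Apply the tiered policy: key -> key + TOTP -> key + TOTP + delay."""
    if not key_sig_ok:
        return DENIED_SIGNATURE
    if amount <= SMALL_LIMIT:
        return APPROVED
    if not _second_factor_ok(wallet, totp_code, now):
        return DENIED_FACTOR
    if amount <= LARGE_LIMIT:
        return APPROVED
    # Large transfer: queue it. An attacker who coerced the owner into signing
    # and providing a code still has to wait, and the owner can cancel meanwhile.
    wallet.pending[tx_id] = now + DELAY_SECONDS
    return QUEUED


def cancel(wallet: Wallet, tx_id: str) -> str:
    """Owner (or a designated guardian) cancels a queued transfer during the delay."""
    return CANCELLED if wallet.pending.pop(tx_id, None) is not None else UNKNOWN


def execute_pending(wallet: Wallet, tx_id: str, now: int) -> str:
    """Release a queued transfer only once its delay has elapsed."""
    execute_after = wallet.pending.get(tx_id)
    if execute_after is None:
        return UNKNOWN
    if now < execute_after:
        return NOT_YET
    del wallet.pending[tx_id]
    return EXECUTED


if __name__ == "__main__":
    w = Wallet(totp_secret=b"constructed-demo-secret")  # constructed, not a real secret
    t = 1_700_000_000
    print(authorize(w, 50, True, "", t, "tx1"))                            # approved
    print(authorize(w, 500, True, "000000", t, "tx2"))                     # denied: second factor failed
    print(authorize(w, 50_000, True, totp(w.totp_secret, t), t, "tx3"))    # queued
    print(execute_pending(w, "tx3", t + 3600))                             # not yet executable
    print(cancel(w, "tx3"))                                                # cancelled
```

The delay is what changes the economics of coercion: the value of forcing a signature out of someone drops sharply when the transfer cannot complete until a window has passed in which a guardian key, a co-signer, or the owner on a different device can cancel it.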

What’s next

Crypto’s robust ethos of individual responsibility made sense when it was an experiment. But now that trillions in assets—and human livelihoods—are at stake, we need systems designed for real-world risk rather than early adopters.

There are no silver bullet solutions: cryptographic keys will remain vulnerable to phishing, biometrics will make holders vulnerable to physical attacks, and humans will continue to be imperfect. But as we close out Cybersecurity Awareness Month, let’s remember who we’re building for. When we design for real people, not ideal users, our products can empower lives while protecting against their weaknesses. Security is no longer a user concern; it is an industry problem.
