Decentralized Protocols Are Soft Targets for North Korean Hackers

North Korea's hacking groups have been targeting crypto for years. The $625 million exploitation of the Ronin Bridge in 2022 was an early wake-up call, but the threat has only grown since.
In 2025 alone, North Korea-linked actors have been tied to a string of campaigns designed to siphon value from, and compromise, major players in web3: they stole $1.5 billion in assets from Bybit through credential-harvesting campaigns, with millions already laundered; they launched malware attacks on MetaMask and Trust Wallet users; they attempted to infiltrate exchanges using fake job applicants; and they set up shell companies within the US to target crypto developers.
And while the headlines tend to focus on the large heists, the truth is simpler, and more perilous: web3's weakest layer is not smart contracts, but people.
Nation-states do not need to hunt for zero-days. They target the weaknesses in how decentralized teams are run: poor key management, no onboarding processes, unvetted contributors pushing code from personal laptops, and treasury management conducted through Discord polls. For all our industry's talk of resilience and censorship resistance, many protocols remain soft targets for serious adversaries.
At Oak Security, where we have conducted more than 600 audits across major ecosystems, we see this pattern constantly: teams invest in smart contract audits but ignore basic operational security (OPSEC). The result is predictable. Insufficient security processes lead to compromised contributor accounts, compromised governance, and avoidable losses.
The Smart Contract Illusion: Secure Code, Insecure Teams
For all the money and talent poured into smart contract security, most DeFi projects still fail the basics of operational security. The assumption seems to be that if the code passes an audit, the protocol is safe. That belief is not just naive; it is dangerous.
The fact is that smart contract exploitation is no longer the preferred attack method. It is easier, and often more effective, to go after the people who run the system. Many DeFi teams have no security lead, electing to manage enormous wealth without anyone formally responsible for OPSEC. That alone should cause concern.
Crucially, OPSEC failures are not limited to attacks by state-sponsored groups. In May 2025, Coinbase revealed that an overseas support agent, bribed by cybercriminals, had accessed customer data, prompting $180-$400 million in remediation costs and a ransom standoff. Malicious actors have made similar attempts at Binance and Kraken. These incidents were not driven by coding errors; they stem from insider bribery and frontline human failure.
The weaknesses are systemic. Across the industry, contributors are typically onboarded through Discord or Telegram, with no identity checks, no structured access provisioning, and no dedicated devices. Code changes are often pushed from unhardened laptops, with little in the way of endpoint security or key management in place. Sensitive governance discussions take place in insecure tools such as Google Docs and Notion, without audit trails or proper access controls. And when something inevitably goes wrong, most teams have no response plan, no designated incident commander, and no structured communication protocol, just chaos.
This is not decentralization. This is operational negligence. There are DAOs in charge of $500 million that would fail a basic OPSEC audit. There are treasuries guarded by governance forums, contentious polls, and weekend multisigs, open invitations for malicious actors. Until security is treated as a whole-stack responsibility, from key management to contributor onboarding, web3 will keep leaking value through its softest layers.
What DeFi Can Learn from TradFi's Security Culture
TradFi institutions are frequent targets of attacks from North Korean hackers and others, and as a result banks and payment companies lose millions every year. But it is rare to see a traditional financial institution collapse, or even pause operations, in the face of a cyberattack. These organizations operate on the assumption that attacks are inevitable. They have designed layered defenses that reduce the likelihood of attacks and limit the damage when exploits do occur, driven by a culture of continuous monitoring that DeFi largely lacks.
In a bank, employees do not access trading systems from personal laptops. Devices are hardened and continuously monitored. Access controls and separation of duties ensure that no single employee can unilaterally move funds or deploy production code. Onboarding and offboarding processes are structured; credentials are issued and revoked with care. And when something goes wrong, incident response is planned, rehearsed, and documented, not improvised in Discord.
Web3 needs to adopt a similar maturity, adapted to the realities of decentralized teams.
It starts with implementing OPSEC playbooks from day one, running red-team simulations that test for phishing, infrastructure compromise, and governance attacks, not just smart contract audits, and using multi-signature wallets backed by individual hardware wallets or custody solutions. Teams should vet contributors and conduct background checks on anyone with access to production systems or treasury controls, even on teams that consider themselves fully 'decentralized.'
Some projects are starting to lead here, investing in structured security programs and enterprise-grade tooling for key management. Others use advanced security operations (SecOps) tooling and dedicated security consultants. But these practices remain the exception, not the norm.
Decentralization Is No Excuse for Negligence
It is time to address the real reason so many web3 teams fall short on operational security: it is hard to implement in decentralized, globally distributed organizations. Budgets are tight, contributors are transient, and cultural resistance to cybersecurity principles, which are often mistaken for "centralization," remains strong.
But decentralization is no excuse for negligence. Nation-state adversaries understand this ecosystem. They are already inside the gates. And the global economy increasingly relies on on-chain infrastructure. Web3 platforms urgently need to adopt and adhere to cybersecurity practices, or risk becoming a permanent funding stream for the hackers and scammers seeking to break them.
Code alone will not defend us. Culture will.