Decentralized Systems Inviting Cyber Attacks from North Korean Hackers

Exploring the vulnerabilities in Web3 as North Korean hackers exploit decentralized networks, emphasizing the need for better operational security.

North Korean hacker groups have targeted cryptocurrencies for several years. The exploit of the Ronin bridge in 2022, which resulted in a $625 million loss, served as an alarm—and the situation has since progressed further.

In 2025, attackers linked to North Korea have been associated with multiple operations aimed at stealing value and compromising critical Web3 players. For instance, they attempted to obtain $1.5 billion in assets from Bybit via credential harvesting, with a significant amount already laundered. Other actions include malware attacks on MetaMask and Trust Wallet users, infiltration attempts through fake job applicants, and the establishment of shell companies in the United States to attack crypto developers.

While headlines often focus on substantial thefts, the reality points to a grimmer truth: the most vulnerable aspect of Web3 is its users. Attackers no longer target code vulnerabilities but instead exploit operational weaknesses within decentralized teams. These weaknesses include poor key management, the absence of onboarding processes, and unvetted contributors making changes from personal devices, coupled with governance decisions made on informal platforms such as Discord polls.

At Oak Security, which has completed over 600 audits across major ecosystems, we repeatedly identify the same security gap: teams focus extensively on smart contract audits while overlooking essential operational security (OPSEC). This oversight results in compromised contributor accounts, governance disruptions, and preventable financial losses.

The Smart Contract Misconception: Secure Code, Unsafe Teams

Despite large investments in smart contract security, many DeFi initiatives neglect the basics of operational security. The prevalent belief is that passing an audit guarantees protocol safety. This assumption is not just naive; it poses significant risks.

Smart contract exploits are no longer the prime attack method, as it has become easier and often more impactful to target the people behind the systems. Many DeFi projects lack dedicated security leads, managing vast treasuries without formal OPSEC accountability. This reality alone is concerning.

Incidents of OPSEC failures extend beyond state-sponsored attacks. For instance, in May 2025, Coinbase revealed that an overseas agent—bribed by cybercriminals—illegally accessed customer information, leading to potential remediation costs of between $180 million and $400 million. Binance and Kraken faced similar attempts. These breaches stem from insider bribery and general human shortcomings rather than programming mistakes.

Across the industry, onboarding processes commonly take place via Discord or Telegram without proper identity verification, structured onboarding, or secure device usage. Code modifications often originate from unverified laptops, with minimal endpoint security and key management. Sensitive governance discussions happen on unsecured platforms lacking audit trails, encryption, or appropriate access controls. When crises arise, many teams lack response strategies, designated incident managers, and organized communication—resulting in chaos.

This absence of security culture is operational negligence masquerading as decentralization. DAOs managing considerable funds could fail a rudimentary OPSEC audit due to reliance on insecure governance practices.

Learning from Traditional Finance Security Practices

Traditional financial institutions regularly face attacks from North Korean hackers, costing banks and payment companies millions annually. Yet these organizations rarely collapse or halt operations following a cyberattack, as they acknowledge that such breaches are inevitable. They employ multilayered defenses to lessen the chances of attacks and mitigate damage during incidents, rooted in a culture of vigilance that DeFi lacks.

In banks, employees don’t access financial systems from personal devices. Systems are secured and monitored continuously. Access controls and segregation of roles prevent any single employee from moving funds or deploying production systems independently. Processes for onboarding and offboarding are methodical, and credential management is handled with care. When problems occur, incident responses are coordinated and documented, not left to chance on Discord.

Web3 must adopt a similar level of security maturity, tailored to the realities faced by decentralized teams. This begins with enforcing OPSEC protocols from day one—conducting red-team simulations to test phishing resistance, infrastructure integrity, and governance integrity—rather than focusing only on smart contract audits. Multi-signature wallets should be used alongside individual hardware wallets for treasury management. Contributor backgrounds should be vetted before they gain access to production systems or treasury governance, even within teams that consider themselves entirely decentralized.

Some projects are starting to make strides here by investing in structured security programs and high-caliber tools for key management, while others utilize advanced Security Operations (SecOps) tools and specialists. However, these practices remain exceptions rather than the industry standard.

Decentralization Is Not an Excuse for Carelessness

It’s crucial to confront the fundamental reason many Web3 initiatives lag in operational security: it is challenging to implement in decentralized, globally distributed organizations. Resources are limited, contributors are often transient, and there’s a strong cultural resistance to cybersecurity protocols, which are often mislabeled as promoting centralization.

Nonetheless, decentralization cannot justify negligence. Adversaries are already capitalizing on these vulnerabilities. As the global economy increasingly relies on on-chain infrastructures, Web3 organizations must rigorously adopt and maintain disciplined cybersecurity practices, or risk becoming ongoing funding sources for hackers and scammers.

Code alone cannot protect us. Culture is the true defender.
