Decentralized Protocols Are Soft Targets for North Korean Hackers

North Korean hacking groups have been targeting crypto for years. The 2022 $625 million Ronin bridge exploit was an early wake-up call—but the threat has only evolved.

In 2025 alone, North Korean-affiliated attackers have been linked to a string of campaigns designed to siphon value from, and compromise key players in, Web3. They drained roughly $1.5 billion from Bybit by compromising the exchange's multisig signing workflow, so that its signers approved a transaction other than the one they believed they were signing, and a large share of the proceeds has already been laundered. They have launched malware attacks on MetaMask and Trust Wallet users, attempted to infiltrate exchanges through fake job applicants, and set up shell companies inside the U.S. to target crypto developers.

And while the headlines often focus on large-scale thefts, the reality is simpler—and more damning. The weakest layer of Web3 is not smart contracts, but humans.

Nation-state attackers no longer need to find zero-days in Solidity. They target the operational vulnerabilities of decentralized teams: poor key management, nonexistent onboarding processes, unvetted contributors pushing code from personal laptops, and treasury governance conducted via Discord polls. For all our industry’s talk of resilience and censorship resistance, many protocols remain soft targets for serious adversaries.

At Oak Security, where we’ve conducted over 600 audits across major ecosystems, we consistently see this gap: teams invest heavily in smart contract audits but ignore basic operational security (OPSEC). The result is predictable. Inadequate security processes lead to compromised contributor accounts, governance capture, and preventable losses.

The Smart Contract Illusion: Secure Code, Insecure Teams

For all the money and talent poured into smart contract security, most DeFi projects still fail the basics of operational security. The assumption seems to be that if the code has passed an audit, the protocol is safe. That belief is not just naive—it’s dangerous.

The reality is that smart contract exploits are no longer the preferred method of attack. It’s easier—and often more effective—to go after the people running the system. Many DeFi teams have no dedicated security leads, opting to manage enormous treasuries without anyone formally accountable for OPSEC. That alone should be cause for concern.

Crucially, OPSEC failures aren't limited to attacks by state-sponsored groups. In May 2025, Coinbase disclosed that overseas support agents, bribed by cybercriminals, had accessed customer data without authorization; the company estimated remediation and customer reimbursement costs of $180 to $400 million and turned down a $20 million extortion demand. Malicious actors made similar attempts on Binance and Kraken. These incidents weren't driven by coding errors; they were born of insider bribery and frontline human failures.

The vulnerabilities are systemic. Across the industry, contributors are commonly onboarded via Discord or Telegram, with no identity checks, no structured provisioning, and no verifiably secure devices. Code changes are often pushed from unvetted laptops, with little to no endpoint security or key management in place. Sensitive governance discussions unfold in unsecured tools like Google Docs and Notion, without audit trails, encryption, or proper access controls. And when something inevitably goes wrong, most teams have no response plan, no designated incident commander, and no structured communication protocol—just chaos.

This isn't decentralization. It's operational negligence. There are DAOs managing $500 million that would fail a basic OPSEC audit. There are treasuries guarded by nothing more than governance forums, Discord polls, and hastily assembled weekend multisigs: open invitations to bad actors. Until security is treated as a full-stack responsibility, from key management to contributor onboarding, Web3 will keep leaking value through its softest layers.

What DeFi Can Learn from TradFi Security Culture

TradFi institutions are frequent targets of North Korean hackers and other adversaries, and banks and payment companies lose millions to them each year. Yet it is rare to see a traditional financial institution collapse, or even pause operations, in the face of a cyberattack. These organizations operate on the assumption that attacks are inevitable. They build layered defenses that reduce the likelihood of a successful attack and limit the damage when one does land, driven by a culture of constant vigilance that DeFi still largely lacks.

In a bank, employees do not access trading systems from personal laptops. Devices are hardened and continuously monitored. Access controls and segregation of duties ensure that no single employee can unilaterally move funds or deploy production code. Onboarding and offboarding processes are structured; credentials are issued and revoked with care. And when something goes wrong, incident response is coordinated, practiced, and documented — not improvised in Discord.

Web3 needs to adopt similar maturity, but adapted to the realities of decentralized teams.

That starts with enforcing OPSEC playbooks from day one; running red-team exercises that test for phishing, infrastructure compromise, and governance capture, not just smart contract audits; and holding treasuries in multi-signature wallets whose signers each use their own hardware wallet, or in an institutional custody or treasury-management platform. Teams should vet contributors and perform background checks on anyone with access to production systems or treasury controls, even in teams that consider themselves fully ‘decentralized.’
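The controls the preceding two paragraphs describe (no single person can move funds, k-of-n approval by hardware-wallet signers, vetted access, a documented trail of who did what) can be enforced as an off-chain transfer policy that a treasury's signing workflow checks before anything is broadcast. The following is an added example written for this article; it is not Oak Security's tooling or any project's code, and every signer name, destination address, limit and timelock value in it is constructed.

```python
"""Treasury transfer policy engine (added example, not any project's code).

Enforces, before a transfer is broadcast: k-of-n approval by distinct
authorised signers, segregation of duties (a proposer may not approve their
own transfer), a destination allowlist, a timelock for transfers above a
per-transaction limit, and an append-only audit log. Names, addresses and
limits are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when a request would break the treasury policy."""


@dataclass(frozen=True)
class Policy:
    threshold: int        # approvals required (k of n)
    signers: frozenset    # the n authorised signers, each holding a hardware wallet
    allowlist: frozenset  # destinations permitted to receive funds
    per_tx_limit: int     # largest transfer allowed without a timelock
    timelock: int         # seconds a transfer above per_tx_limit must wait


@dataclass
class Transfer:
    tx_id: str
    proposer: str
    destination: str
    amount: int
    proposed_at: int
    approvals: dict = field(default_factory=dict)  # signer -> digest they approved


def transfer_digest(t: Transfer) -> str:
    """Digest of the exact parameters a signer approves.

    Computed from the transfer as verified on the hardware wallet screen, not
    from what a web front end rendered: a front end that shows one destination
    while submitting another yields a different digest and is rejected.
    """
    payload = json.dumps({"tx_id": t.tx_id, "to": t.destination, "amount": t.amount},
                         sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class TreasuryPolicyEngine:
    def __init__(self, policy: Policy):
        if not 1 <= policy.threshold <= len(policy.signers):
            raise ValueError("threshold must be between 1 and the number of signers")
        self.policy = policy
        self.pending: dict = {}
        self.audit_log: list = []  # append-only record of every decision

    def _record(self, event: str, **details) -> None:
        self.audit_log.append({"event": event, **details})

    def _fail(self, reason: str, **details):
        self._record("rejected", reason=reason, **details)
        raise PolicyViolation(reason)

    def propose(self, tx_id: str, proposer: str, destination: str, amount: int, now: int) -> str:
        """Register a transfer and return the digest signers must approve."""
        if proposer not in self.policy.signers:
            self._fail("proposer is not an authorised signer", tx_id=tx_id, who=proposer)
        if destination not in self.policy.allowlist:
            self._fail("destination is not on the allowlist", tx_id=tx_id, to=destination)
        if amount <= 0:
            self._fail("amount must be positive", tx_id=tx_id)
        if tx_id in self.pending:
            self._fail("duplicate transfer id", tx_id=tx_id)
        t = Transfer(tx_id, proposer, destination, amount, now)
        self.pending[tx_id] = t
        self._record("proposed", tx_id=tx_id, by=proposer, to=destination, amount=amount)
        return transfer_digest(t)

    def approve(self, tx_id: str, signer: str, digest: str) -> int:
        """Record one approval; returns the number of distinct approvals so far."""
        t = self.pending.get(tx_id)
        if t is None:
            self._fail("unknown transfer", tx_id=tx_id)
        if signer not in self.policy.signers:
            self._fail("signer is not authorised", tx_id=tx_id, who=signer)
        if signer == t.proposer:
            self._fail("proposer cannot approve their own transfer", tx_id=tx_id, who=signer)
        if digest != transfer_digest(t):
            self._fail("approved digest does not match the transfer", tx_id=tx_id, who=signer)
        t.approvals[signer] = digest  # a repeat approval by the same signer does not count twice
        self._record("approved", tx_id=tx_id, by=signer)
        return len(t.approvals)

    def execute(self, tx_id: str, now: int) -> dict:
        """Release the transfer once the threshold and any timelock are satisfied."""
        t = self.pending.get(tx_id)
        if t is None:
            self._fail("unknown transfer", tx_id=tx_id)
        if len(t.approvals) < self.policy.threshold:
            self._fail("insufficient approvals", tx_id=tx_id, have=len(t.approvals))
        if t.amount > self.policy.per_tx_limit and now - t.proposed_at < self.policy.timelock:
            self._fail("timelock has not elapsed for a large transfer", tx_id=tx_id)
        del self.pending[tx_id]
        self._record("executed", tx_id=tx_id, to=t.destination, amount=t.amount)
        return {"tx_id": tx_id, "to": t.destination, "amount": t.amount,
                "approvers": sorted(t.approvals)}
```

The digest check is the part that addresses the front-end-tampering failure mode: each signer approves the parameters they verified on their own device, so a compromised web UI that displays one transfer and submits another cannot collect valid approvals. The audit log is what an incident commander reads afterwards; it records every rejection as well as every approval, which is exactly the trail most DAO treasuries lack today.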

Some projects are starting to lead here, investing in structured security programs and enterprise-grade tooling for key management. Others leverage advanced Security Operations (SecOps) tooling and dedicated security consultants. But these practices remain the exception, not the norm.

Decentralization Is No Excuse for Negligence

It's time to confront the real reason many Web3 teams lag on operational security: it is genuinely difficult to implement in decentralized, globally distributed organizations. Budgets are tight, contributors are transient, and cultural resistance to cybersecurity principles, which are often misperceived as “centralization,” remains strong.

But decentralization is no excuse for negligence. Nation-state adversaries understand this ecosystem. They’re already inside the gates. And the global economy is increasingly reliant on on-chain infrastructure. Web3 platforms urgently need to employ and adhere to disciplined cybersecurity practices, or risk becoming a permanent funding stream for hackers and scammers seeking to undermine them.

Code alone will not defend us. Culture will.

Crypto Trading Firm Keyrock Buys Luxembourg’s Turing Capital in Asset Management Push

Crypto trading firm Keyrock said it’s expanding into asset and wealth management by acquiring Turing Capital, a Luxembourg-registered alternative investment fund manager.

The deal, announced on Tuesday, marks the launch of Keyrock’s Asset and Wealth Management division, a new business unit dedicated to institutional clients and private investors.

Keyrock, founded in Brussels, Belgium and best known for its work in market making, options and OTC trading, said it will fold Turing Capital’s investment strategies and Luxembourg fund management structure into its wider platform. The division will be led by Turing Capital co-founder Jorge Schnura, who joins Keyrock’s executive committee as president of the unit.

The company said the expansion will allow it to provide services across the full lifecycle of digital assets, from liquidity provision to long-term investment strategies. “In the near future, all assets will live onchain,” Schnura said, noting that the merger positions the group to capture opportunities as traditional financial products migrate to blockchain rails.

Keyrock has also applied for regulatory approval under the EU’s crypto framework MiCA through a filing with Liechtenstein’s financial regulator. If approved, the firm plans to offer portfolio management and advisory services, aiming to compete directly with traditional asset managers as well as crypto-native players.

“Today’s launch sets the stage for our longer-term ambition: bringing asset management on-chain in a way that truly meets institutional standards,” Keyrock CSO Juan David Mendieta said in a statement.

Read more: Stablecoin Payments Projected to Top $1T Annually by 2030, Market Maker Keyrock Says

Gemini Shares Slide 6%, Extending Post-IPO Slump to 24%

Gemini Space Station (GEMI), the crypto exchange founded by Cameron and Tyler Winklevoss, has seen its shares tumble by more than 20% since listing on the Nasdaq last Friday.

The stock is down around 6% on Tuesday, trading at $30.42, and has dropped nearly 24% over the past week. The sharp decline follows an initial surge after the company raised $425 million in its IPO, pricing shares at $28 and valuing the firm at $3.3 billion before trading began.

On its first day, GEMI spiked to $45.89 before closing at $32, a 14% premium to its offer price. But since hitting that high, shares have fallen nearly 34%, erasing most of the early enthusiasm from public market investors.

The broader crypto equity market has remained more stable. Coinbase (COIN), the largest U.S. crypto exchange, is flat over the past week. Robinhood (HOOD), which derives part of its revenue from crypto, is down 3%. Token issuer Circle (CRCL), on the other hand, is up 13% over the same period.

Part of the pressure on Gemini’s stock may stem from its financials. The company posted a $283 million net loss in the first half of 2025, following a $159 million loss in all of 2024. Despite raising fresh capital, the numbers suggest the business is still far from turning a profit.

Compass Point analyst Ed Engel noted that GEMI is currently trading at 26 times its annualized first-half revenue. That multiple — often used to gauge whether a stock is expensive — means investors are paying 26 dollars for every dollar the company is expected to generate in sales this year. For a loss-making company in a volatile sector, that’s a steep price, and could be fueling investor skepticism.
