Web3 Must Improve Operational Security Amid Rising Cyber Threats, Warns Oak Security Expert

As the threat of cyberattacks intensifies, particularly in the wake of North Korea’s notorious “ClickFake” campaign, security experts are urging Web3 teams to step up their game. They argue that the greatest vulnerability in the blockchain-based evolution of the internet isn’t the smart contracts that underpin the technology, but rather the people using them.

Jan Philipp Fritsche, Managing Director at Oak Security, has been particularly vocal on this issue. In a note to crypto.news, he stated that a significant number of blockchain projects fail to meet even the most basic operational security standards. Fritsche, a former analyst for the European Central Bank who now advises and audits protocols, asserts that the primary risk lies in how teams manage devices, permissions, and production access.

“The ClickFake campaign has demonstrated just how susceptible teams can be,” Fritsche stated. “Web3 projects must accept the reality that their employees are likely exposed to cyber threats outside of their work environment.”

The North Korean campaign, led by the infamous Lazarus Group, targeted cryptocurrency professionals through a cyber scheme known as the “ClickFake Interview.” The group masqueraded as recruiters on LinkedIn and X, luring unsuspecting victims into fabricated interviews where they introduced malware.

Named “ClickFix,” the malware enabled attackers to gain remote access and pilfer sensitive data, including crypto wallet credentials. Researchers found that Lazarus used realistic documents and thorough interview conversations to make the deception more credible.

Significantly, most Decentralized Autonomous Organizations (DAOs) and fledgling teams continue to use personal devices for both development and communication, such as Discord chats. This practice leaves them highly susceptible to attacks from nation-state-level cybercriminals. Unlike traditional enterprises, many DAOs lack the capability to enforce security standards.

“Enforcing security hygiene is virtually impossible,” Fritsche stated. “Too many teams, particularly the smaller ones, choose to overlook this fact and optimistically hope for the best.”

Even the assumption that a device is clean may be erroneous, according to Fritsche. For high-value projects, this implies that developers should never have the exclusive ability to push changes to production.

“Company-issued devices with limited privileges are a good starting point,” Fritsche said. “However, safeguards are also necessary—no single user should possess that kind of control.”

Drawing from the traditional finance sector, Fritsche highlights that every risk should be considered real until evidence suggests otherwise.

“In TradFi, you need a keycard just to check your inbox,” Fritsche said. “There’s a reason that standard exists. It’s high time Web3 caught up.”

As the new frontier of Web3 continues to evolve, these warnings should serve as a stark reminder that along with the exciting potential of this technology comes a new battleground for cyber threats.