Web3 Security: Why People Are the Weakest Link
Jan Philipp Fritsche, Managing Director at Oak Security, warns that Web3 projects are overlooking basic operational security. As state-sponsored threats increase, this oversight becomes more hazardous.
North Korea’s “ClickFake” campaign highlights the issue. The Lazarus Group poses as recruiters on platforms like LinkedIn and X, luring crypto professionals into fake interviews. They use malware called “ClickFix” to gain remote access and steal sensitive data, such as crypto wallet credentials.
Fritsche explains that the real risk lies in how teams manage devices, permissions, and production access. “Web3 projects must assume employees face cyber threats outside work,” he says. Many DAOs and early-stage teams use personal devices for development and communication, leaving them vulnerable to nation-state-level attacks.
Unlike conventional enterprises, many DAOs lack enforced security standards. “There’s no way to ensure security hygiene,” Fritsche notes. He advises using company-issued devices with limited privileges and implementing fail-safes. “No single user should have unilateral control over production changes.”
Learning from traditional finance, Fritsche stresses assuming every risk is real. “In TradFi, you need a keycard just to check your inbox. Web3 needs to catch up,” he concludes.