The Human Factor: Why Web3's Biggest Threat in 2026 Isn't Bad Code — It's People
The industry spent years hardening smart contracts. Attackers noticed — and pivoted.
In 2025, social engineering accounted for 55.3% of crypto exploit losses — $1.39 billion out of $2.53 billion in protocol exploits alone (Sentora). The broader haul from all crypto theft surpassed $3.4 billion through the first three quarters of 2025 (Chainalysis), but the defining trend wasn't a novel on-chain exploit or a zero-day in a VM. It was phishing. Impersonation. Fake job offers. Bribed insiders. The oldest tricks in the book, retooled for Web3.
If your security strategy starts and ends with a smart contract audit, you're defending the wrong perimeter.
The Bybit Hack: ~$1.4 Billion Lost to a Compromised Laptop
On February 21, 2025, North Korea's Lazarus Group executed the largest single theft in crypto history — over 400,000 ETH (~$1.4 billion) from Bybit's cold wallet.
They didn't find a bug in the smart contract. They compromised a Safe{Wallet} developer's macOS machine, likely through social engineering, as early as February 4. From there, they injected targeted malicious JavaScript into Safe's AWS-hosted UI — code designed to activate only for Bybit's specific contract address. The malicious payload spoofed the transaction display, making a routine multisig signing appear legitimate while redirecting funds to attacker-controlled wallets. A detailed technical analysis by NCC Group confirmed the attack chain.
Two minutes after execution, the malicious code was scrubbed. The FBI formally attributed the attack to Lazarus.
The takeaway: The contract was fine. The wallet infrastructure was fine. A single developer's laptop was the entry point to a ~$1.4 billion loss.
Nation-State Social Engineering: DPRK's Web3 Playbook
Lazarus didn't stop at Bybit. North Korean threat actors ran multiple social engineering campaigns targeting the Web3 ecosystem throughout 2024-2025:
Radiant Capital (~$50M, October 2024): A DPRK-linked actor impersonated a former Radiant contractor on Telegram, sending a malware-laced zip file disguised as a PDF. The INLETDRIFT malware compromised developer machines and manipulated what signers saw in Gnosis Safe: the screen displayed legitimate transaction data while the signers' hardware wallets signed malicious transactions. Mandiant attributed the attack to UNC4736 (Citrine Sleet).
Operation 99 (January 2025): SecurityScorecard uncovered a campaign where Lazarus operatives posed as recruiters on LinkedIn, targeting Web3 developers with fake job opportunities. Victims were directed to clone malicious GitLab repositories embedded with command-and-control malware. The campaign hit developers across multiple countries.
The "Veltrix Capital" Campaign (April 2025+): DPRK actors registered fake U.S. shell companies — including "Veltrix Capital," complete with a polished website, team bios, and social media presence — as a front to recruit and compromise Web3 developers through malware-laced coding challenges.
The pattern is consistent: identify individuals with access, build trust through impersonation, deliver malware through routine-looking interactions. No exploits required.
AI Is Making Social Engineering Devastatingly Effective
Generative AI has fundamentally changed the economics of social engineering. TRM Labs reported a 456% increase in gen-AI-enabled scam reports between May 2024 and April 2025 compared to the prior year.
The tools are alarmingly accessible:
- Voice cloning now requires as little as 3 seconds of audio to produce an 85%-accurate replica of a target's voice (McAfee Labs). Deepfake-enabled voice impersonation is fueling executive fraud — an attacker doesn't need to hack your multisig if they can convince your CFO to approve a transfer.
- AI-generated phishing is increasingly indistinguishable from legitimate communication. Gone are the broken-English scam emails. Today's phishing campaigns are grammatically perfect, contextually aware, and personalized at scale.
- Deepfake video has matured to the point where real-time impersonation in video calls is feasible. When a protocol's team lead joins a Zoom call to authorize an emergency action, how do you verify it's actually them?
For Web3 specifically, this means the social layer around protocol operations — Discord governance discussions, Telegram group chats, video calls between team members — is now an active attack surface.
The Insider Threat: Coinbase's $307 Million Lesson
Not every social engineering attack comes from outside the organization.
Beginning as early as September 2024, threat actors bribed overseas customer support agents — contractors at TaskUs in India — paying $200 per photographed record to exfiltrate customer data. One agent, later arrested in January 2025, was photographing up to 200 records per day. The breach affected 69,461 customers and wasn't publicly disclosed until May 2025.
The attackers demanded a $20 million ransom. Coinbase refused. The total cost: $307 million in Q2 2025 alone.
The Coinbase breach is a reminder that social engineering doesn't always mean tricking someone — sometimes it means buying them. Any organization with customer-facing staff, especially outsourced contractors with access to sensitive data, carries this risk.
Supply Chain Poisoning: When Your Dependencies Turn Against You
In September 2025, CISA issued an alert for one of the most significant supply chain attacks in npm history. Attackers phished maintainer accounts to compromise 18 widely-used packages — including chalk and debug — with a combined 2.6 billion weekly downloads.
The injected code specifically targeted cryptocurrency wallet transactions across Ethereum, Bitcoin, Solana, and Tron. The malicious versions were live for roughly two hours before detection and removal. Days later, a self-replicating worm dubbed "Shai-Hulud" emerged, ultimately compromising over 500 additional packages through automated propagation.
For Web3 teams, the implications are severe. Your smart contract may be flawless, but if a compromised dependency in your frontend or deployment pipeline intercepts transactions or leaks private keys, the outcome is the same.
DNS Hijacking: Stealing Users Without Touching the Protocol
A string of DNS hijacks in 2025 demonstrated that you don't need to compromise a protocol to steal from its users — you just need to compromise where they access it:
- Curve Finance (May 2025): Attackers compromised Curve's domain registrar (iwantmyname), redirecting curve.fi to a phishing site. Curve subsequently migrated to curve.finance.
- Aerodrome Finance (November 2025): Base's largest DEX had its .box and .finance domains hijacked via an insider threat at the NameSilo registrar. Users were prompted to sign a single innocuous-looking transaction. Over $1 million was drained within an hour.
- Arrakis Finance (January 2025): DNS records were manipulated to redirect users across Ethereum, Arbitrum, Optimism, and Base deployments. Smart contracts were never touched.
In each case, the smart contracts functioned exactly as designed. Users simply never reached them.
Wallet Drainers: A Shifting Threat
There's one bright spot. Scam Sniffer's 2025 report shows wallet drainer losses dropped to $83.85 million across 106,106 victims — an 83% decline from $494 million in 2024. Awareness campaigns and improved wallet UX are having an impact.
But the threat is evolving, not disappearing. The largest single wallet drainer theft of 2025 was $6.5 million via a malicious Permit signature in September. And following Ethereum's Pectra upgrade, a new attack vector leveraging EIP-7702 account abstraction features caused aggregate losses of over $2.5 million in August 2025.
As defenses improve, attackers adapt their techniques. Permit and EIP-7702 exploits target the gap between what users think they're signing and what they're actually authorizing — which is, at its core, still a human problem.
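A wallet-side reviewer for the Permit case above, added here as an illustration and not code from the article or from any wallet or Scam Sniffer: it inspects an EIP-2612 Permit typed-data request before signing and flags the three things a drainer relies on (an unknown spender, an unlimited allowance, and a deadline so distant the approval never expires). The "known spender" registry, the addresses and the sample request are constructed.

```python
UINT256_MAX = 2**256 - 1
# Hypothetical registry of contracts that legitimately pull tokens via Permit (lowercase addresses).
KNOWN_SPENDERS = {"0x" + "aa" * 20: "hypothetical DEX router"}
DEADLINE_HORIZON = 60 * 60  # seconds; a permit valid for years is an approval that never expires

def _to_int(v) -> int:
    """EIP-712 JSON carries uint256 as decimal strings, 0x-hex strings or plain ints."""
    if isinstance(v, int):
        return v
    return int(v, 16) if v.lower().startswith("0x") else int(v)

def review_permit(typed_data: dict, connected_account: str, now: int) -> list:
    """Return warnings for an EIP-2612 Permit signing request; an empty list means nothing unusual."""
    if typed_data.get("primaryType") != "Permit":
        return ["not a Permit request"]
    msg = typed_data["message"]
    warnings = []
    if msg["owner"].lower() != connected_account.lower():
        warnings.append("owner field is not the connected account")
    spender = msg["spender"].lower()
    if spender not in KNOWN_SPENDERS:
        warnings.append(f"spender {spender} is not a known contract")
    if _to_int(msg["value"]) == UINT256_MAX:
        warnings.append("unlimited allowance requested")
    if _to_int(msg["deadline"]) > now + DEADLINE_HORIZON:
        warnings.append("deadline far in the future: the approval would effectively never expire")
    return warnings

# Constructed request shaped like what a drainer page asks a wallet to sign:
# unknown spender, unlimited value, deadline decades away.
SUSPICIOUS_PERMIT = {
    "primaryType": "Permit",
    "domain": {"name": "Token", "version": "1", "chainId": 1, "verifyingContract": "0x" + "22" * 20},
    "message": {"owner": "0x" + "11" * 20, "spender": "0x" + "bb" * 20,
                "value": str(UINT256_MAX), "nonce": "0", "deadline": str(2**48)},
}
```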
What This Means for Protocol Security
The data tells a clear story: the attack surface has shifted from code to people. Protocols that treat security as a one-time audit are defending against yesterday's threat model.
A modern Web3 security posture must address the human layer:
Operational Security
- Enforce hardware wallet signing with independent transaction verification for all privileged operations
- Implement out-of-band confirmation for high-value actions — if a request comes via Telegram, verify via a separate channel
- Treat every team member's device as a potential entry point. Endpoint security isn't optional for teams managing protocol keys
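The "independent transaction verification" in the first bullet, as an added example that is not code from the article, from Bybit or from Safe: a signer-side policy check run against the raw fields a hardware wallet actually displays (to, value, data, operation) rather than against the web UI, so a spoofed display of the kind used against Bybit and Radiant has nothing to act on. The allowlisted addresses and the transfer ceiling are hypothetical; the ERC-20 transfer selector and the Safe operation codes are the real ones.

```python
from dataclasses import dataclass

# Selector for ERC-20 transfer(address,uint256): first 4 bytes of keccak256 of that signature.
TRANSFER_SELECTOR = "a9059cbb"
# Safe "operation" field: 0 = CALL, 1 = DELEGATECALL (runs foreign code inside the Safe itself).
OP_CALL, OP_DELEGATECALL = 0, 1
# Constructed policy (hypothetical lowercase addresses): where cold-wallet funds may ever go.
ALLOWED_RECIPIENTS = {"0x" + "11" * 20}   # hypothetical hot wallet
ALLOWED_TOKENS = {"0x" + "22" * 20}       # hypothetical ERC-20 contract
MAX_TRANSFER = 10_000 * 10**18            # hypothetical per-transaction ceiling, token base units

@dataclass
class SafeTx:
    to: str         # target contract or EOA, as shown on the hardware wallet
    value: int      # native ETH in wei
    data: str       # hex calldata; "0x" for a plain ETH transfer
    operation: int  # 0 call, 1 delegatecall

def decode_erc20_transfer(data: str):
    """Return (recipient, amount) for canonical transfer(address,uint256) calldata, else None."""
    h = data[2:] if data.startswith("0x") else data
    if len(h) != 8 + 64 + 64 or h[:8] != TRANSFER_SELECTOR:
        return None
    if h[8:32] != "0" * 24:      # ABI left-pads the 20-byte address with zero bytes
        return None
    return "0x" + h[32:72], int(h[72:136], 16)

def check_safe_tx(tx: SafeTx) -> list:
    """Return policy violations; an empty list means the signer may approve."""
    problems = []
    if tx.operation == OP_DELEGATECALL:
        problems.append("delegatecall: would execute foreign code in the Safe's context")
    if tx.data in ("", "0x"):   # native transfer: only the destination matters
        if tx.to.lower() not in ALLOWED_RECIPIENTS:
            problems.append(f"ETH transfer to non-allowlisted address {tx.to}")
        return problems
    decoded = decode_erc20_transfer(tx.data)
    if decoded is None:
        problems.append("calldata is not a plain ERC-20 transfer; do not sign what you cannot decode")
        return problems
    recipient, amount = decoded
    if tx.to.lower() not in ALLOWED_TOKENS:
        problems.append(f"token contract {tx.to} not allowlisted")
    if recipient.lower() not in ALLOWED_RECIPIENTS:
        problems.append(f"ERC-20 recipient {recipient} not allowlisted")
    if amount > MAX_TRANSFER:
        problems.append(f"amount {amount} exceeds ceiling {MAX_TRANSFER}")
    return problems
```

The same check is what the "design transaction flows that remain safe even if the UI is malicious" bullet below asks for: the policy is evaluated from the bytes being signed, never from what a frontend renders.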
Supply Chain Hygiene
- Audit and pin dependencies. Monitor for compromised packages in your build pipeline
- Separate your deployment infrastructure from general development environments
- Assume your frontend can be compromised — design transaction flows that remain safe even if the UI is malicious
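One concrete form of "audit and pin dependencies", added here as an example that is not code from the article, from CISA or from npm: a pre-install gate over a lockfileVersion 2/3 package-lock.json that fails the build when a locked version drifts from the team's pin, matches an advisory blocklist, resolves to anything but the registry, or lacks an integrity hash. The pins, the blocklisted versions, and the sample lockfile are constructed; real affected versions come from the advisory, not from this snippet.

```python
import json

# Hypothetical team pins: exact versions only, no ranges.
PINNED = {"chalk": "5.3.0", "debug": "4.3.4"}
# Hypothetical blocklist in the shape of an advisory feed: package -> versions never to install.
BLOCKED = {"chalk": {"9.9.9"}, "debug": {"9.9.9"}}
TRUSTED_REGISTRY = "https://registry.npmjs.org/"

# Constructed lockfileVersion 3 package-lock: one version drift, one off-registry tarball.
SAMPLE_LOCK = json.loads("""{
  "name": "dapp-frontend", "lockfileVersion": 3,
  "packages": {
    "": {"name": "dapp-frontend", "dependencies": {"chalk": "5.3.0", "debug": "4.3.4"}},
    "node_modules/chalk": {"version": "5.3.0",
      "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz",
      "integrity": "sha512-constructedPlaceholder"},
    "node_modules/debug": {"version": "9.9.9",
      "resolved": "https://registry.npmjs.org/debug/-/debug-9.9.9.tgz",
      "integrity": "sha512-constructedPlaceholder"},
    "node_modules/debug/node_modules/ms": {"version": "2.1.3",
      "resolved": "https://mirror.example/ms-2.1.3.tgz"}
  }
}""")

def audit_lockfile(lock: dict) -> list:
    """Return findings for a lockfileVersion 2/3 package-lock; an empty list means install may proceed."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[1]   # works for nested and @scoped paths
        version = meta.get("version", "")
        resolved = meta.get("resolved", "")
        if name in PINNED and version != PINNED[name]:
            findings.append(f"{name}: locked {version} but pinned {PINNED[name]}")
        if version in BLOCKED.get(name, set()):
            findings.append(f"{name}@{version}: version listed as compromised")
        if not resolved.startswith(TRUSTED_REGISTRY):
            findings.append(f"{name}@{version}: resolved from untrusted source {resolved!r}")
        if "integrity" not in meta:
            findings.append(f"{name}@{version}: missing integrity hash")
    return findings
```

Run it in CI before `npm ci`; with exact pins and integrity hashes in place, a malicious version published upstream for two hours is never pulled into the build unless someone deliberately changes the lockfile.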
Infrastructure Hardening
- Use registrar lock and DNSSEC. Monitor for unauthorized DNS changes in real time
- Deploy multiple frontend access points so a single domain compromise doesn't capture all users
- Implement on-chain monitoring with automated circuit breakers for anomalous transaction patterns
Team Security Culture
- Train against targeted social engineering — not generic phishing simulations, but scenarios modeled on Lazarus-style campaigns
- Establish verification protocols for any unusual request, especially those involving urgency or authority
- Vet all new contacts, contractors, and collaborators. If someone sends you a file on Telegram, verify their identity through a separate channel before opening it
The Audit Isn't Enough
Smart contract security remains essential — but it's now table stakes, not a complete strategy. The most devastating losses of 2025 came through compromised laptops, bribed support agents, fake job offers, hijacked domains, and poisoned dependencies.
The question facing every Web3 project in 2026 isn't "is our code secure?" It's "are our people secure?"
If your security model doesn't have an answer for that, it's incomplete.