Jan Philipp Fritsche of Oak Security says that Web3 should stop ignoring basic OPSEC hygiene, especially as the state-sponsored threat rises.
As North Korea’s “Clickfake” campaign draws new attention to cyberattacks on crypto companies, security experts say the biggest vulnerability in Web3 is not smart contracts, it is people.
In a note to Crypto.News, Oak Security’s Managing Director Jan Philipp Fritsche argued that most blockchain projects lack even the most basic operational security standards.
Fritsche, a former European Central Bank analyst who now advises and audits protocols, says there are real risks in the way teams manage devices, permissions and production access.
“The Clickfake campaign shows how easily a team is compromised,” Fritsche said in a memo. “Web3 projects should assume that most employees are exposed to cyber threats outside the work environment.”
North Korea’s campaign
For background, the North Korean Lazarus Group is running a cyber campaign called the “Clickfake Interview” that targets cryptocurrency professionals. The group poses as recruiters on LinkedIn and X, invites victims to fake interviews and distributes malware during the process.
The malware, named “Clickfix,” gives the attackers remote access and steals sensitive data such as crypto wallet credentials. Researchers said Lazarus uses realistic documents and full interview conversations to increase credibility.
Most DAOs and early-stage teams rely on personal devices that are often used for both development and Discord chats. Unlike traditional companies, many DAOs have no way to enforce security standards.
“There is no way to implement security hygiene,” Fritsche said. “Too many teams, especially small teams, ignore this and want the best.”
Fritsche says that even the assumption that a device is clean may be flawed. For high-value projects, this means developers should not have the ability to unilaterally push changes to production.
“Devices issued by companies with limited privileges are a good start,” Fritsche said. “But you also need failsafes. A single user should have no such control.”
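One way to express that principle as a release gate, added here as an illustrative example and not code from Oak Security or the article: a production deploy request is allowed only when a required number of distinct people other than its author approve it, and only when the author and every counted approver act from a company-managed device. The device inventory, threshold and user names are constructed placeholders.

```python
from dataclasses import dataclass, field

# Hypothetical policy constants (assumptions for this example, not from the article).
REQUIRED_APPROVALS = 2                               # k-of-n: nobody ships alone
MANAGED_DEVICES = {"lap-001", "lap-002", "lap-003"}  # constructed inventory of company-issued devices


@dataclass(frozen=True)
class Approval:
    user: str
    device_id: str  # device the approval was signed from


@dataclass
class DeployRequest:
    author: str
    author_device: str
    approvals: list = field(default_factory=list)


def evaluate(req: DeployRequest) -> tuple:
    """Return (allowed, blocking_reasons). Every violated control is reported, not just the first."""
    reasons = []
    if req.author_device not in MANAGED_DEVICES:
        reasons.append(f"author {req.author} pushed from unmanaged device {req.author_device}")

    # Count approvals that actually satisfy the policy; the rest are silently not counted.
    valid_approvers = set()  # a set, so one person approving twice still counts once
    for a in req.approvals:
        if a.user == req.author:
            continue  # self-approval never counts toward the threshold
        if a.device_id not in MANAGED_DEVICES:
            continue  # approvals from personal/unmanaged devices are not trusted
        valid_approvers.add(a.user)

    if len(valid_approvers) < REQUIRED_APPROVALS:
        reasons.append(f"{len(valid_approvers)} valid approval(s), need {REQUIRED_APPROVALS}")
    return (not reasons, reasons)


def demo():
    """Constructed requests: one that satisfies the gate and one where the author tries to go it alone."""
    good = DeployRequest("alice", "lap-001", [Approval("bob", "lap-002"), Approval("carol", "lap-003")])
    solo = DeployRequest("alice", "lap-001", [Approval("alice", "lap-001"), Approval("bob", "personal-mac")])
    return evaluate(good), evaluate(solo)


if __name__ == "__main__":
    for allowed, reasons in demo():
        print("ALLOW" if allowed else "DENY", reasons)
```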
The lesson from traditional finance? Every risk is assumed to be real until proven otherwise.
“Tradfi requires a key card just to check your inbox,” says Fritsche. “That standard exists for a reason. Web3 needs to catch up.”