Crypto Cybersecurity Practices Must Refocus on Human Error


Not so long ago, our firm received a cybersecurity alert from a client. Their crypto protocol, which we had audited and which they had recently launched, was being exploited. This was obviously terrible news, so we rushed to look at what happened.

After some confusion, we realized that our client had actually deployed the wrong version of their protocol—a test version used during development, not the version we had audited. It was a simple human error, but it cost the client a lot of money.

This anecdote illustrates a real, widespread problem in the crypto sector: these days, the most damaging cybersecurity attacks don’t target errors in the code so much as they target operational mistakes.

Since 2022, the industry has lost an astonishing $2.2 billion to malicious actors. The industry’s response has been to triple the number of software audits it conducts. But our research shows that the majority of attacks actually focus on human vulnerabilities, which are beyond the scope of ordinary audits.

Put differently, the crypto industry needs to change its attitude toward cybersecurity checks. It shouldn’t abandon code audits, but it should seriously ramp up efforts to protect itself from human attack vectors. Otherwise, it will keep bleeding money away and never have the opportunity to go properly mainstream.

Traditional Audits Aren’t Enough

To be fair, audits have improved the quality of crypto software. Fewer exploits are due to technical coding errors than before. The industry has gotten better at this specific thing.

But criminals adapt. Today’s most costly attacks involve tricking employees into handing over passwords, manipulating the voting systems that govern how these platforms make decisions, planting malicious software through routine updates, or simply compromising a trusted insider.

Meanwhile, AI tools have made it dramatically easier for attackers to craft convincing fake emails, impersonate colleagues and automate the kind of social manipulation that once took significant effort. The human side of security has become a bigger target, and the industry’s defenses haven’t kept up.

Worse, our data (which looks at more than four years of audit findings from 22 firms and compares them to exploits that occurred during the same period) shows that cyberattacks tend to siphon away more money when they take advantage of human vulnerabilities than when they take advantage of code vulnerabilities. So the crypto industry isn’t investing its defense resources in the right cybersecurity sectors.

False Sense of Security

Many crypto platforms advertise the number of security reviews they have completed and which prestigious firms they hired to do these reviews. This has become a trust signal, a way of saying they’re safe to use.

The problem is that audits function more like snapshots than continuous security reviews. They examine a specific piece of software at a specific moment. The moment the platform updates its software, changes how it’s governed or brings on new team members, the picture changes. Yet the “we’ve been audited” badge stays on the website.

This creates a false sense of safety for users and for the teams themselves. People stop asking hard questions because they think the hard work is done. Meanwhile, the risks have moved to a different place.

What Actually Needs to Change

Every time a major crypto platform loses millions of dollars overnight, it chips away at public trust in the whole industry. Most people don’t care whether it was a coding error or a scammed employee. They just see another supposedly secure platform fail. That’s a serious obstacle for an industry that wants to be taken seriously by the mainstream.

The solution isn’t to abandon security reviews, as they still matter. But they can’t be the only line of defense. The industry needs to think about security the way a bank or hospital does: as a layered, organization-wide discipline that includes training staff to recognize scams, tightly controlling who has access to critical systems, building early warning systems that flag unusual activity, and having automatic safeguards that can halt suspicious transactions before damage is done.

Crypto platforms aren’t just software. They’re organizations full of human beings, and human beings can be manipulated, deceived and pressured in ways that no code review can prevent. Hackers figured this out a while ago. Now the industry needs to catch up.
