By: Andrey Sergeenkov, researcher, analyst, and writer
Creators in the crypto space are drawn to grand promises: decentralized finance, empowering the unbanked, and liberation from intermediaries. Yet when breaches occur, significant amounts can simply disappear overnight.
On February 21, 2025, the Lazarus Group from North Korea managed to siphon off $1.46 billion from Bybit. They initiated a phishing scheme targeting employees with access to cold wallets. After successfully breaching these accounts, they manipulated Bybit’s interface and substituted the multisignature wallet contract with their own malicious version. Consequently, when Bybit executed a routine transaction, the hackers rerouted 499,000 Ether (ETH) to their own addresses.
This incident was not merely an oversight; it was a systemic flaw. A design that permits human errors to facilitate a multi-billion dollar theft is not cutting-edge; it is highly irresponsible.
Users remain unprotected
Within just ten days, the hackers successfully laundered all 499,000 ETH into untraceable assets, primarily through THORChain. This decentralized exchange handled a staggering $4.66 billion in trades within a week but had no protections against dubious activities.
The industry has created a framework unable to safeguard users, even after crimes are uncovered. Some platforms even profited from this illicit activity, accruing millions in transaction fees while facilitating the laundering of stolen assets.
In February 2025, analysts ZachXBT and Tanuki42 disclosed that users of one major exchange suffered over $300 million annually from social engineering scams. Their findings indicated that in December 2024 and January 2025, $65 million was lost due to phishing and other manipulative tactics. They highlighted that the exchange did not address known security weaknesses in its API and verification systems, which made these targeted attacks effective.
ZachXBT went as far as to criticize the exchange for having “ineffective customer support” and failing to report compromised addresses to blockchain surveillance tools, which complicated the tracking of stolen assets. One scammer even confessed to focusing on affluent users, claiming they reap significant weekly profits.
These incidents are not anomalies. The FBI reported that average crypto users lost more than $5.6 billion to scams in 2023, with social engineering constituting at least half of these fraudulent schemes. In the US alone, losses due to vulnerabilities linked to human behavior are estimated to be around $2 billion to $3 billion each year. With a global user base exceeding 600 million, conservative estimates of individual losses from social engineering in 2024 range from $6 billion to $15 billion.
A barrier to broader adoption
Security issues are now identified as the primary obstacle to adoption by 37% of crypto users globally. Yet, the industry continues to promote high-risk speculative assets like memecoins, which typically result in average users losing funds while insiders gain.
While founders advocate for financial freedom, countless individuals have lost their savings due to vulnerabilities that the industry remains unwilling to address. These losses are indicative of a deeper issue: Crypto developers prioritize marketing over safety.
When crises arise and they come under scrutiny for security lapses, crypto leaders often retreat to the philosophy of “code is law” and offer rationalizations about personal sovereignty and accountability. The industry frequently shifts blame to average users: “Don’t store keys online,” “Verify addresses before sending,” “Never click on suspicious attachments.”
No one is immune
Even the industry’s influential figures are not spared from basic security breaches. In January 2024, the co-founder of Ripple, Chris Larsen, lost 283 million XRP due to keeping his private keys in an online password manager. Similarly, Arthur_0x, the head of DeFiance Capital, lost $1.6 million in NFTs and cryptocurrency simply by opening a phishing PDF.
These individuals are hardly novices; they are established creators and experts within a system that failed to protect them. While they are well-versed in security protocols, human error is an unavoidable reality. If even the architects of the system can lose millions, what hope do regular users have?
Understanding security procedures does not guarantee safety, as anxiety, fatigue, or emotional strain can drastically impair decision-making. Attackers continually experiment with different strategies, exploiting moments of user vulnerability. They adapt their methods over time, producing increasingly persuasive narratives and impersonations that create a sense of urgency.
The immutable nature of blockchain transactions necessitates advanced safeguards—rather than fewer. If users cannot reverse errors or thefts, the system must work to prevent them from the outset. Genuine innovation entails designing systems that are suitable for real users, not just hypothetically flawless ones. Financial institutions have grasped this lesson through centuries of experience; crypto developers must absorb it more quickly.
Instead, it seems that industry leaders have become disconnected from reality due to the rapid accumulation of wealth. They’ve embraced their public relations narratives, crafting images of themselves as visionaries.
A call for change
While Vitalik Buterin discusses the importance of voting and refines his manifesto, Justin Sun spends $6.2 million on a banana for a “unique artistic experience”—all amidst building an environment where critical mistakes are too easily made. This attitude is fundamentally disingenuous. One cannot profess to revolutionize finance while delivering less security than the systems being replaced.
What genuine technical competence is present in systems that facilitate billion-dollar thefts and systematic fraud against ordinary individuals with such simplicity? True technical excellence should encompass protecting users from sustaining irreversible financial losses. A financial system that cannot secure user assets is not advanced; it is fundamentally flawed.
It’s time to halt the creation of manifestos and the endorsement of dubious PR stunts aimed at a broader and more vulnerable audience. The focus should shift to constructing real protections that equate to the risks users encounter. No level of blockchain progress holds any value if everyday individuals cannot engage with these systems without the anxiety of immediate, irreversible financial loss.
Anything less amounts to reckless experimentation at the expense of users, disguised as a movement—an endeavor that enriches founders and insiders while placing all the risk on ordinary people.
If the industry does not rectify this issue, regulators will intervene, and the outcomes will be unwelcome. Philosophical arguments about personal sovereignty will hold little weight when licenses are revoked and operations are shut down.
The challenge facing crypto developers is clear: build genuinely secure systems that validate their claims of financial innovation, or watch regulators reshape their “revolutionary technology” into just another highly regulated financial service. Time is of the essence.
This content is meant for informational purposes only and should not be construed as legal or investment counseling. The views expressed belong solely to the author and do not necessarily reflect the opinions of any organization.