North Korea’s latest crypto hack reveals Web3’s security weakness: pro

Oak Security’s Jan Philipp Fritsche says Web3 needs to stop ignoring basic OPSEC hygiene, especially as state-sponsored threats rise.

As North Korea’s “ClickFake” campaign draws renewed attention to cyberattacks on crypto firms, security experts say Web3’s biggest vulnerability isn’t smart contracts — it’s people.

Jan Philipp Fritsche, Managing Director at Oak Security, argued in a note to crypto.news that most blockchain projects lack even the most basic operational security standards. 

Fritsche, a former European Central Bank analyst who now advises and audits protocols says the real risk lies in how teams manage devices, permissions, and production access.

“The ClickFake campaign shows just how easily teams can be compromised,” Fritsche said in a note. “Web3 projects have to assume that most of your employees are exposed to cyber threats outside their work environment.”

North Korea’s campaign

For background, North Korea’s Lazarus Group is using a cyber campaign called “ClickFake Interview” targeting cryptocurrency professionals. The group posed as recruiters on LinkedIn and X, luring victims into fake interviews to distribute malware. 

The malware, named “ClickFix,” gave attackers remote access to steal sensitive data like crypto wallet credentials. Researchers said Lazarus used realistic documents and full interview conversations to enhance credibility.

Most DAOs and early-stage teams still rely on personal devices — often used for both development and Discord chatting — which leaves them exposed to nation-state level attackers. Unlike traditional enterprises, many DAOs have no way to enforce security standards.

“There’s no way to enforce security hygiene,” Fritsche said. “Too many teams, especially smaller ones, ignore this and hope for the best.”

Fritsche says even the assumption that a device is clean may be flawed. For high-value projects, that means developers should never have the ability to push changes to production unilaterally. 

“Company-issued devices with limited privileges are a good start,” Fritsche said. “But you also need fail-safes—no single user should have that kind of control.”

The lesson from traditional finance? Every risk is assumed to be real until proven otherwise. 

“In TradFi, you need a keycard just to check your inbox,” Fritsche said. “That standard exists for a reason. Web3 needs to catch up.”