CORE3

Why crypto risk management still ignores the biggest attack surface


Intro

On January 10, 2026, someone lost $284 million in a single conversation. No smart contract was exploited. No protocol was breached. A person was convinced to authorize a transfer of 2.05 million LTC and 1,459 BTC to wallets they didn't control.

The attacker didn't need to write a single line of code. They needed a phone, a story, and patience.

The victim used a hardware wallet, the industry's gold standard for security. It didn't matter, because the attacker never stole the keys. Instead, they convinced the owner to use those keys voluntarily. Within hours, the funds were swapped for Monero through multiple instant exchanges, and on-chain investigator ZachXBT confirmed this was a solo social engineering operation, the largest of its kind ever recorded.

The trend nobody wants to quantify

Since 2021 we have observed a gradual shift from security exploits to operational ones, where people are the weakest link. On one hand, security keeps improving and smart contracts become harder to manipulate. On the other hand, people don't get better at *not* clicking malicious links and *not* trusting strangers from the internet.

According to AMLBot, roughly 65% of security incidents in 2025 were driven by social engineering rather than flaws in code or protocols. Hacken's annual report found that access control failures and operational breakdowns caused $2.12 billion in losses, 54% of the year's total. Smart contract vulnerabilities accounted for roughly $512 million.

So we can confidently state that the attack surface has moved from what's deployed on-chain to the humans who manage what's deployed. And the industry's approach to measuring risk hasn't moved with it.


Why audits and bug bounties can't cover this

Firstly, it is outside their scope: audits and bounties assess code, find vulnerabilities, and get them remediated. Secondly, even when the code is sound, that doesn't mean an intern won't escalate a malicious transfer request or code package to management.

And, sadly, what counted as state-of-the-art protection in 2023 is now only one part of a much bigger threat surface. Hacken's 2025 report documented how widespread these gaps are: many Web3 companies still don't revoke developer access during off-boarding, single private keys manage entire protocols, and endpoint detection systems are absent or never configured.

Which, again, highlights how closely the industry has to look at the people layer of protection.


The industrialization of deception

What makes this trend accelerate is the tooling behind it. With the development of AI, phishing and social engineering became cheaper, easier, and scalable. 

Attackers generate synthetic voices that mimic executives, support agents, and colleagues. AI-produced messaging personalizes approaches at volumes manual operations never could. The Chainalysis 2026 Crypto Crime Report found that impersonation scams grew 1,400% year over year, and AI-enabled scams proved 4.5 times more profitable than traditional methods.

North Korean state-sponsored groups have added a layer most people haven't considered. Beyond remote hacking, DPRK operatives now embed themselves as employees inside crypto companies, applying for engineering roles under fabricated identities. Once inside, they have direct access to internal systems, credentials, and signing infrastructure. 

The tools are cheaper, the targeting is more precise, and the human on the receiving end has no equivalent upgrade in defense.


Measuring what actually breaks

The gap between where attacks happen and where risk gets measured is the core problem. 

CORE3's PoL methodology was built around this reality. The security domain, weighted at 35% of the total PoL, includes conditions that go well beyond code review. It evaluates whether a project has monitoring systems that detect anomalous access patterns in real time, whether prevention controls exist to interrupt unauthorized signing attempts before funds move, and whether the project has been assessed against ISO 27001 or CCSS standards, which cover the human and procedural layers of security.

The operational domain adds another set of conditions: incident response maturity (has the plan been tested under simulated stress, or does it only exist as a document?), access control practices (are permissions scoped and regularly audited?), and key management procedures (are signing keys rotated, stored in HSMs, or still sitting on a single laptop?).


These conditions are used to calculate the probability of loss score because the reality demands them. When 54% of losses trace back to access control and operational failures, a risk metric that ignores those conditions isn't really measuring risk.
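To make the conditions above concrete, here is an added illustration in Python of what a prevention control that interrupts unauthorized signing attempts before funds move can look like. It is not CORE3's code or part of the PoL methodology; the users, addresses, thresholds and timestamps are constructed sample values. The gatekeeper sits between a transfer request and the signing key and checks the kinds of things the security and operational domains ask about: a destination allowlist with a cooling-off period (so a same-day "add this address and send now" request cannot succeed), per-transaction and daily value limits, M-of-N approval from distinct active users, rejection of requests or approvals from off-boarded accounts, and a simple burst detector that flags an anomalous access pattern in real time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example, not CORE3's code. All values below are constructed for illustration.


@dataclass
class Policy:
    allowlist: dict          # destination address -> datetime it was added to the allowlist
    active_users: set        # current staff; off-boarded people must be removed from here
    cooling_off: timedelta = timedelta(hours=48)     # new destinations wait before first use
    per_tx_limit_usd: float = 50_000.0
    daily_limit_usd: float = 200_000.0
    required_approvals: int = 2                      # distinct approvers, excluding the requester
    burst_window: timedelta = timedelta(minutes=10)
    burst_threshold: int = 3                         # requests per requester inside the window


@dataclass
class SigningRequest:
    request_id: str
    requester: str
    destination: str
    amount_usd: float
    approvers: list
    submitted_at: datetime
    signed: bool = False


def evaluate(req, policy, history):
    """Return the policy violations for `req`; an empty list means it may be signed.

    `history` holds earlier requests seen today (signed or not), used for the
    daily spend limit and for the burst detector.
    """
    findings = []

    # Access control: only current staff may request or approve.
    if req.requester not in policy.active_users:
        findings.append(f"requester {req.requester} is not an active user")
    inactive = sorted(a for a in req.approvers if a not in policy.active_users)
    if inactive:
        findings.append(f"approval from inactive user(s): {inactive}")

    # Separation of duties: M distinct, active approvers, none of them the requester.
    valid = {a for a in req.approvers if a in policy.active_users and a != req.requester}
    if len(valid) < policy.required_approvals:
        findings.append(f"{len(valid)} valid approvals, {policy.required_approvals} required")

    # Destination control: allowlisted, and older than the cooling-off period.
    added = policy.allowlist.get(req.destination)
    if added is None:
        findings.append(f"destination {req.destination} is not allowlisted")
    elif req.submitted_at - added < policy.cooling_off:
        findings.append(f"destination {req.destination} is still in its cooling-off period")

    # Value limits: per transaction, and a daily total over already-signed requests.
    if req.amount_usd > policy.per_tx_limit_usd:
        findings.append(f"amount {req.amount_usd:,.0f} USD exceeds per-transaction limit")
    same_day = [h for h in history if h.submitted_at.date() == req.submitted_at.date()]
    spent = sum(h.amount_usd for h in same_day if h.signed)
    if spent + req.amount_usd > policy.daily_limit_usd:
        findings.append(f"daily total would reach {spent + req.amount_usd:,.0f} USD, over limit")

    # Anomaly detection: a burst of requests from one requester is unusual enough to stop.
    recent = [h for h in history
              if h.requester == req.requester
              and timedelta(0) <= req.submitted_at - h.submitted_at <= policy.burst_window]
    if len(recent) + 1 >= policy.burst_threshold:
        findings.append(f"{len(recent) + 1} requests from {req.requester} within {policy.burst_window}")

    return findings


def run_demo():
    """Run four constructed requests through the policy and return findings per request."""
    t0 = datetime(2026, 1, 10, 10, 0, tzinfo=timezone.utc)
    policy = Policy(
        allowlist={"cold-storage-01": t0 - timedelta(days=30),   # long-established destination
                   "vendor-new-07": t0 - timedelta(hours=2)},    # added two hours ago
        active_users={"alice", "bob", "carol"},                   # "dave" was off-boarded
    )
    requests = [
        SigningRequest("r1", "alice", "cold-storage-01", 20_000, ["bob", "carol"], t0),
        SigningRequest("r2", "alice", "vendor-new-07", 40_000, ["bob", "carol"], t0 + timedelta(minutes=3)),
        SigningRequest("r3", "dave", "cold-storage-01", 10_000, ["alice", "bob"], t0 + timedelta(minutes=4)),
        SigningRequest("r4", "alice", "cold-storage-01", 75_000, ["bob"], t0 + timedelta(minutes=6)),
    ]
    results, history = {}, []
    for req in requests:
        findings = evaluate(req, policy, history)
        req.signed = not findings            # only clean requests reach the signing key
        results[req.request_id] = findings
        history.append(req)
    return results


if __name__ == "__main__":
    for rid, findings in run_demo().items():
        print(rid, "SIGN" if not findings else "BLOCK", findings)
```

In the demo, r1 passes, r2 is blocked because the destination was added two hours ago, r3 is blocked because the requester has been off-boarded, and r4 is blocked three times over: a single approver, an amount above the per-transaction limit, and the third request from the same person within ten minutes. The point is that none of these checks inspect contract code; they inspect who is asking, for what, how often, and who agreed, which is exactly the layer the loss statistics above point at.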

The question the market hasn't answered


The market currently treats security and operations as separate concerns. The trend says they're the same concern, and the human layer is the one producing the larger losses.

In 2025, the code got better, and the losses got worse. That gap will keep widening until risk measurement catches up to where the attacks have moved. The projects that survive won't be the ones with the cleanest audits. They'll be the ones that built operational resilience into every layer, including the people.

CORE3 evaluates projects across the full risk surface, not just the code. If you want to see how operational resilience, access control, and incident response maturity factor into a project's probability of loss, explore the methodology.


Author

Dmytro Zaporozhchenko, CORE3 content lead, has a background in public relations for cybersecurity firms, centralized exchanges, and DeFi projects. 

