31 March 2025
Opinion by: Andrey Sergeenkov, researcher, analyst and writer
Crypto founders love big promises: decentralized finance, banking the unbanked and freedom from intermediaries. Then hacks happen. In some cases, billions vanish overnight.
On Feb. 21, 2025, the North Korean Lazarus Group stole $1.46 billion from Bybit. They sent phishing emails to staff with cold wallet access. After compromising these accounts, they accessed Bybit’s interface and replaced the multisignature wallet contract with their malicious version. When Bybit attempted a routine transfer, the hackers redirected 499,000 Ether (ETH) to addresses they controlled.
This wasn’t just a human error. This was a design failure. A system that allows human factors to enable a billion-dollar theft isn’t innovative — it’s irresponsible.
People are not protected
In just 10 days, the hackers converted all 499,000 ETH into untraceable funds, using THORChain as their primary channel. The decentralized exchange processed a record $4.66 billion in swaps in a week but implemented no safeguards against suspicious activity.
The crypto industry has created a system that cannot protect users even after they discover a theft. Some services actually profited from this crime, collecting millions in fees while processing the laundering of stolen funds.
Recent: SafeWallet releases Bybit hack post-mortem report
In February 2025, investigators ZachXBT and Tanuki42 revealed that Coinbase users lost over $300 million annually to social engineering attacks. Their report showed $65 million stolen through phishing and other social manipulation techniques in December 2024 and January 2025. According to the investigators, Coinbase failed to address known security vulnerabilities in their API keys and verification systems that make these human-targeted attacks successful.
ZachXBT directly criticized the exchange for having “useless customer support agents” and failing to properly report theft addresses to blockchain monitoring tools, making stolen funds harder to track. One scammer even admitted to targeting wealthy users, claiming they make at least five figures a week.
These aren’t isolated cases. The US Federal Bureau of Investigation reported that ordinary crypto users lost over $5.6 billion to fraud in 2023, and social engineering drove at least half of these schemes. Americans alone lose approximately $2 billion–$3 billion annually to human vulnerability attacks. With over 600 million crypto users worldwide, conservative estimates put individual losses from social engineering at $6 billion–$15 billion in 2024.
Barrier to adoption
Security concerns are now recognized as the main barrier to adoption by 37% of crypto users worldwide. Meanwhile, the industry continues to promote high-risk speculative assets like memecoins, where average users typically lose money while insiders profit.
While founders pitch financial freedom, millions of real people lose their savings through vulnerabilities the industry refuses to address. They’re symptoms of a fundamental problem: Crypto builders choose marketing over security.
When disasters happen, and they face pressure about security failures, crypto leaders hide behind blockchain’s “code is law” principle and offer philosophical arguments about self-sovereignty and personal responsibility. The crypto industry loves to blame ordinary users: “Don’t store keys online,” “Check addresses before sending,” “Never open suspicious files.”
Nobody is safe
Even industry leaders themselves fall victim to the same basic attacks. In January 2024, Ripple co-founder Chris Larsen lost 283 million XRP (XRP) due to storing private keys in an online password manager. DeFiance Capital founder Arthur_0x lost $1.6 million in non-fungible tokens (NFTs) and cryptocurrency simply by opening a phishing PDF file.
These people aren’t naive beginners — they’re creators and experts of the very system that could not protect even them. They know all the security rules, but the human factor is inevitable. If even the system architects lose millions, what chance do ordinary users have?
Knowledge of security rules doesn’t provide complete protection because fever, stress, sleep deprivation or emotional distress severely affect our decision-making abilities. Attackers continuously test different approaches, waiting for moments when users become vulnerable. They evolve their tactics constantly, creating increasingly convincing scenarios, impersonations and urgent situations.
The unchangeable nature of blockchain transactions demands extraordinary safeguards — not fewer. If users can’t reverse mistakes or thefts, the system must prevent them in the first place. True innovation means building systems that work for real humans, not theoretically perfect users. Banks learned this lesson over centuries. Crypto builders must learn it faster.
Instead, industry leaders seem to have lost touch with reality due to the extreme wealth dumped on them quickly. They’ve bought into their PR narrative, portraying them as geniuses, and started viewing themselves as visionaries.
A call to action
Vitalik Buterin lectures his audience on voting in elections and polishes his manifesto, while Justin Sun spends $6.2 million on a banana for a “unique artistic experience” — all while building an environment that makes dangerous mistakes easy to make. This approach is fundamentally dishonest. You can’t claim to revolutionize finance while providing less security than the systems you’re replacing.
What technical brilliance exists in systems that permit billion-dollar thefts and systematic fraud of ordinary users with such ease? As a core function, true technical excellence would include protecting users from permanent financial loss. A financial system that cannot secure its users’ assets is not technically advanced — it’s fundamentally incomplete.
It’s time to stop writing manifestos and promoting questionable PR stunts designed to attract a broader and more vulnerable audience. Start building genuine protections that match the level of risk your users face. No amount of blockchain innovation matters if ordinary people cannot use these systems without fear of instant, permanent financial loss.
Anything less is just reckless experimentation at users’ expense disguised as a revolution — a scheme that enriches founders and insiders while ordinary people bear all the risks.
If the industry doesn’t solve this problem, regulators will — and you won’t like their solutions. Your philosophical arguments about self-sovereignty won’t matter when licenses are revoked and operations shut down.
This is the choice crypto builders face: Either create truly secure systems that justify your claims about financial innovation or watch as regulators transform your “revolutionary technology” into another heavily regulated financial service. The clock is ticking.
Opinion by: Andrey Sergeenkov, researcher, analyst and writer.
This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.