What happened this month

Compared to April and May, June experienced relatively modest losses across the ecosystem. However, attackers continued targeting familiar weaknesses:

• Legacy and deprecated smart contracts

• Cross-chain infrastructure

• Private key management

• Access controls and governance systems

Rather than discovering entirely new attack classes, adversaries continued exploiting known weaknesses that teams failed to address.

Emerging security trends

Legacy contracts are becoming time bombs

Operational security continues to dominate

AI is changing the threat landscape

Humanity protocol: When operations fail

Humanity Protocol suffered one of June’s largest incidents after malware compromised a developer machine and exposed multiple private keys.

Attackers gained control over critical infrastructure, drained funds, minted unauthorized tokens, and triggered a dramatic collapse in token value.

Lessons learned

1. Private keys remain the industry’s most valuable target.

2. Developer endpoints must be treated as high-risk environments.

3. Recovery planning matters.

Emerging threats

AI-powered social engineering

Attackers increasingly use AI-generated content to:

• Create convincing phishing campaigns

• Impersonate executives and founders

• Automate fraud at scale

• Generate realistic deepfake communications

Supply-chain compromise

Compromised npm packages, malicious dependencies, and poisoned development tools continue to create downstream risk across the Web3 ecosystem.

A single compromised dependency can undermine even well-audited systems.

What teams should do

• Implement strict dependency management policies

• Adopt software bills of materials (SBOMs)

• Isolate build environments

• Train employees to recognize AI-enhanced phishing

• Use automated monitoring and anomaly detection

• Conduct threat modeling against AI-assisted adversaries

OPSEC Quick Tip

Never store production keys on developer machines

If there is one operational security habit every team should adopt immediately, it is this:

Keep production keys off developer devices.

Recommended approach

• Use HSMs, MPC systems, or hardware wallets

• Separate development and signing environments

• Rotate credentials regularly

• Enforce phishing-resistant MFA

• Require transaction simulation and peer review before approvals

This single practice would have prevented many of the year’s largest operational security incidents.

CypherTalk

Peter Kacherginsky’s quarterly take on Web3 security

• The evolution of blockchain threat intelligence

• AI’s growing role in security

• Infrastructure-focused attack vectors

• Ethical security research

• Security predictions for the coming quarters

Listen here.

MetaMarkets

Why the CLARITY act is a breakthrough

Jacob Robinson, host of the Law of Code podcast, joined Jan Philipp Fritsche to discuss:

• The CLARITY Act

• Permissionless innovation

• Decentralization versus regulation

• The future of crypto compliance frameworks

Listen here.

In the media

CoinDesk

“Crypto’s security nightmare won’t be solved by ordinary audits”

Stefan examines a growing disconnect between what audits evaluate and what attackers exploit.

While audits continue to improve code quality, today’s largest losses increasingly stem from:

• Compromised private keys

• Governance attacks

• Insider compromise

• Supply-chain vulnerabilities

• Operational failures

The piece argues that the industry must evolve beyond audit-centric security models and embrace defense-in-depth strategies that address human and organizational risks.

Read here.

Newsweek

“Crypto cybersecurity practices must refocus on human error”

In Newsweek, Stefan highlights how many of crypto’s most damaging incidents originate from simple operational mistakes rather than coding flaws.

As AI lowers the cost of phishing and social engineering, human vulnerabilities are becoming increasingly attractive targets.

The article argues that security should be treated the same way banks and critical infrastructure providers approach it: as a continuous organizational discipline rather than a one-time review.

Read here.

Both articles reach the same conclusion as our latest research: Read here.

Events & community

Institutional and Policy Forum

This month we partnered with the European Ethereum Institute to host the Institutional and Policy Forum.

Discussions covered:

• Quantum security risks

• Institutional Web3 adoption

• Stablecoins and tokenization

• MiCA and regulatory developments

• Building resilient protocols

Thank you to our sponsors Arbitrum, Bermuda, and Frankencoin; our co-host, the European Ethereum Institute; speakers; moderators; and attendees for making the event a success.

Oak updates

Introducing the OpSec academy

Security does not end with an audit.

To help teams strengthen operational security, we launched the OpSec Academy: a free library of practical operational-security resources for Web3 organizations.

The Academy includes:

• Device hardening guides

• Hardware wallet setup tutorials

• Multisig operations guidance

• Infrastructure security playbooks

• Incident response resources

• An AI-powered OpSec Agent querying Oak’s knowledge base

Whether you’re securing a startup treasury or institutional infrastructure, the Academy provides actionable guidance for building operational resilience.

Access here.

Oak Security can now perform SEAL certifications

As operational security becomes one of the largest sources of loss in Web3, the industry needs a way to evaluate more than just code.

We’re pleased to announce that Oak Security is now participating in the Security Alliance (SEAL) Certification program and can support protocols seeking certification against the framework.

SEAL Certifications assess whether a protocol can:

• Defend itself against operational threats

• Detect incidents when they occur

• Respond effectively when things go wrong

Unlike traditional smart contract audits, SEAL Certifications focus on the operational controls that determine whether a protocol can withstand real-world attacks.

Interested in a SEAL Certification? Contact us at info@oaksecurity.io or via the contact form

Get a quote for your project, schedule a call with our team, follow us on X, and sign up for our newsletter for simplified and curated Web3 security insights.