The Crypto Industry Must Evolve to Match Real-World Security Risks
Your keys, your coins.

This is one of the core promises of Bitcoin and other cryptocurrencies, which remove the middlemen standing between you and your money. But the phrase also carries a latent assumption that Web3 companies would be wise to move on from: that any security problems are the holder’s problem, not theirs. This way of thinking might have worked when crypto was experimental. It doesn’t work when trillions of dollars and millions of people are involved.

Since the creation of Bitcoin over 15 years ago, the design space for cryptocurrencies has expanded immensely. There are apps and protocols, cryptocurrency exchanges, stablecoins, and dozens of token standards that all interconnect. It’s not just decentralized money anymore; it’s a trillion dollar ecosystem. Security risks have gotten more complicated and the stakes have gotten higher. Self-governance still plays a role, yes – but Web3 designers shouldn’t place most of the security burden on users.

For the crypto industry to succeed as a mainstream technology, it must evolve to address real-world security risks—social engineering, human error, and physical coercion—without compromising other core values such as anonymity and pseudonymity.

What the numbers tell us

Several decades of personal computing have given us a wealth of data about people’s cyber hygiene. In short: it’s not perfect.

Educational campaigns like Cyber Security Awareness Month, ongoing right now, help, but threats like phishing, fake QR codes and malware remain persistently effective. These won’t go away. In fact, they are evolving faster than our defenses.

According to data compiled by CoinLaw, crypto phishing attacks are on the rise, growing by 40% in early 2025 and leading to $410 million worth of user losses. More bad news: AI-powered deepfakes make the problem worse; these grew by more than 450% between mid-2024 and mid-2025, according to data from CoinLaw.

Even more alarming: the rise in cryptocurrency-related violent attacks, as organized crime groups physically force high-net-worth holders to give up their credentials. According to blockchain tracker Chainalysis, more than 30 “key attacks” were reported in 2024, and 2025 is on pace to double that amount.

In short, security issues are not an anomaly. They are predictable.

We don’t shrug our shoulders at earthquakes in San Francisco or Japan; we build earthquake-resistant buildings. The same logic should apply to cryptocurrency security.

What needs to change

The good news: a lot of work is being done in the Web3 space to make users and products safer.

Just look at wallets. Security considerations have historically made the wallet user experience terrible, but things are improving with innovations such as split wallets with different keys, delegation, and multi-wallet accounts. But in my experience, balancing usability and security is still difficult.

So how do we as users do better?

First, we need to treat security incidents as feedback. Every breach tells us something about the design, not just about user behavior. Take the stolen password. One answer might be, “It’s the user’s fault for getting phished; they shouldn’t have fallen for it.” Maybe that’s true, maybe not. But what is certainly true is that when this happens a million times a year across your customer base, it’s a sign that your system isn’t designed for real people. Adjust accordingly.

Second, we need to incorporate successful examples from outside the Web3 space.

Consider the authentication problem. Using a cryptographic key for access is effective, but possession of the key does not confirm that the user is the legitimate owner. That’s why the wider internet long ago embraced layers like multi-factor authentication and behavioral signals, and more recently proof-of-human – methods that protect people automatically without relying on constant vigilance. Crypto can and should follow this lead.

Finally, we must recognize that security risks are no longer limited to social engineering tricks.

Cryptocurrency executives and holders have been hit by a flurry of physical attacks in which thieves sought to gain access not by brute-force decryption, but by plain brute force. If we design systems that do not account for the possibility of physical coercion, we are not doing our job as designers of those systems. Attack vectors will evolve, and we will have to evolve as well.

What’s next?

Crypto’s rugged ethos of individual responsibility made sense as an experiment. However, now that trillions of dollars in assets – and human livelihoods – are at stake, we need systems designed for real risks rather than for early adopters.

There are no panaceas: cryptographic keys will remain vulnerable to phishing, biometrics will leave holders vulnerable to physical attacks, and humans will continue to be imperfect. But as we wrap up Cyber Security Awareness Month, let’s remember who we’re building for. When we design for real people, not ideal users, our products can strengthen lives while protecting against their weaknesses. Security is no longer a user concern; it’s an industry problem.
