Oak Security Director Warns Web3 Teams: People Are the Real Security Risk

Web3 needs to stop ignoring basic OPSEC hygiene, especially as state-sponsored threats become more frequent, says Jan Philipp Fritsche, Managing Director at Oak Security.

As North Korea’s “ClickFake” campaign draws renewed attention to targeted cyberattacks on crypto firms, security experts argue the space’s greatest vulnerability isn’t flawed smart contracts — it’s human error.

In a note to crypto.news, Fritsche emphasized that most blockchain projects lack even the most fundamental operational security (OPSEC) protocols. A former European Central Bank analyst, Fritsche now advises and audits protocols, and says the real danger lies in how teams manage devices, permissions, and access to production environments.

“The ClickFake campaign shows just how easily teams can be compromised,” Fritsche noted. “Web3 projects have to assume that most of your employees are exposed to cyber threats outside their work environment.”

Inside North Korea’s ClickFake Campaign

The Lazarus Group, a state-backed North Korean hacking collective, has been linked to a campaign dubbed “ClickFake Interview,” where attackers posed as recruiters on LinkedIn and X. Their goal: trick unsuspecting developers and executives into mock job interviews, during which they deployed malware.

The infection chain, known as “ClickFix,” tricks the target into running a command themselves; the malware it delivered gave attackers remote access to devices, allowing them to steal critical data including crypto wallet credentials. Researchers say the group used realistic documentation and entire interview scripts to boost the campaign’s credibility.

Fritsche warns that many DAOs and early-stage teams still rely on personal devices used for everything from development to Discord chats — a major red flag in the context of nation-state threats.

“There’s no way to enforce security hygiene,” he said. “Too many teams, especially smaller ones, ignore this and hope for the best.”

He added that a developer’s device can no longer be assumed to be clean. For high-value projects, that means no single team member should be able to push changes to production without multiple levels of approval.

“Company-issued devices with limited privileges are a good start,” said Fritsche. “But you also need fail-safes — no single user should have that kind of control.”

Drawing on his background in traditional finance (TradFi), Fritsche stressed the difference in approach: “In TradFi, you need a keycard just to check your inbox,” he said. “That standard exists for a reason. Web3 needs to catch up.”
