
Your keys, your coins.
This is one of the fundamental promises of Bitcoin and other cryptocurrencies, removing the middlemen standing between you and your money. But this phrase also carries a latent assumption that Web3 companies would be wise to move on from: that any security problems are the holder’s problem, not theirs. This mentality may have worked when crypto was experimental. It doesn’t work when trillions of dollars and millions of people are involved.
The design space for crypto has expanded significantly since the creation of Bitcoin 15 years ago. There are apps and protocols, cryptocurrency exchanges, stablecoins, and dozens of token standards that all connect to each other. It is no longer just decentralized money; it is a trillion-dollar ecosystem. Security risks have become more complex, and the stakes have become higher. Self-custody still has a role to play, yes – but Web3 designers shouldn’t put most of the security burden on users.
To succeed as a mainstream technology, the crypto industry must evolve to match real-world security risks – social engineering, human error and physical coercion – without compromising other core values such as anonymity and pseudonymity.
What do the numbers tell us?
Decades of personal computing have given us a lot of data about people’s cyber hygiene. In short: it’s not perfect.
Educational campaigns like the ongoing Cyber Security Awareness Month help, but threats like phishing, fake QR codes and malware remain prevalent. These are not going away. In fact, they are evolving faster than our security.
According to data compiled by CoinLaw, crypto phishing attacks are on the rise, increasing by 40% at the beginning of 2025 and causing user losses of $410 million. Some more bad news: AI-powered deepfakes are adding to the problem; according to the same CoinLaw data, deepfake-related incidents increased by more than 450% between mid-2024 and mid-2025.
Even more worrying: a rise in violent crypto-related attacks, as organized crime groups physically force high-net-worth holders to give up their credentials. According to blockchain tracking company Chainalysis, more than 30 “wrench attacks” were reported in 2024, and that number is on pace to double in 2025.
In short, security issues are not anomalies. They are predictable.
We don’t shrug our shoulders when an earthquake occurs in San Francisco or Japan; we build earthquake-resistant buildings. The same logic should apply to crypto security.
What needs to change
The good news: A lot of work is being done in the Web3 space to make users safer and products more secure.
Just look at the wallet. Security considerations have historically made the wallet user experience terrible, but things are getting better thanks to innovations like wallets split across different keys, delegation, and multi-wallet accounts. But, in my experience, balancing usability and security still remains difficult.
So how do we do better by users?
First of all, we need to treat security incidents as feedback. Every breach tells us something about design, not just behavior. Take the stolen password. One response might be, “It’s the user’s fault for being phished; they shouldn’t have fallen for it.” Maybe it’s true, maybe it’s not. But when this is happening millions of times per year across your customer base, it’s a sign that your system isn’t designed for real people. Adjust accordingly.
Second, we need to borrow successful patterns from outside Web3.
Consider the problem of authentication. Using cryptographic keys for access is powerful, but a valid signature only proves that whoever produced it holds the key; it does not verify that the holder is the legitimate owner. A phished or stolen key looks exactly like the real user. That’s why the broader Internet long ago adopted layers like multifactor authentication and behavioral signals, and more recently human-verification methods that protect people automatically, without relying on constant vigilance. Crypto can and should follow that lead.
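To make the possession-versus-identity point concrete, here is an added example (not code from the original article or from any wallet vendor) of a challenge-response login run three ways: key only, key plus a TOTP second factor, and with a simple consecutive-failure lockout as the kind of automatic protection the paragraph describes. It uses only the Python standard library; the one stand-in is that an HMAC over the challenge replaces a real ECDSA/Ed25519 wallet signature, which is an assumption made so the example runs offline. The HOTP/TOTP functions follow RFC 4226 and RFC 6238. The scenario, user names and the 30-second step are constructed for the demo.

```python
"""Added example: key possession alone is weak authentication; a second factor
and a failure lockout change what a stolen key can do. Standard library only."""
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOTP_STEP = 30      # RFC 6238 time step in seconds
MAX_FAILURES = 5    # lock the account after this many consecutive failed logins


def prove_possession(secret_key: bytes, challenge: bytes) -> bytes:
    """Stand-in for signing a login challenge with the wallet's private key.
    A real wallet would return an ECDSA/Ed25519 signature here (assumption);
    an HMAC keeps the property that matters: anyone holding the key can
    produce it, legitimate owner or thief alike."""
    return hmac.new(secret_key, challenge, hashlib.sha256).digest()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at // TOTP_STEP))


@dataclass
class Account:
    key: bytes                           # the registered wallet key
    totp_secret: Optional[bytes] = None  # second factor, if enrolled
    failures: int = 0                    # consecutive failed logins


class AuthServer:
    """Challenge-response login; demands a TOTP when the account has one."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.pending: Dict[str, bytes] = {}  # outstanding challenge per user

    def register(self, user: str, key: bytes, totp_secret: Optional[bytes] = None) -> None:
        self.accounts[user] = Account(key=key, totp_secret=totp_secret)

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(32)  # fresh per attempt, so a captured response cannot be replayed
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, response: bytes, otp: Optional[str] = None,
              now: Optional[float] = None) -> bool:
        acct = self.accounts.get(user)
        nonce = self.pending.pop(user, None)  # single use
        if acct is None or nonce is None or acct.failures >= MAX_FAILURES:
            return False
        now = time.time() if now is None else now
        ok = hmac.compare_digest(prove_possession(acct.key, nonce), response)
        if ok and acct.totp_secret is not None:
            # Accept the current and previous window to tolerate clock skew.
            ok = otp is not None and any(
                hmac.compare_digest(totp(acct.totp_secret, now - d), otp)
                for d in (0, TOTP_STEP))
        acct.failures = 0 if ok else acct.failures + 1
        return ok


def run_demo(now: float = 1_700_000_000.0) -> Dict[str, bool]:
    """Constructed scenario: Alice's wallet key has been phished by Mallory."""
    alice_key, alice_totp = os.urandom(32), os.urandom(20)
    srv = AuthServer()
    srv.register("alice-key-only", alice_key)
    srv.register("alice-mfa", alice_key, alice_totp)
    out: Dict[str, bool] = {}

    # Key only: the owner and the thief are indistinguishable to the server.
    out["owner_key_only"] = srv.login(
        "alice-key-only", prove_possession(alice_key, srv.challenge("alice-key-only")), now=now)
    out["thief_key_only"] = srv.login(
        "alice-key-only", prove_possession(alice_key, srv.challenge("alice-key-only")), now=now)

    # With a second factor the stolen key is no longer sufficient.
    valid = {totp(alice_totp, now), totp(alice_totp, now - TOTP_STEP)}
    wrong = "000000" if "000000" not in valid else "111111"
    c = srv.challenge("alice-mfa")
    out["owner_mfa"] = srv.login("alice-mfa", prove_possession(alice_key, c), totp(alice_totp, now), now=now)
    c = srv.challenge("alice-mfa")
    out["thief_mfa_no_otp"] = srv.login("alice-mfa", prove_possession(alice_key, c), now=now)
    c = srv.challenge("alice-mfa")
    out["thief_mfa_guess"] = srv.login("alice-mfa", prove_possession(alice_key, c), wrong, now=now)
    # Reusing the last challenge fails: it was consumed by the previous attempt.
    out["replay"] = srv.login("alice-mfa", prove_possession(alice_key, c), totp(alice_totp, now), now=now)

    # Repeated OTP guessing trips the lockout; even the owner is then refused.
    for _ in range(MAX_FAILURES):
        srv.login("alice-mfa", prove_possession(alice_key, srv.challenge("alice-mfa")), wrong, now=now)
    out["owner_after_lockout"] = srv.login(
        "alice-mfa", prove_possession(alice_key, srv.challenge("alice-mfa")), totp(alice_totp, now), now=now)
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:22s} -> {'accepted' if result else 'rejected'}")
```

The key-only account accepts the thief exactly as readily as the owner, which is the whole problem; the second factor turns a phished key into a failed login, and the lockout means the server, not the user, absorbs the guessing attempts. A hard lock is the bluntest version of this; in production one would rate-limit per device or network and alert the owner rather than deny them outright, and the time-window tolerance should be kept to one step as here, since every extra window doubles a guesser's odds.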
Finally, we have to understand that security risks are no longer limited to social engineering tactics.
Cryptocurrency executives and deep-pocketed holders have been hit with physical attacks, with thieves looking to gain access not through brute-force decryption, but through plain old brute force. If we design systems that do not account for the possibility of physical coercion, we are not doing our job as designers of those systems. Attack vectors will evolve, and we will have to evolve too.
What happens next
Crypto’s strict ethos of personal responsibility made sense when it was an experiment. However, now when trillions of assets – and human livelihoods – are at stake, we need systems designed for real-world risk rather than for early adopters.
There is no panacea: cryptographic keys will remain vulnerable to phishing, biometrics will make holders vulnerable to physical attacks, and humans will remain imperfect. But as we end Cybersecurity Awareness Month, let’s remember who we’re building for. When we design for real people, not idealized users, our products can build on people’s strengths while protecting against their weaknesses. Security is no longer the user’s problem; it is an industry problem.