Billions Lost as Crypto Hackers Shift Focus Beyond Code Flaws

  • Crypto hacks are shifting away from code flaws as attackers target credentials, systems, and human errors.
  • Security audits still find smart contract risks, but they cannot prevent operational failures and insider threats.
  • Crypto firms face growing pressure to improve key management, monitoring, and employee security practices.

Crypto firms are spending heavily on security audits, but hackers are still making off with billions of dollars. According to a new report from Oak Security, many of the biggest attacks no longer target flaws in smart contract code. Instead, attackers are exploiting stolen credentials, weak internal controls, and operational mistakes.

Since 2022, cybercriminals, including North Korea’s Lazarus Group, have stolen more than $2.2 billion from crypto platforms. Over the same period, the industry sharply increased the number of code audits. However, many major security breaches have originated from areas that traditional audits are not designed to evaluate, including private key management, governance mechanisms, and internal security controls.

The report points to a growing gap between what audits can protect and how attackers now operate. As a result, security experts say crypto firms need to look beyond code and strengthen the systems and processes that protect customer funds.

Attackers Shift Beyond Smart Contracts

Code audits have become far more sophisticated, helping developers catch vulnerabilities before projects go live and reducing the number of flaws found in smart contracts. But as the technology has improved, hackers have changed their approach.

Attackers now target the people and systems inside an organization rather than bugs in code. Such attacks include phishing, theft of private keys, exploitation of system update processes, and insider threats. Many recent large-scale thefts resulted from these methods, not from flaws in application code.

Researchers said audits are still working as intended, identifying security issues before deployment. The problem is that audits can only assess code. They cannot prevent an employee from handing over credentials, approving a fraudulent transaction, or falling victim to a phishing attack. As a result, strong code is no longer enough to protect a crypto platform on its own.


False Confidence Creates New Risks

Crypto projects often point to security audits as evidence that their platforms are safe, highlighting completed reviews and reports from auditing firms. For many users, those audits can create the impression that a project is protected from major security failures.

Researchers say that assumption can be misleading. An audit only evaluates a project’s code at a specific point in time. New risks can emerge as platforms update their infrastructure, change governance structures, or expand operations.

The recent KelpDAO hack underscores that challenge. While the attack was not linked to a flaw in audited smart contract code, users still saw another crypto platform lose funds. Security experts say most investors do not distinguish between a coding failure and an operational failure when money is lost.

According to the report, reducing those risks will require more than code reviews. Researchers said projects should strengthen private key security, improve monitoring systems, expand employee security training, and add safeguards that can detect suspicious activity before losses escalate.
