From the $625 million hack of Ronin Bridge in 2022 to multiple high-profile attacks in 2025, North Korean hackers are treating the crypto world as an ATM. Security company Oak Security analyzed that they are no longer just using vulnerabilities to attack smart contracts, but are targeting the most vulnerable link of the Web3 team: people. This offensive and defensive battle is no longer a duel between technology and technology, but a tug-of-war between security culture and loose management.
North Korean hackers go all out to steal billions more in 2025
North Korean hackers are becoming more active. In 2025 alone, they launched a series of high-precision attacks on the crypto industry, attempting to steal assets and infiltrate core teams. They tried to steal up to $1.5 billion worth of assets from the Bybit exchange, using fake job applications to obtain account passwords, and have successfully laundered millions of dollars.
In addition, they also launched malicious program attacks against MetaMask and Trust Wallet, attempting to infiltrate the exchanges by "disguising themselves as job seekers" and setting up shell companies in the United States to specifically target crypto developers.
These attacks are becoming more sophisticated and their methods more diverse, but at their core they rely not on technological breakthroughs but on gaps in "operational security."
Hackers no longer look for vulnerabilities, they look for human errors
Web3 teams have focused on smart contract security for years, but generally ignore operational security (OPSEC) in how the organization itself is run. Experts from Oak Security pointed out that the company has conducted security audits on more than 600 crypto projects and found that most teams have almost no operational security defenses.
Common problems include:
Loose private key management
Contributors are onboarded via Discord without any identity verification
Critical code is deployed directly from unencrypted personal laptops
Governance and funding decisions are made via Discord voting
These mistakes make project teams easy targets.
Code defense alone is not enough to protect against modern attacks
Conventional wisdom holds that "as long as the smart contract audit passes, the system is secure," but the reality is the opposite. Attackers do not need a Solidity zero-day at all; compromising a single insider is enough to paralyze an entire project.
In May 2025, Coinbase faced compensation and extortion exposure of $180 million to $400 million after hackers bribed overseas customer service staff, leading to the leakage of customer data. The same approach was also attempted against Binance and Kraken.
These incidents were not technical errors, but human errors.
Web3’s daily tasks have become a hacker’s paradise
The current daily operations of many Web3 teams are a hacker's dream:
No formal onboarding process
No device management and endpoint protection
Key governance and financial meeting minutes stored in unencrypted Google Docs or Notion
No incident response plan; when something happens, coordination is improvised over Discord.
Even more worrying, some DAOs manage assets worth hundreds of millions of dollars yet govern them with amateur Discord votes and "weekend multi-signature" arrangements, leaving the door wide open to thieves.
How can traditional finance protect billions of dollars in assets? Web3 still has a lot to learn
Traditional finance (TradFi) institutions also face pressure from North Korean hackers and global cyberattacks, but they rarely get shut down by them, because they rely on systematic defenses and a mature security culture.
Banks' internal controls include:
Employees cannot operate transactions from personal devices
Strict identity and device management
Clear division of labor and separation of responsibilities
Regular incident response drills
These are not merely compliance checkboxes; they are what keeps an institution alive. If Web3 wants to develop over the long run, it must learn from these systems and build a comprehensive security framework suited to the characteristics of decentralization.
Security should not be an option, Web3 needs a complete cultural overhaul
Some leading projects have already introduced:
Standardized OPSEC guidelines
Red Team Simulations
Using a hardware wallet with multi-signature governance
Background check and identity verification mechanism
Dedicated security specialists and external consultants
Unfortunately, such measures remain the exception rather than the norm in the industry.
Decentralization is not an excuse for irresponsibility
One of the core reasons Web3 security lags behind is the perceived contradiction between "decentralization" and "security control." Many teams have insufficient budgets, high staff turnover, and even a cultural resistance to information security, believing that "setting up a firewall is centralization."
But the reality is harsh: North Korean hackers are already inside the system, and the world economy is gradually being built on blockchain.
If Web3 continues to tolerate such loose operations, hackers and fraud groups will keep treating it as a "perpetual capital pool." Stopping the bleeding is not a matter of writing perfect code, but of establishing a more mature organizational security culture.
Risk Warning
Cryptocurrency investment carries a high degree of risk. Its price may fluctuate drastically and you may lose all your capital. Please assess the risk carefully.
When we talk about the future of cryptocurrency payments, we are really asking an essential question: what kind of payment method is the real solution for the crypto world? Is it card payment, or seamless settlement with no intermediary exchange at all? This article takes the perspective of three market participants to clarify the question and its possible answers.
Not a failure, but the end of the transition: Why did Infini abandon the U card?
A few days ago, crypto payment startup Infini announced the closure of its personal crypto financial card (U card) business, prompting regret from outside observers. For insiders, however, this seemed to be an outcome that could have been foreseen long ago.
In an interview with BlockBeats yesterday, Infini co-founder Junzhu said that although the U card is effective, it runs counter to the original intention of the company to "help users make DeFi income simple":
The U card is actually exchanging stablecoins for USD, and then swiping them into the traditional financial system. This is a step backward in history.
High compliance costs, a lengthy and cumbersome refund process, and the fact that TVL did not grow in step with the number of cardholders eventually made the team realize that the U card business was a detour from its direction: "What we should do is focus on helping users manage their finances."
Infini gave up not because payment demand did not exist, but because it realized that "cards are not the final solution, only a compromise with the status quo."
The U card is only a transitional solution; in the future, payment should be made directly with stablecoins.
Stablecoin native payment: the real end of the crypto world
The end game Princess describes is that "users no longer need to withdraw funds or use cards; they can pay by sending tokens from their wallets." This may sound far-fetched at first, but from Telegram mini-apps to China's JD.com, more and more platforms are trying to integrate stablecoin payments natively into their own product experiences.
Colin Wu, editor-in-chief of Wu Blockchain, also observed in his three-layer theory that although the "innermost layer" of the crypto field, representing the native on-chain ecosystem (BTC, DeFi, etc.), is saturated, "second layer" applications such as stablecoins, payments, and clearing still have enormous potential:
Looking back, this is something that traditional finance at the "third layer" cannot do. It is also difficult for the innermost layer to attack outward, and it is only good at what the second layer does.
This breakthrough must avoid the product model that carries the slogan of decentralization but falls back on the traditional architecture. True crypto-native payments should be sent, received and confirmed on chain, with users settling instantly in stablecoins instead of deducting from a card and clearing through a bank.
Psychological barriers are as important as technical barriers: Are credit card token rewards a good idea?
In contrast to the product and industry observations of Princess and Colin, crypto KOL @VannaCharmer starts from the perspective of behavioral finance. Taking the Coinbase One Card as an example, he argues that "using credit card points to automatically invest in high-risk assets" is a very good idea, because it exploits the user's psychological illusion that "points are not money" to lower the threshold for entering the crypto world:
The psychological tactics work well; credit card points feel like "free money" that wasn't yours to begin with. Losing $500 in points feels much less painful than losing $500 from an investment account, even though the concept is the same.
Although this is not a crypto-native payment product in the broad sense, it is still a very good case study: reaching the ultimate goal of crypto payment is not just a matter of technology and the merchant side, but of making users willing to enter the market and confident enough to use it, which is what true adoption requires.
Breaking the middleman and moving towards the future of on-chain payment
Princess's words "we should not let crypto payments return to the banking system" refer not only to product design, but to how the entire crypto field should define itself and which path to take: should it keep copying Web2 playbooks at the edge of traditional finance, or should it rebuild its own payment and settlement system?
The U card is not a mistake, nor will it be the final answer, but it still stirs up the possibility of innovative design. I look forward to the day when crypto payments are so widely adopted that we no longer need to call them "crypto payments" at all.