Security Awareness in Web3
The context, impacts, and mitigations
Lesson Objectives:
- Be able to describe the threats which exist in the Web3 space
- Navigate the risks posed with confidence
- Understand the measures taken to minimize impact
The Inevitable Jargon
Time for a quick speedrun
Threat Actor
Any individual, group, or entity that poses a potential risk or threat to the security of a system or organization.
Attack Surface
The points of entry, or potential vulnerabilities in a system that could be exploited by a threat actor to compromise or gain unauthorized access.
Attack Vector
Specific paths or methods that threat actors use to launch attacks against a system or organization.
Eyes are on us
- Crypto Market Capitalization: $1,231,359,133,397
- 24 Hour Trading Volume: $39,807,353,848
In the real world
there is no scope
Funds
Quickest and easiest way to make money: attack wallets and services
Networks & Infrastructure
- Smart Contracts
- Ransomware
- Impact on network availability
- Malicious code injection/node creation
Personally Identifiable Information
- Account takeover
- Identity theft
- Impersonation
A look at potential adversaries
- Lazarus Group (APT 38)
- Sanctioned Nation States
- Future Adversaries
Up to date devices are great
but there's more to it than that
Types of Adversaries
A Deeper Dive
Opportunists
Individuals or small groups who take advantage of easily exploitable vulnerabilities without significant planning, often targeting low-hanging fruit and utilizing readily available tools and techniques.
I Pickpocketed a Pickpocket

Organized Crime Groups (OCGs)
More sophisticated adversaries with dedicated resources and a more defined focus. They operate like traditional criminal organizations and often engage in large-scale, financially motivated attacks.
Nation States
The most sophisticated and well-resourced adversaries in the landscape. They have significant technical capabilities and may engage in cyber-espionage sabotage, or warfare.
Methods of Adversaries
Theft
- Laptops
- Phones
- Keys
- Auld Wallets
- ID Documents
- Hardware Wallets
Tampering
Tampering: Mitigations

Hacking
- Direct attacks
- DNS poisoning
- Targeted Man in the Middle attacks
Social Engineering
Phishing and its counterparts, vishing, smishing, etc.
Situational Awareness
Shoulder Surfing
Shoulder Surfing

Shoulder Surfing

Shoulder Surfing

Shoulder Surfing

Visual Cues
Device Stickers
Some things can be identified from these, such as:
- Role
- Industry
- Employer/Projects
Clothing, Swag, Drip
Call it what you will, but it can be a source of information disclosure
Digital Footprint
Social Media
The Usual Suspects
- Meta
The Less Obvious
- Telegram
- Discord
Phishing
Humans get distracted, stressed, and tired, this is when phishers thrive.
If it didn't work, they would have stopped by now.
Rise of AI
Phishing is easier than ever, just ask ChatGPT:

Beyond the Nigerian prince
Phishers are getting smarter, and your digital footprint is on their radar.

Reacting to a Phish
- Stop
- Take a moment
- Verify
- Report