Cryptocurrency Theft: What to Do, How to Avoid & How to Recover — Expert Interview

Comprehensive expert interview on crypto crimes, chain forensics, storage security and stolen funds recovery. 14 parts: from hack anatomy to practical protection protocols.

Security, investigations, asset recovery and protection

Exclusive interview for iTrusty.io

Alexander Mercer, Editor-in-Chief of iTrusty.io × Robert Stanley, Head of Cybersecurity

Editor's Foreword

In 2025, the crypto industry faced an unprecedented wave of theft: according to Chainalysis and TRM Labs, more than $3.4 billion was stolen over the course of the year. The February 2025 hack of the Dubai-based exchange Bybit alone netted the North Korean Lazarus group approximately $1.5 billion in Ethereum — the largest theft in crypto history and one of the largest financial heists in human history.

Meanwhile, the number of personal wallet compromise incidents rose to 158,000 cases, affecting more than 80,000 unique victims. North Korean hackers collectively stole $2.02 billion in 2025 alone — 51% more than the year before — bringing the cumulative estimate of funds stolen by Pyongyang to $6.75 billion.

We live in an era where digital assets worth hundreds of billions of dollars are protected by 12 words written on a piece of paper, while professional state-sponsored hackers attack crypto exchanges with the same methodical precision that special forces use to storm military installations.

To explore the anatomy of crypto crime, the technology behind investigations, and practical ways to protect yourself, we brought two experts together.

Alexander Mercer is Editor-in-Chief of iTrusty.io, host of the "AI × Crypto: Data-Driven Insights" column, and a specialist at the intersection of technology and financial markets. His weekly reviews are read by more than 200,000 subscribers.

Robert Stanley is Head of Cybersecurity at one of the world's largest banks. He previously led the high-tech crime investigations unit at a European national police department. Over a career spanning more than 15 years, he has participated in the investigation of dozens of major crypto crimes, including cases involving state-sponsored hacking groups. For security and corporate policy reasons, the names of the bank and country are not disclosed.

Format: an in-depth expert interview. Alexander Mercer asks questions from the perspective of a journalist and analyst; Robert Stanley responds as a practitioner — someone who has personally investigated major hacks and built security systems for institutional players. The conversation lasted more than four hours and covered everything from the technical anatomy of hacks to the psychology of victims, from blockchain forensics to practical recommendations for storing crypto assets. What follows is the full transcript.

Part I. The Scale of the Problem: How Much Is Stolen in Crypto and Why the Numbers Keep Growing

Alexander Mercer: Robert, let's start with the scale. When an average person hears "one and a half billion dollars stolen from an exchange," it sounds like something from a movie. How real and systemic is the problem of theft in the crypto industry?

Robert Stanley: It's not from a movie — it's reality, and the scale is staggering even to us as professionals. Let's look at the numbers over recent years, because the trend speaks for itself.

In 2022, the previous record was set — $3.8 billion in stolen funds. In 2023, the volume dropped to $1.7 billion — a 54% decline. It seemed the industry was learning. But in 2024, the trend reversed: $2.2 billion, a 21% year-on-year increase, across 303 separate incidents. And 2025 broke all records: $3.4 billion, with $2.17 billion stolen in the first half alone — more than the entirety of 2024.

Year | Total Stolen ($ billion) | Number of Incidents | Largest Hack | DPRK Share ($)
--- | --- | --- | --- | ---
2021 | 3.3 | ~250 | Poly Network ($611M) | ~400M
2022 | 3.8 | ~214 | Ronin Network ($624M) | ~1.7B
2023 | 1.7 | 282 | Mixin Network ($200M) | ~660M
2024 | 2.2 | 303 | DMM Bitcoin ($305M) | ~1.34B
2025 | 3.4 | ~350+ | Bybit ($1.5B) | ~2.02B

Alexander Mercer: So as the industry grows, theft grows with it?

Robert Stanley: Exactly. But it's important to put this in context: the total volume of theft amounts to less than 1% of all crypto transactions. The problem is real, but it doesn't define the industry. What defines it is the industry's ability to respond, investigate, and recover.

What concerns me as a professional is the shift in the nature of the threats. Where DeFi protocols with unaudited code used to be the primary target, in 2024–2025 the focus has shifted to centralized services and private key compromise. According to TRM Labs, infrastructure attacks — primarily the theft of private keys and seed phrases — accounted for nearly 70% of the total value stolen in 2024. This means the problem has moved from the domain of "bad code" to "bad security practices."

Alexander Mercer: And North Korea — is that not just a myth? Is a state actually stealing cryptocurrency?

Robert Stanley: It's not a myth, and it's not an exaggeration. North Korea is the only state in the world that systematically steals cryptocurrency at a government level to fund its military programs. In 2025, North Korean hackers stole $2.02 billion — 76% of all service-level thefts. The cumulative total since their operations began is no less than $6.75 billion.

The Lazarus Group, responsible for most of these attacks, uses incredibly sophisticated methods. One key vector is the infiltration of North Korean IT specialists into Western companies posing as freelancers. These individuals gain legitimate access to systems and pass it on to their hacker colleagues. This is not a "hooded hacker in a basement" — it is an organized, resource-intensive, state-sponsored operation.

The FBI has publicly stated that the Bybit hack was carried out by North Korea. And unfortunately, traditional sanctions tools don't work — North Korea is already under maximum sanctions. For them, crypto theft is not a crime; it's an economic strategy.

Part II. The Anatomy of Crypto Crime: Every Method of Hacking and Theft

Alexander Mercer: Let's break this down in as much detail as possible. What methods do criminals actually use to steal cryptocurrency? I want our readers to understand every attack vector.

Robert Stanley: That's exactly the right approach, because without understanding the threats, protection is impossible. I'll map out all the major vectors — seven broad categories, each with subcategories.

Category 1. Smart Contract Exploits

Robert Stanley: Smart contracts are software code that controls billions of dollars. A single error in one line can cost hundreds of millions.

Reentrancy Attacks

A classic vector that became famous back in 2016 with the DAO attack, which resulted in the theft of 3.6 million ETH ($60 million at the time). The idea: an attacker calls a withdrawal function, and before the contract updates the balance, calls the same function again — recursively. The contract "thinks" the balance hasn't changed and pays out again. You'd think everyone knows about this by now. But in 2023, Curve Finance lost around $70 million due to a similar vulnerability. Developers know the theory, but in complex systems with dozens of interacting contracts, reentrancy bugs hide in non-obvious places.

Oracle Manipulation

Smart contracts have no direct access to external data. They receive asset prices, exchange rates, and other information through oracles — external intermediary services. If an attacker can briefly manipulate the price of an asset on one platform (using a flash loan, for example), they can "trick" the oracle into processing a profitable trade at an artificial price. It's like someone temporarily changing the exchange rate on a currency board while you're making a transaction.

Logic Errors in Collateral and Liquidity Systems

DeFi lending and liquidity protocols use complex mathematical formulas to calculate collateral, interest rates, and positions. An error in a formula, an unaccounted edge case, or incorrect rounding can allow an attacker to withdraw more than they're entitled to — or create a position that the system is structurally unable to liquidate.

Bridge Exploits

Bridges are the infrastructure for transferring assets between blockchains. Essentially, they act as a "bank" that holds collateral in one network and issues equivalent tokens in another. Bridges have become the most expensive target: Ronin Network lost $624 million, Wormhole lost $320 million, and Nomad lost $190 million. The reason is that bridges combine the complexity of cross-chain interactions with enormous volumes of locked funds.

Flash Loan Attacks

A flash loan is an instant, uncollateralized loan that must be repaid within a single transaction. It's a legitimate instrument that attackers exploit for manipulation: borrow a massive sum, manipulate a price, extract profit, repay the loan — all within one transaction. The attacker needs no capital of their own.

Exploit Type | Mechanism | Example | Losses
--- | --- | --- | ---
Reentrancy | Recursive call to withdrawal function before balance update | The DAO (2016), Curve (2023) | $60M, $70M
Oracle Manipulation | Distortion of price data via flash loan or illiquid market | Mango Markets (2022) | $117M
Logic Errors | Errors in formulas for collateral, position, and liquidation calculations | Euler Finance (2023) | $197M
Bridges | Compromise of validators or verification logic | Ronin (2022), Wormhole (2022) | $624M, $320M
Flash Loan | Single-transaction manipulation without personal capital | bZx (2020), PancakeBunny (2021) | $8M, $45M

Category 2. Private Key and Seed Phrase Compromise

Alexander Mercer: You said this is now the primary vector — 70% of all thefts. Tell us more.

Robert Stanley: This is the "simplest" and simultaneously the most dangerous method. A private key is the only thing needed for complete control over a wallet. A seed phrase is its mnemonic representation — typically 12 or 24 words. Whoever holds the key holds the assets. No exceptions, no appeals.

Phishing — Classic and Advanced

The most common method. A victim receives an email, Telegram message, Discord or Twitter notification that impersonates a legitimate service: an exchange, a wallet, a DeFi protocol. The link leads to a phishing site that is visually indistinguishable from the real one. The victim enters their seed phrase or signs a malicious transaction.

Advanced phishing in 2025 uses AI to generate personalized messages, clone voices for phone calls, and create deepfakes for video conferences. We've seen cases where "colleagues" on a video call asked someone to sign a transaction — and every face on the screen was a deepfake.

Malware

Clippers — programs that replace a copied wallet address with the attacker's address. You copy a friend's address, paste it into the send field — and the hacker's address appears instead. Keyloggers — record all keystrokes, including password and seed phrase entry. Stealers — specialized software that searches a computer for wallet files, configurations, cookies, and session data. InfoStealer trojans like RedLine, Raccoon, and Vidar are a widespread threat. They spread through pirated software, cracked programs, and fake updates.

Compromised Libraries and CI/CD Pipelines

This vector targets developers. An attacker publishes a malicious package to npm, PyPI, or another repository using a name similar to a popular library (typosquatting). A developer installs it, and the malicious code gains access to private keys, environment variables, and CI/CD pipeline secrets. This is precisely how the private keys of several major projects were compromised.

Seed Phrase Exposure Through Human Error

A photo of a seed phrase stored in the cloud (Google Photos, iCloud), a note in a phone app, a "passwords.txt" file on the desktop, a seed phrase stored in a password manager that was itself compromised (like LastPass in 2022). These might seem like obvious mistakes — yet they remain one of the primary channels for data leaks.

"Signed the Wrong Thing" — Malicious Approvals

A user connects their wallet to a site and signs a transaction without understanding what it says. Instead of "allow this contract to use 100 USDT," they sign "allow this contract to use an unlimited amount of all my tokens." Or they sign a permit that grants the attacker the right to withdraw funds without further confirmation. This is a plague for DeFi users.

This is exactly how Bybit was hacked: the multisig wallet signers approved a transaction without verifying what they were actually signing on the hardware wallet screen. Had they verified the transaction data, $1.5 billion would have remained safe.

Category 3. Infrastructure Attacks

Robert Stanley: These are more "traditional" hacking attacks, adapted for the crypto context.

DNS Hijacking — Domain Spoofing

An attacker gains control over the DNS records of a project's domain. When a user visits a familiar site at a known address, they are redirected to a phishing copy. The domain is the same, and an SSL certificate can be reissued. The victim sees no difference. Several major DeFi projects have been targeted this way.

Frontend Substitution

An attacker compromises a project's CDN (content delivery network) or CI/CD pipeline and modifies the frontend — the user interface. The smart contract remains secure, but the interface substitutes a malicious address in transactions. The user thinks they're interacting with a legitimate contract, while in reality they're sending funds to a hacker.

Exchange API Key Compromise

If a user creates an API key on an exchange for a bot or third-party service and that key leaks — through a compromised service, a GitHub repository, or logging — an attacker gains access to the trading account and may be able to trade or withdraw funds, depending on the key's permissions.

SIM-Swap Attacks

An attacker convinces a mobile carrier to reissue the victim's SIM card in their name. They then gain access to SMS codes for 2FA and can log into the victim's email, exchange accounts, or wallets. This attack is particularly effective in countries where carrier verification is insufficient. We've seen dozens of cases where a SIM swap led to the loss of hundreds of thousands of dollars.

Cloud Storage and Server Attacks

If private keys or seed phrases are stored on a cloud server, VPS, or corporate network, any compromise of that infrastructure automatically means the wallets are compromised too. An AWS S3 leak, a compromised administrator account, misconfigured access permissions — all of these are real attack vectors.

Category 4. Social Engineering and Insider Threats

Alexander Mercer: This is probably the most "human" attack vector?

Robert Stanley: Yes, and often the most devastating. Here the problem lies not in technology, but in trust, manipulation, and human vulnerability.

Pig Butchering — Romantic Crypto Scams

A scheme that has become a genuine epidemic. A victim meets an "attractive" person on social media or a dating site. A relationship develops — sometimes over weeks or months. Then the "partner" tells them about an "incredible investment opportunity" in crypto. The victim registers on a fake platform, deposits money, and sees "profits" on the screen. They invest more and more. When they try to withdraw — the money is gone.

According to the US Department of Justice, Americans alone lost approximately $10 billion to crypto investment scams in 2024. In October 2025, the DOJ seized more than $15 billion in one of the largest operations against a pig butchering network. The scale of these schemes is industrial, often involving forced labor in call centers across Southeast Asia.

Fake Investment Platforms

Counterfeit exchanges with professional designs, fake charts, and "customer support." The victim transfers funds — and never sees them again. These platforms are often promoted through YouTube, Telegram channels, spam emails, and increasingly through AI-generated "financial experts" in video content.

Insider Attacks

The most troubling category. An exchange employee, project developer, partner, or contractor with system access uses it to steal — or provides that access to an external attacker. Insider thefts are especially difficult to investigate because the "attacker" looks like a legitimate user.

North Korea actively exploits this vector: their IT specialists fraudulently obtain remote jobs at Western companies, gain access to internal systems, and open the door for the hacking group.

Fake Airdrops and Giveaways

"Elon Musk is giving away Bitcoin — send 0.1 BTC and get 1 BTC back." It sounds absurd. Yet people keep falling for it. A more sophisticated version involves fake airdrops that require "confirming" participation by connecting a wallet to a malicious contract.

Category 5. Rug Pulls

Robert Stanley: A separate category that deserves attention. A rug pull is when the creators of a project deliberately build a token or protocol to attract investment, then take all the funds and disappear.

How it works: a team creates a token, builds hype through social media and influencers, attracts liquidity from investors, then instantly withdraws all funds from the liquidity pool. The token price collapses to zero. Investors are left holding worthless tokens.

Variations include: a "soft rug" — where the team doesn't disappear immediately but gradually loses interest, stops development, and sells their tokens. A "hard rug" — an instant withdrawal of all liquidity. A "honeypot" — a token that can be bought but technically cannot be sold due to hidden code in the contract.

Category 6. Physical Security Attacks

Alexander Mercer: We've been talking about digital attacks. What about physical threats?

Robert Stanley: Unfortunately, this is a growing trend. As the value of crypto assets rises, so does the number of physical attacks on crypto holders.

A "wrench attack" is a term from the crypto community describing a situation where an attacker physically threatens a wallet owner to gain access to their funds. This can take the form of kidnapping, robbery, or blackmail. Public records of such incidents document dozens of cases around the world, some with fatal outcomes.

In 2024–2025, there has been a notable increase in targeted attacks on cryptocurrency investors and entrepreneurs. Attackers identify victims through public blockchain data, social media activity, and conference attendance.

Category 7. State-Level and Systemic Threats

Robert Stanley: It's worth separately mentioning risks that come not from hackers, but from governments and institutional failures.

Confiscation: government agencies can freeze or seize crypto assets held on regulated platforms. Exchange collapses: FTX, Mt. Gox, QuadrigaCX — cases where user funds became inaccessible not due to an external hack, but because of fraud or mismanagement by exchange leadership. Regulatory changes: sudden bans, freezes, or new requirements can restrict access to funds.

Threat Category | Share of Total Losses (2024–2025) | Difficulty for Victim | Recovery Chance
--- | --- | --- | ---
Smart Contract Exploits | ~25% | High (technical analysis required) | Medium (depends on response speed)
Key Compromise | ~35% | Critical (total loss of control) | Low (unless funds reach a CEX)
Infrastructure Attacks | ~15% | High (victim may be unaware) | Medium
Social Engineering | ~15% | Medium (depends on awareness) | Low to medium
Rug Pull | ~5–7% | Medium (loss of investment) | Very low
Physical Attacks | ~1–2% | Critical (threat to life) | Situation-dependent
Systemic/State-Level | ~2–3% | High (legal processes) | Jurisdiction-dependent

Part III. Chain Forensics: How Blockchain Thefts Are Investigated

Alexander Mercer: Let's move on to investigations. When people say "crypto is completely anonymous" — is that actually true?

Robert Stanley: That's one of the most persistent myths out there. Blockchain is not an anonymous system. It's a pseudonymous system. And that's a massive difference.

Anonymity would mean transactions can't be seen at all. But blockchain is literally a public ledger. Every transaction is recorded permanently, accessible to anyone, and immutable. Yes, a wallet address is just a string of characters — not a name. But linking an address to an identity is precisely what chain forensics does.

What is chain forensics as an industry?

Robert Stanley: Chain forensics sits at the intersection of several disciplines. It's not a "one button" solution or some magic tool. It's an ecosystem built on five key components.

The first component is data. That means blockchain nodes, indexers, and transaction archives. Investigations require access to the complete history of every address, every contract, and every movement of funds across all networks.

The second is analytics. Address clustering, building transaction graphs, identifying patterns. This is algorithmic work where AI and machine learning are playing an increasingly significant role.

The third is operational work. Contacts with exchanges, OTC desks, bridges, and wallet providers. Once you've determined that funds have reached a specific exchange, you need to quickly get in touch with their compliance department to freeze the assets.

The fourth is compliance and the legal side. Sanctions lists, AML procedures, preparing evidence for court, and working with law enforcement agencies.

The fifth is incident response. This covers what needs to happen in the first minutes and hours following a hack.

Key players in the chain forensics industry

Company | Specialization | Key Capabilities
--- | --- | ---
Chainalysis | Blockchain analytics, compliance | Reactor (transaction visualization), KYT (monitoring), database of 1B+ clusters
TRM Labs | Investigations, risk intelligence | Multichain analytics, API for exchanges, fraud detection
Elliptic | AML/KYC, investigations | Holistic — wallet scoring, cross-chain monitoring
CertiK | Security auditing, monitoring | Smart contract audits, Skynet (real-time monitoring)
SlowMist | Investigations, auditing | MistTrack (tracking), auditing, incident response
Crystal Blockchain | Compliance, analytics | AML scoring, transaction monitoring, visualization
Hexagate (Chainalysis) | Attack prevention | Real-time threat detection, Web3 protection

How does address clustering work?

Alexander Mercer: There are billions of addresses on the blockchain. Criminals split funds across hundreds of wallets. How do you link them into a single "cluster"?

Robert Stanley: Clustering isn't guesswork. It's the systematic accumulation of signals, each of which increases our confidence in a connection between addresses.

Behavioral patterns: identical time intervals between transactions, identical amounts (or amounts that are mathematically related), similar sequences of steps. If two addresses transact with an interval of exactly 3 minutes and 47 seconds five times in a row — that's not a coincidence.

Technical links: on UTXO blockchains (Bitcoin) — shared inputs in transactions, which typically indicate control by a single key. On account-based blockchains (Ethereum) — interactions through shared intermediary contracts, gas patterns.

Infrastructure traces: use of the same bridges, mixers, and exchange contracts. Identical fund movement routes.

Intersections with known entities: deposit addresses of centralized exchanges, known service hot-wallets, OFAC-sanctioned addresses. If money lands on an address we've already linked to a specific exchange — the chain closes.

An important principle: serious investigations operate with confidence gradations. We don't say "it's definitely them" without a basis. We work with categories: high confidence, medium confidence, low confidence — and we always specify what data the claim is based on.

Mixers, tumblers, and privacy coins: can you really "launder" a trail?

Alexander Mercer: What about mixers like Tornado Cash? Don't they erase the trail?

Robert Stanley: Mixers make the job harder, but they don't make it impossible. Tornado Cash, ChipMixer, Sinbad — all of these services "mix" funds from different users to break the link between sender and recipient.

But forensics has countermeasures. Timing analysis: when funds enter a mixer and when they exit, with correlation by time and amounts. Dust analysis: small residual amounts that can't be perfectly "mixed." De-anonymization of mixer deposit addresses through external data. Network analysis: if the same user repeatedly uses a mixer, their pattern becomes recognizable.

On top of that, major mixers come under sanctions. Tornado Cash was added to the OFAC sanctions list in 2022. This means funds that passed through Tornado Cash are automatically "flagged" in the compliance systems of all regulated exchanges.

As for privacy coins (Monero, Zcash) — they do significantly complicate investigations. Monero uses ring signatures, stealth addresses, and confidential transactions. But even here there are points of vulnerability: the moment of entry (buying Monero with other crypto) and exit (converting back). And one Russian company reportedly developed tools for partial de-anonymization of Monero.

Part IV. The First Hour After a Theft: A Step-by-Step Response Protocol

Alexander Mercer: Let's say one of our readers discovers their funds have been stolen. Or the head of a crypto project finds out they've been hacked. What should they do? Give us a step-by-step guide.

Robert Stanley: The first hour is like emergency resuscitation. Every minute counts. I'll give two protocols: one for individual users and one for projects and companies.

Protocol for individual users: what to do if your cryptocurrency is stolen

Step 1. Stop the bleeding (first 5 minutes)

Immediately transfer all remaining funds from the compromised wallet to a new, secure address. If it's an exchange account — freeze the account through support and revoke all API keys. If the seed phrase has been compromised — assume that ALL wallets derived from that phrase are at risk. Create a new wallet with a NEW seed phrase on a CLEAN device.

Step 2. Document the evidence (5–30 minutes)

Record: the exact time of discovery, transaction hashes through which funds were withdrawn, the sender address (yours) and the recipient address (the attacker's), the amounts and types of tokens, screenshots of your screen, any correspondence, and suspicious links. Don't try to "fix" anything at this stage — just document. This data will be needed for the investigation and any potential legal proceedings.

Step 3. Notify exchanges (30 minutes — 2 hours)

If funds were transferred to an exchange — contact that exchange's support immediately. All major exchanges (Binance, Coinbase, Kraken, OKX, Bybit) have emergency freeze procedures when proof of theft is provided. The faster you reach out — the higher the chance funds will be frozen before the hacker withdraws them.

What to include in your report: transaction hashes, a description of the incident, your address (sender), the recipient address, and proof of ownership (transaction history, KYC data).

Step 4. Contact forensics specialists (2–24 hours)

If the amount is significant — reach out to a company specializing in blockchain investigations (Chainalysis, TRM Labs, SlowMist, Crystal Blockchain, or independent experts). They can: trace the path of the funds, prepare a report for law enforcement, and notify exchanges through their own channels (often faster than through public support).

Step 5. File a police report (24–72 hours)

Even if it seems like "the police won't help" — filing a report is essential. First, it provides a legal basis for requesting data from exchanges. Second, in some jurisdictions, the recovery process cannot be initiated without a formal report. Third, if the case is investigated at an international level (Interpol, Europol, FBI), your report will become part of the evidence base.

Step 6. Conduct a security audit (1–7 days)

Find out HOW the theft happened. Scan your computer for malware, change passwords on all services, enable or strengthen 2FA, and review all active sessions and connections. If the cause cannot be determined — consult a cybersecurity specialist.

Protocol for a project or company: the first hour after a hack is discovered

Robert Stanley: For projects, the procedure is more complex and requires team coordination.

Phase | Time | Action | Responsible
--- | --- | --- | ---
1. Stabilization | 0–15 min | Pause contracts, rotate keys, disable the vulnerable module | CTO / DevOps
2. Documentation | 15–30 min | Log snapshots, contract state, transaction hashes, list of affected addresses | Security team
3. Vector identification | 30 min – 2 h | Contract exploit? Keys? Social engineering? Insider? | Security + forensics
4. Initial graph | 1–3 h | Where did the funds go? Bridges, mixers, CEX deposits? | Forensics
5. Exchange notification | In parallel | Freeze addresses on CEXs, custodians, OTC desks | Compliance + forensics
6. War room | Ongoing | Coordinate all teams, provide status updates | CEO / incident lead
7. Public communication | After stabilization | Transparent statement: what happened, what is being done | PR / Communications
8. Post-mortem | 48–72 h | Full report: attack vector, timeline, measures taken, remediation plan | Security + management

⚠️ Critical mistake: spending the first hours on public statements instead of stopping the bleeding. We've seen projects hosting Twitter Spaces when they should have been contacting exchanges. Communication matters — but it comes AFTER stabilization.

Part V. Can Stolen Cryptocurrency Be Recovered?

Alexander Mercer: The most important question from our readers: is there a realistic chance of getting stolen funds back?

Robert Stanley: The honest answer: sometimes — yes. But it depends on a number of factors.

What determines the chances of recovery?

Speed of response — the single most critical factor. If the funds reached a CEX before you notified the exchange — they may be frozen. If the hacker has already withdrawn them — the chances drop sharply.

The route the funds took. If the money went to a regulated exchange — there's a high chance of freezing. If it went through a mixer and into Monero — the chances are minimal. If it went through a decentralized bridge into another network — it depends on the complexity of the investigation.

Jurisdiction. If the hacker is in a country with a well-developed legal system — a court can compel the return of funds. If it's North Korea — there's no realistic chance.

The amount stolen. Paradoxically, larger thefts receive more active investigation. Bybit's $1.5 billion hack mobilized the entire industry. A $5,000 personal wallet theft — unfortunately — will receive minimal attention.

The quality of the evidence. The better documented the incident — the easier it is to investigate and the more compelling it is in court.

Real cases of fund recovery

Incident | Amount | Recovered | How it happened
--- | --- | --- | ---
Poly Network (2021) | $611M | ~$611M (almost all) | The hacker returned the funds voluntarily, received a bug bounty and a job offer
KuCoin (2020) | $281M | ~$236M (84%) | Fast response + exchange freezes + token disabling
Euler Finance (2023) | $197M | ~$197M (all) | Negotiations: hacker returned funds in exchange for dropped prosecution
Wormhole (2022) | $320M | Covered by Jump Crypto | Not a recovery from the hacker, but losses covered by an investor
Bybit (2025) | $1.5B | Partially (bounty program) | Reward program for information, asset freezes
Mt. Gox (2014) | ~$450M (at time of theft) | ~$9B (returned in 2024) | 10 years of legal proceedings, rise in BTC price

As you can see, the spectrum is wide — from full recovery within days to decade-long legal battles. But even when full recovery isn't possible, forensics still helps: closing the vulnerability, rebuilding user trust, providing a transparent report, reducing the likelihood of recurrence, and assisting law enforcement with their investigation.

Part VI. Where and How to Store Cryptocurrency: A Complete Security Guide

Alexander Mercer: Let's get practical. How can an ordinary person protect their crypto assets?

Robert Stanley: Let's start with a fundamental principle: there is no 100% secure storage method. But there is a spectrum — from "very dangerous" to "maximally protected." Your job is to choose a security level that matches your holdings and your needs.

Types of wallets: from the riskiest to the most secure

Storage Type | Security | Convenience | Best for | Risks
--- | --- | --- | --- | ---
Exchange (custodial) | ⚠ Medium | ⭐⭐⭐⭐⭐ | Active traders, beginners | Exchange hack, bankruptcy, account freeze
Hot wallet (MetaMask, Trust) | ⚠ Medium | ⭐⭐⭐⭐ | DeFi users, medium amounts | Malware, phishing, device compromise
Hardware wallet (Ledger, Trezor) | ✅ High | ⭐⭐⭐ | HODLers, medium to large amounts | Physical loss, errors during recovery
Air-gapped wallet (Coldcard, Ellipal) | ✅✅ Very high | ⭐⭐ | Large amounts, security-focused users | Complexity of use, seed loss
Multisig (Gnosis Safe, Casa) | ✅✅✅ Maximum | | Institutional, large amounts | Complexity, dependence on multiple keys

Hardware wallets in 2026: which one to choose?

Robert Stanley: A hardware wallet is the gold standard for storage. Your private keys never leave the physical device — even when connected to a computer. Here are the main models:

Model | Price | Key Features | Certification | Open-source
--- | --- | --- | --- | ---
Ledger Nano S Plus | $79 | USB-C, 5500+ coins, Ledger Live | EAL5+ | No
Ledger Nano X | $149 | Bluetooth, battery, mobile use | EAL5+ | No
Ledger Flex | $249 | Touchscreen, E-ink, EIP-712 signing | EAL6+ | No
Trezor Safe 3 | $79 | Secure element, PIN, 1000+ coins | EAL6+ | Yes
Trezor Safe 7 | $169 | Bluetooth, large screen, quantum-ready | EAL6+ | Yes
Tangem | $55–70 | NFC card, no seed phrase | EAL6+ | Yes
Coldcard Q | $219 | Air-gapped, AA batteries, BTC only | N/A | Yes
GridPlus Lattice1+ | $300+ | Touchscreen, SafeCards | EAL6+ | Yes
Cypherock X1 | $199 | Distributed keys (Shamir), no single seed | Audited | Yes

💡 Expert tip: Never buy a hardware wallet from third-party sellers (eBay, Amazon marketplace). There have been documented cases where sellers extracted the seed phrase, resold the device, and then stole all the funds the buyer transferred onto it. Only purchase directly from the manufacturer's official website.

The asset distribution rule: "Don't put all your eggs in one basket"

Alexander Mercer: How should you properly distribute crypto assets across different storage options?

Robert Stanley: For most users, I recommend the 5/25/70 rule.

5% — on an exchange. Only the funds you're actively trading right now. Hot cash for trades.

25% — in a hot wallet (MetaMask, Trust Wallet, Phantom). For DeFi, staking, and everyday transactions. Amounts whose loss you could absorb.

70% — in a hardware wallet or multisig. Long-term savings. Funds you don't plan to touch for months or years.

For large amounts (over $100,000), I recommend a multisig setup: 2-of-3 or 3-of-5 keys, distributed across different devices and physical locations. This protects you even if a single device is stolen.

Top 20 security rules: the master checklist

# | Rule | Category
--- | --- | ---
1 | Use a hardware wallet for storing your main funds | Storage
2 | Write your seed phrase on a metal plate, not paper | Backup
3 | Store your seed phrase in multiple physical locations | Backup
4 | Never photograph your seed phrase or store a digital copy | Backup
5 | Enable 2FA via an Authenticator app (not SMS!) on all services | Authentication
6 | Use a unique email address for each crypto exchange | Accounts
7 | Use a password manager with a unique password for each service | Passwords
8 | Check the site URL before logging in every time | Anti-phishing
9 | Don't sign transactions you don't understand | DeFi
10 | Regularly review and revoke token approvals (revoke.cash) | DeFi
11 | Don't install pirated software on devices used for crypto wallets | Devices
12 | Use a dedicated device for crypto (if possible) | Devices
13 | Don't use public Wi-Fi for crypto operations | Network
14 | Enable withdrawal whitelisting on exchanges | Exchanges
15 | Set up an anti-phishing code on exchanges | Exchanges
16 | Don't publicly disclose the size of your crypto portfolio | OPSEC
17 | Use a VPN when accessing crypto services | Network
18 | Keep your hardware wallet firmware up to date | Devices
19 | Test seed phrase recovery BEFORE sending any significant amount | Backup
20 | Create a crypto inheritance plan | Planning

Part VII. How to Evaluate the Security of a Crypto Project: An Investor's Checklist

Alexander Mercer: How can an ordinary user determine whether it's safe to trust a specific project or exchange with their funds?

Robert Stanley: Great question. I've developed an evaluation framework that I use myself and recommend to clients.

Smart contract audits

Has an audit been conducted? By whom? (CertiK, Trail of Bits, OpenZeppelin, Halborn are reputable auditors.) How many audits? One audit is the minimum. Two or three from different auditors is solid. Were any critical vulnerabilities found? How were they addressed? Is the report public? If a project claims to have "passed" an audit but the report isn't available — that's a red flag.

Bug bounty program

Does the project have a reward program for discovered vulnerabilities? Platforms like Immunefi, HackerOne, and Code4rena are standard channels. Reward adequacy matters: if a project manages hundreds of millions in assets but the maximum bounty is $10,000 — that's not serious. The best projects offer bounties of up to 10% of the maximum possible damage.

Key management

Multisig: how many signatures are required? 3-of-5 is the standard. 1-of-1 is a red flag. Timelock: is there a delay when changing critical contract parameters? This gives users time to react to suspicious activity. An anonymous team with full control over funds is the biggest red flag of all.

Proof of Reserves

For exchanges: do they publish regular Proof of Reserves reports? Do they use a Merkle Tree for verification? Is the auditor independent? After the FTX collapse, this has become a mandatory standard.

Communication transparency

How has the project responded to past incidents? Was there a public post-mortem? Were affected users compensated? Transparency is the best indicator of how seriously a project takes security.

Part VIII. The Future of Crypto Security: What Will Change Between 2026 and 2030

Alexander Mercer: Where is the industry heading? Will it get safer?

Robert Stanley: I see several key trends emerging.

AI in cybersecurity and forensics

AI is already being used by both sides. Attackers are using AI to generate phishing messages, create deepfakes, and automate vulnerability discovery. Defenders are using it to analyze transaction patterns, run predictive monitoring, and automatically classify threats. Chainalysis acquired Hexagate — a company that uses AI to detect and prevent attacks in real time. This is the future: AI that stops an attack before it happens.

Account abstraction and the end of seed phrases

Account abstraction technology (EIP-4337) enables the creation of "smart accounts" with flexible security logic: social recovery (trusted contacts confirm access), transaction limits, and multi-factor authentication built directly into the blockchain layer. Tangem already offers wallets without seed phrases. ZenGo uses MPC. The goal is to eliminate the single point of failure — the one phrase that can be stolen.

Regulation and compliance

MiCA in Europe, regulatory frameworks in the UAE, Singapore, and Japan. Exchanges are required to implement increasingly strict AML/KYC procedures. This makes life harder for criminals at the cashing-out stage. Russia is preparing its own rules by July 2026. The trend is clear — more and more "exit points" are coming under regulatory control.

The quantum threat — what's coming?

Quantum computers could theoretically break the cryptography underlying Bitcoin and Ethereum. But in practice, this is a threat on a 10–15 year horizon. The Trezor Safe 7 is already marketed as "quantum-ready." The industry is preparing — the transition to post-quantum cryptography is a matter of time, but not yet an emergency.

Decentralization of keys

MPC (Multi-Party Computation), SSS (Shamir Secret Sharing), distributed key generation. These technologies distribute control over a key across multiple parties or devices, eliminating any single point of compromise. Cypherock X1 already uses Shamir's scheme to split keys across physical cards. This direction will continue to grow.

Part IX. The Psychology of Crypto Crime: Why People Get Caught

Alexander Mercer: The last topic I wanted to discuss is the human factor. Why do even experienced people fall victim?

Robert Stanley: Because criminals exploit psychological vulnerabilities, not technical ones. And they do it professionally.

FOMO (Fear of Missing Out)

"This token is up 1,000%, and you still haven't bought?" — that's the most powerful driver of impulsive decisions in crypto. FOMO pushes people to invest in unverified projects, connect to shady contracts, and ignore red flags. Criminals deliberately manufacture artificial FOMO: "only 5 spots left," "price goes up in an hour," "exclusive access via this link only."

Trust in Authority

"Elon Musk recommended it," "this influencer made a million" — false authorities and fake endorsements. Deepfakes make it even more convincing. We've seen videos where "Vitalik Buterin" recommended a specific token. The video was entirely AI-generated.

Cognitive Overload

DeFi interfaces are complex. Transactions look like strings of hexadecimal characters. People are asked to sign something they can't read, and there's "no time" to figure it out. Criminals exploit this overload: the more steps involved and the more complex the process, the more likely the victim is to click "confirm" without looking.

The Dark Side of Decentralization: "No Cancel Button"

In traditional finance, a bank can reverse a fraudulent transaction. In crypto, it can't. That's freedom, but it also means responsibility. Many people enter crypto with a banking mindset: "if something goes wrong, it'll be reversed." It won't. And you need to understand that from the start.

Part X. Breaking Down the Biggest Hacks: Lessons Worth Billions

Alexander Mercer: Robert, let's go through specific cases — the largest and most instructive hacks of recent years. What lessons is the industry taking away?

Robert Stanley: Every major hack is a cybersecurity textbook. Let's break down six key cases.

Case 1: Bybit — $1.5 Billion (February 2025)

The largest theft in the history of the crypto industry. Dubai-based exchange Bybit lost approximately $1.5 billion in Ethereum. The FBI and several blockchain analytics firms attributed the attack to the North Korean Lazarus Group.

Attack vector: compromise of the multisig transaction signing process. The signers of Bybit's multisig wallet approved a transaction without verifying its contents on their hardware wallet screens. Essentially, they signed a malicious transaction while believing they were signing a routine transfer.

What went wrong: insufficient verification. If each signer had checked exactly what they were signing — the recipient address, the amount, the calldata — the attack would have been prevented. The problem is that many hardware wallets display transactions in raw form — a string of hexadecimal characters that a human cannot interpret.

Lesson: multisig is a necessary but not sufficient security measure. Without a culture of verifying every transaction, it becomes a formality. Following Bybit, the industry has been actively discussing standards for "human-readable" transaction verification and improved hardware wallet interfaces.

Response: Bybit launched a bounty program for information about the movement of stolen funds. Some funds were tracked and frozen on various platforms. But the bulk was quickly distributed through bridges and mixers using complex chains characteristic of North Korean tactics.

Case 2: DMM Bitcoin — $305 Million (May 2024)

The Japanese exchange lost 4,502 BTC. The attack is also attributed to Lazarus Group.

Vector: private key compromise. Allegedly, the attackers gained access through social engineering — one employee was compromised. North Korean IT specialists used fake LinkedIn profiles to make contact.

The consequences were catastrophic: DMM Bitcoin was unable to recover from the blow and decided to shut down the exchange in December 2024. Client assets and accounts were transferred to SBI VC Trade, a subsidiary of Japanese financial conglomerate SBI Group.

Lesson: even a regulated exchange in a country with some of the strictest crypto regulations in the world (Japan) can fall victim to social engineering. Technical defenses are powerless when an employee becomes the weakest link.

Case 3: WazirX — $234.9 Million (July 2024)

India's largest exchange lost funds after hackers tricked authorized signers into approving a malicious transaction. The attack bypassed a multi-layered security system because it targeted people, not code.

What made this case notable: the attackers spent a long time studying the exchange's signing procedures, identified weak points in the human layer, and struck at a moment when vigilance was lowered. This demonstrates the level of preparation that state-sponsored hacking groups bring — they study their targets for months before striking.

Case 4: Ronin Network — $624 Million (March 2022)

The Ronin Network bridge, serving the game Axie Infinity, lost 173,600 ETH and 25.5 million USDC. The attack wasn't discovered until six days after it occurred.

Vector: compromise of 5 out of 9 validators through social engineering. Four keys were obtained through a compromised Sky Mavis employee. The fifth was obtained through a third-party organization, Axie DAO, which still had signing authorization even though it was no longer part of the process.

Key lesson: access hygiene. Outdated authorizations are a silent security killer. If an organization is no longer involved in signing, its key must be revoked immediately. Also: 5-of-9 is too low a threshold for $624 million. And a six-day detection delay represents a catastrophic monitoring failure.

Case 5: FTX — $8.7 Billion (November 2022)

Technically, FTX was not a "hack." It was fraud — the largest in crypto history. Founder Sam Bankman-Fried used client funds for trading through the affiliated fund Alameda Research. When this came to light, the exchange collapsed within days.

But beyond the fraud, a theft also occurred during the bankruptcy: approximately $477 million was withdrawn from FTX wallets by unknown parties. The investigation is ongoing.

Lessons from FTX: don't keep all your funds on a single exchange. Proof of Reserves is a mandatory standard. Regulation and transparency are not enemies of innovation — they are conditions for survival. A charismatic leader and a nice office are not proof of trustworthiness.

Case 6: Poly Network — $611 Million (August 2021)

A unique case: a hacker exploited a vulnerability in the cross-chain verification logic and drained $611 million. But then... returned almost everything. They claimed the attack was done "for fun" and to demonstrate the vulnerability. Poly Network offered them the position of "Chief Security Advisor."

This case gave rise to the concept of white hat hacking in crypto and the practice of bounty negotiations. Today, many projects include "safe harbor" clauses in their contracts — legal frameworks that allow hackers to return funds in exchange for a reward and immunity from prosecution.

Part XI. DeFi Security: How to Use Decentralized Finance Without Losing Everything

Alexander Mercer: DeFi is one of the most innovative and simultaneously most dangerous parts of crypto. How do you use DeFi safely?

Robert Stanley: DeFi offers incredible opportunities — decentralized lending, exchanges, staking, yield farming. But DeFi is also where users are most vulnerable, because there's no "support team" or "cancel button." Let's go through some concrete rules.

Rule 1: Always Check What You're Signing

Every interaction with a DeFi protocol involves signing a smart contract transaction. Before signing, you need to understand: which contract you're interacting with (is the address known and verified?), which function you're calling, and what permissions (approvals) you're granting.

Use tools that "translate" transactions into plain language: Fire Extension, Pocket Universe, Blowfish. These browser extensions show you what will actually happen if you sign a transaction — before you click "Confirm."

Rule 2: Regularly Review and Revoke Approvals

When you use a DEX (Uniswap, PancakeSwap), you grant the contract permission (approval) to spend your tokens. This is often an "unlimited approval" — an infinite allowance. If the contract is later compromised, a hacker gains access to all approved tokens.

Solution: use revoke.cash to regularly review and revoke unnecessary approvals. Do this at least once a month. Even better — when granting any approval, specify an exact amount rather than unlimited.

Rule 3: Don't Chase Abnormal Yields

If a protocol promises 100% APY when the average market offers 5–15%, ask yourself: where is that money coming from? In 90% of cases, the answer is from the pockets of new investors (Ponzi) or from risks you can't see (impermanent loss, smart contract risk, rug pull).

Rule: if a yield looks too good to be true, it is. Sustainable DeFi yields in 2026 are 3–15% annually for stablecoins and 5–20% for volatile assets.

Rule 4: Use Test Transactions

Before sending a large amount, always send a minimal "test" transaction first. It costs next to nothing in fees but can save thousands of dollars. Confirm that the funds arrived at the correct address and that the contract is working as expected.

Rule 5: Separate Your "Hot" and "Cold" DeFi Wallets

Don't use a single wallet for both storage and DeFi interactions. Create a separate "working" wallet, and transfer only the amount you're willing to use in DeFi. If that wallet gets compromised through a malicious contract, your main funds will remain safe.

Rule 6: Verify the Contract Before Interacting

Minimum checks: is the contract verified on Etherscan/BSCScan? Has it been audited? When was the contract deployed (newer contracts carry higher risk)? What is the TVL (Total Value Locked)? Low TVL = high risk. Who is behind the project — a public team or anonymous developers?

Use DeFi Safety, DefiLlama, and DappRadar to verify protocols before investing. Use Token Sniffer and GoPlusLabs to check tokens for honeypots and hidden functions.

Rule 7: Be Careful with Bridges

Cross-chain bridges are one of the most vulnerable categories of infrastructure. Three of the five largest thefts in crypto history were bridge attacks (Ronin, Wormhole, Nomad). If you need to move funds between networks, use well-established bridges with strong reputations and audits. Split large transfers into multiple smaller ones. And remember: every bridge adds contract risk.
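As an added illustration of Rule 1 and Rule 2 above, and of the Bybit lesson in Part X (verify the recipient, amount and calldata before signing), the following Python decoder is editorial example code, not a tool from the interview or from any of the extensions named in this section. It hard-codes four well-known ERC-20/ERC-721 function selectors (Python's hashlib has no Keccak-256, so they are not computed at runtime), flags an unlimited `approve` and a `setApprovalForAll(true)`, and builds the `approve(spender, 0)` calldata that a revoke sends. The addresses and calldata blobs are constructed samples, not real contracts or transactions.

```python
"""Decode ERC-20/ERC-721 calldata before signing, and build a revoke transaction."""

UINT256_MAX = (1 << 256) - 1

# Function selectors are the first 4 bytes of keccak256(signature). They are
# hard-coded because hashlib.sha3_256 is the NIST variant, not Keccak-256,
# and would produce different values.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
}


def _strip_0x(h: str) -> str:
    return h[2:] if h[:2].lower() == "0x" else h


def decode_calldata(hex_data: str) -> dict:
    """Return {"function", "selector", "args", "warnings"} for one calldata blob."""
    data = bytes.fromhex(_strip_0x(hex_data))
    if len(data) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    selector = data[:4].hex()
    warnings = []
    if selector not in SELECTORS:
        # Unknown function: nobody can tell what it does from the hex alone.
        return {"function": None, "selector": selector, "args": [],
                "warnings": ["unknown selector, do not sign blind"]}
    name, types = SELECTORS[selector]
    expected = 4 + 32 * len(types)
    if len(data) < expected:
        raise ValueError(f"calldata truncated: {len(data)} bytes, {name} needs {expected}")
    if len(data) > expected:
        warnings.append(f"{len(data) - expected} trailing bytes after the last argument")
    args = []
    for i, typ in enumerate(types):
        word = data[4 + 32 * i: 36 + 32 * i]
        value = int.from_bytes(word, "big")
        if typ == "address":
            if value >> 160:  # the 12 leading bytes of an address word must be zero
                warnings.append(f"argument {i}: address word has non-zero padding")
            args.append("0x" + word[12:].hex())
        elif typ == "bool":
            args.append(value != 0)
        else:  # uint256
            args.append(value)
    if name == "approve" and args[1] == UINT256_MAX:
        warnings.append("unlimited ERC-20 allowance")
    if name == "setApprovalForAll" and args[1] is True:
        warnings.append("operator approval over every NFT in the collection")
    return {"function": name, "selector": selector, "args": args, "warnings": warnings}


def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0), which zeroes an ERC-20 allowance."""
    addr = bytes.fromhex(_strip_0x(spender))
    if len(addr) != 20:
        raise ValueError("spender must be a 20-byte address")
    return "0x095ea7b3" + addr.rjust(32, b"\x00").hex() + (0).to_bytes(32, "big").hex()


# Constructed sample addresses and calldata (not real contracts or transactions).
SPENDER = "0x" + "11" * 20
UNLIMITED_APPROVE = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32
SET_ALL = "0xa22cb465" + "00" * 12 + "22" * 20 + "00" * 31 + "01"
TRANSFER = "0xa9059cbb" + "00" * 12 + "33" * 20 + (10 ** 18).to_bytes(32, "big").hex()

if __name__ == "__main__":
    for label, blob in [("approve", UNLIMITED_APPROVE), ("setApprovalForAll", SET_ALL),
                        ("transfer", TRANSFER), ("revoke", revoke_calldata(SPENDER))]:
        print(label, decode_calldata(blob))
```

The same 32-byte words are what a hardware wallet shows when it falls back to raw hex; decoding them this way before a multisig signature is exactly the check the Bybit signers skipped. Anything with an unknown selector, trailing bytes or non-zero address padding should be treated as unsigned until explained.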

Part XII. The Regulatory Landscape: How Legislation Helps and Hinders the Fight Against Crypto Crime

Alexander Mercer: How does regulation affect the fight against crypto crime? Does it help or hinder?

Robert Stanley: It's a complex question, because the answer is "both," depending on the specific jurisdiction and the specific regulatory measure.

How Regulation Helps

KYC/AML on exchanges is a critically important tool. When stolen funds reach an exchange with mandatory KYC, they can be frozen and the recipient's identity established. That's precisely why criminals work so hard to avoid regulated platforms.

Sanctions lists (OFAC) — adding mixers like Tornado Cash to sanctions lists creates a legal barrier to their use. Funds that have passed through sanctioned addresses are automatically flagged by exchange compliance systems.

International cooperation — Europol, Interpol, and the FBI are increasingly collaborating on crypto crime investigations. In 2025, the DOJ seized more than $15 billion in the largest operation ever conducted against a pig butchering network.

Mandatory security standards — licensed exchanges are required to implement Proof of Reserves, user insurance funds, and incident response procedures.

How Regulation Hinders

Jurisdictional fragmentation — a criminal steals in one country, launders in another, and cashes out in a third. Coordination between law enforcement agencies across different countries takes weeks or months, while money moves in seconds.

Overly burdensome regulation pushes users into a "gray zone." If legitimate exchanges become too difficult to use, people migrate to unregulated platforms where their protections are minimal.

The inability of traditional legal systems to move at the speed of crypto. Obtaining a freeze order can take days. By then, funds may have passed through ten bridges and three mixers.

Key Regulatory Initiatives for 2025–2026

Jurisdiction | Initiative | Impact on Security
--- | --- | ---
EU | MiCA (Markets in Crypto-Assets) | Mandatory licensing, AML, security standards
USA | Expanded SEC/DOJ enforcement | Record-breaking seizures, prosecution of fraudsters
Russia | Central Bank of Russia framework (by July 2026) | Licensing, limits, mandatory reporting
UAE | VARA (Dubai) | Licensing, Proof of Reserves, AML
Singapore | MAS Payment Services Act | Strict KYC, licensing, consumer protection
Japan | FSA regulation | Mandatory cold storage, audits, insurance
FATF | Travel Rule | Exchanges required to share sender/recipient data

Part XIII. Crypto Inheritance and Emergency Access: What Happens to Your Crypto If Something Happens to You

Alexander Mercer: A topic almost no one thinks about: what happens to your crypto assets if you suddenly become unable to manage them?

Robert Stanley: This is one of the most underestimated security problems out there. By various estimates, between 3 and 4 million Bitcoin are permanently lost due to lost keys. That's roughly 20% of the entire BTC supply. And a significant portion of those losses are cases where the owner died or became incapacitated, and their heirs had no idea how to gain access.

The Crypto Inheritance Problem

In traditional finance, a bank account passes to heirs through a notary. Crypto works differently: there is no centralized authority that can "transfer" access. If your seed phrase exists only in your head — or in a safe no one knows about — your assets will be lost forever.

Solutions

First. Document everything. Create a detailed guide: which wallets you have, which exchanges you hold accounts on, where your seed phrases are stored. Keep this guide in a sealed envelope with a notary, in a bank safe deposit box, or with a trusted person.

Second. Shamir Secret Sharing. Split your seed phrase into multiple parts (for example, 3-of-5) and give the parts to different trusted individuals. None of them has full access on their own, but any 3 of the 5 together can restore the wallet. Cypherock X1 implements this feature at the hardware level.

Third. Use services with an inheritance mechanism. Casa Wallet offers an "inheritance access" feature — if you don't access your wallet for a set period of time, a transfer procedure is triggered, granting access to a designated heir through multiple verification steps.

Fourth. Social recovery via smart contract. Some wallet solutions allow you to designate "guardians" — trusted individuals who can collectively restore access to your account. This is implemented in a number of wallets built on account abstraction.

Fifth. Multisig with distributed access. Create a 2-of-3 multisig, where one key is yours, the second belongs to your spouse or partner, and the third to a lawyer. You manage the wallet with the first two keys, and in an emergency, your spouse and lawyer can gain access together.

⚠️ Critical warning: never hand over a complete seed phrase to a single person you "trust." Stories of theft by relatives and "friends" are real — not paranoid fantasy.
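The 3-of-5 split described in the second solution above, and the Shamir Secret Sharing trend from Part VIII, come down to the arithmetic below. This Python implementation is an added editorial example, not code from Cypherock, Casa, Trezor or the interview. It splits the 32-byte entropy that a 24-word phrase encodes (never the words themselves) over the prime field GF(2^521 - 1), where 2^521 - 1 is a Mersenne prime; the 32-byte entropy value is a constructed placeholder, not a real wallet. SLIP-39 standardises this same construction with share checksums and a word encoding, which this example omits.

```python
"""Shamir secret sharing of wallet entropy over the prime field GF(2^521 - 1)."""
import secrets

# 2^521 - 1 is a Mersenne prime, comfortably larger than 256-bit BIP39 entropy.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial whose constant term is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, share_count: int):
    """Return share_count (x, y) pairs; any `threshold` of them recover `secret`."""
    if not 2 <= threshold <= share_count:
        raise ValueError("need 2 <= threshold <= share_count")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret does not fit in the field")
    # Uniformly random higher coefficients: any threshold-1 shares are
    # statistically independent of s, so a lost or stolen share leaks nothing.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares, secret_len: int) -> bytes:
    """Lagrange-interpolate the shared polynomial at x = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        # Modular inverse via Fermat: den^(p-2) mod p
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    if total >> (8 * secret_len):
        # Too few (or forged) shares interpolate to a random field element,
        # which almost never fits in the secret's byte length.
        raise ValueError("recovered value is out of range: too few or wrong shares")
    return total.to_bytes(secret_len, "big")


# Constructed 32-byte entropy (what a 24-word phrase encodes); not a real wallet.
ENTROPY = bytes(range(32))

if __name__ == "__main__":
    shares = split_secret(ENTROPY, threshold=3, share_count=5)
    print("any three:", recover_secret([shares[0], shares[2], shares[4]], 32) == ENTROPY)
    try:
        recover_secret(shares[:2], 32)
    except ValueError as exc:
        print("two shares:", exc)
```

Handing three people eight of the 24 words each is not a Shamir split: every such subset shrinks the brute-force space for the remaining words. In the scheme above, any two of the five shares are statistically independent of the secret, and only a set meeting the threshold interpolates back to the entropy.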

Part XIV. Frequently Asked Questions: Expert Answers to Readers' Top Questions

Can Bitcoin be stolen by hacking the blockchain?

Robert Stanley: No. The Bitcoin blockchain has never been hacked in 16+ years of existence. All Bitcoin thefts involve stealing keys, not breaking the protocol. The blockchain is an impenetrable fortress. Your keys are the lock on your front door — one that can be picked, stolen, or handed over if someone tricks you into giving it up.

Which is safer — Ledger or Trezor?

Robert Stanley: Both are excellent options, and both are significantly safer than keeping funds on an exchange or in a hot wallet. The key difference: Trezor is open-source (the code is open to independent review). Ledger is closed-source (the code is proprietary), but uses certified secure chips. For most users, both options are more than sufficient. Choose based on convenience, price, and support for the coins you need.

Is it true that Monero is impossible to trace?

Robert Stanley: Monero is significantly harder to trace than Bitcoin or Ethereum, thanks to ring signatures, stealth addresses, and confidential transactions. But "impossible" is too strong a word. Entry and exit points (exchanges to or from other currencies) create vulnerabilities. Researchers are actively developing statistical de-anonymization methods. In practice, Monero presents a serious obstacle to investigation — but not an insurmountable one, especially when users make mistakes.

Do I need a hardware wallet if I only have $500 in crypto?

Robert Stanley: Not strictly necessary, but useful. Tangem costs $55 — that's 11% of your $500. If you plan to grow your portfolio, it makes sense to start building good habits now. If $500 is your ceiling and you have no plans to expand, a solid hot wallet (MetaMask, Trust Wallet) with a strong password and 2FA will do the job.

What should I do if I signed a malicious transaction?

Robert Stanley: Immediately: check what approvals you granted via revoke.cash and revoke them. Transfer all remaining funds to a new, clean wallet. If funds have already been drained, follow the incident response protocol: document the transaction hashes, contact exchanges, forensics specialists, and the police.

How do I verify that a DeFi protocol's website is real and not a phishing site?

Robert Stanley: A few checks: bookmark frequently visited sites (don't Google them every time — phishing links can appear in ads). Verify the SSL certificate. Compare the URL character by character. Use extensions like MetaMask Snaps or Pocket Universe, which warn you about suspicious sites. If in doubt, verify the link in the project's official Discord or Twitter.
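A concrete version of the "compare the URL character by character" check above, added here as editorial example code rather than a tool the interview names. The bookmark allow-list and every URL in it are constructed, and the confusable table is a tiny hand-picked subset used to build a comparison "skeleton", not Unicode's full confusables list. It catches the four tricks that defeat a visual comparison: a trusted name used as a subdomain of an attacker's domain, a trusted name placed before `@` so that the real host is something else, a punycode or non-ASCII host, and a look-alike spelling.

```python
"""Check a DeFi URL against bookmarked domains and flag look-alike hosts."""
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list: the registrable domains the user has bookmarked.
TRUSTED_DOMAINS = {"uniswap.org", "revoke.cash"}

# Tiny hand-picked confusable map for a skeleton comparison (not Unicode's full list).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e"})
_MULTI = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(host: str) -> str:
    """Fold visually similar characters so look-alike names compare equal."""
    s = unicodedata.normalize("NFKC", host).lower().translate(_CONFUSABLES)
    for a, b in _MULTI:
        s = s.replace(a, b)
    return s


def _matches(host: str, domain: str) -> bool:
    # Exact match or a real subdomain; "uniswap.org.evil.com" does not match.
    return host == domain or host.endswith("." + domain)


def check_url(url: str, trusted=TRUSTED_DOMAINS):
    """Return (ok, reasons); ok only for https on a bookmarked domain with no warnings."""
    reasons = []
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, [f"unparseable URL: {exc}"]
    host = parts.hostname or ""  # lower-cased; any user-info before '@' is dropped
    if parts.scheme != "https":
        reasons.append(f"scheme is '{parts.scheme or 'none'}', not https")
    if parts.username is not None:
        reasons.append(f"user-info before '@' hides the real host, which is '{host}'")
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        reasons.append("internationalised/punycode host (homoglyph risk)")
    if not any(_matches(host, d) for d in trusted):
        lookalikes = [d for d in trusted if _matches(skeleton(host), skeleton(d))]
        if lookalikes:
            reasons.append(f"'{host}' is a look-alike of bookmarked domain {lookalikes[0]}")
        else:
            reasons.append(f"'{host}' is not a bookmarked domain")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed URLs: one legitimate, the rest phishing patterns.
    for u in ["https://app.uniswap.org/swap",
              "https://app.uniswap.org.evil.com/",
              "https://app.uniswap.org@evil.com/",
              "https://app.unlswap.org/",
              "http://app.uniswap.org/",
              "https://xn--80ak6aa92e.com/"]:
        print(u, check_url(u))
```

Run it with the bookmark, not the search result, as the source of truth: the allow-list is the user's own bookmarks, so a link from an ad or a Discord message is checked against what was verified earlier rather than against itself.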

Can crypto assets be insured?

Robert Stanley: Yes, and it's a growing space. Decentralized insurance protocols (Nexus Mutual, InsurAce, Unslashed) offer coverage against smart contract hack risks. Premiums typically run 2–10% of the insured amount per year. Centralized options include Binance's SAFU fund and insurance provided by some custodians. Institutional players use traditional insurance through Lloyd's of London and specialized underwriters.

How can I tell if a token is a scam (honeypot)?

Robert Stanley: Check the token contract through Token Sniffer or GoPlusLabs. Red flags include: inability to sell the token, hidden mint functions (creating new tokens from nothing), a high hidden sell tax, unlocked liquidity (LP unlocked), and an anonymous team with no track record. If even two of these flags are present, stay away.

Someone is offering me "guaranteed returns" in crypto. Is it a scam?

Robert Stanley: In 99% of cases — yes. There are no "guaranteed" returns in crypto. Even ETH staking, which comes closest to a "risk-free rate," still carries slashing risks and base asset volatility. Anyone promising "guaranteed 50% per month" is a scammer. No exceptions.

What is a "drainer" and how do I protect myself?

Robert Stanley: A drainer is a malicious smart contract that, when you connect your wallet and sign a transaction, automatically drains all your tokens and NFTs. Drainers spread through phishing sites, fake airdrops, and compromised Discord servers. Protection: don't connect your wallet to unfamiliar sites, use an "empty" wallet for interactions with new services, and use protective extensions like Pocket Universe or Wallet Guard.

How does laundering stolen crypto work?

Robert Stanley: A typical scheme: after the theft, funds are immediately split across dozens or hundreds of addresses. Some pass through mixers (Tornado Cash, ChipMixer). Some are converted through DEXes into other tokens. Some are moved through bridges into other blockchains. Final amounts arrive at a CEX or OTC desk for conversion to fiat. According to TRM Labs, North Korean hackers primarily use Chinese-language services for laundering, with a typical cycle of around 45 days from theft to cash-out.

Conclusion: Key Takeaways and Recommendations

Alexander Mercer: Robert, let's wrap up. What is the single most important thing our readers should take away?

Robert Stanley: Ten key takeaways from our conversation.

First. Crypto leaves traces. The blockchain is a public ledger. Completely "disappearing" with stolen funds is extremely difficult. Chain forensics is a real industry that catches criminals.

Second. The scale of threats is growing. $3.4 billion was stolen in 2025. State-sponsored hackers, professional criminal groups, industrial-scale fraud operations — this is not a lone hacker in a basement.

Third. The primary attack vector is not code — it's keys. 70% of thefts involve compromised private keys and seed phrases. Protecting your keys is priority number one.

Fourth. A hardware wallet is a necessity, not an option. If you have more than $1,000 in crypto, buy a hardware wallet. It's the best $79 you'll ever spend.

Fifth. Don't sign what you don't understand. Every signed transaction is a potential attack vector. If you're not sure — don't sign.

Sixth. Speed of response is everything. In the event of a theft, the first hour is critical. Have a plan of action prepared in advance.

Seventh. Diversify your storage. The 5/25/70 rule: 5% on an exchange, 25% in a hot wallet, 70% in hardware storage or multisig.

Eighth. Seed phrase on metal, not in the cloud. Never store a digital copy of your seed phrase. Write it on a metal plate and keep it in multiple physical locations.

Ninth. Verify projects before investing. Audits, bug bounty programs, multisig, timelock, Proof of Reserves — the minimum checklist for any "trustworthy" project.

Tenth. Education is the best defense. The more you know about attack mechanisms, the lower your chances of becoming a victim. That's exactly why we spent four hours on this interview — so that you are armed with knowledge.

Editor's Afterword

Our conversation with Robert Stanley lasted over four hours, and every minute was packed with practical insights. We deliberately made this material as detailed as possible, because when it comes to crypto asset security, a surface-level understanding can cost you real money.

The key takeaway running throughout the entire interview is this: cryptocurrencies represent both incredible freedom and incredible responsibility. There is no bank here to "fix everything." Here, you are your own bank, your own security team, and your own auditor. The sooner you accept that, the better protected your assets will be.

For further reading, we recommend: the Chainalysis "Crypto Crime 2025/2026" report, the TRM Labs blog on crypto forensics, the Immunefi platform for learning about bug bounties, the revoke.cash website for reviewing and revoking token approvals, and the educational resources from Binance Academy and Ledger Academy.

You can follow Alexander Mercer's analysis and expert commentary on crypto asset cybersecurity at iTrusty.io.

Disclaimer: This material is intended solely for educational and informational purposes. We do not publish instructions that could assist malicious actors. All examples and descriptions have been generalized. Any figures cited are based on publicly available reports from analytical firms (Chainalysis, TRM Labs, CertiK, SlowMist). Any decisions regarding the storage and management of crypto assets are made entirely at your own discretion.

Alexander Mercer

Editor-in-Chief

Former quantitative researcher with over 9 years in crypto markets. Leads editorial strategy and publishes in-depth market analysis and macro crypto commentary for iTrusty.
