Your Code Is Fine — They're Coming for Your Keys: Inside Crypto's $2.2 Billion Infrastructure Targeting Shift

Dora Noda
Software Engineer

The most expensive line of code in cryptocurrency history wasn't a bug. It was a phishing link.

In February 2025, a developer at Safe{Wallet} clicked on what appeared to be a routine message. Within hours, North Korean operatives had hijacked AWS session tokens, bypassed multi-factor authentication, and drained $1.5 billion from Bybit — the single largest theft in crypto history. No smart contract vulnerability was exploited. No on-chain logic failed. The code was fine. The humans were not.

TRM Labs' 2026 Crypto Crime Report confirms what that heist foreshadowed: the era of the smart contract exploit as crypto's primary threat vector is over. Adversaries have moved "up the stack," abandoning the hunt for novel code vulnerabilities in favor of compromising the operational infrastructure — keys, wallets, signers, and cloud control planes — that surrounds otherwise secure protocols.

The Numbers Tell a Stark Story

In 2025, illicit actors stole $2.87 billion across nearly 150 distinct hacks and exploits. But the distribution of those losses reveals the real shift: $2.2 billion — 76% of total stolen assets — came from infrastructure attacks, not smart contract exploits. Attackers targeted private keys, compromised cloud credentials, and exploited wallet orchestration layers at centralized entities.

The paradox is striking:

  • Incidents halved: from 410 in 2024 to roughly 200 in 2025
  • Losses climbed: from $2.01 billion to $2.94 billion
  • Average loss per event more than doubled: from approximately $5 million to nearly $15 million

Fewer attacks, bigger paydays — the hallmark of a maturing adversary class that has learned to concentrate firepower on high-value targets.

Meanwhile, total illicit crypto volume hit an all-time high of $158 billion in 2025, up 145% from the previous year. This surge was driven not by petty criminals but by state-linked actors and sophisticated financial networks, with Russia-linked sanctions evasion as the primary contributor.

Why Adversaries Moved Up the Stack

The shift makes economic sense. Smart contract auditing has matured dramatically. Between 2020 and 2025, the industry poured billions into code auditing — firms like CertiK, Trail of Bits, and OpenZeppelin built systematic methodologies, formal verification tools became standard, and bug bounty programs created economic incentives for white-hat discovery.

The result? Finding a novel smart contract vulnerability in a top-tier DeFi protocol now requires substantially more effort and expertise than it did three years ago. The low-hanging fruit has been picked.

But operational infrastructure has not received the same attention. Key management practices vary wildly across the industry. Cloud security configurations remain inconsistent. And human beings — the weakest link in any security chain — remain susceptible to social engineering attacks that no amount of code auditing can prevent.

For top-tier adversaries, the calculus is simple: why spend months searching for an obscure reentrancy bug when you can phish a developer with elevated AWS access and steal $1.5 billion in a single afternoon?

North Korea: The World's Most Dangerous Crypto Adversary

No discussion of crypto's infrastructure targeting shift is complete without North Korea. The Lazarus Group and its TraderTraitor subcluster represent the most sophisticated and well-resourced crypto adversary on the planet.

In 2025, North Korean hackers stole at least $2.02 billion in cryptocurrency — a 51% increase year-over-year and roughly 60% of all global crypto theft. This wasn't opportunistic hacking. It was a national program.

The Bybit attack exemplified their evolved methodology. TraderTraitor operatives didn't search for smart contract bugs. They identified a specific developer at Safe{Wallet} with elevated system access, executed a targeted social engineering campaign — likely involving fake job offers or investment opportunities — and convinced the developer to download malicious software. From there, they hijacked AWS session tokens, the temporary credentials that grant access to the company's cloud infrastructure.

By stealing active session tokens rather than passwords, the attackers bypassed MFA entirely. Once inside Safe{Wallet}'s AWS environment, they manipulated the transaction signing process to redirect $1.5 billion worth of Ethereum to wallets they controlled.
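One defensive consequence of the session-token pattern above: the stolen session still carries the original MFA attribute, so a detection cannot key on "was MFA used?" and must instead look for the same temporary credential appearing from a second network origin. The following is an added example, not code from the article or from Safe{Wallet}; the CloudTrail-style events, access key ID, IPs and user agents are constructed for illustration.

```python
"""Flag reuse of a temporary AWS credential from more than one network origin.

Constructed CloudTrail-style events (not real logs); the access key ID,
IP addresses and user agents below are made up for illustration.
"""
from collections import defaultdict

# Constructed sample: the engineer's MFA-backed session (ASIA... = STS temporary
# key) is used from the corporate address, then replayed from an unrelated one.
# Note that mfaAuthenticated stays "true" on the replayed events: the session
# inherits it, which is exactly why MFA alone does not stop token theft.
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-21T10:01:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2025-02-21T10:04:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2025-02-21T10:40:00Z", "eventName": "PutObject",
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]


def find_session_reuse(events):
    """Group events by temporary access key; return keys seen from >1 source IP.

    Result: {accessKeyId: [(sourceIP, userAgent, firstSeen), ...]} in the order
    each origin first appeared, so an analyst can see which origin came second.
    """
    origins = defaultdict(dict)  # accessKeyId -> {(ip, ua): first eventTime}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if not key.startswith("ASIA"):  # long-lived AKIA keys need other rules
            continue
        origin = (ev["sourceIPAddress"], ev["userAgent"])
        origins[key].setdefault(origin, ev["eventTime"])
    return {
        key: [(ip, ua, t) for (ip, ua), t in seen.items()]
        for key, seen in origins.items()
        if len({ip for ip, _ in seen}) > 1
    }


if __name__ == "__main__":
    for key, where in find_session_reuse(SAMPLE_EVENTS).items():
        print(f"ALERT temporary key {key} used from {len(where)} origins: {where}")
```

In production the same grouping would run over CloudTrail Lake or a SIEM with a short lookback window, and an alert should trigger a revocation of the role session rather than just a ticket.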

This attack pattern — social engineering to gain initial access, lateral movement through cloud infrastructure, and manipulation of signing mechanisms — mirrors the playbook of advanced persistent threat (APT) groups targeting traditional financial institutions. The difference is that crypto's operational security hasn't caught up to the threat.

The program extends beyond direct hacking. DPRK operatives embed IT workers inside crypto companies under false identities, gaining privileged access from within. These insiders map internal systems, security controls, and key management practices — reconnaissance that enables the high-impact compromises that generate headlines.

The $300 Million January: Phishing's Dominance in 2026

If 2025 demonstrated the infrastructure targeting shift, early 2026 confirmed it as the new normal. According to security firms CertiK and PeckShield, phishing and social engineering attacks drained over $300 million from crypto users in January 2026 alone.

A single $284 million Trezor-impersonation attack accounted for 71% of January's losses, illustrating how social engineering campaigns can generate outsized returns with relatively low technical sophistication.

AI is accelerating this trend. Threat actors now leverage AI-generated deepfakes, tailored phishing messages, and automated scam agents to target victims at scale. Fake developer hiring tests — a favorite Lazarus Group technique — have become nearly indistinguishable from legitimate recruitment processes.

The implication is sobering: as smart contracts become more secure, the attack surface is shifting decisively toward the humans who manage, deploy, and interact with those contracts.

The Audit Paradox

The crypto industry's security spending reveals a dangerous misallocation. Billions flow into smart contract audits — and those audits have demonstrably improved code quality. But the data shows that the most expensive attacks aren't smart contract bugs anymore; they're key management failures.

Consider this statistic: the median time between a DeFi protocol passing an audit and getting exploited is 47 days. Between 2020 and 2025, over $4.2 billion was drained from protocols that had passed audits. The audits weren't the problem — they correctly validated the code. The problem was everything around the code: how keys were stored, how signing authority was distributed, how cloud environments were configured, and how employees were trained to recognize social engineering.

The most forward-thinking security firms have expanded their scope accordingly. Modern 2026 audit frameworks now include key management review, governance configuration audit, cross-chain trust boundary analysis, runtime monitoring setup, and incident response planning — a dramatic expansion from the code-review-and-static-analysis approach that defined the space just two years ago.

From Perimeter Defense to Zero Trust

Crypto security is undergoing the same architectural transition that traditional finance completed over the past decade: from perimeter defense to zero trust.

In the perimeter model, security focuses on building strong walls — rigorous smart contract audits, formal verification, and bug bounties. Everything inside the perimeter is implicitly trusted. This model fails catastrophically when an attacker bypasses the perimeter through social engineering, as the Bybit hack demonstrated.

Zero-trust architecture assumes that every access request could be malicious, regardless of its origin. Major DeFi protocols like Aave and Lido have begun integrating multi-signature wallets and zero-trust frameworks to combat phishing and account compromises.

The practical implications for crypto organizations include:

  • Multi-party computation (MPC) for key management: Eliminating single points of failure in signing authority
  • Hardware security modules (HSMs): Isolating cryptographic operations from general-purpose computing environments
  • Continuous runtime monitoring: Detecting anomalous transaction patterns in real-time rather than relying on post-deployment audits
  • Security-aware culture: Training every employee — not just engineers — to recognize social engineering attempts
  • Incident response playbooks: Preparing for breaches as inevitable rather than treating them as impossible

What This Means for DeFi's $100B+ TVL

With over $100 billion locked in DeFi protocols, the stakes of the infrastructure targeting shift are existential. Nation-state actors like North Korea's Lazarus Group now treat blockchain infrastructure as intelligence targets, not merely financial ones. Stolen source code and infrastructure blueprints from previous attacks enable future, potentially catastrophic exploits.

The industry's response will determine whether DeFi can sustain institutional capital inflows. Institutional investors evaluate operational risk differently than retail users. A protocol with flawless smart contract code but weak key management practices represents, to a sophisticated allocator, an unacceptable risk profile.

The good news is that solutions exist. Runtime monitoring, MPC-based signing, zero-trust architecture, and AI-powered threat detection are all mature technologies. The challenge is adoption — particularly among mid-tier protocols and centralized entities that lack the resources of top-tier DeFi platforms.

The Road Ahead

TRM Labs' 2026 report paints a picture of an adversary class that is evolving faster than the industry's defenses. The code is getting better. The infrastructure around it is not keeping pace.

Three developments will shape crypto security in the coming years:

  1. Regulatory pressure: As compliance frameworks like the EU's MiCA and the US GENIUS Act mandate operational security standards, protocols will be forced to invest in infrastructure hardening alongside code quality.

  2. AI-driven defense: The same AI capabilities that enable sophisticated phishing campaigns can power anomaly detection, behavioral analysis, and automated incident response. The arms race between AI-powered attack and defense will define the next chapter of crypto security.

  3. Insurance and risk markets: As crypto insurance matures, underwriters will price operational security practices into premiums, creating financial incentives for better key management, access controls, and incident response capabilities.

The TRM Labs report's central message is clear: crypto's security perimeter has expanded. Code quality is necessary but not sufficient. The next generation of crypto security must protect not just the smart contracts, but the entire operational stack that surrounds them — from cloud infrastructure to human psychology.

The adversaries have already moved up the stack. It's time for the industry's defenses to follow.


Building on secure blockchain infrastructure matters more than ever. BlockEden.xyz provides enterprise-grade RPC and API services across 20+ chains with built-in reliability and monitoring — the kind of infrastructure foundation that lets teams focus on building rather than worrying about operational risk. Explore our API marketplace to get started.