As North Korea’s cybercrime efforts evolve, its latest campaign—dubbed “ClickFake”—has exposed a growing concern within the crypto industry: the human element. According to security expert Jan Philipp Fritsche of Oak Security, Web3’s weakest link isn’t its smart contracts—it’s operational security (OPSEC) and the people behind the protocols.
ClickFake and the Lazarus Group
The campaign, orchestrated by North Korea’s infamous Lazarus Group, targeted cryptocurrency professionals under the guise of job recruiters. Victims were contacted via platforms like LinkedIn and X (formerly Twitter), then lured into fake interviews designed to infect their systems with malware.
The malware, known as ClickFix, granted attackers remote access to steal sensitive data such as crypto wallet credentials. The elaborate nature of the operation—complete with convincing documents and multi-stage interview dialogues—caught many off guard and highlighted the growing sophistication of state-sponsored attacks.
Expert: Web3 Ignores Basic Cyber Hygiene
Jan Philipp Fritsche, Managing Director at Oak Security and a former European Central Bank analyst, says the real problem isn’t complex exploits—it’s that Web3 teams often neglect even the most basic OPSEC standards.
“The ClickFake campaign shows just how easily teams can be compromised,” Fritsche said in a note to crypto.news. “Web3 projects have to assume that most of your employees are exposed to cyber threats outside their work environment.”
He explains that most DAOs and early-stage projects still rely on personal devices for development, operations, and even Discord communications. This makes them highly vulnerable to nation-state-level attacks.
Lack of Oversight, Lack of Control
Unlike traditional corporations with rigorous IT protocols, many decentralized crypto projects lack the infrastructure to enforce security standards.
“There’s no way to enforce security hygiene,” Fritsche emphasized. “Too many teams, especially smaller ones, ignore this and hope for the best.”
Even the assumption that a developer’s device is clean may be flawed, he warns. For high-value Web3 projects, developers should never be allowed to push code directly to production without oversight.
“Company-issued devices with limited privileges are a good start,” he said. “But you also need fail-safes—no single user should have that kind of control.”
Lessons from Traditional Finance
Fritsche believes Web3 can borrow critical lessons from traditional finance (TradFi), where rigorous access controls are the norm.
“In TradFi, you need a keycard just to check your inbox,” he noted. “That standard exists for a reason. Web3 needs to catch up.”
A Wake-Up Call for Web3
With cyber threats escalating and state-sponsored actors targeting the crypto space, the ClickFake incident is a stark reminder that blockchain security must extend beyond code audits and smart contract testing.
Web3’s future depends not only on technological innovation but also on building strong security cultures—ones that treat every risk as real until proven otherwise.
