April 28, 2026 Casper X Space Recap: Web3 Security with Michael Steuer and Gabi Urrutia

The latest Casper X Space on April 28 brought together Michael Steuer, President & CTO of Casper Association, and Gabi Urrutia, SVP Security & Field CISO at Halborn Security, for a timely discussion on security across Web3.

You can listen to the full recording of this X Space here

Halborn has been Casper’s long-standing security partner, supporting the network through audits, consulting, and security reviews across protocol and application-level work. Michael noted that the relationship goes back several years and described Halborn as a trusted partner in helping secure Casper itself, the applications built on top of it, and the broader teams working with the network.

The timing of the discussion was especially relevant, as recent months have seen a rise in high-profile attacks across the blockchain industry, and Gabi described April as one of the most difficult months Web3 security has seen in years. Setting aside the February 2025 Bybit attack, which involved an enormous amount of stolen funds, Gabi noted that the first days of April had already seen losses reaching hundreds of millions of dollars.

In earlier stages of Web3, many exploits were associated with poorly designed smart contracts. Today, however, attacks increasingly involve social engineering, infrastructure compromise, dependency attacks, operational failures, and supply-chain weaknesses.

Web3 Security Has Moved Beyond Smart Contract Audits

Gabi explained that blockchain and Web3 should now be treated as a distinct branch of cybersecurity, facing many of the same challenges associated with Web2 systems.

In the past, a project could assume that a smart contract audit covered the main security risk, but that is no longer enough. According to Gabi, many recent attacks are triggered not directly through on-chain logic, but through off-chain infrastructure and operational weaknesses.

That means the relevant questions have expanded. Teams need to examine who can sign transactions, how keys were generated, what controls exist around dependencies, what protections are in place for NPM packages, how CI/CD pipelines are secured, and what safeguards exist against insider threats.

Michael connected this directly to Casper’s own work with Halborn, especially around CSPR Bridge, currently on Testnet and in audit. He noted that the security review process has gone far beyond smart contracts, covering dependencies, infrastructure, operational processes, and configuration controls, which reflects a broader industry reality: securing a Web3 application now means securing the whole stack, including Web2 infrastructure.

The Bybit Attack and the Rise of Operational Security Risks

Michael asked Gabi to walk through the February 2025 Bybit attack, which is considered a major turning point in how many Web3 companies think about security.

Gabi described it as a combination of several techniques, involving the Lazarus Group, a North Korean state-linked hacking group. The attackers did not simply exploit a vulnerable contract but compromised multiple parts of the operational environment, including infrastructure connected to multi-signature transaction workflows.

The incident pushed Web3 companies to take broader security disciplines more seriously. Concepts that have been standard in cybersecurity, such as endpoint protection, identity and access management, workstation security, and operational monitoring, are now becoming central to blockchain security as well.

AI Is Changing Both Attack and Defense

The conversation moved to AI and how it is shaping the security landscape. Gabi explained that attackers are using AI not only to search for vulnerabilities, but also for deepfakes, social engineering, identity manipulation, and bypassing hiring or background checks. In some cases, malicious actors attempt to join Web3 companies as developers or security engineers, creating insider access.

Michael shared a personal experience that illustrated the seriousness of the threat. He described being contacted through Telegram by someone who appeared to be a known business associate. A meeting was scheduled where the person appeared on video. Only later did it become clear that it had been a deepfake. During the call, a supposed connectivity issue led to a prompt that granted access to Michael’s machine. Michael later connected the incident to patterns associated with DPRK-linked attacks targeting Web3 executives.

Even seeing a familiar person on a video call is no longer enough to establish trust.

Gabi shared a similar story from Halborn’s hiring process. During an interview with a candidate, the team noticed strange voice patterns and unnatural mouth movements. Suspecting an AI-generated identity, Gabi asked fake technical questions, including one about a nonexistent “CK hamburger protocol.” The candidate continued answering, confirming the suspicion that the interaction was artificial.

He also noted that security companies are now sharing suspicious names and patterns with each other, building informal defense networks to warn one another about potential DPRK-linked operators or AI-generated applicants.

The Kelp DAO Exploit and the Complexity of Modern Attacks

Michael and Gabi then turned to the Kelp DAO exploit, which they described as one of the more sophisticated recent attacks.

Gabi explained that the exploit involved Kelp DAO’s use of LayerZero infrastructure and a weakness in the trust model around cross-chain messaging. The attackers were able to manipulate the verification process and trigger fraudulent cross-chain activity, resulting in losses of nearly $300 million and wider disruption across DeFi.

Michael emphasized the sophistication of the execution. Based on what was discussed publicly, the attackers appeared to compromise RPC nodes used by LayerZero’s decentralized verification system, while allowing those nodes to continue returning normal data to other services and monitoring tools. The malicious infrastructure was designed to serve false information only in the specific context needed for the exploit.

The attackers also used denial-of-service tactics to force traffic away from healthy RPC nodes and toward the compromised nodes. Gabi described this as the work of an advanced persistent threat actor rather than a simple flash-loan exploit.

“This is not a script kiddie with a flash loan,” Gabi said. “This is an advanced persistent threat. This is a very organized group of malicious hackers backed by a government or a very big organization.”

Michael asked whether an attack like this could have been predicted or prevented. Gabi emphasized that major breaches rarely happen because of a single failure. When one layer fails, other layers should still be able to stop or slow the attack. That means teams need defense in depth, including endpoint security, identity and access controls, secure pipelines, detection and response systems, supply-chain security, and strong institutional security practices.

Best Practices for Retail Users

Michael asked Gabi to give practical recommendations for different audiences, beginning with retail users who interact with DeFi protocols and Web3 applications.

Gabi’s first recommendation was to follow official accounts and trusted protocol communication channels rather than relying on influencers or second-hand information. In an environment full of impersonation, phishing links, fake announcements, and compromised accounts, source verification matters.

He also advised users to reduce their approval exposure. Old token approvals can remain active after a user has forgotten about them. Retail users should regularly review which contracts can access their tokens and revoke permissions they no longer need.

Finally, he emphasized wallet separation. Hot wallets should be used for daily DeFi activity and smaller amounts, while cold or hardware wallets should hold larger balances.

“This is not paranoia,” Gabi said. “It’s basic hygiene.”

Michael added that even hardware wallet users remain targets. He mentioned phishing attempts disguised as physical mail from fake hardware wallet providers.

Best Practices for Developers

For developers, Gabi stressed that immutability should not be confused with security.

Smart contracts that remain deployed and accessible can still introduce risk after teams think they have moved on from them. He pointed to recent examples where old contract versions or forgotten deployments created major vulnerabilities. Developers need to maintain a live register of deployed contracts and understand what remains callable, upgradeable, or exposed.

He also highlighted the importance of treating configuration as code. Configuration changes should go through the same type of peer review and approval process as application code, because configuration mistakes can become security vulnerabilities.

Supply-chain security was another major point. Developers need to understand and monitor their dependencies, especially when using packages from ecosystems such as NPM. Package poisoning, dependency hijacking, and compromised libraries can expose projects even when their own code is sound.
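
As an added illustration of the dependency monitoring described above (not code from Casper, Halborn, or the speakers), this Node.js check audits an npm lockfile for entries that lack an integrity hash, carry only a SHA-1 hash, or resolve from outside the expected registry. The package names, URLs, hashes, and the single-registry policy are constructed assumptions.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3).
// Assumption: the project expects every dependency to come from one registry.
const ALLOWED_REGISTRY = "https://registry.npmjs.org/";

function auditLockfile(lock, allowedRegistry = ALLOWED_REGISTRY) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace links, and bundled deps, which carry
    // no resolved/integrity fields of their own.
    if (path === "" || pkg.link || pkg.inBundle) continue;
    const name = path.replace(/^.*node_modules\//, "");
    if (!pkg.resolved) {
      findings.push({ name, issue: "no-resolved-url" });
    } else if (!pkg.resolved.startsWith(allowedRegistry)) {
      findings.push({ name, issue: "untrusted-source" });
    }
    if (!pkg.integrity) {
      findings.push({ name, issue: "missing-integrity" });
    } else if (pkg.integrity.split(/\s+/).every((h) => h.startsWith("sha1-"))) {
      findings.push({ name, issue: "weak-integrity" });
    }
  }
  return findings;
}

// Constructed sample lockfile; names, URLs, and hashes are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", version: "1.0.0" },
    "node_modules/good-lib": {
      resolved: "https://registry.npmjs.org/good-lib/-/good-lib-2.1.0.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/git-lib": { resolved: "git+ssh://git@example.com/acme/git-lib.git" },
    "node_modules/old-lib": {
      resolved: "https://registry.npmjs.org/old-lib/-/old-lib-0.0.9.tgz",
      integrity: "sha1-PLACEHOLDER",
    },
    "node_modules/@acme/mirror-lib": {
      resolved: "http://mirror.example.net/mirror-lib-1.0.0.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
  },
};

for (const f of auditLockfile(sampleLock)) console.log(`${f.name}: ${f.issue}`);
```

Run as a CI step, a non-empty result would fail the build before `npm ci` installs anything.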

Michael connected this back to recent industry incidents and to the ongoing audit work around CSPR Bridge. He noted that Halborn’s review covered not just contracts, but also configurations, processes, dependency risks, and operational safeguards. He mentioned the importance of making sure bridge configurations cannot be reduced below safe signing thresholds, even if the initial deployment uses a more secure setup.
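
One way to express the signing-threshold point as a reviewable configuration gate, added here as an example and not taken from CSPR Bridge or Halborn's audit. The config shape, the function name `validateBridgeConfigChange`, the signer identifiers, and all policy values are assumptions.

```javascript
// Added example, not CSPR Bridge code. The config shape ({ signers, threshold })
// and every policy number below are assumptions chosen for illustration.
const POLICY = { minSigners: 5, minThreshold: 3, ratioNum: 2, ratioDen: 3 };

function validateBridgeConfigChange(current, proposed, policy = POLICY) {
  const violations = [];
  const signers = Array.isArray(proposed.signers) ? proposed.signers : [];
  // Dedupe case-insensitively so a repeated key cannot pad the signer count.
  const unique = new Set(signers.map((s) => String(s).toLowerCase()));
  const t = proposed.threshold;

  if (unique.size !== signers.length) violations.push("duplicate-signer");
  if (unique.size < policy.minSigners) violations.push("too-few-signers");
  if (!Number.isInteger(t) || t < 1) {
    violations.push("threshold-not-positive-integer");
  } else {
    // Multiply before dividing so exact multiples are not lost to rounding.
    const ratioFloor = Math.ceil((unique.size * policy.ratioNum) / policy.ratioDen);
    if (t > unique.size) violations.push("threshold-exceeds-signers");
    if (t < policy.minThreshold) violations.push("threshold-below-floor");
    if (t < ratioFloor) violations.push("threshold-below-ratio");
  }
  // Lowering the threshold is a downgrade even when it stays above the floor,
  // so the caller can route it to stricter review.
  const downgrade = Number.isInteger(t) && t < current.threshold;
  return { ok: violations.length === 0, violations, downgrade };
}

// Constructed configs: a 5-of-7 deployment and four proposed changes.
const ids = (n) => Array.from({ length: n }, (_, i) => `signer-${i + 1}`);
const current = { signers: ids(7), threshold: 5 };
const proposals = {
  unchanged: { signers: ids(7), threshold: 5 },
  shrink: { signers: ids(5), threshold: 3 },
  padded: { signers: ["KEY-A", "key-a", "key-b", "key-c", "key-d"], threshold: 4 },
  trim: { signers: ids(6), threshold: 4 },
};

for (const [name, cfg] of Object.entries(proposals)) {
  console.log(name, JSON.stringify(validateBridgeConfigChange(current, cfg)));
}
```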

Closing Notes: Web3 Security Requires a Full-Stack Approach

Michael closed by thanking Gabi and Halborn for their continued support of Casper, especially on the CSPR Bridge audit. He emphasized that security conversations like this are valuable not only after major exploits, but as a public service for builders, users, and communities trying to stay safe in an increasingly complex environment.

Web3 security can no longer be reduced to smart contract audits alone. The modern attack surface is much wider, with infrastructure, cloud services, developer machines, dependencies, AI-generated impersonation, and more being used to exploit vulnerabilities.

Stay safe out there and see you at the next Casper X Space!