“It is becoming increasingly difficult to prove that you are really you.” That remark, shared by Federico Variola, CEO of Phemex, reflects a growing concern in the crypto market – one that goes far beyond smart contracts or infrastructure issues.

During a recent panel discussion, along with Ian Rogers (Chief Experience Officer at Ledger) and Dmitry Budorin (co-founder and CEO of cybersecurity company Hacken), Variola explained how crypto security threats manifest in practice. AI is changing the tools, but the weak point remains the human – how people communicate, make quick decisions, and determine whom to trust.

A lot of this comes down to daily behavior. At exchanges and wallets, there is a shared awareness that habits determine how incidents occur. For Federico Variola, this directly means that exchanges must think carefully about their processes, intentionally build in friction, and manage how people interact with wallets, social platforms, and on-chain identities.

More value, bigger targets

At the beginning of the conversation, Federico answered a question that the industry often asks itself: is crypto getting worse at security, or are attackers just getting better?

“You can probably say that this year is the worst year so far for cybercrime, and next year will be even worse. And that's not because we are getting worse at security. It’s because there’s more value. When there is more value, the reward is greater. And as the reward becomes greater, more people try to acquire that value.”

As crypto grows, the rewards for attackers also become larger. Variola says this creates a constant imbalance, in which attackers' capabilities develop faster than protection, especially during bull markets.

“We are probably in a period where the capabilities of attackers are growing faster than our protection. And in every bull market, there are very rational people explaining why you should compromise on security, or on self-custody, or on both – and it always ends badly.”

Rogers gave a simple example to underline this. Even very experienced people in crypto, including those working on wallet development, have sometimes fallen for convincing links delivered through, for example, Discord or browser extensions. His point: experience helps, but caution is always necessary.

When identity becomes the weak point

According to Variola, the biggest shift can be seen in the way attacks are carried out.

“These attackers are well-funded, sometimes even governments, and they move at a speed that is hard to keep up with. At the same time, the tools we all use, such as AI and automation, are a double-edged sword. If we can use these tools, attackers can too. Social engineering attacks are becoming more complex. People have used my likeness in video calls to scam investors or business partners.”

Ian Rogers confirmed this from the hardware wallet perspective. Many attacks are now more psychological than technical. For Variola, this aligns with what exchanges see daily: convincing people is often easier than hacking systems.

As Rogers said during the panel: “Each of us can fall for it.” Even in teams that are fully crypto-minded, a combination of recognition, haste, and clever social engineering is often enough to bypass strong security.

The exchange reality: cold, hot, and human

From the perspective of an exchange, Federico was clear about the difference between guarantees and assumptions.

“What we guarantee users must be completely untouchable, and that is the cold wallet. There can be no negotiation on that. Hot wallets always carry risks because they are always online.”

During periods of high market activity, those risks increase.

“In a bull market, users expect the hot wallets to be full. They trade quickly, often with large amounts, especially in altcoins. The pressure from users is high.”

This pressure creates tensions. Users want speed and convenience. However, security often requires more steps and delays.

“You need to add extra steps to keep money safe, which users also want. So sometimes you even have to go against your own users a bit.”

It is an uncomfortable truth for exchanges, but Federico considers it necessary for platforms to choose long-term protection over short-term convenience.

What experience teaches you

During the panel, Variola briefly referred to a security incident that Phemex experienced last year.

“One of the most important lessons for us was that we were more of a target than we thought.”

The most important insight was about people.

“We underestimate how widespread phishing and social engineering attacks are, and how they first target the lowest levels within your organization – interns, designers, people who do not see themselves as security-critical – and then work their way up to more important roles.”

Dmitry Budorin made a clear comparison: phishing is like fishing. Even if the fish is not dumb enough to bite, routine or distraction can be enough for attackers to succeed. According to him, inevitability is the biggest danger.

That way of thinking fits well with how Variola approaches security.

“It's not enough if only engineers or managers pay attention. Everyone in the company must understand what the risks are. Even the intern must be fully aware.”

Budorin went even further and said that in many cases it is not even the junior employee who is the primary target, but the CEO. Well-known individuals, founders, and executives are directly attacked because of their visibility and influence in the industry.

After the incident, Phemex tightened security everywhere, but the biggest change was internal.

Social layers and financial layers do not mix

“Crypto is a very social sector. NFTs, social media, Telegram – all these platforms make people targets for attackers.”

Federico Variola was particularly critical of how sensitive communication often takes place in environments that are not designed for security at all.

“Telegram is especially one of the worst-managed platforms in terms of security, but it is the standard on which the sector communicates.”

He also said that he feels uncomfortable with the growing trend of wallet tracking and public linking.

“I don’t like the trend of linking wallets to certain people. That feels very anti-crypto. But the reality is: the more successful you are in this sector, the larger the target, and the more effort you have to put in to protect yourself.”

Decentralization changes the economy of attacks

Looking ahead, Variola sees decentralization and self-custody as part of a larger change in the way crypto security evolves.

“If decentralization becomes the norm, we distribute the security risk over more places. Hackers will then have to hit people one by one instead of finding a single weak spot – a single point of failure.”

That does not mean that there are no longer any risks. The risk is just distributed differently.

“DEXs and decentralized platforms have their own challenges. Code is law. You cannot just stop a chain. So new risks come into play. But I think this is ultimately positive for the sector.”

For exchanges, this means adapting, not stopping.

“Centralized platforms are not disappearing, but we need to grow with them. The security model must change along with user behavior.”

What crypto will still be fighting in five years

Looking ahead, Federico Variola does not say that crypto will just ‘solve’ this problem and then move on.

“AI will be the biggest challenge,” he said. “Furthermore, quantum computing brings an additional risk.”

When asked whether AI helps defenders as much as attackers, his answer was immediate: “Unfortunately, I think it helps attackers more than it makes people safer.”

Variola sees this as a sign of maturation for the sector. Crypto attracts a lot of technical talent, and security is increasingly becoming part of the daily work and communication of companies. In a system built to require as little trust as possible, the focus is now on where trust still exists and how to manage it.