"It is still becoming increasingly difficult to prove that you are truly yourself." This observation by Federico Variola, CEO of Phemex, reflects the growing concern throughout the crypto industry – a concern that extends far beyond the errors of smart contracts or infrastructures.

In a recent panel discussion with Ian Rogers (Chief Experience Officer of Ledger) and Dmitry Budorin (founder and CEO of cybersecurity company Hacken), Variola explained how threats to the security of cryptocurrencies manifest in practice. Although AI changes the tools, the weakest link is still the human: how people communicate, how quickly calls are made, and how they decide whom to trust.

Much of this comes down to everyday practice. Exchanges and wallet makers share the view that routines shape what happens. For Federico Variola, this is directly visible in how exchanges build processes, increase friction, and manage user interactions with wallets, social media, and on-chain identities.

More value, greater goals.

At the start of the discussion, Federico addressed a question that troubles the crypto industry: has the security of crypto weakened, or have attackers simply become stronger?

"It can well be said that this year is the worst year for cybercrime, and next year will be even worse. This is not because we don't know how to protect ourselves – but because there is more value at stake. The more value there is, the greater the reward. And as the reward grows, more and more people try to get their share."

As crypto grows, so do the motivations of attackers. According to Variola, this creates a constant imbalance where attack capabilities often develop faster than protections, especially during bull markets.

"We are probably living in a time when attack capabilities grow faster than protections. With each bull run, sensible people would justify why it is worth cutting corners on security, self-custody, or both – and the outcome is always the same."

Rogers gave a simple example to illustrate this. Even very experienced crypto operators and wallet developers have fallen victim to scams, such as credible-looking links shared via Discord or browser wallets. Experience helps, but constant vigilance is still necessary.

When identity is a weak point.

The biggest change, in Variola's view, is in how attacks are carried out.

"These actors are very well-resourced, sometimes state-sponsored, and move at a speed that is difficult to respond to. At the same time, all the tools we use – AI and automation – are a double-edged sword. If we are able to use these, attackers can too. Social attacks become more complicated. My identity has been copied and used in video calls to defraud investors or business partners."

Ian Rogers addressed this from the perspective of hardware wallets and noted that many attacks today are aimed at the human mind, not just technical solutions. According to Variola, this aligns with the views of exchanges: convincing people is often easier than breaking the system.

Rogers summarized in the panel that "any one of us could fall into a trap." Even in teams focused entirely on crypto, familiarity, haste, and skillfully executed social manipulation are often enough to bypass normally strong security practices.

The reality of the exchange: cold, hot, and human.

From the perspective of the exchange, Federico emphasized the distinction between guarantees and assumptions.

"We must ensure users have completely untouched security, and that is a cold wallet. There is no compromise on that. Hot wallets always carry a risk because they are constantly online."

During active market conditions, these risks are heightened.

"In bull markets, users expect that hot wallets have funds. Money moves quickly, and amounts are often significant, especially in altcoins. Users' demands are high."

This pressure creates a contradiction. Users want speed and ease, but security, in turn, requires friction.

"To ensure security, more obstacles must be introduced, regardless of users' wishes. In a way, you have to fight even against your own users."

This is a difficult reality for exchanges, but according to Federico, it is essential if the goal is long-term protection rather than just momentary satisfaction.

What experience teaches.

During the panel, Variola briefly referred to the security breach that occurred at Phemex last year.

"One of the biggest lessons for us was realizing that we were a bigger target than we thought."

The main lesson related to people.

"We assessed how widespread phishing and social manipulation attacks are and how they initially target the lowest levels – interns, designers, and those who do not consider themselves critical for security – and progress towards more central roles."

Dmitry Budorin compared the approach directly to fishing. Even if a fish does not bite the plastic lure, attackers often succeed in a moment of routine or a small lapse in attention. He believes that it is this inevitability that makes these attacks dangerous.

This mindset aligns well with Variola's approach to security.

"It's not enough that engineers or leaders are attentive. Everyone in the organization must know what kinds of risks they are exposed to. Every intern must be fully aware of the situation."

Budorin added that often the primary target is not the junior employee, but the CEO. Public figures, founders, and leaders are direct attack targets precisely because of their visibility and position.

After the incident, Phemex raised its cybersecurity level comprehensively, but the biggest change occurred within the organization.

Social layers and economic layers do not fit together.

"The crypto industry is very social. NFTs, social media, Telegram – all these platforms create attack targets."

Federico Variola was particularly critical of how sensitive information travels in environments that have never been designed to be secure.

"Telegram is especially one of the most poorly managed platforms in terms of security, but it has become the standard for communication in the industry."

He also mentioned that the general trend toward wallet tracking and public identification makes him uncomfortable.

"I don't like that wallets are tracked to individual people. This development feels very un-crypto-based. The fact is, the more successful you are in the industry, the more you become a target, and the more resources you need to use to improve your own protection."

Decentralization changes the economic conditions of attacks.

Looking to the future, Variola sees decentralization and self-custody as part of a broader change in the evolution of crypto security.

"As decentralization becomes more widespread, the responsibility for security is shared among more failure points. Attackers must target their attacks one by one, and they can no longer exploit a single 'vulnerable point' – a single point of failure."

Risk does not disappear; it is merely reallocated.

"DEXs and decentralized platforms bring their own challenges. Code is law. The chain cannot be stopped. New risks come into play. However, I believe that overall, this is a positive change for the industry."

Exchanges must therefore adapt, not resist change.

"Centralized platforms will not disappear, but we need to evolve. The security model must change at the same pace as behavior."

What will crypto still be fighting in five years?

Regarding the future, Federico Variola does not see the challenge as something that crypto simply "solves" and moves past.

"AI will be the biggest challenge," he said. "Even further down the line, quantum computing will bring its own layer of risk."

When asked whether AI helps defenders as much as attackers, his answer was clear: "Unfortunately, I believe it empowers attackers more than it increases people's security."

Variola sees the situation as a moment of maturity for the sector. Cryptocurrency attracts significant technical expertise, and security is becoming a part of companies' everyday operations and communications. In systems designed to limit the need for trust, the focus is now on identifying and managing the remaining trust points in a sensible manner.