Get Secured
Operational Security, 12 June 2026

Security Awareness Training for Crypto and Web3 Organisations

When investigators examine the root causes of major crypto losses, a consistent pattern emerges: the initial breach almost never originated in a smart contract vulnerability. It originated with a person. A developer who clicked a malicious link. A finance manager deceived by a fake recruiter. An operations lead who used the same password across three platforms. The technology underlying blockchain is, by design, robust. The humans operating it are not automatically so.

For CISOs and security directors at crypto and Web3 firms, this creates a specific and urgent challenge. Technical controls, regardless of their sophistication, cannot fully compensate for a workforce that lacks the security knowledge to recognise and resist the social engineering campaigns that threat actors deploy every day. Security awareness training is the foundational operational control that changes this. It is not optional, and it is not a checkbox exercise. Implemented correctly, it is one of the highest-return security investments available to an organisation.

Why Security Awareness Training Matters in Web3

Across the broader cybersecurity landscape, human error and social engineering account for the majority of successful breaches. In the crypto sector the problem is even more acute: industry incident analyses commonly attribute roughly 75% of significant crypto losses to operational security failures (deceived staff, mishandled keys, weak access controls) rather than to protocol-level vulnerabilities, and the most common initial access vector is social engineering in one form or another.

The Lazarus Group, the North Korean state-sponsored threat actor responsible for billions of dollars in crypto theft, has demonstrated with clinical precision how human targeting works. Their methodology is not to break cryptographic algorithms. Instead, they research targets on professional networks, identify developers, operations staff, and executives, and then approach them with carefully constructed pretexts. Fake job offers, fraudulent investment opportunities, and impersonation of trusted contacts are all documented tactics. Once an employee is deceived into executing malware or surrendering credentials, the technical sophistication of the underlying blockchain infrastructure becomes largely irrelevant.

The Bybit hack in February 2025, which resulted in the loss of approximately $1.5 billion in ETH, illustrated this dynamic at scale. The attackers compromised a developer environment at the third-party provider of Bybit's multisig wallet interface and used that access to serve the cold-wallet signers a manipulated interface: what the signers saw on screen was a routine transfer, while the transaction they actually approved handed control of the wallet contract to the attacker. The Bybit platform itself was not exploited and the multisig threshold was met. The decisive failure was at the human step: the signers approved what the interface showed them rather than verifying the raw transaction on their signing devices, a reminder that a multisig only protects against what its signers refuse to sign.

Beyond state-sponsored actors, crypto firms face a constant barrage of opportunistic phishing campaigns, Discord and Telegram impersonation attacks, and SIM swapping attempts. Many of these can be defeated entirely by a workforce that has been properly trained to recognise the warning signs. For a deeper examination of Lazarus Group tactics specifically, see our analysis in Lazarus Group and Crypto OpSec.

"The most sophisticated blockchain infrastructure in the world offers no protection against an employee who has been trained to believe that a fake recruiter's link is a job opportunity. Security awareness training is the control that closes this gap."

What a Security Awareness Training Programme Covers

A security awareness programme for a crypto or Web3 firm should be substantially different from the generic corporate security training sold to financial services or retail businesses. The threat landscape is distinct, the technology is distinct, and the attack tactics are distinct. A well-designed programme will address the following areas.

Phishing Recognition

This is the core of any security awareness programme, and for good reason: phishing remains the most prevalent initial access vector across all sectors. Training should cover email phishing, spear-phishing (targeted and personalised), smishing (SMS-based phishing), and voice phishing (vishing). Staff need to be able to identify spoofed or lookalike sender addresses, malicious URLs on domains built to pass a glance (typosquats, homoglyph characters, or a trusted brand name used as a subdomain of an attacker-controlled domain), urgent language designed to bypass critical thinking, and unexpected requests for credentials or sensitive data. The habit to instil is to verify the sender and the link destination rather than the look of the message.
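The cues above can be checked mechanically, and showing staff the checks makes them concrete. The following is an added example written for this article, not code from Get Secured or from any simulation platform: it triages one constructed lure (modelled on the exchange-impersonation pattern, not a real message) for failed authentication results, a lookalike sender domain, a bounce address on a different domain, a trusted name buried inside a foreign link host, and pressure language. The trusted-domain list, the urgency phrases and the 0.8 similarity threshold are assumptions for the example.

```python
import email
import email.utils
import re
from difflib import SequenceMatcher
from email import policy
from urllib.parse import urlparse

# Domains the organisation genuinely uses. Constructed for this example; a real
# deployment would load the list from configuration.
TRUSTED_DOMAINS = {"example-exchange.com", "example.com", "github.com"}

# Pressure phrases that appear in the subject or body of most credential lures (assumed list).
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended",
                 "verify your account", "final notice")

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (adequate for .com-style names in this example)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, "punycode" for an IDN
    homoglyph domain, or None when it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    if domain.startswith("xn--") or ".xn--" in domain:
        return "punycode"
    for trusted in TRUSTED_DOMAINS:
        if SequenceMatcher(None, domain, trusted).ratio() >= 0.8:
            return trusted
    return None


def triage(raw_message: str) -> dict:
    """Score one RFC 5322 message on the cues staff are taught to look for."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Authentication results added by the receiving mail server.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for check in ("spf=fail", "dkim=fail", "dmarc=fail"):
        if check in auth:
            findings.append(f"{check} in Authentication-Results")

    # 2. Sender domain: lookalike of a trusted domain, or a bounce address elsewhere.
    from_domain = email.utils.parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    return_path = email.utils.parseaddr(str(msg.get("Return-Path", "")))[1]
    if return_path and return_path.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"From domain {from_domain} does not match Return-Path {return_path}")
    hit = lookalike_of(registered_domain(from_domain))
    if hit:
        findings.append(f"sender domain {from_domain} imitates {hit}")

    # 3. Links: trusted name inside a foreign host, a lookalike host, or simply unknown.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        reg = registered_domain(host)
        if reg in TRUSTED_DOMAINS:
            continue
        if any(t in host for t in TRUSTED_DOMAINS):
            findings.append(f"trusted name used as a subdomain of foreign host {host}")
        else:
            near = lookalike_of(reg)
            findings.append(f"link host {host} resembles {near}" if near else f"link to untrusted host {host}")

    # 4. Language designed to short-circuit judgement.
    lowered = (str(msg.get("Subject", "")) + " " + text).lower()
    urgent = [w for w in URGENCY_WORDS if w in lowered]
    if urgent:
        findings.append("urgency language: " + ", ".join(urgent))

    return {"score": len(findings), "findings": findings}


# Constructed lure for the example; not a real message.
SAMPLE = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-relay.net; dkim=none; dmarc=fail header.from=examp1e-exchange.com
Return-Path: <bounce@mailer-relay.net>
From: Example Exchange Security <security@examp1e-exchange.com>
To: ops@example.com
Subject: URGENT: verify your account within 24 hours
Content-Type: text/plain; charset="utf-8"

Your withdrawal has been suspended. Confirm your identity immediately at
https://example-exchange.com.secure-verify.net/login or your account will be closed.
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print("-", finding)
```

The sample trips every check: the digit-for-letter sender domain scores 0.95 against the real one, the link host is an attacker domain wearing the exchange's name as a subdomain, and the Authentication-Results line shows the receiving server already knew SPF and DMARC failed. The last point is worth making in training: mail filters see these signals, but a message that reaches the inbox anyway still needs a human to read the address and the link, not the logo.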

Social Engineering Tactics

Beyond phishing, staff should understand the full range of social engineering methods. Pretexting involves constructing a plausible false scenario to extract information or action. Baiting uses physical media or attractive offers to lure targets. Quid pro quo attacks offer something of apparent value in exchange for information. In the crypto context, fake job offers, fake investment opportunities, and impersonation of exchange or wallet support staff are all well-documented tactics that employees need to be able to identify.

Key Management Hygiene

For staff who handle any aspect of wallet infrastructure or key management, specific training on secure key handling is essential. This includes proper storage of seed phrases (offline, never in cloud storage, email, screenshots or chat, and never typed into a website: no legitimate service ever asks for one), recognition of wallet drainer links, the risks of browser-extension wallets, and correct procedures for hardware wallet use and transaction signing, including reading the transaction on the device screen before approving it rather than trusting what the web page shows.

Device Security

Full disk encryption, screen lock policies, mobile device management compliance, and the prohibition of installing unapproved software are all areas that training should reinforce. For remote-first teams, which are the norm in Web3, training on secure home network configuration, the use of VPNs on public networks, and the risks of shared devices is particularly relevant.

Secure Communications

Staff should understand which communication channels are appropriate for which types of information. Sensitive operational discussions should not take place on unencrypted channels. Verification procedures for requests received via messaging platforms should be clearly defined and trained, because impersonation of executives or colleagues over Telegram or Discord is a common attack vector in crypto firms.

Insider Threat Awareness

Insider threats, whether malicious or negligent, represent a significant risk in small, fast-moving crypto firms where informal access controls are common. Training should help staff understand the warning signs of insider activity, their responsibility to report concerns, and how to do so through appropriate channels without creating a culture of paranoia.

Password and MFA Policies

Password reuse, weak passwords, and the absence of multi-factor authentication remain astonishingly prevalent root causes in crypto incidents. Training must cover the use of password managers, the construction of strong unique credentials, and the real differences between MFA methods: SMS codes can be intercepted by SIM swapping, authenticator-app codes are stronger but can still be relayed by a real-time phishing page, and hardware security keys using FIDO2/WebAuthn are phishing-resistant because the credential is bound to the legitimate site's origin and will not respond to a lookalike. Accounts that control funds or production access should use the last of these.

Physical Security at Events

Crypto conferences and events represent a specific social engineering risk. Adversaries attend industry events to network with targets, gather intelligence, and create the personal relationships that make future spear-phishing attacks more credible. Staff attending events should be trained on what information is safe to share, the risks of unsolicited USB devices or charging cables, and how to handle approaches from unknown individuals showing unusual interest in their work.

Phishing Simulation: Testing What Staff Have Learned

Training alone is insufficient. Knowledge must be tested under realistic conditions to identify gaps, reinforce learning, and generate the data that security leaders need to manage the programme effectively. Phishing simulation is the primary tool for achieving this.

How Phishing Simulations Work

A phishing simulation involves sending carefully crafted fake phishing emails to staff without notice of the individual campaign (staff should know in general that simulations are part of the programme; the surprise is in the timing and the pretext, not in the existence of testing). The emails are designed to mimic real-world attack patterns: they may impersonate an internal colleague, a partner organisation, a popular SaaS tool, or a crypto exchange. When a staff member clicks a link, opens an attachment, or submits credentials, the action is recorded and the individual receives immediate contextual training explaining what they missed and why it mattered.

Modern simulation platforms allow security teams to vary the difficulty level of scenarios, target specific departments with relevant pretexts, and build a library of historical results over time. The simulation should be integrated with the broader training programme rather than used as a standalone tool.

Frequency and Targeting

Monthly simulations are the minimum for an effective programme. At this cadence, trends begin to emerge within a quarter, and staff remain sufficiently alert without being desensitised by excessive frequency. Higher-risk roles such as finance, operations, executive assistants, and anyone who can approve or sign transactions should receive more frequent and more sophisticated simulations, reflecting the fact that they are the most likely targets in a spear-phishing campaign.

Metrics to Track

The primary metric is the click rate: the percentage of staff who interact with a simulated phishing email in a way that would, in a real attack, represent a compromise. A secondary and equally important metric is the report rate: the percentage of staff who correctly identify the simulation as a phishing attempt and report it through the designated channel. A high report rate indicates not just vigilance but an active security culture. Additional metrics include the time to report, the rate of credential submission (a more serious indicator than a simple click), and repeat offenders who have been targeted multiple times without improvement.

What Good Looks Like

A mature programme will show a declining click rate over time, typically reaching below 5% within six to twelve months of consistent simulation and remedial training. Simultaneously, the report rate should climb as staff become more confident in identifying and flagging suspicious communications. Organisations that reach a state where employees actively compete to be the first to report a new simulation have achieved a meaningfully different security posture than those treating training as an annual compliance event.

Red Flags in Results

A persistent high click rate in a specific department warrants targeted intervention. A low or zero report rate across the organisation suggests that the reporting culture or the reporting mechanism is broken. If the same individuals repeatedly fail simulations, a separate risk-based review of their access rights may be warranted.
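The metrics in the three sections above (click rate, credential-submission rate, report rate, time to report, repeat offenders, and the departmental and organisation-wide red flags) are simple to compute once simulation results are recorded per recipient. The following is an added example for this article, not code from Get Secured or from any simulation platform. It runs over constructed results for three monthly campaigns and five staff (sample data, not real results); the 20% departmental alert threshold and the two-click repeat-offender rule are assumptions for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed results from three monthly campaigns across five staff (not real data).
# Fields: campaign, user, department, minutes until click (None = no click),
# credentials submitted, minutes until report (None = not reported).
EVENTS = [
    ("2026-03", "alice", "finance", 4, True, None),
    ("2026-03", "bob", "finance", None, False, 12),
    ("2026-03", "carol", "eng", None, False, 3),
    ("2026-03", "dave", "eng", 30, False, None),
    ("2026-03", "erin", "ops", None, False, None),
    ("2026-04", "alice", "finance", 2, True, None),
    ("2026-04", "bob", "finance", None, False, 8),
    ("2026-04", "carol", "eng", None, False, 2),
    ("2026-04", "dave", "eng", None, False, 45),
    ("2026-04", "erin", "ops", 9, False, None),
    ("2026-05", "alice", "finance", 1, True, None),
    ("2026-05", "bob", "finance", None, False, 5),
    ("2026-05", "carol", "eng", None, False, 1),
    ("2026-05", "dave", "eng", None, False, 20),
    ("2026-05", "erin", "ops", None, False, 15),
]

CAMPAIGN, USER, DEPT, CLICKED, SUBMITTED, REPORTED = range(6)

# Thresholds assumed for this example; tune them to your own baseline.
DEPT_CLICK_ALERT = 0.20
REPEAT_CLICKS = 2


def rates(rows):
    """Click, credential-submission and report rates (0..1) for one group of results."""
    sent = len(rows)
    return {
        "sent": sent,
        "click_rate": sum(r[CLICKED] is not None for r in rows) / sent,
        "submit_rate": sum(r[SUBMITTED] for r in rows) / sent,
        "report_rate": sum(r[REPORTED] is not None for r in rows) / sent,
    }


def rates_by(events, field):
    """Group results by a field index (CAMPAIGN or DEPT) and compute rates per group.
    Insertion order is preserved, so campaign rates come out chronologically."""
    groups = defaultdict(list)
    for e in events:
        groups[e[field]].append(e)
    return {key: rates(rows) for key, rows in groups.items()}


def median_minutes_to_report(events):
    """Median time to report among those who did report; None if nobody did."""
    times = [e[REPORTED] for e in events if e[REPORTED] is not None]
    return median(times) if times else None


def repeat_clickers(events, min_clicks=REPEAT_CLICKS):
    """Staff who clicked in at least `min_clicks` separate campaigns."""
    counts = defaultdict(int)
    for e in events:
        if e[CLICKED] is not None:
            counts[e[USER]] += 1
    return sorted(u for u, n in counts.items() if n >= min_clicks)


def red_flags(events):
    """The three conditions the text singles out for intervention."""
    flags = []
    for dept, r in rates_by(events, DEPT).items():
        if r["click_rate"] > DEPT_CLICK_ALERT:
            flags.append(f"{dept}: click rate {r['click_rate']:.0%} exceeds {DEPT_CLICK_ALERT:.0%}, targeted training needed")
    if rates(events)["report_rate"] == 0:
        flags.append("no reports at all: check the reporting channel before blaming staff")
    for user in repeat_clickers(events):
        flags.append(f"{user}: repeat clicker, review access rights alongside retraining")
    return flags


if __name__ == "__main__":
    for campaign, r in rates_by(EVENTS, CAMPAIGN).items():
        print(f"{campaign}: click {r['click_rate']:.0%}  submit {r['submit_rate']:.0%}  report {r['report_rate']:.0%}")
    print("median minutes to report:", median_minutes_to_report(EVENTS))
    for flag in red_flags(EVENTS):
        print("FLAG", flag)
```

On this sample the organisation-wide click rate falls from 40% to 20% while the report rate climbs from 40% to 80%, which is the shape a healthy programme shows. The red flags still fire: finance clicks in half of all cases, ops is above the threshold, and one finance user has submitted credentials in every campaign, which is the case where the text recommends an access review rather than another training video.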

Security Awareness for Crypto-Specific Threats

Generic security awareness training will not adequately address the threat landscape that crypto and Web3 firms face. The following categories require dedicated training modules tailored to the sector. For a broader treatment of social engineering tactics specific to crypto, see our guide on social engineering attacks in crypto.

SIM Swapping

SIM swapping involves an attacker convincing a mobile network operator to transfer a target's phone number to a SIM card under the attacker's control, usually by social engineering a support agent or bribing an insider. Once accomplished, this bypasses SMS-based two-factor authentication and intercepts SMS and voice account-recovery codes, enabling account takeover across multiple platforms. Staff should understand how SIM swapping works, why SMS-based MFA is insufficient for high-value accounts, and what steps to take with their mobile provider to add additional account security, such as a PIN or port-out freeze. The stronger fix is to remove the phone number as an authentication and recovery factor from every account that matters, so that a successful swap gains the attacker nothing.

Fake Recruiter Attacks

This is a documented Lazarus Group tactic. A threat actor constructs a convincing fake identity as a recruiter at a prestigious firm, approaches a developer or senior employee on a professional network, and eventually delivers malware disguised as an assessment task, a job offer document, or an interview scheduling link; the "coding test" is frequently a repository whose build, test or setup step runs the payload. Staff should be trained to verify the identity of recruiters through independent channels before engaging with any materials they provide, to treat any request to download or execute code as a high-risk action regardless of context, and never to open such material on a machine that holds keys, credentials or production access. If it must be examined at all, it belongs in an isolated, disposable environment.

Wallet Drainer Links

Wallet drainers are malicious dapp front-ends, usually backed by attacker-controlled contracts, that present the victim with a signing request whose real effect differs from what the page claims. Connecting a wallet alone does nothing; the loss happens when the user signs an unlimited token approval, a setApprovalForAll over an NFT collection, an off-chain permit signature, or a direct transfer, after which the attacker moves the assets out. They are typically delivered via links in Discord messages, Telegram channels, or phishing emails that impersonate legitimate platforms, NFT drops, or airdrop campaigns. Staff responsible for community management, marketing, or any function involving public wallet interactions need specific training on verifying contract addresses, reading what a signature request actually grants before approving it, and periodically revoking allowances they no longer use.
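What "reading what a signature request grants" means in practice is decoding the calldata or typed data the wallet is about to sign. The following is an added example for this article, not code from Get Secured, a wallet vendor, or any drainer-detection product. It decodes the four function selectors drainers most commonly rely on (the selectors themselves are fixed by the EVM ABI) and classifies constructed signing requests; the reviewed-spender allowlist and the sample addresses are assumptions for the example, and the verdict rules are one reasonable policy, not a standard.

```python
MAX_UINT256 = (1 << 256) - 1

# First four bytes of keccak256(signature) for the functions drainers most often
# ask victims to sign. These selectors are fixed by the EVM ABI.
SELECTORS = {
    "095ea7b3": "approve",            # approve(address spender, uint256 amount)
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address operator, bool approved)
    "a9059cbb": "transfer",           # transfer(address to, uint256 amount)
    "d505accf": "permit",             # EIP-2612 permit(owner, spender, value, deadline, v, r, s)
}

# Contracts the team has reviewed and is willing to grant allowances to.
# Constructed allowlist for this example; real addresses belong in configuration.
KNOWN_SPENDERS = {"0x1111111111111111111111111111111111111111"}


def _split(data_hex: str):
    data = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    body = data[4:]
    if len(body) % 32:
        raise ValueError("calldata is not 32-byte word aligned")
    return data[:4].hex(), [body[i:i + 32] for i in range(0, len(body), 32)]


def _addr(word: bytes) -> str:
    return "0x" + word[12:].hex()


def _uint(word: bytes) -> int:
    return int.from_bytes(word, "big")


def decode(data_hex: str) -> dict:
    """Decode a signing request's calldata into the function name and the arguments that matter."""
    selector, words = _split(data_hex)
    fn = SELECTORS.get(selector)
    if fn is None:
        return {"function": None, "selector": selector}
    if fn in ("approve", "transfer"):
        return {"function": fn, "target": _addr(words[0]), "amount": _uint(words[1])}
    if fn == "setApprovalForAll":
        return {"function": fn, "target": _addr(words[0]), "approved": _uint(words[1]) != 0}
    return {"function": fn, "owner": _addr(words[0]), "target": _addr(words[1]),
            "amount": _uint(words[2]), "deadline": _uint(words[3])}


def assess(request: dict, known=KNOWN_SPENDERS):
    """Return ("ok" | "warn" | "block", reasons) for an on-chain transaction request."""
    d = decode(request["data"])
    if d["function"] is None:
        return "warn", [f"unrecognised selector 0x{d['selector']}: never sign calldata you cannot read"]
    target = d["target"].lower()
    unknown = target not in known
    reasons = []
    if d["function"] in ("approve", "permit"):
        if d["amount"] == MAX_UINT256:
            reasons.append("unlimited allowance: the spender could move every token you hold")
        if unknown and d["amount"] > 0:          # amount 0 is a revocation, always fine
            reasons.append(f"spender {target} is not on the reviewed list")
    elif d["function"] == "setApprovalForAll" and d["approved"]:
        reasons.append("operator approval over the whole collection, not one token")
        if unknown:
            reasons.append(f"operator {target} is not on the reviewed list")
    elif d["function"] == "transfer" and unknown:
        reasons.append(f"direct transfer to unreviewed address {target}")
    if reasons and unknown:
        return "block", reasons
    return ("warn", reasons) if reasons else ("ok", [])


def assess_typed_data(typed: dict, known=KNOWN_SPENDERS):
    """EIP-712 Permit signatures cost no gas and move nothing immediately, which is
    exactly why drainers favour them: the signed permit is redeemed by the attacker later."""
    if typed.get("primaryType") != "Permit":
        return "warn", [f"unfamiliar typed-data type {typed.get('primaryType')!r}"]
    m = typed["message"]
    spender, value = str(m["spender"]).lower(), int(m["value"])
    reasons = ["unlimited permit value"] if value == MAX_UINT256 else []
    if spender not in known:
        reasons.append(f"permit spender {spender} is not on the reviewed list")
        return "block", reasons
    return ("warn", reasons) if reasons else ("ok", [])


def _word_addr(addr: str) -> str:
    """ABI-encode an address as a left-padded 32-byte word (hex)."""
    return "00" * 12 + addr[2:].lower()


# Constructed requests as a browser wallet would present them (sample data, not real transactions).
UNKNOWN, NFT_OP, KNOWN = ("0x" + "22" * 20, "0x" + "33" * 20, "0x" + "11" * 20)
DRAINER_APPROVE = {"data": "0x095ea7b3" + _word_addr(UNKNOWN) + "ff" * 32}
NFT_DRAINER = {"data": "0xa22cb465" + _word_addr(NFT_OP) + "00" * 31 + "01"}
REVOKE = {"data": "0x095ea7b3" + _word_addr(UNKNOWN) + "00" * 32}
LIMITED_KNOWN = {"data": "0x095ea7b3" + _word_addr(KNOWN) + "00" * 31 + "64"}
DRAINER_PERMIT = {"primaryType": "Permit", "message": {"owner": "0x" + "aa" * 20, "spender": "0x" + "44" * 20,
                                                       "value": str(MAX_UINT256), "nonce": 0, "deadline": 4102444800}}

if __name__ == "__main__":
    for name, req in [("drainer approve", DRAINER_APPROVE), ("nft drainer", NFT_DRAINER),
                      ("revoke", REVOKE), ("limited to known", LIMITED_KNOWN)]:
        print(name, assess(req))
    print("permit", assess_typed_data(DRAINER_PERMIT))
```

The two things to teach from this are the shape of the dangerous requests (an amount of all f's, an approval flag of 1 to an address nobody has reviewed, or a typed-data Permit that the page describes as "verify your wallet") and the fact that a hardware wallet displays exactly these fields. A revocation (amount 0) to the same unknown spender is correctly allowed, because revoking is how the damage is undone.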

Discord and Telegram Impersonation

Impersonation of executives, colleagues, or partner organisations on Discord and Telegram is pervasive in the crypto space. Attackers create accounts with near-identical usernames, profile pictures, and bios to those of real individuals, then approach targets with requests for urgent action, credential submission, or fund transfers. Training should cover verification protocols for any sensitive request received via these channels: out-of-band verification by voice or video call should be mandatory before acting on any request involving access, funds, or sensitive systems.

Supply Chain Attacks on Developer Tools

The compromise of widely-used developer tools, npm packages, and open-source libraries to deliver malicious code is an increasingly common attack vector against crypto firms; a hijacked package version that adds an install-time script is a recurring pattern. Developers in particular need to be trained to scrutinise their dependency chains, pin versions in a lockfile and verify package integrity hashes, avoid pulling brand-new releases into builds without review, and maintain awareness of published security advisories for the tools they use.
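The integrity check a lockfile gives you is worth showing developers concretely, because it is the difference between "I installed version 1.4.2" and "I installed the same bytes that were reviewed". The following is an added example for this article, not code from Get Secured or from npm: it builds two tiny npm-layout tarballs in memory (constructed sample data, not real packages), records the reviewed one's SRI hash the way package-lock.json does, and then audits a re-published copy that carries the same name and version but a postinstall hook. The package name, version and scripts are assumptions for the example.

```python
import base64
import hashlib
import hmac
import io
import json
import tarfile


def sri_sha512(data: bytes) -> str:
    """Subresource Integrity string in the form package-lock.json stores under 'integrity'."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def verify_integrity(tarball: bytes, expected: str) -> bool:
    """Recompute the pinned hash over the tarball actually fetched and compare in constant time."""
    algo, _, b64 = expected.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    actual = base64.b64encode(hashlib.new(algo, tarball).digest()).decode()
    return hmac.compare_digest(actual, b64)


def read_manifest(tarball: bytes) -> dict:
    """package.json as shipped inside the tarball (npm places it under package/)."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tf:
        return json.load(tf.extractfile("package/package.json"))


def lifecycle_scripts(manifest: dict) -> list:
    """npm hooks that run arbitrary commands during install; the usual malware entry point."""
    hooks = ("preinstall", "install", "postinstall", "prepare")
    return [h for h in hooks if h in manifest.get("scripts", {})]


def audit(tarball: bytes, lock_entry: dict) -> list:
    """Checks a developer (or CI) should apply before trusting a fetched package."""
    findings = []
    if not verify_integrity(tarball, lock_entry["integrity"]):
        findings.append("integrity mismatch: fetched tarball differs from the pinned hash")
    manifest = read_manifest(tarball)
    if manifest.get("version") != lock_entry["version"]:
        findings.append(f"version drift: lockfile pins {lock_entry['version']}, tarball says {manifest.get('version')}")
    hooks = lifecycle_scripts(manifest)
    if hooks:
        findings.append("install-time scripts present: " + ", ".join(hooks))
    return findings


def build_tarball(manifest: dict) -> bytes:
    """Build a minimal npm-layout tarball in memory. Sample data for this example, not a real package."""
    payload = json.dumps(manifest).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# The version a reviewer pinned, and the hash the lockfile recorded at that time.
GOOD = build_tarball({"name": "@example/widget", "version": "1.4.2", "main": "index.js"})
LOCK_ENTRY = {"version": "1.4.2", "integrity": sri_sha512(GOOD)}

# The same name and version re-published with a postinstall hook, as a hijacked
# maintainer account or a poisoned registry mirror would serve it.
TAMPERED = build_tarball({"name": "@example/widget", "version": "1.4.2", "main": "index.js",
                          "scripts": {"postinstall": "node setup.js"}})

if __name__ == "__main__":
    print("reviewed copy:", audit(GOOD, LOCK_ENTRY) or "clean")
    print("re-published copy:", audit(TAMPERED, LOCK_ENTRY))
```

Two findings come back for the tampered copy: the hash no longer matches the lockfile, and the package now runs a script at install time. Either alone should stop a build. The version string is identical in both, which is the point of the exercise: a version number is a label chosen by whoever controls the registry entry, and only the hash says what you are actually executing.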

Building a Security Awareness Culture

Training programmes deliver their greatest value when they sit within a broader security culture rather than standing alone as a compliance exercise. Culture is the multiplier that converts individual knowledge into collective organisational resilience. For a comprehensive treatment of this topic, see our post on building a security culture in Web3 organisations.

Tone from the Top

Leadership behaviour has a disproportionate influence on how seriously the broader organisation takes security. If executives are seen to circumvent security controls, ignore phishing simulation feedback, or treat security training as an inconvenience, this signal propagates rapidly through the organisation. Conversely, when senior leaders visibly engage with training, discuss security in team meetings, and publicly acknowledge their own mistakes or near-misses, the message that security is everyone's responsibility becomes credible.

Blameless Reporting Culture

One of the most valuable outcomes of a good security awareness programme is an increase in staff reporting of suspicious activity. This can only happen if people feel safe reporting without fear of blame or punishment. A blameless reporting culture, where the discovery of a potential incident is treated as a positive outcome rather than an admission of wrongdoing, dramatically increases the speed at which the security team receives information about active threats.

If staff who report incidents face criticism or ridicule, they will simply stop reporting. The organisation will then be relying on automated detection systems alone, losing the significant intelligence advantage that human observation provides.

Rewarding Vigilance

Small, visible recognitions of good security behaviour are a highly cost-effective way to reinforce the desired culture. Calling out in a team meeting the individual who was the first to report a phishing simulation, establishing a small reward for staff who identify genuine security incidents, or simply acknowledging security-conscious behaviour creates positive reinforcement loops that no amount of training content can replicate on its own.

Measuring Training Effectiveness

Security awareness training must be measurable to be defensible to leadership and to drive continuous improvement. A CISO who cannot quantify the impact of their training programme will struggle to secure budget for it. The following metrics form a robust measurement framework.

Phishing Simulation Click Rate

Track click rate by month, by department, by seniority level, and by scenario type. The trend over time is more important than any single data point. A declining click rate across the organisation over a twelve-month period is strong evidence of programme effectiveness.

Incident Report Rate

The number of security incidents reported by staff, normalised by headcount, is a leading indicator of security culture health. An increase in reported incidents following the launch of a training programme does not necessarily mean security is getting worse; it often means staff are becoming more alert and more willing to report. Distinguish between reports that turn out to be genuine threats and those that are false alarms, but do not penalise false alarms, as discouraging reporting is a far greater risk than managing a small volume of false positives.

Knowledge Assessment Scores

Formal knowledge assessments before and after training delivery provide a baseline measurement of learning. More usefully, repeat assessments over time reveal whether knowledge retention is occurring or whether training is being forgotten. Assessments should be tailored to the specific threats relevant to each role rather than using generic content.

Reduction in Security Incidents Over Time

The ultimate measure of training effectiveness is a reduction in security incidents attributable to human error. This is a lagging indicator, taking twelve to twenty-four months to manifest clearly, but it is the metric that matters most to the business and to auditors. Track the number of credential compromise events, phishing-related incidents, and social engineering successes over time and correlate with training programme milestones.

Mean Time to Report

How quickly staff report a suspicious email or incident is a practical measure of both vigilance and the accessibility of the reporting mechanism. A reduction in mean time to report over the course of the programme indicates that staff are becoming more alert and that the reporting process is not a barrier to action.

Compliance Drivers: DORA, MiCA, and ISO 27001

For crypto firms operating in regulated or regulated-adjacent environments, security awareness training is not merely a best practice. It is a regulatory requirement under several frameworks.

DORA (Digital Operational Resilience Act)

The Digital Operational Resilience Act, which applies to financial entities across the European Union, including crypto-asset service providers authorised under MiCA, explicitly requires organisations to implement ICT risk management frameworks that include staff training and awareness. Article 13(6) of DORA requires financial entities to include ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes, applicable to all employees and to senior management, with a level of complexity matched to each person's role. Failure to demonstrate an adequate training programme exposes firms to supervisory action and potential financial penalties. Our detailed guide on DORA compliance for crypto firms covers the full range of requirements.

MiCA (Markets in Crypto-Assets Regulation)

MiCA's operational requirements for crypto-asset service providers include the expectation that staff understand and can fulfil their security responsibilities, and DORA applies to CASPs directly. While MiCA does not prescribe the exact format of training programmes, the combination of MiCA's operational requirements, DORA's explicit training mandate, and the technical standards developed by the European supervisory authorities (ESMA and the EBA) makes a documented, measurable security awareness programme a practical necessity for any CASP seeking authorisation.

ISO 27001

ISO 27001 Annex A.6.3 (formerly A.7.2.2 in the 2013 version) mandates information security awareness, education, and training for all personnel and relevant contractors. This control is not optional under the standard; auditors will check for evidence of a structured programme, assessment records, and coverage across the workforce. Our full guide to ISO 27001 certification for crypto firms addresses all Annex A controls in detail.

Beyond these three frameworks, the NIST Cybersecurity Framework (the Awareness and Training category, PR.AT), SOC 2 Type II, and many national baseline and sector schemes all include security awareness training requirements, making this one of the most universally required controls in the security landscape.

Frequently Asked Questions

How often should crypto firms run security awareness training?

At a minimum, all staff should complete a foundational security awareness programme on joining and then annually thereafter. For higher-risk roles such as engineers, finance, and operations, quarterly refreshers are advisable. Phishing simulations should run at least monthly to maintain vigilance and generate meaningful trend data.

What is a good phishing simulation click rate for a crypto firm?

Industry benchmarks suggest that a well-trained organisation should achieve a click rate below 5% on phishing simulations. For crypto firms, where spear-phishing campaigns are highly targeted and sophisticated, aiming for sub-3% is a reasonable and achievable goal after six to twelve months of consistent simulation and training.

Does security awareness training cover hardware wallet and key management?

A programme designed specifically for crypto and Web3 firms should absolutely cover key management hygiene. This includes safe storage of seed phrases, recognising wallet drainer links, understanding the risks of browser-based wallets, and the correct procedures for signing transactions with hardware wallets. Generic corporate security training typically does not cover these topics.

Is security awareness training required under DORA or MiCA?

Yes. DORA explicitly requires ICT risk management frameworks that include staff training and awareness. MiCA's operational resilience requirements for crypto-asset service providers similarly demand that staff understand their security responsibilities. ISO 27001 Annex A.6.3 mandates information security awareness, education and training for all staff.

How do you build a security awareness programme from scratch at a small crypto firm?

Start with a risk assessment to identify the highest-priority threats for your organisation: social engineering, phishing, and key management are almost always at the top. Build a short foundational module covering these topics, deliver it to all staff, and immediately begin monthly phishing simulations. Layer in role-specific content over the following months, establish a clear reporting channel for suspicious activity, and track metrics from the outset so you can demonstrate improvement over time. Firms that need structured guidance on establishing the incident response component of this should also review our incident response planning guide.
