Most crypto firms invest in perimeter defences: firewalls, wallets with multi-signature approval, smart contract audits. Fewer invest in understanding the adversaries who are actively planning to attack them right now. Cyber threat intelligence (CTI) fills that gap. It is not a product you can buy and install; it is an operational discipline that transforms raw information about threats into decisions that improve your security posture before an attack succeeds.
This guide explains what CTI is, who the primary threat actors targeting Web3 organisations are, what sources of intelligence are available, and how to build a CTI capability that is proportionate to your organisation's size and risk profile.
What Is Cyber Threat Intelligence
Cyber threat intelligence is the process of collecting, processing, analysing, and disseminating information about current or potential threats to an organisation, in a form that enables decision-makers to act. The key distinction from raw data is actionability: threat data becomes intelligence only when it has been contextualised, assessed for reliability, and translated into something that can inform a decision or defence.
The Four Types of CTI
CTI is typically categorised across four levels, each serving a different audience within your organisation:
- Strategic CTI is high-level intelligence about threat actor motivations, geopolitical factors, and industry-wide trends. It informs board-level risk decisions, investment in security capabilities, and organisational risk appetite. A strategic CTI report might explain why DPRK-affiliated groups have intensified attacks on DeFi protocols following changes in cryptocurrency sanctions enforcement.
- Tactical CTI describes the tactics, techniques, and procedures (TTPs) that adversaries use. It is the intelligence behind threat-informed defence: knowing that Lazarus Group typically uses fake LinkedIn job offers as an initial access vector means you can train employees and monitor for this specific pattern. Tactical CTI maps directly to the MITRE ATT&CK framework.
- Operational CTI provides intelligence about specific planned or ongoing attacks. It is the most time-sensitive category and typically requires access to threat actor communications, dark web monitoring, or law enforcement partnerships. Operational CTI might warn you that a specific threat actor has acquired your employee's credentials and is planning an intrusion in the coming days.
- Technical CTI consists of indicators of compromise (IOCs): malicious IP addresses, domain names, file hashes, email subjects, and URLs associated with known attacks. Technical CTI is the most machine-readable form and feeds directly into SIEM platforms, firewalls, and endpoint detection tools.
The Intelligence Cycle
CTI is produced through a continuous six-stage cycle:
- Direction: Define what intelligence you need and why. What are your key assets? Who are your most likely adversaries? What questions do your security and leadership teams need answered?
- Collection: Gather raw data from defined sources: threat feeds, dark web forums, OSINT, internal telemetry, industry sharing groups, and commercial platforms.
- Processing: Normalise, deduplicate, and structure the raw data so it can be analysed. This step includes filtering out noise and correlating data points across sources.
- Analysis: Apply human judgement and analytical frameworks to turn processed data into intelligence. This is where you assess reliability, identify patterns, and develop assessments.
- Dissemination: Deliver the intelligence to the right people in the right format: a technical IOC feed to the SOC, a strategic briefing to the board, an operational alert to the incident response team.
- Feedback: Collect input from consumers of the intelligence to improve collection and analysis in the next cycle. CTI without feedback loops degrades in relevance over time.
"Threat intelligence is only as valuable as the decisions it informs. Collecting data without the capacity to analyse and act on it is not a CTI programme; it is a data accumulation exercise."
Why Crypto Firms Are Prime CTI Targets
The digital asset sector has a set of structural characteristics that make it uniquely attractive to sophisticated threat actors, and uniquely vulnerable to the consequences of a successful attack.
Large, Liquid, and Accessible Treasuries
A single successful attack on a crypto firm can yield hundreds of millions of dollars in immediate, largely irreversible value. Unlike a bank robbery, there is no central counterparty to reverse the transaction, no fraud team to claw back funds, and no deposit insurance scheme. This asymmetric reward profile attracts the most sophisticated adversaries: those who would ordinarily target defence contractors, financial institutions, or critical national infrastructure.
Thin Security Teams
Many crypto firms scale their development teams faster than their security teams. It is common to find protocols managing hundreds of millions in TVL with no dedicated security engineer, no SOC, and no formal threat monitoring programme. This creates a soft target: high-value assets with comparatively low defensive capability.
Public Blockchain Data as Reconnaissance Intelligence
Everything on a public blockchain is visible. Treasury balances, transaction patterns, hot wallet addresses, and fund flows are all available to any threat actor conducting reconnaissance. Before attacking a protocol, adversaries can map exactly how much is held in which wallets, identify the signing patterns that suggest multi-sig configurations, and time their attack to coincide with high-value windows.
Pseudonymous Founders and Thin Legal Accountability
Pseudonymity, while culturally embedded in crypto, creates intelligence challenges. Threat actors know that pseudonymous founders are less likely to involve law enforcement, less willing to publicise breaches, and may have weaker corporate governance structures that make security decisions easier to circumvent.
Exploit History as Attacker Research Material
Every published post-mortem from a DeFi exploit is a research document for the next attacker. Public narratives about how Ronin Bridge, Nomad, and Euler Finance were compromised have been studied and adapted by adversaries targeting similar protocols. CTI gives defenders access to the same research and allows them to close analogous vulnerabilities before they are discovered.
The Threat Landscape for Web3 Organisations
Nation-State Actors: The Lazarus Group and DPRK
The most sophisticated and well-documented threat to the crypto sector comes from North Korea's state-sponsored hacking units, collectively referred to as the Lazarus Group. UN reports estimate that DPRK-affiliated actors stole over $3 billion in cryptocurrency between 2017 and 2023, with proceeds used to fund the country's weapons programme.
Lazarus Group attacks on crypto organisations follow recognisable TTPs: spear-phishing via fake job offers on LinkedIn and Telegram, malicious open-source packages seeded into developer communities, trojanised trading software distributed to crypto professionals, and supply chain compromises targeting software dependencies used by multiple protocols simultaneously.
For a detailed breakdown of Lazarus Group TTPs and how crypto firms can harden against them specifically, see our post on Lazarus Group tactics and crypto operational security.
Organised Cybercriminal Syndicates
Beyond nation-state actors, the crypto sector is targeted by organised cybercriminal groups motivated purely by financial gain. These groups range from sophisticated ransomware operators who have pivoted to targeting crypto firms, to exploit brokers who sell access to compromised exchange infrastructure to the highest bidder, to credential harvesting operations that systematically acquire employee login details and sell them on dark web marketplaces.
Unlike nation-state groups, criminal syndicates tend to be opportunistic: they target firms with identifiable weaknesses rather than specific strategic objectives. This means that basic hygiene improvements -- credential monitoring, patching, and access controls -- can meaningfully reduce your exposure to this category of threat.
Insider Threats
Insider threats in crypto are particularly consequential because employees and contractors often have direct access to private keys, hot wallet credentials, and administrative functions with no equivalent in traditional finance. A disgruntled developer with access to a deployment key, or a contractor with visibility of treasury wallet addresses, represents a material risk that external controls cannot fully mitigate.
CTI supports insider threat detection by monitoring for employee credentials appearing on dark web marketplaces (a potential indicator of phishing or compromise), unusual access patterns, and early signs of disengagement or behavioural change that often precede insider incidents.
Competitors and Competitive Intelligence Gathering
Not all threat actors are seeking to steal funds. In a competitive and fast-moving market, some actors conduct intelligence gathering about competitor protocols, investment plans, tokenomics decisions, and pre-announcement information. This threat category is often overlooked but can have material consequences for token prices, fundraising rounds, and partnership negotiations.
DeFi Protocol-Specific Targeting
DeFi protocols face a category of threat that is largely unique to Web3: automated and semi-automated exploit discovery. Adversaries use on-chain analytics, code review of unaudited or recently deployed contracts, and economic modelling to identify exploitable conditions in protocols. Flash loan attacks, oracle manipulation, and governance attacks are often preceded by weeks of public reconnaissance that CTI monitoring can detect.
CTI Sources for Crypto Firms
Open-Source Intelligence (OSINT)
OSINT is the foundation of any CTI programme and is available at low or no cost:
- Blockchain analytics: Tools such as Chainalysis Reactor, TRM Labs, and Etherscan allow analysts to trace fund flows, identify wallets associated with known threat actors, and detect suspicious transaction patterns. Our post on blockchain forensics covers these techniques in detail.
- Dark web monitoring: Structured monitoring of dark web forums, paste sites, and criminal marketplaces for mentions of your organisation, employee credentials, leaked code, or discussion of planned attacks.
- Threat feeds: Public and community-maintained feeds of IOCs including VirusTotal, AlienVault OTX, and the MITRE ATT&CK framework. These provide technical indicators that can be ingested into security tooling.
- Vulnerability databases: CVE and the NVD publish details of known software vulnerabilities. Monitoring for vulnerabilities in your technology stack allows pre-emptive patching before adversaries exploit them.
- ISAC membership: The Financial Services Information Sharing and Analysis Centre (FS-ISAC) and the Crypto ISAC provide sector-specific threat intelligence sharing between member organisations.
Commercial Threat Intelligence Platforms
Commercial CTI platforms such as Recorded Future, Mandiant Advantage, Flashpoint, and Chainalysis provide curated intelligence feeds, dark web access, and analyst-developed intelligence products that go beyond what free OSINT delivers. For organisations with the budget, these platforms dramatically accelerate collection and analysis capability.
Government and Law Enforcement Feeds
CISA (Cybersecurity and Infrastructure Security Agency) publishes alerts, advisories, and known exploited vulnerability (KEV) lists that are publicly available and highly actionable. Europol's EC3 and the UK's NCSC publish threat actor profiles and sector-specific advisories. FBI alerts frequently include IOCs related to crypto-specific threats including Lazarus Group campaigns.
Tactical CTI: What to Monitor
For crypto firms building a practical CTI capability, the following monitoring priorities deliver the highest signal-to-noise ratio:
Your Brand and Domain on Dark Web Forums
Monitor paste sites, dark web forums (Breach Forums, Russian-language cybercriminal marketplaces), and Telegram channels for mentions of your organisation's name, domain, key personnel names, and product names. Early detection of discussions about your organisation -- including credential databases being traded or exploit techniques being shared -- provides lead time to act.
Employee Credential Leaks
Corporate email addresses and passwords appearing in data breach compilations are a primary initial access vector. Services such as Have I Been Pwned, SpyCloud, and commercial threat intelligence platforms continuously monitor breach databases and can alert you when employee credentials are compromised. This intelligence directly informs password reset requirements and phishing awareness campaigns.
Your Protocol in Exploit Discussion Channels
Monitor Telegram groups, Discord servers, and forums known to be used by exploit researchers and adversaries for mentions of your protocol's name, contract addresses, or specific functions. A threat actor asking questions about how a specific function in your smart contract handles edge cases is an early warning signal worth investigating.
GitHub for Leaked Keys and Internal Code
Developer error remains one of the most common causes of credential exposure. Monitor GitHub and other public code repositories for accidental commits of private keys, API credentials, seed phrases, or internal code. Automated secret scanning tools can alert you within minutes of a sensitive string being pushed to a public repository.
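As an added illustration (not code from the original post or from any scanning product named on this page), a minimal secret scanner over the added lines of a constructed diff, covering the three categories the paragraph names: private keys, API credentials and seed phrases. The diff and every value in it are constructed; the hex "key" is a repeated `deadbeef` pattern and the mnemonic is the first twelve words of the public BIP-39 English list.

```python
"""Secret scanning over a diff (added example, not the post's own code). Only added
('+') lines can introduce a secret. 64-hex strings count as private keys only when
the variable name suggests one, since tx and content hashes look identical."""
import math
import re

HEX_KEY = re.compile(r"(?:0x)?[0-9a-fA-F]{64}")
# A quoted value (12+ chars) assigned to a name containing a secret-like word.
ASSIGN = re.compile(
    r"(?i)\b(\w*(?:key|secret|token|password|mnemonic|seed)\w*)\s*[:=]\s*['\"]([^'\"]{12,})['\"]")
PLACEHOLDERS = {"your_api_key", "changeme", "<redacted>", "replace_me"}

def shannon_entropy(s):
    """Bits per character; random API secrets sit well above ordinary identifiers."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def is_seed_phrase(text):
    """12 or 24 lowercase alphabetic words of 3-8 letters (the shape of a BIP-39 mnemonic)."""
    words = text.split()
    return len(words) in (12, 24) and all(w.isalpha() and w.islower() and 3 <= len(w) <= 8 for w in words)

def redact(value):
    """Keep enough to triage, never the whole secret: the alert must not re-leak it."""
    return f"{value[:4]}...[{len(value)} chars]"

def classify(name, value):
    """Finding kind for an assigned value, or None if it looks benign."""
    if value.strip().lower() in PLACEHOLDERS or set(value.lower()) <= set("0x"):
        return None  # documented placeholders and all-zero dummies
    if HEX_KEY.fullmatch(value):
        return "hex-private-key" if re.search(r"(?i)priv|key|secret", name) else None
    if is_seed_phrase(value):
        return "seed-phrase"
    if len(value) >= 16 and shannon_entropy(value) >= 3.5:
        return "high-entropy-credential"
    return None

def scan_diff(diff_text):
    """Return (diff line number, kind, redacted evidence) for each suspected secret."""
    findings = []
    for n, raw in enumerate(diff_text.splitlines(), 1):
        if not raw.startswith("+") or raw.startswith("+++"):
            continue
        line = raw[1:]
        m = ASSIGN.search(line)
        if m:
            kind = classify(m.group(1), m.group(2))
            if kind:
                findings.append((n, kind, f"{m.group(1)}={redact(m.group(2))}"))
        else:  # bare mnemonic pasted into a comment or text file
            phrase = line.strip().strip("#/ ")
            if is_seed_phrase(phrase):
                findings.append((n, "seed-phrase", redact(phrase)))
    return findings

# Constructed diff: every value is synthetic (the "key" is 0x followed by deadbeef x8).
SAMPLE_DIFF = """\
--- a/deploy/config.py
+++ b/deploy/config.py
+RPC_URL = "https://rpc.example.invalid"
+DEPLOYER_PRIVATE_KEY = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+LAST_TX_HASH = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+ETHERSCAN_API_KEY = "YOUR_API_KEY"
+EXCHANGE_API_SECRET = "qP9vX2mLr7TcA4kWz0bYh6NdJ3sFgE8u"
+# abandon ability able about above absent absorb abstract absurd abuse access accident
-OLD_SETTING = 1
"""
```

Note that the identical hex value assigned to `LAST_TX_HASH` is deliberately not flagged: without variable-name context a 64-hex string is indistinguishable from a hash, and flagging every one would bury the real finding.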
Social Media Impersonation Accounts
Impersonation of your brand's social media accounts, founder personas, and official communication channels is a common precursor to social engineering attacks against your users or partners. Monitor Twitter/X, Telegram, and Discord for accounts impersonating your brand and pursue takedown action quickly when they are discovered.
Operationalising CTI: From Intelligence to Action
Collecting intelligence without integrating it into security operations creates an intelligence backlog rather than improved security. Operationalisation means connecting CTI outputs to the systems and processes that can act on them.
Integration with SIEM and SOC
Technical CTI (IOCs) should be fed directly into your Security Information and Event Management (SIEM) platform to enable automated detection and alerting when known-malicious indicators appear in your environment. Our post on building a security operations centre for crypto firms covers this integration in detail. IOC feeds should be refreshed continuously and indicators should be time-limited to avoid alert fatigue from stale data.
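The time-limited indicator handling described above, as an added example rather than code from the original post: a small IOC index in which each indicator expires a TTL after its feed last reported it, a refresh step that re-arms indicators a source still reports, and a match pass over constructed key=value proxy and EDR log lines. The feed entries, TTLs, log schema and log lines are all constructed for illustration (documentation-range IPs, `.invalid` domains, a dummy hash).

```python
"""IOC ingestion with time-limited indicators (added example, not the post's own code).
Each indicator expires a TTL after the feed last reported it; expired indicators are
skipped during matching so stale data stops alerting, and a feed refresh re-arms them."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Indicator:
    ioc_type: str        # "ip", "domain" or "sha256"
    value: str
    source: str          # feed or sharing group the indicator came from
    last_seen: datetime  # last time a feed reported it
    ttl: timedelta       # active lifetime counted from last_seen

    def is_active(self, now):
        return now < self.last_seen + self.ttl

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility
DAY = timedelta(days=1)

# Constructed sample feed: documentation-range IPs and .invalid domains, not real IOCs.
FEED = [
    Indicator("ip", "192.0.2.10", "community-feed", NOW - 3 * DAY, 30 * DAY),        # active
    Indicator("ip", "198.51.100.7", "community-feed", NOW - 90 * DAY, 30 * DAY),     # expired
    Indicator("domain", "jobs-offer.invalid", "isac-share", NOW - 1 * DAY, 14 * DAY),  # active
    Indicator("sha256", "0" * 60 + "c0de", "isac-share", NOW - 20 * DAY, 14 * DAY),   # expired
]

def active_indicators(feed, now):
    """Index only the indicators whose TTL has not elapsed."""
    return {(i.ioc_type, i.value): i for i in feed if i.is_active(now)}

def refresh_feed(feed, update, now):
    """Merge a new feed pull: re-reported indicators get last_seen=now, new ones are added."""
    by_key = {(i.ioc_type, i.value): i for i in feed}
    for i in update:
        key = (i.ioc_type, i.value)
        by_key[key] = replace(by_key[key], last_seen=now) if key in by_key else i
    return list(by_key.values())

# Which log field is compared against which indicator type (constructed log schema).
FIELD_TO_TYPE = {"dst_ip": "ip", "dst_host": "domain", "sha256": "sha256"}

def parse_line(line):
    """Parse a constructed key=value log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def match_logs(lines, feed, now):
    """Return (timestamp, ioc_type, value, source) for every hit on an active indicator."""
    active = active_indicators(feed, now)
    hits = []
    for line in lines:
        fields = parse_line(line)
        for field, ioc_type in FIELD_TO_TYPE.items():
            value = fields.get(field)
            if value and (ioc_type, value) in active:
                hits.append((fields["ts"], ioc_type, value, active[(ioc_type, value)].source))
    return hits

# Constructed proxy and EDR log lines; private-range sources, documentation-range destinations.
SAMPLE_LOGS = [
    "ts=2024-06-01T11:58:00Z src_ip=10.0.0.5 dst_ip=192.0.2.10 dst_host=cdn.example.net",
    "ts=2024-06-01T11:59:10Z src_ip=10.0.0.8 dst_ip=198.51.100.7 dst_host=update.example.net",
    "ts=2024-06-01T11:59:30Z host=dev-laptop-3 sha256=" + "0" * 60 + "c0de",
    "ts=2024-06-01T12:00:02Z src_ip=10.0.0.5 dst_ip=203.0.113.9 dst_host=jobs-offer.invalid",
]
if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS, FEED, NOW):
        print("ALERT", *hit)
```

Two of the four sample lines touch indicators that are in the feed but past their TTL, and neither produces an alert until a refresh re-reports the indicator.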
IOC Sharing with Peer Organisations
Threat intelligence has a network effect: the more organisations share indicators of compromise and attacker TTPs, the faster the entire sector can detect and respond to new campaigns. Participating in ISAC working groups, sharing IOCs through platforms like MISP (Malware Information Sharing Platform), and engaging in bilateral intelligence sharing with peer firms are all force multipliers for your CTI programme.
Threat-Informed Defence Using MITRE ATT&CK
The MITRE ATT&CK framework catalogues adversary TTPs drawn from real-world attacks. Mapping CTI findings about the threat actors most relevant to your organisation to ATT&CK enables you to identify gaps in your defensive controls and prioritise improvements. For example, if CTI indicates that Lazarus Group has been targeting firms using a specific phishing technique (spearphishing via service -- ATT&CK T1566.003), you can test whether your email gateway and user training would detect and prevent that specific vector.
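The gap analysis this paragraph describes, as an added example that is not code from the original post: the ATT&CK technique IDs are real, but the assignment of techniques to actors and the control inventory are assumptions made for illustration, not an authoritative profile of any group. It ranks uncovered techniques by how many tracked actors use them and reports, per actor, how much of their observed tradecraft at least one control addresses.

```python
"""ATT&CK coverage gap analysis (added example, not the post's own code). Compares
the techniques tracked actors use against the controls that prevent or detect them,
and ranks uncovered techniques by how many actors rely on them."""
from collections import Counter

# Real ATT&CK technique IDs; names abbreviated.
TECHNIQUES = {
    "T1566.003": "Phishing: Spearphishing via Service",
    "T1195.001": "Supply Chain Compromise: Software Dependencies and Dev Tools",
    "T1195.002": "Supply Chain Compromise: Software Supply Chain",
    "T1204.002": "User Execution: Malicious File",
    "T1078": "Valid Accounts",
    "T1552.001": "Unsecured Credentials: Credentials In Files",
}

# Assumed CTI findings (illustrative, not an authoritative actor profile).
ACTOR_TTPS = {
    "state-sponsored-group": {"T1566.003", "T1195.001", "T1195.002", "T1204.002", "T1552.001"},
    "credential-broker": {"T1566.003", "T1078"},
    "opportunistic-ransomware": {"T1204.002", "T1078"},
}

# Assumed control inventory: control -> {technique: {"prevent" and/or "detect"}}.
CONTROLS = {
    "job-offer-lure-awareness-training": {"T1566.003": {"detect"}},
    "dependency-lockfile-and-provenance-check": {"T1195.001": {"prevent"}},
    "edr-script-and-macro-blocking": {"T1204.002": {"prevent", "detect"}},
    "hardware-mfa-on-admin-accounts": {"T1078": {"prevent"}},
}

def coverage(actor_ttps, controls):
    """{technique: set of coverage levels} for every technique any tracked actor uses."""
    needed = set().union(*actor_ttps.values())
    covered = {t: set() for t in needed}
    for mapping in controls.values():
        for technique, levels in mapping.items():
            if technique in covered:
                covered[technique] |= levels
    return covered

def gaps(actor_ttps, controls, require_detection=True):
    """Techniques with no control at all, or (if required) with prevention but no
    detection, ranked by number of actors using them; ties broken by technique ID."""
    use_count = Counter(t for ttps in actor_ttps.values() for t in ttps)
    result = []
    for technique, levels in coverage(actor_ttps, controls).items():
        if not levels:
            reason = "no control"
        elif require_detection and "detect" not in levels:
            reason = "prevention only, no detection"
        else:
            continue
        result.append((technique, use_count[technique], reason))
    return sorted(result, key=lambda r: (-r[1], r[0]))

def actor_coverage(actor_ttps, controls):
    """Fraction of each actor's techniques addressed by at least one control."""
    cov = coverage(actor_ttps, controls)
    return {actor: sum(1 for t in ttps if cov[t]) / len(ttps) for actor, ttps in actor_ttps.items()}

if __name__ == "__main__":
    for technique, n_actors, reason in gaps(ACTOR_TTPS, CONTROLS):
        print(f"{technique} ({TECHNIQUES[technique]}): used by {n_actors} actor(s), {reason}")
    for actor, frac in actor_coverage(ACTOR_TTPS, CONTROLS).items():
        print(f"{actor}: {frac:.0%} of observed techniques covered")
```

With these assumed inputs the top gap is Valid Accounts (two actors, MFA prevents but nothing detects misuse), and the state-sponsored profile is the least covered at 60%.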
Red Team Scenarios Built from CTI
The most advanced operationalisation of CTI is using intelligence about real adversary TTPs to construct red team scenarios that test your specific controls against your specific threat actors. This approach, sometimes called threat-informed adversary simulation, is far more realistic than generic penetration testing because it recreates the actual techniques your adversaries are known to use. Our post on red team and blue team exercises for crypto firms covers how to structure this process.
Building a CTI Programme on a Limited Budget
A full commercial CTI platform is not accessible to every organisation. The good news is that a meaningful CTI capability can be built with limited resources if priorities are set correctly.
Start with What Matters Most
Before subscribing to any tool or platform, define your top three intelligence requirements. For a crypto firm these are typically: (1) Have our employee credentials appeared in breach databases? (2) Is our organisation being discussed in threat actor forums? (3) Are there known vulnerabilities in our technology stack that are being actively exploited? These questions can be answered using free and low-cost tools before investing in commercial platforms.
Free Tools That Deliver Real Value
- Have I Been Pwned (HIBP): Domain monitoring for employee credential leaks, available free for organisations.
- CISA KEV list: The Known Exploited Vulnerabilities catalogue is freely published and directly actionable for patching prioritisation.
- CVE feeds and NVD: Subscribe to CVE notifications for software versions in your stack.
- Blockchain analytics APIs: Etherscan, Blockchair, and Chainalysis's free tier provide on-chain intelligence for monitoring wallet activity.
- AlienVault OTX and VirusTotal: Community-maintained IOC feeds available at no cost.
- GitHub secret scanning alerts: Available free for public repositories and as part of GitHub Advanced Security for private repos.
Prioritise Monitoring for Your Own Brand and Credentials
Many organisations spend their limited CTI budget on broad threat feeds while neglecting the most directly relevant intelligence: monitoring for their own organisation's exposure. A targeted approach -- monitoring your specific domain, key personnel names, and wallet addresses -- delivers more actionable intelligence per pound spent than generic threat data subscriptions.
Leverage Community Threat Sharing
Threat sharing communities exist precisely to give smaller organisations access to intelligence that would otherwise require enterprise-level budgets. FS-ISAC membership, participation in sector-specific working groups, and relationships with peer firms in the crypto security community all provide intelligence access that would cost significantly more to produce independently.
Vulnerability management and CTI are closely linked disciplines. Our post on vulnerability management for Web3 organisations covers how to prioritise patching based on threat intelligence about active exploitation.
CTI and Regulatory Requirements
For crypto firms operating under European regulatory frameworks, CTI is not merely a best practice -- it is increasingly a regulatory expectation.
DORA Article 13: Threat Intelligence Sharing
The Digital Operational Resilience Act (DORA) Article 13 requires financial entities to exchange cyber threat information and intelligence with each other, including indicators of compromise, tactics, techniques and procedures, cybersecurity alerts, and configuration tools. Crypto asset service providers that fall within DORA's scope -- particularly those designated as significant under MiCA -- are subject to this requirement. A CTI programme that participates in regulated intelligence sharing arrangements is not optional for these firms.
Our detailed guide on DORA compliance for crypto firms covers the full scope of Article 13 obligations and how to meet them.
MiCA Operational Resilience Requirements
MiCA (Markets in Crypto-Assets Regulation) requires CASPs to maintain robust governance and operational resilience, including processes for detecting and responding to security incidents. CTI directly supports compliance with these requirements by providing the intelligence infrastructure needed to detect threats before they become reportable incidents.
NIS2 Requirements for Financial Services
NIS2 applies to entities in critical sectors including financial services and digital infrastructure. It requires proactive risk management, incident reporting within 24 hours of becoming aware of a significant incident, and participation in information sharing frameworks. Organisations subject to NIS2 that lack a CTI capability will struggle to meet the detection and reporting timelines the directive prescribes.
A well-structured CTI programme also informs the incident response planning requirements that DORA, MiCA, and NIS2 all share. Our guide on incident response planning for crypto firms explains how CTI feeds into effective response playbooks.
Frequently Asked Questions
What is cyber threat intelligence and why does it matter for crypto firms?
Cyber threat intelligence (CTI) is the practice of collecting, analysing, and acting on information about current and potential threats to your organisation. For crypto firms, it matters because sophisticated adversaries including nation-state groups and organised cybercriminal syndicates specifically target digital asset businesses. CTI gives security teams early warning of impending attacks, enabling proactive defence rather than reactive incident response.
What is the difference between strategic, tactical, operational, and technical CTI?
Strategic CTI informs senior leadership on the threat landscape and business risk. Tactical CTI focuses on adversary tactics, techniques, and procedures (TTPs) to improve defences. Operational CTI provides intelligence about specific planned or ongoing attacks. Technical CTI delivers indicators of compromise (IOCs) such as malicious IP addresses, domain names, and file hashes that can be ingested directly into security tools.
How does the Lazarus Group target crypto organisations?
The Lazarus Group uses sophisticated spear-phishing campaigns, fake job offers, malicious open-source packages, and supply chain compromises to target crypto developers, exchange employees, and DeFi protocol teams. Once inside, they move laterally to reach private keys and hot wallet infrastructure. Understanding their TTPs through threat intelligence allows organisations to specifically test and harden against these known attack patterns.
What free CTI sources are available for crypto firms?
Free CTI sources include CISA alerts and advisories, the CVE vulnerability database, OSINT tools such as Shodan and Censys for internet-facing asset monitoring, blockchain analytics APIs, threat sharing communities such as the FS-ISAC, and free tiers from platforms like VirusTotal and AlienVault OTX. Monitoring your own brand on dark web forums can be initiated at low cost using open-source tools and manual checks.
What regulations require crypto firms to engage in threat intelligence sharing?
DORA Article 13 explicitly requires financial entities, including crypto asset service providers under MiCA, to share threat intelligence and cybersecurity information with peers and regulators. NIS2 also mandates cyber incident reporting and information sharing for entities in scope. MiCA's operational resilience requirements further reinforce the need for proactive threat monitoring and intelligence-driven security programmes.