People Security, Pillar 01
Generic phishing awareness training teaches people to recognise last year's attacks. Our simulation campaigns replicate the exact tactics being used against Web3 teams right now (wallet drainers, fake grant portals, impersonated auditors), so your team builds real instincts against real threats.
Off-the-shelf phishing simulation platforms use generic corporate templates: fake HR emails and fake IT helpdesk notices. They do not reflect how Web3 teams are actually attacked. Our campaigns are written and deployed using the pretexts, platforms, and psychological triggers that threat actors targeting DeFi protocols, DAOs, and crypto funds use in the wild.
Phishing remains the single most common initial access vector in Web3 breaches. Every member of your team with a wallet, a seed phrase, or admin access to any system is a viable target. Security awareness training that does not simulate this specific attack surface leaves your organisation exposed. We close that gap.
Work is delivered through our internal consultancy team and a curated network of specialist partner firms, rigorously vetted for technical depth and professional integrity in the Web3 space.
One Phished Admin. $120M Drained.
“The BadgerDAO breach in December 2021 did not start with a smart contract exploit. It started with phishing of a Cloudflare administrator account. The attacker used the Cloudflare access to inject a malicious script into the Badger frontend via a Cloudflare Worker. Every user who visited the DApp while the script was active was prompted to grant an unlimited token approval to the attacker’s address. The contracts were never touched. The interface was. Over several weeks $120M was quietly drained from users who believed they were interacting normally with the protocol.”
The Training Gap
“84% of organisations surveyed reported experiencing at least one successful phishing attack in 2023. Organisations that ran regular simulations reduced susceptibility, but only for attack patterns they had rehearsed. When attackers shift to novel pretexts (fake auditor outreach, fabricated token launch invitations, spoofed VC follow-ups), teams with no Web3-specific training return to baseline click rates immediately.”
Online threat protection starts with knowing which threats your specific team will fall for. A simulated phishing campaign gives you that data. Cybersecurity best practices built on real behavioural evidence are far more effective than training built on assumptions.
Beyond the Click
Click rates are a metric, not an outcome. What matters is what happens after the simulation: targeted, evidence-based training that closes the specific gaps your campaign exposed.
Your first campaign establishes a baseline click and surrender rate across roles. This gives you an honest starting picture of where your team sits before any training intervention.
Developers, signers, ops, and community managers face different attack vectors. Post-simulation training is tailored by role, not delivered as a one-size session that nobody applies.
Threat actors iterate constantly. Quarterly simulation campaigns track improvement over time and introduce new attack variants as the threat landscape evolves. Cyber safety is a programme, not a one-time event.
Under MiCA, DORA, and emerging Web3 regulatory frameworks, demonstrable employee security awareness training is increasingly expected as a governance standard. Our campaign reports serve as documented evidence.