People Security, Pillar 01
Most Web3 teams have strong technical security controls on their contracts and infrastructure. Far fewer have clear, enforced data security standards governing how sensitive information moves through their organisation every day. That gap is where breaches begin.
Web3 organisations operate differently from traditional businesses. Teams are remote-first, pseudonymous, spread across time zones, and communicate primarily through Telegram, Discord, and Notion. Sensitive information (seed phrases, private keys, deployment credentials, investor terms, governance proposals) flows through channels that were never designed with data security in mind.
We review your actual information flows, classify your data by sensitivity and blast radius, identify where your operational security (OPSEC) breaks down, and deliver clear data security standards and handling procedures your team can follow. The output is a practical information hygiene framework, not a compliance document that gathers dust.
Work is delivered through our internal consultancy team and a curated network of specialist partner firms, rigorously vetted for technical depth and professional integrity in the Web3 space.
The LastPass Cascade: $35M in Crypto
“When LastPass was breached in August 2022, attackers stole encrypted customer vaults. Many users had stored crypto seed phrases in LastPass; it felt like secure storage. It was not the right tool for that category of secret. Blockchain investigator ZachXBT linked at least $35M in cryptocurrency thefts directly to the LastPass breach, as attackers methodically decrypted vaults and drained wallets. The seed phrases were stored. They were stored in the wrong place, with no policy to prevent it.”
The Home Computer in the Attack Chain
“The LastPass breach was completed when attackers compromised a LastPass DevOps engineer’s home computer via a vulnerability in a media player application. The engineer had cloud backup credentials cached locally. The home computer was not a corporate device subject to any endpoint security policy. That single unmanaged machine was the final link in the chain that exposed the encrypted vaults of millions of customers. Operational security failures in Web3 are almost never about broken cryptography. They are about the devices, channels, and habits that exist outside the security perimeter.”
Data security protection in Web3 is not primarily a software problem. It is a behaviour and policy problem. The right information security architecture defines clear rules for how sensitive data is created, shared, stored, and destroyed, and makes following those rules the path of least resistance for your team.
Where It Goes Wrong
These are not exotic attack scenarios. They are the patterns we find in almost every Web3 team we review, regardless of how technically sophisticated the core protocol is.
Notion pages, Google Docs, and GitHub wikis containing wallet addresses, API keys, deployment credentials, or seed phrase fragments, often set to public or accessible to former team members.
Sensitive governance decisions, treasury movements, and private key co-ordination discussed over Telegram groups or Discord DMs that lack end-to-end encryption or access controls.
Team members operating without full-disk encryption or screen-lock policies, or using personal devices with no separation between sensitive work data and general use, creating silent data security gaps.
Sharing more information than necessary with contributors, advisors, and partners, violating the principle of least privilege at the data level long before any formal access-control review catches it.
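The first pattern above (key material sitting in wikis and docs) is one a team can check for itself before a review. The scanner below is an added illustration, not part of this page or of any consultancy's tooling: it runs over a constructed documentation export, flags wallet addresses, raw hex private keys, mnemonic-looking word runs and high-entropy credential tokens, assigns each a blast-radius label, and redacts the value in its own report so the scan output does not become a second copy of the secret.

```python
import math
import re
from collections import Counter

# Constructed sample of a documentation export, modelled on the Notion /
# Google Docs pattern described above. Every value below is made up.
SAMPLE_DOC = """\
Deployer wallet: 0x0fA3B1C2d4E5F6a7B8C9d0E1F2A3b4C5D6e7F8a9
Relayer token: sk_live_9aZ3kQ7LmP2xV8wR4tY6uB1nC5dF0gH
Treasury backup: abandon ability able about above absent absorb abstract absurd abuse access accident
Meeting notes: discussed the governance vote timeline.
Deploy key: 4f3c2b1a0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b
"""

# (pattern, finding kind, blast radius if the document leaks). A wallet
# address is public data, but it marks a doc that tends to hold key
# material nearby, so it is flagged at low severity rather than ignored.
PATTERNS = [
    (re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b"), "hex_private_key", "critical"),
    (re.compile(r"\b0x[0-9a-fA-F]{40}\b"), "wallet_address", "low"),
    # Heuristic: 12-24 consecutive lowercase words of 3-8 letters. A full
    # scanner would check each word against the BIP39 wordlist instead.
    (re.compile(r"\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b"), "mnemonic_candidate", "critical"),
]
HEX_ONLY = re.compile(r"(?:0x)?[0-9a-fA-F]+\Z")
ENTROPY_THRESHOLD = 3.5  # bits per character; random API keys sit well above


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, used to spot random-looking tokens."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix only, so the report never reproduces the secret."""
    return value[:4] + "..."


def scan_document(text: str) -> list[dict]:
    """Return one finding per leaked-looking value with line number and severity."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern, kind, severity in PATTERNS:
            for m in pattern.finditer(line):
                findings.append({"line": line_no, "kind": kind, "severity": severity, "preview": redact(m.group())})
        # Generic credential check: long, high-entropy tokens that are not plain hex
        # (hex values are already covered by the patterns above).
        for token in (t.strip(".,;:()") for t in re.findall(r"\S{20,}", line)):
            if not HEX_ONLY.match(token) and shannon_entropy(token) > ENTROPY_THRESHOLD:
                findings.append({"line": line_no, "kind": "high_entropy_token", "severity": "high", "preview": redact(token)})
    return findings


if __name__ == "__main__":
    for finding in scan_document(SAMPLE_DOC):
        print(finding)
```

The mnemonic check is deliberately loose and will surface some ordinary prose; treat its hits as candidates for a human to review, not as confirmed leaks.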