People Security, Pillar 01
Your smart contracts can be perfectly audited and your infrastructure hardened, and a single manipulated team member can still hand over the keys. Social engineering penetration testing is ethical hacking aimed at your biggest attack surface: the humans in your organisation.
Social engineering is the art of manipulating people into performing actions or disclosing information. In Web3, where a single signature can move nine figures, it is the dominant attack vector. Our social engineering penetration testing service uses the same psychological and technical techniques as real-world attackers, executed ethically, under a scoped engagement, to expose where your team is vulnerable before an adversary does.
This is not a phishing awareness course. It is a live security test against your actual people, in your actual environment, using the pretexts and delivery mechanisms your real threat actors use. The output is an actionable assessment of your human attack surface, not a generic report.
Work is delivered through our internal consultancy team and a curated network of specialist partner firms, rigorously vetted for technical depth and professional integrity in the Web3 space.
A Fake Job Offer. A $625M Bridge.
“The Ronin Bridge breach did not begin with a smart contract exploit. It began with a fraudulent LinkedIn recruitment PDF sent to a Sky Mavis engineer. The engineer opened it. Malware gave Lazarus Group persistent access to the developer’s machine and, through it, to four Ronin validator private keys. A fifth key was obtained via a Sky Mavis RPC node that the Axie DAO had emergency access to, access that was never revoked after the original emergency passed. With five of nine validator keys, the attackers forged withdrawal signatures and drained $625M across two transactions. The breach went undetected for six days.”
The Pattern
“The most sophisticated attacks on Web3 protocols in 2025–2026 did not break any cryptography. They broke people. The technical security was irrelevant because the social engineering was already complete.”
Chainalysis estimates that DPRK-affiliated groups stole over $1.3 billion in the first half of 2025 alone, the majority via social engineering, not code exploits. No smart contract audit protects against this. A dedicated penetration testing service for your people does.
Who Needs This
Any role that touches keys, approves transactions, manages treasury, hires contractors, or has admin access to protocol infrastructure is a target. Security testing that ignores this is incomplete.
Multi-sig signers are high-value targets. A single compromised signer who approves a malicious transaction is game over. We test your approval workflows under realistic adversarial pretexts.
Developers with deployer keys, ops staff with admin access, and founders with treasury control are all viable entry points. Our cyber security assessment maps every person-shaped gap in your architecture.
Institutional crypto funds face sophisticated counterparty impersonation. Attackers study your real relationships and replicate them. Our pentesting services simulate exactly this, safely, with your knowledge.
Pseudonymous contributors, contractor pipelines, and global distributed teams are prime targets for DPRK-style infiltration. We test your hiring and onboarding security as part of a full engagement.
The Engagement
A structured, scoped engagement. Nothing is launched without your explicit sign-off on targets, vectors, and timing. The goal is a real picture of your exposure, not a gotcha exercise.
We map your org structure, public social profiles, GitHub activity, conference appearances, and on-chain roles: exactly what a sophisticated attacker would research first.
Agreed attack vectors are executed against real targets using realistic pretexts. Spear-phishing, impersonation calls, fake contractor applications: each vector is tracked for response and outcome.
A full penetration test report details every finding, the exposure chain, and ranked remediation steps. We debrief with your team and can deliver targeted awareness training based on real gaps uncovered.