Adrian Ludwig of Tools for Humanity argues that the cryptocurrency sector needs to shift from placing security burdens solely on users to designing systems resilient against real-world threats like phishing and physical attacks. As the ecosystem grows to trillions in value, he calls for treating breaches as design feedback rather than user errors. Innovations in wallets and authentication methods offer promising paths forward.
The foundational bitcoin principle 'Your keys, your coins' promised user control without intermediaries, but Adrian Ludwig contends this mindset assumes security issues are solely the holder's responsibility. In a CoinDesk opinion piece, Ludwig, from Tools for Humanity, warns that with crypto now a trillion-dollar ecosystem involving apps, protocols, exchanges, stablecoins, and token standards, such an approach no longer suffices.
Security risks have escalated beyond digital threats to include social engineering, human error, and physical coercion. Ludwig highlights data showing crypto phishing attacks rose 40% in early 2025, causing $410 million in losses, per CoinLaw. AI-powered deepfakes surged over 450% from mid-2024 to mid-2025, worsening the issue. Chainalysis reports over 30 'wrench attacks'—physical assaults on holders—in 2024, with 2025 projected to double that figure.
Ludwig urges the industry to view these as predictable challenges, akin to building earthquake-resistant structures in seismic zones like San Francisco or Japan. 'Security issues like data breaches and phishing attacks are a type of feedback for Web3 designers,' he writes.
Progress includes wallet innovations such as split keys, delegation, and multi-wallet accounts, though balancing usability and security remains challenging. Ludwig advocates incorporating non-Web3 successes like multifactor authentication, behavioral signals, and proof-of-human methods to verify legitimate users without constant vigilance.
Physical threats, including assaults on executives and wealthy holders, demand systems accounting for brute force coercion, not just cryptographic vulnerabilities. 'If we design systems that don’t incorporate the possibility of physical abuse, we are not doing our job as designers,' Ludwig states. As Cybersecurity Awareness Month concludes, he emphasizes building for real people, not ideal users, to protect lives and assets in this maturing field.