“It is becoming increasingly difficult to prove that you are truly yourself.” This observation by Federico Variola, CEO of Phemex, highlights the growing concerns in the crypto industry – and that anxiety does not stop at the issues of smart contracts or infrastructure failures.

In a recent panel discussion with Ian Rogers, Chief Experience Officer at Ledger, and Dmitry Budorin, co-founder and CEO of the cybersecurity company Hacken, Variola shared insights about the reality of security threats in the crypto space. AI is changing the tools, but the weakness remains human: how people communicate with each other, make hasty decisions, and choose whom to trust.

It all comes down to daily habits. Across exchanges and wallets, it is understood that each person's habits affect how incidents occur. According to Federico Variola, this directly influences how exchanges design processes, add friction, and control how users interact with wallets, social networks, or on-chain identities.

More value, bigger goals

From the beginning, Federico answered a question that the whole industry always asks: is crypto security becoming weaker, or are hackers getting stronger?

“It can be said that this year is the most fierce year for cybercrime attacks, and next year will be even worse. But not because we are securing less, but because the values are becoming greater. As the value increases, the rewards become larger. And when the rewards are big, many will seek to seize them.”

As the crypto market grows, the incentives for attackers also increase. According to Variola, this always creates an imbalance, as the attack capabilities often develop faster than prevention measures, especially during a booming market.

“We are probably in the middle stage, where the attack capabilities are increasing faster than protective measures. With each market growth cycle, there will be someone very rational persuading you to cut back on security or self-custody, or both, and then everything ends up the same.”

Rogers simplified the issue with a real-life example. Even experienced people in crypto, including wallet development teams, have been deceived by fake links on Discord or wallet browsers. His point is: even with experience, one must always remain highly vigilant.

When identity becomes a vulnerability

According to Variola, the biggest change currently is in how attacks are carried out.

“Many attackers are well-backed, sometimes by the state, moving at a speed that is hard for anyone to keep up with. At the same time, AI and automation are a double-edged sword – what is beneficial for users is also available to hackers. Social engineering attacks are becoming increasingly sophisticated. There was a time when my image was faked in a video call to deceive investors or partners.”

Ian Rogers added, from the perspective of hardware wallets, that many attacks now focus more on psychological factors than technology. For Variola, this is similar to what happens on exchanges: convincing people is always easier than hacking the technology system.

Rogers also commented during the discussion: “Any one of us can be deceived.” Even in teams that are accustomed to crypto, the combination of complacency, a sense of urgency, and sophisticated fraud techniques can overcome even the strictest security processes.

The reality of exchanges: Cold, hot, and the human factor

From the perspective of an exchange, Federico distinguishes very clearly between commitment and assumption.

“What we commit to protecting for users must be absolutely safe, and that is the cold wallet. There can be no negotiation on this. Hot wallets, by being always connected to the internet, inherently carry risks.”

When the market is active, this level of risk increases.

“When the market rises, retail investors often expect hot wallets to always be well-stocked. They move quickly, make large trades, especially with altcoins. User demand is very pressing.”

At this point, tension arises. Users want to act quickly and conveniently. But security requires certain barriers.

“No matter what users request, you still have to add layers of precautions to protect assets. This means sometimes you have to 'go against the wishes' of users a little.”

This is an uncomfortable reality for exchanges, but Federico believes it is necessary if they want long-term protection, rather than just temporarily appeasing users.

The things experience teaches you

During the discussion, Variola also recalled a security incident that Phemex experienced last year.

“One of the biggest lessons is realizing that we have become a much larger target than we think.”

And the most important lesson is about people.

“We underestimate the prevalence of phishing and scams, as well as the fact that bad actors often target the lowest positions first – interns, designers, those who do not consider themselves core personnel – before trying to climb to higher positions.”

Dmitry Budorin offered a very relatable analogy: phishing is like fishing. Even though fish are not foolish enough to bite plastic bait, a single moment of carelessness, stress, or acting out of habit is enough for hackers to achieve their goal. According to him, the danger is the 'certainty that it will happen.'

This way of thinking is completely aligned with Variola's security approach.

“Not only engineers or leaders need to be careful. Everyone in the organization must clearly understand the risks they face. Even interns need to be aware of this.”

Budorin also emphasized that in many cases, the main target of hackers is not new employees, but CEOs. Public faces, founders, executives – because they are so prominent, they are even easier to attack directly.

After the incident, Phemex upgraded its security comprehensively, but the bigger change was in the awareness of each member of the company.

Social layers and financial layers should not be mixed

“Crypto is a very social industry. NFTs, social networks, Telegram – all these platforms become targets for hackers to attack.”

Federico Variola particularly criticizes the fact that sensitive activities occur too comfortably in environments that do not prioritize security.

“Telegram is really one of the worst platforms in terms of security, but it is the standard communication tool for the entire industry.”

He also expressed concern about the growing trend of tracking wallets and publicly disclosing the identities of their holders.

“I don't like linking wallets to specific users. This goes against the spirit of crypto. However, in reality, the greater the success in this industry, the easier you become a target, and you will need to invest more to protect yourself.”

Decentralization changes the economics of attacks

Looking to the future, Variola believes that decentralization and self-custody of personal assets will play an important role in changing how the crypto industry approaches security.

“As decentralization becomes more popular, the responsibility for security is also distributed across many different points. Hackers will have to target individuals rather than attacking a 'single point of weakness.'”

This does not eliminate risks; it merely shifts them elsewhere.

“DEXs and decentralized platforms also have their own challenges. Code is law. You cannot stop a chain if there is an incident. There will be new risks, but overall, I think this is a positive direction for the industry.”

For centralized exchanges, this means adapting; one cannot go against the trend.

“Centralized platforms will not disappear, but we need to develop further. Security methods must also change along with user habits.”

Which crypto assets will still be competing five years from now

Looking ahead, Federico Variola does not view the security challenge as a problem that crypto can 'solve definitively' and then ignore.

“AI will be the biggest challenge,” he said. “In the further future, quantum computing will add another layer of risk.”

When asked whether AI can support 'defenders' as well as 'attackers', he answered very clearly: “Unfortunately, I think AI empowers hackers much more than it helps users stay safe.”

Variola believes this is a moment of maturation for the industry. Crypto is attracting a lot of technology talent, and security is gradually becoming an essential part of how companies operate and communicate daily. In a system designed to minimize trust in outside parties, it is now crucial to understand where trust still needs to be placed, and how to manage it effectively.