If you’ve been in web3 for more than five minutes, you’ve either been scammed, almost been scammed, or one bad click away from joining the club. Never mind the big rug pulls that make headlines. Consider the usual stuff like fake MetaMask pop-ups, decentralized exchange swap links that look legit but aren’t, or random bridge pages Google happily shoves to the top of your search. 

In 2024, crypto scams generated at least $9.9 billion in illicit revenue, with Chainalysis warning the total could hit a record $12.4 billion as more data comes in. Fraud in the sector is getting sharper, with scammers using more convincing phishing sites, fake decentralized finance platforms, and social engineering tactics. The sophistication makes detection harder and losses larger, eroding user trust. Even experienced traders are getting caught.

And yet, the broader crypto community often chalks this up to the cost of doing business, which is insane. Imagine if every time you logged in to online banking, there was a one-in-ten chance it was a fake site. People would riot. In web3, however, there’s a shrug; people tweet “stay safe, anon” and hope for the best.

This is a fixable problem

The tech already exists to detect phishing sites, fake smart contracts, and malicious bridges before you interact with them. The problem is that this has been treated as an optional extra instead of a core part of the stack. People are losing thousands of dollars weekly swapping tokens on what looked like a legitimate exchange interface. The only thing that saves them is often a browser-based security tool that flags the page seconds before they hit “Confirm.” 

To frame phishing as a personal security problem grossly underestimates its influence in the broader market. Retail adoption doesn’t stall because the tech isn’t scalable enough. It stalls because people don’t trust that their money is safe. While some will argue that security layers are just central points of failure, there is already a significant reliance on infrastructure providers, indexers, remote procedure call nodes, wallets, and dozens of other chokepoints. Pretending that adding robust phishing protection somehow compromises the ethos is a weak excuse, given the high stakes.

The quantum computing time bomb

There’s another issue most people aren’t thinking about enough: post-quantum security. The U.S. government has already set deadlines, in that all systems have to move to post-quantum cryptography by 2030, with old algorithms phased out entirely by 2035, which means a lot of blockchain infrastructure out there is living on borrowed time. Combine that with unchecked phishing attacks, and you’ve got a perfect storm for a trust collapse. Web3 won’t be taken seriously in a post-quantum world if it still loses billions to fake links.

The biggest cop-out is that users should just be more careful. Pedestrians should look both ways before crossing the street, but we still have traffic lights for a reason. Expecting every new wallet holder to recognize a phishing link instantly is unrealistic, especially when scammers are getting better at impersonating legitimate platforms. We’ve spent years obsessing over scaling, composability, and cross-chain liquidity. Meanwhile, the No. 1 user complaint remains: “I lost my coins.”

The stakes are higher than people think

Crypto-native scams are bleeding far beyond their original boundaries. They’re no longer limited to exchanges or flashy DeFi protocols; they’re steadily infiltrating adjacent industries and eroding confidence across entire ecosystems. Bridges and validators remain obvious targets, but they are far from the only ones. Telecom providers, energy operators, Internet of Things manufacturers, supply chains, and even defense systems that interact with blockchain-based components are now potential entry points. Each new integration creates another surface for compromise, another opening for attackers to exploit, and another risk multiplier that undermines public trust.

If you’re a project lead, you’re staring at two uncomfortable realities. First, quantum-resistant security isn’t a distant academic milestone; it’s barreling toward becoming a hard regulatory requirement in less than a decade. Second, every high-profile phishing attack or credential-harvesting campaign between now and that deadline chips away at your user base, your credibility, and your total value locked, damage that compounds silently over time and is far harder to rebuild than to prevent.

Now is the time to direct the same amount of innovation, funding, and relentless iteration into security architecture as has gone into yield farming, non-fungible token mints, and cross-chain liquidity. Web3 cannot credibly call itself the future of finance and data infrastructure while continuing to treat phishing as merely a “user error” problem. At some point, the ecosystem has to take ownership.

Looking back, we will almost certainly ask ourselves why the industry tolerated such obvious vulnerabilities for so long and why it didn’t address phishing at scale sooner. The encouraging part is that this problem is solvable with the right prioritization and design choices. The only real question left is whether the industry will take the initiative now or wait until the next billion-dollar hack forces its hand.

David Carvalho

David Carvalho is the founder, CEO, and Chief Scientist of Naoris Protocol, the world’s first decentralized security solution powered by a post-quantum blockchain and distributed AI, backed by Tim Draper and the Former Chief of Intelligence of NATO. With over 20 years of experience as a Global Chief Information Security Officer and ethical hacker, David has worked at both technical and C-suite levels in multi-billion-dollar organizations across Europe and the UK. He is a trusted advisor to nation-states and critical infrastructures under NATO, focusing on cyber-war, cyber-terrorism, and cyber-espionage. A blockchain pioneer since 2013, David has contributed to innovations in PoS/PoW mining and next-gen cybersecurity. His work emphasizes risk mitigation, ethical wealth creation, and value-driven advancements in crypto, automation, and Distributed AI.