Your keys, your coins. That’s one of the foundational promises of bitcoin and other cryptocurrencies, which remove the intermediaries standing between you and your money. But the phrase also carries a latent assumption Web3 companies would be wise to move on from: that any security problems are the holder’s problem, not theirs. That mindset may have worked when crypto was experimental. It doesn’t work when trillions of dollars and millions of people are involved. The design space for crypto has expanded enormously since Bitcoin was created over 15 years ago. There are apps and protocols, cryptocurrency exchanges, stablecoins, and dozens of token standards, all connecting with each other. It’s not just decentralized money anymore, it’s a trillion-dollar ecosystem. The security risks have gotten more complicated, and the stakes have gotten higher. Self-custody still has a role to play, yes – but Web3 designers shouldn’t put most of the security burden on users. To succeed as a mainstream technology, the crypto industry must evolve to match real-world security risks — social engineering, human error, and physical coercion — without compromising other core values like anonymity and pseudonymity. What the numbers tell us Multiple decades of personal computing have given us plenty of data about people’s cyber hygiene. In short: it’s not perfect. Educational campaigns like Cybersecurity Awareness Month, going on right now, help, but threats like phishing, bogus QR codes, and malware remain consistently effective. These aren’t going away. In fact, they’re evolving faster than our defenses. According to data compiled by CoinLaw, crypto phishing attacks are on the rise, increasing by 40% in early 2025 and leading to user losses valued at $410 million. Some more bad news: AI-powered deepfakes are exacerbating the problem; those increased over 450% between mid-2024 and mid-2025, according to CoinLaw’s data. Even more alarming: the uptick in violent crypto-related attacks, as organized crime groups physically force high-net-worth holders to give up their credentials. According to blockchain tracking company Chainalysis, there were over 30 reported “wrench attacks” in 2024, and 2025 is on pace to double that amount. In short, security issues aren’t anomalies. They are predictable. We don’t shrug at earthquakes in San Francisco or Japan; we build earthquake-resistant buildings. The same logic should apply to crypto security. What needs to change The good news: there’s lots of work being done in the Web3 space to make users safer and products more secure. Just look at wallets. Security considerations have historically made the wallet user experience horrible, but things are improving thanks to innovations like split wallets with different keys, delegation, and multi-wallet accounts. But, in my experience, balancing usability and security continues to be tricky. So how do we do better by users? First, we need to take security issues as feedback. Every breach tells us something about design, not just behavior. Take a stolen password. One response could be, “It’s the user’s fault for getting phished; they shouldn't fall for that.” Maybe that’s true, maybe it isn’t. But what is true is that when it's happening millions of times per year on your customer base, it’s an indication that your system isn’t designed for actual people. Adjust accordingly. Second, we need to incorporate successful examples from the non-web3 space. Consider the problem of authentication. Using a cryptographic key for access is powerful, but doesn’t confirm that the user is the legitimate owner. That’s why the broader internet long ago adopted layers like multifactor authentication and behavioral signals, and more recently proof-of-human — methods that protect people automatically, without relying on constant vigilance. Crypto can and should follow that lead. Finally, we have to recognize that the security risks are no longer limited to social engineering tricks. Cryptocurrency executives and deep-pocketed holders have been hit by a rash of physical assaults, with thieves looking to gain access through not brute force decryption, but plain old brute force. If we design systems that don’t incorporate the possibility of physical abuse, we are not doing our job as designers of those systems. The attack vectors will evolve, and we will have to evolve as well. What’s next Crypto’s rugged ethos of individual responsibility made sense when it was an experiment. However, now that trillions in assets — and human livelihoods — are at stake, we need systems designed for real-world risk rather than for early adopters. There are no panaceas: cryptographic keys will remain vulnerable to phishing, biometrics will render holders vulnerable to physical attacks, and humans will continue being imperfect. But as we close Cybersecurity Awareness Month, let’s remember who we’re building for. When we design for real people, not ideal users, our products can strengthen lives while protecting against their weaknesses. Security isn’t a user problem anymore; it’s an industry problem.