
When securing Web3, remember your Web2 fundamentals

December 15, 2025
Adrien Delaroche

Web3 Principal Architect


Headlines often paint a grim picture of Web3 security, suggesting that catastrophic hacks are an inevitable reality. This fear is rooted in the immutable nature of blockchains, where a single misstep can lead to irreversible losses. While breaches are a matter of "when" rather than "if," there are steps you can take to mitigate Web3 breach risks.

At Google Cloud, we see this reality firsthand. We’re invested in the growth and security of the Web3 ecosystem. Our teams contribute to projects including testnet faucets, indexed blockchain data on BigQuery, and operate validator nodes for major protocols such as Ethereum, Solana, and Polygon.

Our direct involvement in Web3 security is driven by Mandiant's frontline incident response expertise. We’ve investigated billions in Web3 heist losses, giving us a profound, practical understanding of attacker methodologies.

As the Web3 industry matures, fueled by exchange-traded funds (ETFs) and real-world assets, the stakes for security continue to rise. Yet despite rigorous smart contract audits, we still see catastrophic losses.

For Web3 to continue to thrive, security should expand beyond the blockchain to protect the entire operational infrastructure.

The blind spot: Uncovering the attacker's true path

The most critical vulnerability for most Web3 projects comes from insecurely implemented Web2 infrastructure. According to the Hacken H1 2025 Report and the Hack3d H1 2025 Report, 80% of the money stolen during Web3 heists originates from attacks against traditional Web2 infrastructure.

Attackers know this, too, and apply a familiar playbook to attacks against Web3. They use the poorly secured bridge between your Web2 environment and on-chain assets to gain an initial foothold through phishing and Web2 exploits, then move laterally to escalate privileges and hunt for private keys and for ways to craft and execute malicious transactions.

Figure: Web3 typical attack path.

Your on-chain treasury (and the security of your potential customers) is only as secure as the laptops, cloud servers, and employee accounts that can access it.

A necessary shift in mindset: From checklist to counter-intelligence

Now that we’ve detailed the attacker's true path from Web2 to Web3, we need to focus on how to strengthen our defenses.

We recommend focusing on building a foundational layer of security controls, such as the checklist in Mandiant’s Securing Cryptocurrency Organizations report. From multisig wallets to access controls and code audits, this essential list can help you ensure all the necessary pieces are in place.

We also recommend developing a detailed threat model to build a deep understanding of the tactics, techniques, and procedures (TTPs) of your likely attackers. Using threat intelligence can help anticipate how your defenses could be bypassed by asking specific, scenario-based questions.

Thinking like an attacker can help shift your organization from a compliance-focused defensive mindset to one that prioritizes intelligence-led defense. Consider these two real-world example scenarios:

  • The hacked developer:
    • A compliance mindset says, "My developers have multi-factor authentication (MFA) enabled on GitHub."
    • An intelligence-led defense asks, "Could someone hack one of my developers to add a backdoor to my code?"
  • The deceptive User Interface (UI):
    • A compliance mindset says, "We have a multi-sig wallet for treasury operations."
    • An intelligence-led defense asks, "Can the UI that is used for verifying multi-sig transactions be tampered with to trick the signers into approving a malicious transaction?"
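The second scenario has a concrete defensive counterpart: a signer should never trust the summary a multisig UI renders, but decode the bytes that will actually be signed with a separate, trusted tool and compare them with the stated intent. The following is an added example, not code from the original post or from Google Cloud or Mandiant. It assumes the UI claims "transfer 10 USDC to treasury-ops" while the payload is raw EVM calldata; the two ERC-20 selectors and the 32-byte ABI word layout are the standard Ethereum encoding, and every address, amount and sample payload is constructed for the example.

```python
"""Independent verification of a multisig transaction payload.

Added example, not code from the original post or from Google Cloud or
Mandiant. It assumes a multisig UI that shows signers a human-readable
summary ("send 10 USDC to treasury-ops") while the bytes actually signed are
raw EVM calldata. A signer who decodes that calldata with a separate,
trusted tool and compares it with the stated intent is not misled by a
tampered UI. The selectors and 32-byte ABI layout are the standard Ethereum
encoding; all addresses, amounts and sample payloads are constructed.
"""
from dataclasses import dataclass

# Standard ERC-20 selectors: first four bytes of keccak256 of the signature.
SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
}

# Constructed addresses (not real accounts).
TREASURY_OPS = "0x" + "11" * 20
UNEXPECTED_ADDRESS = "0x" + "22" * 20
TEN_USDC = 10_000_000  # USDC has 6 decimals


@dataclass(frozen=True)
class DecodedCall:
    function: str
    address: str  # recipient (transfer) or spender (approve), lowercase hex
    amount: int


def decode_erc20_call(calldata_hex: str) -> DecodedCall:
    """Decode a transfer/approve call; raise ValueError on anything unexpected."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) != 4 + 32 + 32:
        raise ValueError(f"unexpected calldata length {len(data)}")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        raise ValueError(f"unknown function selector 0x{selector}")
    addr_word, amount_word = data[4:36], data[36:68]
    if any(addr_word[:12]):  # ABI address words are zero-padded on the left
        raise ValueError("address word has non-zero padding")
    return DecodedCall(
        function=SELECTORS[selector],
        address="0x" + addr_word[12:].hex(),
        amount=int.from_bytes(amount_word, "big"),
    )


def encode_erc20_call(function: str, address: str, amount: int) -> str:
    """Inverse of decode_erc20_call; used here only to construct sample payloads."""
    selector = next(sel for sel, sig in SELECTORS.items() if sig == function)
    addr = bytes.fromhex(address.removeprefix("0x")).rjust(32, b"\x00")
    return "0x" + selector + addr.hex() + amount.to_bytes(32, "big").hex()


def verify_against_intent(calldata_hex: str, function: str, address: str, amount: int) -> list:
    """Compare the bytes to be signed with the stated intent.

    Returns a list of discrepancies; an empty list means the payload matches.
    Decoding errors are reported as discrepancies so they never pass silently.
    """
    try:
        call = decode_erc20_call(calldata_hex)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if call.function != function:
        problems.append(f"function is {call.function}, expected {function}")
    if call.address != address.lower():
        problems.append(f"address is {call.address}, expected {address.lower()}")
    if call.amount != amount:
        problems.append(f"amount is {call.amount}, expected {amount}")
    return problems


# Constructed sample payloads: the UI claims "transfer 10 USDC to treasury-ops" for both.
GENUINE_CALLDATA = encode_erc20_call("transfer(address,uint256)", TREASURY_OPS, TEN_USDC)
TAMPERED_CALLDATA = encode_erc20_call("approve(address,uint256)", UNEXPECTED_ADDRESS, 2**256 - 1)

if __name__ == "__main__":
    for label, payload in (("genuine", GENUINE_CALLDATA), ("tampered", TAMPERED_CALLDATA)):
        issues = verify_against_intent(payload, "transfer(address,uint256)", TREASURY_OPS, TEN_USDC)
        print(label, "OK" if not issues else issues)
```

The check is deliberately strict: an unknown selector or a malformed address word is reported as a discrepancy rather than ignored, because the failure mode being defended against is a payload that does not match what the signer believes they are approving. In practice the decoded values should be compared with the intent recorded in an out-of-band channel (a ticket or a signed request), not with what the same UI displays.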

The solution: Building a dynamic defense flywheel

To put this proactive mindset into practice, organizations should run a continuous, dynamic defense process in addition to periodic static audits of Web3 smart contracts. The goal is a security flywheel in which expertise, intelligence, and tools reinforce one another.

  • Actionable threat intelligence: The flywheel is powered by real-time intelligence on attacker tactics, malware, and active threats in the Web3 space. This informs everything you do.
  • Expert guidance: Threat intelligence is then interpreted by security experts who can use it to:
    • Identify systemic risks and provide guidance to enhance your environment's long-term resilience.
    • Simulate real-world attacks, and instead of only waiting for alerts, hunt proactively: use intelligence to search logs and network traffic for intruders who are already present.
  • Secure tooling and processes: Based on expert guidance, the right systems are put in place. This includes Web2 tools such as endpoint detection and response (EDR) to spot anomalous behavior, identity and access management (IAM) based on least privilege, and Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms (such as Google Security Operations) to correlate alerts, as well as on-chain event monitoring and Web3 tools such as multisig wallets.
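A small illustration of what "actively search logs for existing intruders" can mean for the hacked-developer scenario, as an added example that is not code from the original post or from Google Cloud or Mandiant. It assumes a developer-platform audit log exported as JSON lines with the fields shown; the schema, actors, repositories and source IPs (RFC 5737 documentation ranges) are all constructed for the example. Two hunts run over a baseline period and the period after it: sensitive actions from a source IP the actor never used during the baseline, and pushes of unsigned commits to a protected branch.

```python
"""Proactive hunt over developer-platform audit events.

Added example, not code from the original post or from Google Cloud or
Mandiant. The JSON-lines schema, actors, repositories and IPs below are
constructed for the example; the hunts are generic and would need to be
mapped onto a real platform's audit log fields.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed audit events. Every login has MFA, which is exactly the
# compliance statement that an intelligence-led hunt must look past.
SAMPLE_LOG = """
{"ts": "2025-12-01T09:00:00Z", "actor": "alice", "action": "user.login", "src_ip": "198.51.100.10", "mfa": true}
{"ts": "2025-12-01T09:05:00Z", "actor": "alice", "action": "git.push", "repo": "core-contracts", "branch": "main", "src_ip": "198.51.100.10", "commits_signed": true}
{"ts": "2025-12-01T10:00:00Z", "actor": "bob", "action": "user.login", "src_ip": "198.51.100.11", "mfa": true}
{"ts": "2025-12-02T22:41:00Z", "actor": "alice", "action": "user.login", "src_ip": "203.0.113.77", "mfa": true}
{"ts": "2025-12-02T22:43:00Z", "actor": "alice", "action": "deploy_key.create", "repo": "core-contracts", "src_ip": "203.0.113.77"}
{"ts": "2025-12-02T22:50:00Z", "actor": "alice", "action": "git.push", "repo": "core-contracts", "branch": "main", "src_ip": "203.0.113.77", "commits_signed": false}
{"ts": "2025-12-03T10:00:00Z", "actor": "bob", "action": "git.push", "repo": "docs", "branch": "main", "src_ip": "198.51.100.11", "commits_signed": true}
"""

PROTECTED_BRANCHES = {"main"}
SENSITIVE_ACTIONS = {"git.push", "deploy_key.create", "token.create", "workflow.update"}
# Everything before this instant is treated as the known-good baseline.
BASELINE_UNTIL = datetime(2025, 12, 2, tzinfo=timezone.utc)


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with timezone-aware timestamps, oldest first."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda event: event["ts"])


def hunt(events: list, baseline_until: datetime) -> list:
    """Return findings as (timestamp, actor, reason) tuples.

    The baseline learns which source IPs each actor normally uses; the hunt
    period is then checked for sensitive actions from unseen IPs and for
    unsigned commits reaching a protected branch.
    """
    known_ips = defaultdict(set)
    findings = []
    for event in events:
        actor, ip, action = event["actor"], event["src_ip"], event["action"]
        if event["ts"] < baseline_until:
            known_ips[actor].add(ip)
            continue
        if action in SENSITIVE_ACTIONS and ip not in known_ips[actor]:
            findings.append((event["ts"], actor, f"{action} from IP not seen for this actor in baseline: {ip}"))
        if (action == "git.push" and event.get("branch") in PROTECTED_BRANCHES
                and not event.get("commits_signed", False)):
            findings.append((event["ts"], actor,
                             f"unsigned commits pushed to protected branch {event['repo']}:{event['branch']}"))
    return findings


def run_sample_hunt() -> list:
    """Run both hunts over the constructed log; used by the stand-alone demo."""
    return hunt(parse_events(SAMPLE_LOG), BASELINE_UNTIL)


if __name__ == "__main__":
    for ts, actor, reason in run_sample_hunt():
        print(f"{ts.isoformat()} {actor}: {reason}")
```

On the constructed log this yields three findings, all for the same developer: a deploy key created and a push made from an address never seen in the baseline, and unsigned commits landing on a protected branch. MFA was present on every login, which is why a checklist view would have been satisfied; the hunt instead asks whether the developer's session is behaving like the developer.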

This flywheel also ensures your defenses evolve, adapting to the threat landscape.

Supercharging the flywheel: From visibility to intelligence

One of the most effective ways to start, whatever your organization’s maturity, is a complete foundational assessment that looks at both your Web2 and Web3 infrastructure. This review can help find potential attack vectors and vulnerabilities in your environment.

The assessment should provide you with the initial momentum to get your flywheel spinning. It should:

  • Identify gaps and vulnerabilities that will become your first batch of actionable intelligence;
  • Provide a prioritized roadmap that helps make important decisions fast;
  • Make specific recommendations for controls that become the implementation plan for your secure tooling.

Next steps

The irony of Web3 security is architecting decentralized fortresses only to leave the keys under the doormat of traditional IT infrastructure.

Putting this intelligence-led approach into practice is a continuous journey. Mandiant and Google Cloud partner with Web3 organizations to help them secure their environments with services and intelligence tailored to their specific needs:

  • Foundational assessments of the entire Web2 and Web3 infrastructure
  • Offensive security, including simulating attacks on your environment and hunting for potential existing threats
  • Threat intelligence that can provide the latest detailed techniques and attacks from the Web3 space
  • Securing the full operational ecosystem for L1/L2 protocols
  • Hardening defenses for critical moments like a token generation event (TGE)
  • Reinforcing key areas such as custody and signing operations
  • Providing emergency incident response in case something goes wrong
  • Tailored security consulting and team augmentation

For more guidance on Web3 security, contact us here.
