As Web3 evolves, so do its exploit vectors. What began as a code-hardening arms race has grown into a multifront battlefield: smart contract vulnerabilities now compete for attention with psychologically sophisticated phishing schemes and systemic economic attacks. The attack surface keeps compounding at every layer.
The stakes have never been higher, with the recent Bybit hack of $1.5 billion — the largest cryptocurrency heist to date — being a prime example. The hack exposed critical gaps in infrastructure security, showing how a single vulnerability can unravel entire ecosystems and put billions of dollars at risk.
“It’s crucial to realize: until Web3 firms hire dedicated security leadership and mandate monthly phishing drills, we’ll keep seeing the same billion-dollar headlines. People remain the biggest vulnerability in cybersecurity. Essentially, no matter how much we improve crypto, we can’t simply patch or override the inherent flaws of human nature,” says Hartej Sawhney, founder and CEO of Zokyo and creator of Hosho, the first blockchain cybersecurity company. An 11-year veteran of blockchain cybersecurity, his team has bulletproofed over $42B in digital assets.
Phishing, impersonation, and social engineering remain highly effective because they exploit trust, not code. A single careless click or compromised account can lead to multimillion-dollar losses. With AI-powered attacks and enterprise-grade laundering tools on the rise, Hartej argues that security teams must match the speed and sophistication of threat actors.
CEXs Remain Prime Targets
Over the past few years, centralized exchanges (CEXs) have seen a resurgence in large-scale attacks by criminal hackers and nation-states alike, largely due to their high amounts of liquidity and central points of failure.
Two of the most damaging incidents in 2024, the WazirX and DMM Bitcoin breaches, resulted in over $540 million in combined losses, representing nearly a quarter of all crypto stolen that year.
Sawhney believes these high-profile exploits should prompt a fundamental re-evaluation of key management practices and architectural design. Private key compromises alone accounted for approximately $963.6 million in stolen funds, a staggering 43.8% of total crypto theft in 2024.
Beyond CEXs: The Expanding Attack Surface
Centralized exchanges may dominate headlines, but they’re only one piece of a larger puzzle. Zokyo has been operating at the intersection of trust and technology since 2018, and it is watching a wave of emerging sectors become prime targets.
Zokyo has spent years securing some of Web3’s most complex protocols and infrastructure. Its seasoned engineers recognize how restaking protocols, modular Layer 2s, and DePIN ecosystems introduce new and poorly understood risks. These systems are often complex, under-audited, and evolving too fast for traditional security practices to keep up.
A striking example is the real-world asset (RWA) restaking protocol Zoth, which suffered two separate exploits in March 2025. The first targeted a Uniswap V3 liquidity pool, leading to a loss of $285,000. Then, two weeks later, a compromise of admin privileges allowed an attacker to tamper with the protocol’s proxy contract, resulting in the theft of $8.4 million in staked assets.
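The second Zoth incident above is an instance of a general failure mode: when a single admin key can repoint an upgradeable proxy immediately, a leaked key is a one-transaction drain. The following is an added illustration, not Zoth’s or Zokyo’s code, contrasting that instant-upgrade pattern with a timelocked variant. The delay length, contract names and the assumption that the admin role sits behind a multisig are hypothetical choices for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example (not Zoth's or Zokyo's code): a minimal EIP-1967 style
// proxy. Every call is delegatecall'd to the implementation stored in the
// standard slot, so whoever controls that address controls the logic and,
// in practice, the funds held behind the proxy.
abstract contract ProxyBase {
    // keccak256("eip1967.proxy.implementation") - 1
    bytes32 internal constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    address public admin;

    event Upgraded(address indexed implementation);

    constructor(address impl) {
        admin = msg.sender; // assumption: deployer hands this to a multisig
        _setImpl(impl);
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    function implementation() public view returns (address impl) {
        assembly { impl := sload(IMPL_SLOT) }
    }

    function _setImpl(address newImpl) internal {
        require(newImpl.code.length > 0, "not a contract");
        assembly { sstore(IMPL_SLOT, newImpl) }
        emit Upgraded(newImpl);
    }

    fallback() external payable {
        address impl = implementation();
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// WEAK PATTERN: one key, immediate effect. If the admin key leaks
// (phishing, malware, a compromised signer), the attacker points the proxy
// at a malicious implementation and drains in the same block.
contract InstantUpgradeProxy is ProxyBase {
    constructor(address impl) ProxyBase(impl) {}

    function upgradeTo(address newImpl) external onlyAdmin {
        _setImpl(newImpl);
    }
}

// HARDENED PATTERN: an upgrade must be announced on-chain and only takes
// effect after UPGRADE_DELAY. The window gives monitoring, users and the
// real signers time to notice an unexpected proposal and cancel, pause or
// exit before any funds can move through new logic.
contract TimelockedProxy is ProxyBase {
    uint256 public constant UPGRADE_DELAY = 2 days; // assumption: tune per protocol
    address public pendingImpl;
    uint256 public executableAt;

    event UpgradeProposed(address indexed implementation, uint256 executableAt);
    event UpgradeCancelled(address indexed implementation);

    constructor(address impl) ProxyBase(impl) {}

    // Step 1: propose. Admin-gated, but nothing changes yet.
    function proposeUpgrade(address newImpl) external onlyAdmin {
        require(newImpl.code.length > 0, "not a contract");
        pendingImpl = newImpl;
        executableAt = block.timestamp + UPGRADE_DELAY;
        emit UpgradeProposed(newImpl, executableAt);
    }

    // Step 2: execute only after the delay has elapsed.
    function executeUpgrade() external onlyAdmin {
        require(pendingImpl != address(0), "nothing pending");
        require(block.timestamp >= executableAt, "timelock active");
        address impl = pendingImpl;
        pendingImpl = address(0);
        _setImpl(impl);
    }

    // Cancellation is the defenders' lever during the delay window.
    function cancelUpgrade() external onlyAdmin {
        emit UpgradeCancelled(pendingImpl);
        pendingImpl = address(0);
    }
}
```

The timelock buys detection time; it does not make a leaked key harmless. An attacker who holds the only admin key can keep proposing, so the delay is only useful if the admin role is a multisig with independent signers (ideally hardware-backed) and someone is actually watching for `UpgradeProposed` events.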
A Track Record Rooted in Trust
Zokyo’s clients range from blockchain foundations to DeFi protocols, L1s, L2s, wallets, and cross-chain infrastructure, many of whom trust Zokyo for its nuanced understanding of both code and threat vectors.
The company’s methodology is rooted in offensive security principles, leveraging white-hat hacking, reverse engineering, and cryptography. But what sets them apart is not just technical capability; it is the operational discipline of Zokyo’s staff.
The team is composed of white-hat hackers and veteran engineers, many of whom are active participants in top-tier bug bounty programs and hackathons or serve as mentors in security communities.
Engineering-First Approach to Web3 Threats
Zokyo’s technical staff reads more like a war room than a consultancy. Engineers rotate across projects ranging from Solana to EVM, Cosmos, TON, and emerging Move-based chains. Each engagement is tailored, beginning with risk modeling and protocol comprehension before simulating adversarial behaviors.
This approach has yielded positive results. In one recent audit, Zokyo helped uncover a critical vulnerability in a bridging protocol that could have exposed over $40M in user funds. Rather than disclose the client’s identity, Hartej Sawhney focuses on what can be learned:
“The threats facing cross-chain infrastructure are becoming more abstract and composable. We’re no longer looking for one big flaw — we’re looking at how multiple modules interact and can be abused over time.”
This engineering-first mindset has led Zokyo to develop proprietary tooling and process automation that both speed up audits and increase their depth.
Economic Simulation Meets Cybersecurity
Poor tokenomics can be just as damaging as bad code. Strong tokenomics and a well-executed token launch strategy are critical to a project’s success, and Hyperliquid stands out as a prime example of getting it right.
That is why Zokyo operates a dedicated arm, Zokyo Labs, to work on tokenomics and simulation. This interdisciplinary team includes game theorists and economists who simulate behaviors such as liquidity incentives, governance attacks, and validator collusion.
In addition to modeling incentive structures and attack scenarios, Zokyo Labs has played a key role in helping high-profile clients navigate complex regulatory frameworks, ensuring alignment with the 2023 Distributed Ledger Technology (DLT) Foundations Regulations of the Abu Dhabi Global Market (ADGM).
Trust Forged in the Field
Since its inception, Zokyo has built a client base that includes blockchain foundations, venture-backed startups, and high-profile DeFi projects. The firm has conducted security reviews for LayerZero, 1inch, and World Liberty Financial (Donald Trump’s DeFi initiative), among others. The ability to work under NDA and within stealth-mode launches has made Zokyo a preferred partner for projects requiring operational discretion.
Zokyo’s findings have also helped expose security blind spots in some of the most widely used wallets, prompting codebase updates, with the team supporting developers through fix reviews and remediation along the way.
The Next Chapter
Zokyo is expanding its infrastructure audit capabilities, with new engagements focused on L1 consensus design, validator systems, and zk-based rollups.
“We’ve seen an uptick in requests for zero-knowledge systems and privacy-focused protocols. As zero-knowledge primitives mature, the attack surface changes. That’s where we’ll be,” says Hartej.
The team is also preparing to launch a dedicated bug bounty program, supporting the ecosystem with continuous, real-world testing. On the community front, Zokyo will be present at major industry events like Token2049 and ETHCC, meeting builders, sharing research, and staying ahead of emerging threats.
In a field where exploits are measured in minutes and reputations built over years, Zokyo’s quiet efficiency speaks volumes. As Hartej puts it, “We’re not in this for clout. We’re in this because people’s money is on the line. That deserves respect.”