“If You Think Crypto Security Is a Tech Problem, You’re Missing the Point,” Says Phemex CEO Federico Variola

“It’s becoming harder and harder to prove that you are actually you.” That observation, shared by Federico Variola, CEO of Phemex, captures a growing concern across the crypto industry – one that goes far beyond smart contracts or infrastructure bugs.

Speaking during a recent panel discussion alongside Ian Rogers, Chief Experience Officer at Ledger, and Dmitry Budorin, co-founder and CEO of cybersecurity firm Hacken, Variola explained how crypto security threats are showing up in practice. AI changes the tools, but the weak point is still people – how they talk to each other, make calls quickly, and decide who to trust.

Much of this comes down to everyday behavior. Across exchanges and wallets, there’s a shared understanding that routine habits shape how incidents happen. For Federico Variola, that translates directly into how exchanges design processes, introduce friction, and manage how people interact with wallets, social platforms, and on-chain identities.

More Value, Bigger Targets

Early in the discussion, Federico addressed a question the industry keeps asking itself: is crypto getting worse at security, or are attackers simply getting better?

“You can probably say that this year is the worst year for cybercrime, and next year will be worse again. And that’s not because we’re getting worse at security. It’s because there’s more value. When you have more value, the size of the prize gets bigger. And when the prize gets bigger, you get more people trying to extract that value.”

As crypto grows, so do the incentives for attackers. Variola says this creates a constant imbalance, with attack capabilities often moving faster than protections, especially during bull markets.

“We’re probably in this middle period where capabilities grow faster than protections. And every bull run, you have very rational people telling you why you should take shortcuts on security, or on self-custody, or on both, and it always ends in the same place.”

Rogers shared a simple example to underline the point. Even very experienced people in crypto, including those closely involved in wallet development, have found themselves caught out by convincing links shared through platforms like Discord or browser wallets. His point was that experience helps, but it doesn’t remove the need for constant care.

When Identity Becomes the Weak Point

Where Variola sees the biggest shift is in how attacks are executed. 

“These actors are well-funded, sometimes state actors, and they’re moving at a speed that’s very difficult to catch up with. At the same time, the tools we’re all using, like AI and automation, are all double-edged swords. If we can use these tools, attackers can use them too. Social attacks become more complex. People have taken my likeness and used it in video calls to try to scam investors or business partners.”

Ian Rogers echoed this from the hardware wallet perspective, noting that many attacks today are more about psychology than technology. For Variola, that matches what exchanges see in practice: convincing people is often easier than breaking systems.

As Rogers put it during the panel, “any of us could fall for it.” Even within crypto-native teams, the combination of familiarity, urgency, and well-crafted social engineering is often enough to bypass otherwise strong security practices.

The Exchange Reality: Cold, Hot, and Human

From an exchange standpoint, Federico was careful to separate guarantees from assumptions.

“What we guarantee to users has to be completely untouchable, and that’s the cold wallet. That’s non-negotiable. Hot wallets, by definition, present an inherent risk because they’re always online.”

During periods of high market activity, those risks intensify.

“When there’s a bull market, users expect hot wallets to be full. They’re moving quickly, often with large amounts, especially in altcoins. The demands from users are very pressing.”

This pressure creates tension. Users want speed and convenience. Security, however, often requires friction.

“You have to add layers of friction in order to keep funds safe, regardless of what users are asking for. In a way, you end up having to fight back a little bit against your own users.”

It’s an uncomfortable reality for exchanges, but one Federico believes is unavoidable if platforms are serious about long-term protection rather than short-term satisfaction.

What Experience Teaches You

During the panel, Variola briefly referenced a security incident Phemex experienced last year.

“One of the biggest lessons for us was realizing that we were more of a target than we thought.”

The most important takeaway was about people.

“We underestimated how pervasive phishing and social engineering attacks are, and how they target the lowest levels of your structure first, interns, designers, people who don’t think of themselves as security-critical, and then work their way up to more meaningful roles.”

Dmitry Budorin offered a blunt analogy for how these attacks work, comparing phishing to fishing. Even if the fish isn’t stupid enough to bite the plastic lure, he explained, moments of routine or distraction are often enough for attackers to succeed. In his words, inevitability is the danger.

That way of thinking lines up closely with how Variola approaches security.

“It’s not enough for engineers or executives to be careful. Every single person in the organization has to understand the risks they’re exposed to. Even the lowest intern needs to be fully aware of the situation.”

Budorin went further, arguing that in many cases the primary target isn’t a junior employee at all, but the CEO. Public figures, founders, and executives are often attacked directly, precisely because of their visibility and authority within the industry.

Following the incident, Phemex increased security across the board, but the bigger change was internal.

Social Layers and Financial Layers Don’t Mix

“Crypto is a very social industry. NFTs, social media, Telegram – all of these platforms create targets for attackers.”

Federico Variola was particularly critical of how casually sensitive interactions take place in environments never designed for security.

“Telegram, especially, is one of the worst-run platforms in terms of security, but it’s the standard for how the industry communicates.”

He also expressed discomfort with growing trends around wallet tracking and public attribution.

“I don’t like this trend of tracking wallets to specific people. It feels very anti-crypto. But the reality is, the more successful you are in this industry, the bigger of a target you become, and the more resources you need to allocate to protecting yourself.”

Decentralization Changes the Economics of Attacks

Looking ahead, Variola sees decentralization and self-custody as part of a broader change in how crypto security plays out. 

“As decentralization becomes more standard, we’re distributing the burden of security across more points of failure. Hackers will have to target individuals one by one instead of finding that sweet spot – a single point of failure.”

That doesn’t eliminate risk. It redistributes it.

“DEXs and decentralized platforms present their own challenges. Code is law. You can’t halt a chain. There will be new risks. But overall, I think this is a positive outcome for the industry.”

For exchanges, that means adaptation, not resistance.

“Centralized platforms aren’t going away, but we have to evolve. The security model has to change along with user behavior.”

What Crypto Will Still Be Fighting in Five Years

Looking ahead, Federico Variola doesn’t frame the challenge as something crypto will simply “solve” and move past.

“AI is going to be the biggest challenge,” he said. “Further down the road, quantum computing adds another layer of risk.”

Asked whether AI helps defenders as much as attackers, his answer was straightforward: “Unfortunately, I think it enhances attackers more than it makes people secure.”

Variola sees this as a moment of maturity for the industry. Crypto draws strong technical talent, and security is becoming part of how companies operate and communicate day to day. In systems built to limit reliance on trust, the focus now turns to understanding where trust still exists and managing it thoughtfully.

Copyright © 2025 Wordupnews.com