Takeaways From Our AI and Web3 Security Discussion with Olympix

Merkle Science
September 26, 2025

This is Part 1 of a two-part series distilling a recent Merkle Science discussion between Dr. Justus Delp, VP of Business Solutions at Merkle Science, and Channi Greenwall, Founder and CEO of Olympix, a proactive, enterprise-grade DevSecOps platform. In this first article, you will learn how AI is changing attacker and defender workflows, why smart contract audits are not sufficient on their own, where Web2 and Web3 exposures intersect, and how institutional adoption is reshaping crypto compliance expectations. You can watch the full conversation on our YouTube channel here. Part 2 will focus on 2025’s most important attack vectors and a practical defense checklist.

AI In Web3 Security Is An Accelerator, Not A Silver Bullet

AI is not a standalone threat or a magical fix. It amplifies capable people on both sides. Attackers use AI to scan code, generate inputs, and surface patterns faster than manual analysis. Defenders can apply AI to strengthen code analysis, data querying, and incident triage when it is anchored to proven security controls. As Channi put it, “AI accelerates top people. It is allowing you to do 10x what you could do.” The practical takeaway for 2025 is to invest in AI that enhances static and dynamic analysis, behavior analytics, and response workflows, rather than chasing wrappers that promise to find everything with minimal rigor.

Point-In-Time Audits Help, But Layered Security Wins

Audits remain important, but they cannot be the only safeguard in an environment where dependencies shift and exploits happen in seconds. The discussion highlighted how exploited contracts often passed audits before failing under real conditions. Channi captured the problem succinctly: “Ninety percent of exploited contracts were audited.” The solution is a layered approach that starts with proactive developer tooling, adds disciplined testing and multiple audit passes, and continues with on-chain behavior monitoring and rehearsed incident response. The goal is a Swiss cheese model where overlapping layers reduce the chance that a single oversight becomes a treasury-draining event.

Many “Web3 Hacks” Still Start In Web2

Several high-profile incidents that end on chain begin with classic Web2 intrusions. Justus put it plainly: “Social engineering remains one of the largest reasons our customers suffer exploits on both decentralized and centralized sides.” The critical, recurring risk is initial access. He noted the growing role of deepfakes and fake job interviews, as well as supply chain intrusions where attackers persuade contractors to install malware and gain a foothold. These pathways are typically more prevalent than novel AI-only attacks, with AI mostly reinforcing traditional vectors that continue to work. In a fast-moving, remote environment, social engineering is hard to detect, and many teams only realize it when it is too late. Once attackers have credentials or internal access, they pivot quickly into on-chain swaps and bridges. Security programs need to cover Web2 and Web3 from day one and avoid blind spots as teams add new components.

Web3’s Operating Environment Multiplies The Blast Radius

Immutable code, transparent state, and direct access to treasuries mean mistakes cost more in Web3. The contrast is stark. As Channi noted, “Web2 drains data. Web3 drains treasuries.” Deploying smart contracts is rigorous, yet a single missed guard or misconfiguration can still cause catastrophic outcomes. Teams should think adversarially and validate continuously. That includes modeling how an attacker could chain Web2 weaknesses, dependency bugs, and contract behaviors, then shipping the specific tests and controls that block those paths before launch and throughout the lifecycle.

Institutional Adoption Is Redefining Crypto Compliance Expectations

Institutions are entering Web3 with established risk mandates, which is setting de facto standards across DeFi. Requirements around sanctions exposure, counterparty risk, and operational resilience are raising the bar for protocols and service providers. Justus summed it up: “Institutions are driving standards because they are mandated to put protections in place for themselves.” In practice, this means behavior-based monitoring, robust address attribution, and automated AML screening are becoming prerequisites for partnerships. Sanctions exposure, including contact with designated entities such as Lazarus, is a board-level concern that can be very costly if mishandled. Teams that want institutional liquidity should build these controls early.

Security Must Be Owned By Leadership And Reinforced By Boards

Security outcomes are organizational, not only technical. Executive accountability is essential. Channi’s view was direct: “The person responsible for everything is always the CEO. Security rolls up to leadership.” Boards and backers should require security baselines just as they require insurance and financial controls. Foundations and L2 ecosystems can reinforce these expectations by educating builders and offering resources that lift security standards across their developer communities. When leadership treats security as a measured, funded priority, the entire posture improves.

Continuous On-Chain Monitoring And Sanctions Screening Are Core Controls

Fast-moving incidents demand real-time telemetry and programmatic brakes. The conversation described a workflow where behavior analytics detect new addresses that suddenly receive significant inflows and attempt rapid swaps or bridges. Justus explained that Merkle Science can identify patterns such as a newly created address receiving more than one hundred thousand dollars in crypto assets and immediately trying to swap or bridge, then block activity through an API. Controls like these buy time, reduce contact with designated entities, and give incident responders space to make sound decisions.
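The detection pattern Justus describes, as an added illustration rather than Merkle Science's own code or API: a streaming rule that flags a young address which receives a large inflow and then swaps or bridges shortly afterwards. The event schema, the one-hour "newly created" window and the ten-minute "immediately" window are assumptions, and the sample stream is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN_INFLOW_USD = 100_000      # threshold quoted in the discussion
MAX_ADDRESS_AGE_S = 3600      # assumption: "newly created" = first seen within the last hour
MAX_SECONDS_TO_EXIT = 600     # assumption: "immediately" = swap/bridge within 10 minutes
EXIT_ACTIONS = {"swap", "bridge"}

@dataclass
class Event:
    ts: int        # unix seconds
    address: str   # address whose activity is observed
    kind: str      # "transfer_in", "swap" or "bridge"
    usd: float     # value moved, in USD

@dataclass
class AddressState:
    first_seen: int                     # assumption: first observation in the stream = creation
    large_inflow_ts: Optional[int] = None

class InflowExitDetector:
    """Returns "block" for the first swap/bridge that follows a large inflow to a
    young address, otherwise "allow". "block" is where an API-based brake would be called."""
    def __init__(self) -> None:
        self.state: Dict[str, AddressState] = {}

    def process(self, ev: Event) -> str:
        st = self.state.setdefault(ev.address, AddressState(first_seen=ev.ts))
        if ev.kind == "transfer_in":
            age = ev.ts - st.first_seen
            if ev.usd >= MIN_INFLOW_USD and age <= MAX_ADDRESS_AGE_S:
                st.large_inflow_ts = ev.ts      # remember when the large inflow landed
            return "allow"
        if ev.kind in EXIT_ACTIONS and st.large_inflow_ts is not None:
            if ev.ts - st.large_inflow_ts <= MAX_SECONDS_TO_EXIT:
                return "block"
        return "allow"

def run(events: List[Event]) -> List[str]:
    det = InflowExitDetector()
    return [det.process(e) for e in sorted(events, key=lambda e: e.ts)]

# Constructed sample stream: 0xfresh receives $250k and bridges three minutes later (block);
# 0xslow waits well beyond the window (allow); 0xold is long-lived and only swaps (allow).
SAMPLE = [
    Event(1000, "0xold", "transfer_in", 50.0),
    Event(90000, "0xold", "swap", 300_000.0),
    Event(70000, "0xslow", "transfer_in", 500_000.0),
    Event(75000, "0xslow", "bridge", 500_000.0),
    Event(80000, "0xfresh", "transfer_in", 250_000.0),
    Event(80180, "0xfresh", "bridge", 250_000.0),
]
```

The time windows are the knobs an operator would tune against false positives; in production the address age would come from chain data rather than first observation.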

Incident Readiness Determines Whether A Crisis Becomes A Failure

Preparation changes outcomes. Teams need runbooks for triage, cross-chain tracing, partner coordination, and user communications, and they need to rehearse them. Channi emphasized that “Teams need an instant response strategy in place ahead of launch,” because the first minutes of an attack often decide the outcome. Establish contacts at exchanges and bridges, define thresholds for pausing services, and make clear decisions in advance about steps like reimbursements. A prepared team can contain a breach and protect trust.

What This Means For Crypto Businesses In 2025

AI is compressing attacker timelines while Web2 and Web3 surfaces are tightly coupled. Institutions expect stronger crypto compliance and operational controls. Successful teams will use AI to strengthen proven defenses, treat audits as one layer in a broader program, deploy behavior-based on-chain monitoring with automated enforcement, and make security a leadership responsibility with clear budgets and metrics.

Merkle Science helps organizations operationalize this approach with address attribution, sanctions and risk screening, and real-time behavior analytics that can block suspicious activity through APIs. For a deep dive into specific attack vectors and a practical defense checklist, read Part 2 of this series next. You can also watch the full exchange here to explore the nuances behind these takeaways.