Cyberattacks are escalating fast – with a 500% surge in scam-related logs this year, according to Fortinet, and 1.7 billion passwords leaked on the dark web. Now, platforms are rethinking how they secure identity.
“Infostealers are increasingly used to target wallet credentials stored in browsers or unsecured environments,” Terence Kwok, CEO and Founder of Humanity Protocol, told The Crypto Radio.
“Their success is driven by the widespread use of static keys and passwords.”
In 2024 alone, 97 billion exploitation attempts were logged globally, and stolen credentials on the darknet rose by 42 percent compared to the year before, according to Fortinet’s 2025 Global Threat Landscape Report.
IBM X-Force reported a surge in phishing emails carrying infostealers, with early 2025 data showing phishing activity up 180 percent from 2023. Nearly half of all cyberattacks resulted in stolen data or credentials.

2FA, ‘the biggest loophole’
With phishing and credential theft surging, some experts say it’s time to move beyond traditional login methods. Robert Mofrad, Co-founder and CPO of Serenity, thinks “two-factor authentication is a loophole in today’s web2 and web3.”
He argues it’s outdated and ineffective because both authentication factors are often stored on the same device.
Instead, Mofrad points to biometrics and encryption as more effective defenses against cyberattacks. “The core of decentralization involves encryption,” he told The Crypto Radio. “When information is fragmented across the internet, it’s difficult to get hold of it, unlike when it sits plainly in one storage space.”
To address these risks, Serenity launched the sAxess App – a biometric-only access tool that uses a physical card. “It’s external hardware you can carry in your pocket, but it doesn’t live inside your mobile,” Mofrad explained. “So if your phone or computer is compromised, your biometric data stays protected.”

Centralized vs decentralized
But not everyone sees decentralization as the answer. Robert Gourley, author of The Cyber Threat and CTO of OODA LLC, highlighted the advantage of centralized platforms: one entity holds the keys. “They have visibility, control, and staff who can respond in real-time,” he said.
User credentials are stored and managed in a centralized database, often with backup systems and incident response teams actively monitoring for breach attempts.
Gourley emphasized the importance of centralized systems during phishing attacks, pointing out that platforms with full oversight can act quickly to contain threats – something decentralized systems struggle with.
“There’s no central party to call if something goes wrong,” he said. “The only layer of detection might come from on-chain analysis tools or third-party security services watching.”
That lack of visibility, Kwok added, is what makes decentralized identity so vulnerable to abuse by bots and AI agents. “Web3 systems are also left blind to who is actually using a credential,” he said. “Nearly a third of users reported daily contact with suspected AI-driven scams, underscoring the need for systems that can distinguish between real users and AI.”
Despite the speed advantage of centralized models, Kwok argued that decentralized platforms with embedded human validation are proving more resilient over time. He pointed to biometric authentication methods, like palm recognition, as a promising approach.
“By integrating non-invasive biometric methods directly into the user authentication layer, decentralized systems can verify the presence of a real and singular human at critical points of interaction,” he explained. “This not only prevents automated attacks, but also enables proactive detection of unusual activity without requiring centralized control.”

AI, ‘a double-edged sword’
As AI-driven attacks rise, some experts believe the same tools can be repurposed for defense. Gourley sees potential in AI agents that detect and respond to threats – provided they’re used with caution.
“The more power you give an agent, the more attractive it becomes to attackers,” he warned.
Kwok agreed that AI is a double-edged sword. While it has fueled a surge in phishing attempts, it can also be used to spot abnormal behavior faster than human teams.
“AI increases phishing attempts but can also be used to defend against them by analyzing behaviour and identifying unusual activity,” he said.
But for AI to be effective in security, it needs something it often lacks: reliable identity data. “The real challenge lies in giving these agents accurate signals about who the user is,” said Kwok. “Without trustworthy identity data, detection tools are vulnerable to being fooled.”
“Identity needs to be rooted in verifiable human traits for AI defense systems to be truly effective.”
Not everyone is convinced. Mofrad questioned the idea of AI as a protective force. “AI has no morality,” he cautioned. “The more information it has about you, the more access it gets. So it needs to be governed.”
He warned that the pace of change is accelerating, and emerging technologies could bring new threats. One of his biggest concerns is quantum computing – and what it might mean for Bitcoin.
“If someone creates an ultra-powerful quantum computer, could they break Bitcoin codes? If they do, what happens? Bitcoin goes to zero?”
That’s why, he said, staying ahead is essential.
“If you don’t anticipate, not only will you fall behind – you could lose everything.”