Recent incidents across the crypto ecosystem, including supply-chain attacks and credential-based breaches, point to a deeper structural shift in how attacks are executed. On-chain exploits are no longer the primary threat. Instead, attackers are increasingly targeting the execution layer, where systems, credentials, and infrastructure enable capital to move.
To understand this shift, it’s important to look at how the threat landscape has evolved. In the past, smart contracts were the primary attack vector. Over time, the industry responded with audits, formal verification, and bug bounty programs. These efforts significantly raised the cost and difficulty of exploiting on-chain code. As these defenses improved, attackers shifted toward areas where access can be gained more easily, through credentials, infrastructure, and operational systems.
This shift is reflected in recent data. According to zeroShadow research, out of 146 hacks tracked in 2025, 53 involved supply-chain attacks, malware, private key compromise, or a combination of these vectors. These incidents originate from weaknesses across infrastructure, credentials, and execution systems, reinforcing that many exploits begin outside of on-chain environments.
Crypto infrastructure has become significantly more complex. Managing digital assets now requires coordinating across exchanges, custody providers, signing infrastructure, API integrations, developer credentials, and internal systems operating across both on-chain and off-chain environments. Attackers take advantage of this complexity: rather than targeting cryptography or smart contracts directly, they exploit the systems around them.
Compromised API keys, infrastructure access, or developer credentials can provide direct or indirect paths to funds. As a result, security risk has expanded beyond private keys into the execution layer, where automated systems move capital in real time.
This reflects how custody has evolved in modern crypto operations. It is no longer limited to safeguarding private keys or smart contracts, but now spans API keys, deployment credentials, validator keys, and the infrastructure that orchestrates transactions across multiple venues. Many of these credentials are stored in systems that return full keys to authenticated processes. While this model supports operational efficiency, it introduces structural risk. If the execution environment is compromised, an attacker can gain full access at the moment capital is in motion.
Execution risk has therefore emerged as a primary attack vector. In modern trading environments, capital moves continuously across interconnected systems. Credentials authorize real-time actions, and those credentials are often embedded directly into infrastructure to minimize latency. Over time, this has normalized a model where full key access exists inside live systems. Authority is concentrated where execution happens, making it a predictable point of failure.
The lesson the industry learned from private key security still applies. Eliminating full key exposure and enforcing strict policy controls were critical to securing key storage. Those same principles must now extend across every credential capable of authorizing value movement. What is required is a shift toward zero-exposure architecture, combined with programmable, context-aware policies that govern how systems operate across vendors and environments.
This is where Sodot and zeroShadow address complementary layers of the problem.
Sodot focuses on securing the execution layer itself. It provides infrastructure that allows asset managers to govern keys, control transaction execution, and orchestrate permissions across their operational stack. Its architecture is built on MPC, hardware-based security, and policy controls that extend across both on-chain and off-chain environments. By eliminating full key exposure and enabling programmable key governance, Sodot allows institutions to secure the systems that actually move capital. Its infrastructure is self-hosted, reducing dependency on third parties, and is trusted by leading crypto institutions including Flow Traders, BitGo, eToro, and Exodus.
zeroShadow operates on the security readiness and response side. Before incidents occur, it works with organizations on threat intelligence and operational security readiness. When incidents do happen, zeroShadow acts as a first responder. Its team investigates breaches, coordinates incident war rooms, traces stolen funds across chains, and works with exchanges to freeze assets where possible. To date, zeroShadow has helped freeze over $300 million in funds through coordinated response efforts. In high-pressure situations, its role is immediate and operational: analyze, contain, coordinate, and recover.
Taken together, this reflects a broader shift in how crypto security must be approached. The challenge is no longer limited to protecting keys or validating transactions. It is about securing operations across complex, interconnected systems, while maintaining the ability to respond quickly when something goes wrong.
As infrastructure continues to scale and interconnect, the attack surface will continue to expand. Addressing this requires not only stronger infrastructure controls, but also operational readiness and coordinated response. This is the next phase of digital asset security, and it is where both Sodot and zeroShadow are focused.



