A former IRS cyber crimes investigator argues that as geopolitical conflict moves into cyberspace, the digital asset industry is protecting the wrong layer.
As nation-state cyberattacks grow more sophisticated and artificial intelligence lowers the barriers for malicious actors, a cybersecurity researcher warns that the digital asset industry has been focused on the wrong problem.
Dr. David Utzke, a former investigator with the Internal Revenue Service’s Cyber Crimes Unit and author of “The Digital Asset Technology Guidebook,” argues that blockchain networks — however technically robust — are largely beside the point. The real vulnerabilities, he says, lie in the human behavior, device management, and access controls that surround them.
“The weak point in cybersecurity is still human behavior,” Dr. Utzke said. “The industry keeps asking whether the answer is better software, better AI, or better tools. But if the person, device, or access point is compromised, blockchain alone won’t save the asset.”
Attackers, he notes, rarely need to break cryptographic consensus to steal digital assets. More often, they exploit far simpler entry points — phishing a personal device, stealing login credentials, or compromising an administrative account with broad system access. Once inside, the damage can spread quickly. “If your device is compromised and connected to a company, the company can get attacked,” Dr. Utzke said. “And that can cascade into your personal device, your contacts, your financial information — everything connected to it becomes exposed.”
That risk is compounded in digital asset environments, where value moves fast and transactions are frequently irreversible. Bring-your-own-device policies, expansive access permissions, and convenience-first system design have widened the attack surface at precisely the moment, Dr. Utzke argues, that organizations should be narrowing it.
He is also critical of how the industry has handled complexity. More integrations, automation layers, and third-party dependencies may add flexibility, but they also multiply the points of potential failure. Stronger security, in his view, may require a deliberate retreat from that complexity — stricter access boundaries, more controlled operating environments, and tighter limits on what systems can connect to sensitive infrastructure.
“Organizations are going to have to be the grown-ups in the room,” he said. “If we’re facing geopolitical cyberwarfare in this environment, it’s not getting any better. It’s getting worse.”
His concerns are sharpest around stablecoins. Unlike funds held at a traditional bank, stablecoin transactions offer limited recourse once a private key is compromised. Recovery depends on whether the issuer can identify and freeze stolen assets in time — an outcome far from guaranteed. “With stablecoins, if they get the key, they don’t have to go through a bank,” Dr. Utzke said. “And boom, it’s gone.”
Also Read: By the Time Your Credentials Appear in a Dump, You’re Already Behind
He also flags an underappreciated technical risk: many projects, he says, are securing cryptographic keys inside wallets while largely ignoring the digital signature algorithms and transaction-authorization applications that sit between sender and receiver — a gap that quantum-era computing could eventually exploit.
Major centralized exchanges and leading token issuers have offered little public clarity on how they are addressing either quantum-related risk or the broader geopolitical threat landscape, Dr. Utzke said, raising questions about whether the ecosystem is adequately prepared.
For policymakers, institutions, and individual investors, his message is blunt: digital asset security cannot be assessed by blockchain marketing alone. Resilience, he argues, will ultimately depend on whether the human and operational systems surrounding the technology are built to withstand real-world compromise.
