Three separate cyberattacks inside a single week made a point the sector has been slow to accept. Decentralized organizations are being targeted by sophisticated, well-funded attackers, and most of them are still defending themselves like early-stage startups.
On April 18, Kelp DAO lost around $292 million through a cross-chain bridge. The next day, Vercel, the hosting company that powers a large portion of the Web3 frontend stack, confirmed a breach that flowed in through a compromised third-party vendor. Shortly after, LayerZero, the messaging protocol underneath the Kelp bridge, attributed the attack to North Korea’s Lazarus Group.
These were not unrelated events. They were three views of the same problem.
What actually happened
In the Kelp DAO case, the attackers did not break the smart contract. They broke the infrastructure that verifies cross-chain messages. By quietly swapping software on the servers a verifier relies on, they tricked the system into approving a fraudulent transfer. The money left the bridge because the system that was supposed to check it had been compromised from underneath.
The Vercel incident started even further upstream. An employee account at an outside AI vendor was breached. That access was used to move into Vercel, where settings that had been labeled “non-sensitive” turned out to be enough to expose deployment credentials used across the Web3 frontend stack. Crypto teams spent the following day rotating keys, working on the assumption that compromise had already happened.
In both cases, the attackers did not target the part of the system that gets audited. They targeted the part of the system that gets trusted.
Treasury scale has outrun security posture
Most foundations now hold treasuries large enough to rival mid-sized asset managers. Security posture has not kept up. The most common causes of loss across the sector right now are not bugs in the code. They are compromised signing keys, social engineering against councils and signatories, attacks on the infrastructure around the protocol, and breaches at third-party vendors.
What is changing in 2026 is the market’s tolerance for this gap. Counterparties, auditors, and institutional partners should stop treating cybersecurity maturity as optional. Foundations that cannot demonstrate it will start to lose deals, not just face losses.
What we are doing about it
Today Mugen is formally launching a dedicated cybersecurity practice for foundations, token issuers, and operating companies. It is an extension of the operational discipline Mugen already provides across treasury, governance, and compliance, brought into an area that foundations have historically outsourced, ignored, or both.
The practice covers operational security reviews, managed monitoring, incident response playbooks written for foundation and DevCo structures, tabletop exercises and incident simulations for councils and signatories, vulnerability scanning, structured security testing, and blockchain forensics in support of treasury oversight and fund recovery.
A foundation is not well served by a security firm that does not understand a Gnosis Safe, or by a generic IT provider that treats a multisig wallet the same as a corporate laptop. Security, treasury, and governance are the same problem. We treat them that way.
What to do if you are on a council or board right now
Three practical things.
First, assume your signers are already being studied. Councils and signatories are the preferred target now, not a secondary one. Personal devices, home networks, and social engineering exposure are treasury risks.
Second, audit the companies you depend on. The Vercel incident made clear that your hosting, deployment, and data pipelines are part of your attack surface whether you acknowledge it or not.
Third, pressure test your response before you need it. An incident response plan that has never been run is a document, not a capability. The difference between a manageable loss and a catastrophic one is almost always decided in the first two hours.
Cybersecurity is now a core part of foundation operating discipline. Not an optional extra, and not a line item to defer. Foundations that internalize this now will be the ones that outlast the cycle.