diff --git a/docs/pages/config/contributors.json b/docs/pages/config/contributors.json
index 025c62f1..6f44175c 100644
--- a/docs/pages/config/contributors.json
+++ b/docs/pages/config/contributors.json
@@ -391,6 +391,21 @@
"description": "Opsek Founder",
"badges": []
},
+ "andrew-chang-gu": {
+ "slug": "andrew-chang-gu",
+ "name": "Andrew Chang-Gu",
+ "avatar": "https://ui-avatars.com/api/?name=Andrew+Chang-Gu&background=8b5cf6&color=fff&size=200",
+ "github": null,
+ "twitter": null,
+ "website": "https://www.linkedin.com/in/achanggu/",
+ "company": null,
+ "job_title": "Security Strategy Consultant",
+ "role": "contributor",
+ "description": "Web3 workforce security and operational security",
+ "badges": [
+ { "name": "First-Contribution", "assigned": "2026-02-18" }
+ ]
+ },
"Raiders0786": {
"slug": "Raiders0786",
"name": "Raiders",
diff --git a/docs/pages/opsec/index.mdx b/docs/pages/opsec/index.mdx
index fdc4eae2..56bc4ee8 100644
--- a/docs/pages/opsec/index.mdx
+++ b/docs/pages/opsec/index.mdx
@@ -13,6 +13,7 @@ title: "Opsec"
- [Operational Security](/opsec/overview)
- [Security Improvement Metrics](/opsec/continuous-improvement-metrics)
+- [Web3 Workforce Security](/opsec/web3-workforce-security)
- [Appendices](/opsec/appendices)
- [Browser](/opsec/browser)
- [Control Domains](/opsec/control-domains)
diff --git a/docs/pages/opsec/web3-workforce-security.mdx b/docs/pages/opsec/web3-workforce-security.mdx
new file mode 100644
index 00000000..30bdecbd
--- /dev/null
+++ b/docs/pages/opsec/web3-workforce-security.mdx
@@ -0,0 +1,293 @@
+---
+title: "Web3 Workforce Security | Security Alliance"
+description: "Secure your Web3 org against traditional IT attack vectors: Discord session hijacking, fake Zoom malware, BYOD risks, and DPRK IT worker infiltration. Covers Zero Trust identity, device tiers, and workforce verification."
+tags:
+ - Security Specialist
+ - Operations & Strategy
+ - HR
+ - Engineer/Developer
+contributors:
+ - role: wrote
+ users: [andrew-chang-gu, dickson]
+ - role: reviewed
+ users: []
+---
+
+import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'
+
+
+
+
+# Web3 Workforce Security
+
+
+
+
+> 🔑 **Key Takeaway**: The most dangerous attacks on Web3 organizations don't exploit smart contracts — they exploit the people running them. This guide addresses how to apply traditional IT security controls to the unique constraints of a Web3 workforce: unmanaged devices, pseudonymous contractors, and a global, remote-first operating model.
+
+The central challenge of Web3 workforce security can be summarized in a single question: **How do you secure that which you do not manage?**
+
+Most Web3 organizations are not built like traditional enterprises. There are no managed laptops handed to every employee on day one, no network perimeter enforced by firewalls, and no HR department verifying the real-world identity of every contributor. What you get instead is a distributed team of engineers, community moderators, and contractors — many of them pseudonymous — all logging into shared tools from personal devices they fully control.
+
+Attackers understand this gap. The same techniques used against enterprise organizations — session cookie theft, trojanized software, social engineering — are now being systematically applied to Web3 teams, often with devastating effect.
+
+---
+
+## The Threat Landscape: Real-World Attack Scenarios
+
+The following scenarios illustrate how traditional IT attack vectors play out in a Web3 context.
+
+### Scenario 1: Discord Session Cookie Theft
+
+A high-profile NFT project is hours from a much-anticipated mint. The Discord community is active and excited. Then a moderator posts a link — what appears to be the mint site — but the URL is slightly wrong. The team scrambles to delete the post, the mint is delayed, and "rugged" accusations flood every channel. Community trust collapses overnight, costing the project an estimated $1 million in lost revenue.
+
+The root cause wasn't a smart contract bug. It was a malicious browser extension silently running on the moderator's personal laptop. The extension harvested the moderator's Discord session cookie, which gave the attacker full authenticated access to the account — bypassing 2FA entirely, since session tokens represent an already-authenticated session.
+
+> ⚠️ **Session tokens bypass MFA.** A stolen session cookie grants full account access without needing a password or second factor. This makes browser hygiene on devices with Discord access critically important, especially for accounts with admin privileges.
+
+This attack vector is well-documented. In 2023, security researchers documented a wave of attacks against NFT and crypto Discord servers where admins were socially engineered into adding malicious JavaScript as browser bookmarks. Once clicked on Discord's own domain, the bookmark silently exfiltrated the admin's authentication token to attacker-controlled infrastructure. The attacker would then wait until late at night, post a fake "airdrop" or "NFT mint" announcement from the compromised admin account, and drain wallets that connected to the malicious site.
+
+Separately, the **Skuld** information-stealing malware — a Golang-based infostealer discovered in mid-2023 — specifically targeted Discord tokens alongside browser credentials and cookies, packaging stolen data for exfiltration within seconds of infection.
+
+### Scenario 2: Fake Software Updates as Malware Delivery
+
+An analyst takes a meeting with "Crypto Cat," introduced as the founder of a new exchange. The meeting invitation looks like a standard Zoom link. Clicking it redirects the analyst to a page prompting a "Zoom update" — seemingly routine. The analyst installs it. Nothing visible happens.
+
+Days later, Crypto Cat posts on X that their account has been hijacked. The analyst checks their own wallet: over $100,000 is gone.
+
+The Zoom link was a delivery mechanism. The "update" was a trojanized installer that silently deployed wallet-draining malware, harvesting seed phrases, private keys, and browser extension data before the victim had any indication something was wrong.
+
+> ⚠️ **Legitimate software never prompts you to install an update by clicking a meeting link.** Any software update that arrives via a meeting URL, DM, or email attachment should be treated as malware until proven otherwise.
+
+This technique is a signature tactic of **Lazarus Group**, the North Korean state-sponsored threat actor responsible for billions in crypto theft. Lazarus operatives pose as venture capitalists, exchange founders, journalists, and recruiters. They establish trust over days or weeks through legitimate-seeming communication before delivering the payload — often a trojanized version of Zoom, Telegram, or another common meeting tool. In more recent campaigns, attackers have used pre-recorded deepfake video to simulate a live call, with audio cutting out at a convenient moment to pressure victims into downloading a "fix."
+
+The connection to DPRK operations extends beyond individual theft. North Korean IT workers — thousands of whom are embedded in Web3 companies globally as remote contractors — represent a coordinated, state-directed insider threat. Their hiring represents both financial fraud (collecting salaries for the regime) and a potential supply-chain attack vector. For comprehensive coverage of DPRK IT worker tactics and mitigation, see the [DPRK IT Workers framework](/dprk-it-workers/overview).
+
+---
+
+## The Structural Problem: Web2 Controls vs. Web3 Reality
+
+Traditional enterprise security assumes a set of conditions that Web3 organizations simply don't have:
+
+| Security Domain | Traditional IT | Web3 Native Reality |
+|---|---|---|
+| **Security Perimeter** | LAN protected by firewalls and VPNs | Web app logins and SSO+MFA if lucky |
+| **Endpoints** | Fully managed corporate devices | Unmanaged BYOD |
+| **Workforce** | Trusted full-time employees | Contractors, volunteers & pseudonymous contributors |
+
+This isn't just an inconvenience — it fundamentally changes what "securing your organization" means. You cannot install an EDR agent on a contractor's personal machine. You cannot enforce full-disk encryption on a volunteer moderator's laptop. You cannot assume that the person who passed your interview is actually who they say they are.
+
+The answer is not to give up on security. It's to redesign your security model around these realities, using layered controls that provide meaningful protection without requiring full control over every endpoint.
+
+---
+
+## Identity as the Perimeter: Zero Trust for Web3
+
+In a Zero Trust architecture, no user, device, or network connection is trusted by default. Every access request is verified at the time it's made, based on the identity of the requester, the health of their device, and the sensitivity of what they're accessing.
+
+For Web3 organizations, this means **identity becomes the perimeter**. Since you don't control the network or the endpoints, control what you can: who gets access, to what, and under what conditions.
+
+### Start with a Central Identity Provider (IdP)
+
+A centralized IdP — Okta, Microsoft Entra ID, or Google Workspace — is the foundation of your Zero Trust architecture. Every application that supports SSO should be connected to it.
+
+The operational benefits are immediate:
+- **Single provisioning/deprovisioning point.** When someone leaves or is compromised, disabling their IdP account cascades across every connected application in seconds.
+- **Single set of credentials for workers.** Fewer passwords means less credential fatigue and reduced phishing surface.
+- **Centralized audit logging.** Every login, every access attempt, in one place.
+
+For small Web3 teams, Google Workspace often functions as the de facto IdP with minimal additional cost, enabling SSO across a growing ecosystem of security-conscious SaaS tools.
+
+### Enforce Phishing-Resistant MFA
+
+Standard TOTP codes (authenticator apps) and SMS-based 2FA remain vulnerable to real-time phishing attacks, where an adversary proxies login attempts and forwards OTP codes to their own session before expiry. This is the primary reason session cookie theft (as described in Scenario 1) is so effective — it bypasses MFA entirely by operating on an already-authenticated session.
+
+Phishing-resistant MFA raises the bar significantly:
+- **Built-in biometrics** (Windows Hello, macOS Touch ID, passkeys) bind authentication to the physical device using public-key cryptography. The credential cannot be phished because it never leaves the device.
+- **Hardware security keys** (YubiKey, Titan Key) require physical possession of the device for authentication. A stolen password is useless without the key.
+
+Organizations handling significant treasury or developer access should require hardware security keys for all privileged roles.
+
+### Apply Conditional Access Policies
+
+Conditional access allows you to define rules that control when and how authentication succeeds. For example:
+- Only allow logins from devices that have been registered and assessed as compliant.
+- Block access from geographic regions where you don't operate.
+- Require step-up authentication (e.g., hardware key tap) when accessing sensitive systems.
+
+Even basic conditional access — requiring that a device is enrolled in your MDM before it can access production systems — eliminates an enormous class of risk from unmanaged devices.
+
+### Securing Platforms That Don't Support SSO
+
+Discord, X (Twitter), and Telegram don't support SSO with an enterprise IdP. These platforms require a different approach:
+- **Harden platform-level settings** following the SEAL account management guides: [Discord](/guides/account_management/discord), [Twitter/X](/guides/account_management/twitter), [Telegram](/guides/account_management/telegram).
+- **Vault shared credentials.** Use a team password manager (1Password Teams, Bitwarden) to share platform credentials without exposing raw passwords.
+- **Use social media management platforms** (e.g., Sprout Social, Buffer) to mediate access to official accounts, adding an audit layer and reducing the number of humans with direct credential access.
+- **Minimize the blast radius.** Only the minimum necessary people should have admin-level access to community platforms.
+
+---
+
+## Device Security Tiers
+
+Not every role in a Web3 organization carries the same risk. A treasury custodian approving an $8 million multisig transaction warrants different security controls than a community moderator answering questions in Discord. The following tier model provides a framework for matching security investment to actual risk.
+
+### Tier 1: The Gold Standard — Managed Devices
+
+Issue organization-managed hardware to your highest-risk roles. This is the only option that provides full security stack visibility and control.
+
+**What managed devices enable:**
+- **Endpoint Detection & Response (EDR)** — CrowdStrike Falcon or SentinelOne provides real-time behavioral monitoring, malware detection, and threat hunting capability across your fleet.
+- **Mobile Device Management (MDM)** — Intune (Microsoft) or JAMF (Apple) enforces configuration policy, enables remote wipe, and ensures devices stay patched.
+- **Full Disk Encryption** — BitLocker (Windows) or FileVault (macOS) ensures that a stolen device reveals nothing.
+- **Biometric authentication** — TouchID/Hello provides phishing-resistant local authentication tied to the physical device.
+- **Comprehensive logging** — Centralized log collection enables threat hunting and incident reconstruction.
+
+**Target roles:** Developers with production access, leadership, treasury custodians, key signers, and security leads.
+
+> 💡 **Practical note:** The cost of a managed device fleet (hardware + EDR + MDM) is typically far less than a single significant security incident. For treasury-adjacent roles, this is non-negotiable.
+
+### Tier 2: Privacy-First Scale — Virtual Desktop Infrastructure (VDI)
+
+For global contractors and support staff where issuing physical hardware is impractical, a Virtual Desktop Infrastructure (VDI) provides a secure computing environment hosted in the cloud, accessible from any device.
+
+The employee's personal laptop becomes a thin client. All sensitive work — code editing, file access, system administration — happens inside the virtual machine, which is fully managed and monitored by the organization. The employee's personal device never touches corporate data directly.
+
+**What VDI provides:**
+- Complete visibility and control inside the virtual environment.
+- Corporate web proxying and traffic inspection.
+- Centralized data storage — nothing sensitive ever lands on the employee's personal device.
+- Protection of employee device privacy (the organization sees inside the VDI, not the host device).
+
+**Known limitations:**
+- Susceptible to host-level keyloggers and screen capture — if the employee's physical machine is compromised, a keylogger running on the host can capture everything typed into the VDI.
+- Performance and latency overhead, particularly for video-intensive work.
+- Hardware authentication dongle (e.g., YubiKey) compatibility issues in virtualized environments.
+
+**Target roles:** Global operations, customer support, regional teams, contractors with defined scopes.
+
+Cloud VDI providers (AWS WorkSpaces, Azure Virtual Desktop, Google Cloud's Cloud Workstations) make deployment relatively straightforward at scale, with per-hour billing models that suit contractor workflows.
+
+### Tier 3: Minimum Viable Security — Enterprise Browser
+
+For general staff and short-term contractors where neither managed hardware nor VDI is practical, an enterprise browser provides a secured, managed browsing environment on any machine.
+
+**Chrome Enterprise Core** (free with Google Workspace) and **Island Enterprise Browser** provide:
+- **Extension allowlisting** — only approved browser extensions can run, eliminating the malicious extension vector that enabled the Discord cookie theft scenario.
+- **IdP integration** — the browser enforces identity and access policies at the browsing layer.
+- **Isolated history and cookies** — work browsing is sandboxed from personal browsing, reducing session theft risk.
+- **DLP controls** — policies can prevent uploading, downloading, printing, or copying sensitive data to unapproved destinations.
+
+> 💡 **Pro tip:** If you use Google Workspace, you already have Chrome Enterprise Core at no additional cost. Enabling extension allowlisting alone eliminates one of the most common attack vectors against Discord and web-based platforms.
+
+**Known limitations:**
+- Zero protection if the host operating system is compromised. A keylogger or RAT on the underlying OS can capture everything regardless of the browser's security posture.
+- Cannot block host-level screen capture.
+- No control over physical USB/hardware access.
+
+**Target roles:** General staff, community managers, short-term contractors.
+
+---
+
+## Workforce Security: Verification, Onboarding, and Offboarding
+
+Identity verification is the other side of the device security coin. Sophisticated device controls are undermined if the person behind them isn't who they claim to be.
+
+The DPRK IT worker problem has made this concrete. North Korean operatives have successfully passed multiple rounds of video interviews, background checks, and reference checks at major companies — including a 2024 case where KnowBe4 — a security awareness training company — hired a DPRK operative who passed four video conference interviews and a background check using a stolen US identity with an AI-enhanced photo, before their EDR software detected malware loading on the corporate Mac workstation the moment it was received. Google Threat Intelligence Group (GTIG) has documented North Korean IT workers using AI-generated profile photos, deepfake video during interviews, and AI writing tools to overcome language barriers.
+
+### Tiered Verification
+
+Verification depth should scale with the sensitivity of the role being filled.
+
+**Level 1 — Pseudonymous Contributor**
+*Applies to: OSS contributors, community moderators, bounty hunters*
+
+This tier acknowledges that Web3 has a legitimate pseudonymous contributor ecosystem. The verification goal is continuity and authenticity, not real-world identity:
+- On-chain wallet history demonstrating consistent, legitimate activity over time.
+- Persistent pseudonymous identity with verifiable history (GitHub commit history, forum participation).
+- Liveness check to confirm a real human is present (see below).
+- **Scoped access only** — this tier should never have admin rights, treasury access, or access to production systems.
+
+**Level 2 — Verified Worker**
+*Applies to: Engineers, operations staff, administrative roles*
+
+At this tier, real-world identity must be established:
+- Government-issued photo ID verification.
+- Background check through a reputable provider, with verified jurisdiction.
+- Reference checks with direct contact verification (don't rely on references you can't independently validate).
+- Video interview with active liveness verification (see below).
+
+**Level 3 — Privileged Operator**
+*Applies to: Treasury signers, cloud infrastructure root access, security leadership*
+
+The highest tier requires the highest scrutiny:
+- In-person verification — mandatory final-round interviews conducted on-site or at a trusted venue.
+- Hardware wallet issuance and setup conducted in-person or via verified secure delivery.
+- Dual-authorization requirements for all privileged actions (no single person can move funds or change critical configurations alone).
+- Periodic re-verification, especially after extended remote-only periods.
+
+### Defeating Deepfakes: Liveness Verification
+
+Video interviews are now a primary vector for DPRK operative infiltration. Pre-recorded deepfake video can fool a casual interviewer, particularly when audio "technical difficulties" are used as cover to avoid interactive conversations. Standard video calls are not sufficient for identity verification at Levels 2 and 3.
+
+Incorporate unpredictable, interactive requests into video calls to break deepfake presentations:
+
+- Ask the candidate to turn their head sideways and hold the position.
+- Have them read a randomly generated phrase displayed on screen for the first time during the call.
+- Request a hand movement across the face mid-stream.
+- Ask them to screen-share and perform a live technical task that requires real-time interaction with their actual environment.
+
+The goal is to introduce enough unpredictable real-time interaction that a pre-rendered deepfake cannot keep up. Deepfakes degrade significantly when required to produce rapid, specific movements that weren't part of the training dataset.
+
+Additionally, watch for behavioral patterns: persistent, escalating excuses to avoid any in-person interaction — even for high-value roles — is a documented indicator of DPRK IT worker activity. See the [DPRK IT Workers: Techniques, Tactics and Procedures](/dprk-it-workers/techniques-tactics-and-procedures) page for a comprehensive list of behavioral indicators.
+
+### Hardened Onboarding Workflow
+
+The sequence in which access is provisioned matters. A compromised first-day experience can create security gaps that persist for months.
+
+1. **Identity first.** Provision the IdP account with phishing-resistant MFA before any other access is granted. This becomes the authentication anchor for all subsequent provisioning.
+2. **Environment setup.** Issue the managed device (Tier 1), provision VDI access (Tier 2), or configure enterprise browser policies (Tier 3) before any production system access is enabled.
+3. **Scoped access.** Apply least-privilege access from day one. Don't grant "we'll scope it later" broad permissions. Define the exact scope before provisioning.
+4. **Secrets hygiene briefing.** Ensure the new team member understands the organization's secrets management practices: where credentials are stored, how to request access, and what to do if they suspect compromise.
+
+### Instant Offboarding
+
+Offboarding is where most organizations have significant gaps. The sequence matters:
+
+1. **Disable the IdP account first.** This should be the first action, taken before any conversation or formal process. The IdP account is the authentication root — disabling it cascades across all connected SSO applications immediately.
+2. **Kill active sessions.** Force session revocation in all applications. Active sessions may persist briefly after IdP account disablement depending on session token lifetimes.
+3. **Rotate all shared secrets.** Any API keys, shared passwords, or access tokens the departing person had access to must be rotated immediately. This includes keys for external services where individual accounts don't exist.
+4. **Recover hardware.** Retrieve issued devices and remotely wipe as needed.
+5. **Audit access.** Review the access log for the offboarded account covering the 30-day period prior to offboarding for anomalous activity.
+
+> ⚠️ **Insider threat window.** The period between a decision to terminate and actual offboarding is the highest-risk window for insider data exfiltration. For sensitive roles, access revocation should happen simultaneously with or before any notification.
+
+### In-Person Verification for High-Stakes Operations
+
+For roles involving fund movements or production code deployment, in-person verification is a non-negotiable security control, not a "nice to have."
+
+- **Mandatory in-person final-round interviews** for Level 2 and Level 3 roles.
+- **Periodic team meetups** ensure that at least annually, every person with privileged access has been physically verified by colleagues.
+- **Escalate evasion patterns.** Any candidate or employee who consistently, persistently avoids in-person interaction — particularly when the role would normally require it — warrants a security review. DPRK IT workers specifically avoid video calls, in-person meetings, and situations that would reveal their true location.
+
+---
+
+## Building a Security Culture in a Small Team
+
+Web3 organizations have a structural advantage that large enterprises can only envy: they are small, fast-moving, and unburdened by legacy infrastructure. This is a security asset if used deliberately.
+
+The security controls described in this guide don't require a large security team to implement. A single security-aware operations lead, armed with Google Workspace, an MDM solution, a password manager, and clear policies, can establish a security posture that would take a Fortune 500 company years to achieve through bureaucratic processes.
+
+The key is making security frictionless. If the secure path is also the convenient path, people will follow it. SSO means one login for everything. A password manager means never having to remember or type passwords. Phishing-resistant MFA means not having to check your phone for a code. Security doesn't have to mean friction — and in Web3, where execution speed is a competitive advantage, that matters.
+
+> 💡 **The economics of prevention:** You pay for security in one of two ways — either you invest in prevention now, or you pay for the consequences later. The Discord cookie theft scenario cost a single project an estimated $1 million in lost revenue. A managed device fleet for five high-risk roles typically costs under $20,000 per year.
+
+---
+
+## Attribution
+
+This content was originally contributed by [Andrew Chang-Gu](mailto:andrew@blockchang.com) (CISSP).
+
+---
+
+
+
diff --git a/utils/fetched-tags.json b/utils/fetched-tags.json
index 8c475f51..5e35da24 100644
--- a/utils/fetched-tags.json
+++ b/utils/fetched-tags.json
@@ -716,6 +716,12 @@
"Devops",
"SRE"
],
+ "/opsec/web3-workforce-security": [
+ "Security Specialist",
+ "Operations & Strategy",
+ "HR",
+ "Engineer/Developer"
+ ],
"/privacy/data-removal-services": [
"Engineer/Developer",
"Security Specialist"
diff --git a/vocs.config.tsx b/vocs.config.tsx
index 78a1a8e3..df170991 100644
--- a/vocs.config.tsx
+++ b/vocs.config.tsx
@@ -99,6 +99,7 @@ const config = {
{ text: 'TL;DR', link: '/opsec/travel/tldr', dev: true },
]
},
+ { text: 'Web3 Workforce Security', link: '/opsec/web3-workforce-security' },
{ text: 'Appendices', link: '/opsec/appendices/overview', dev: true }
]
},