TL;DR: Web 3 shifts trust toward decentralization, blockchain transparency, and user-controlled keys, according to DigiCert, but attackers still target passwords, exchange platforms, phishing, and especially private keys, with almost $3 billion stolen from crypto exchanges since 2012. That means digital trust now depends as much on identity and key governance as on protocol design.
NHIMG editorial — based on content published by DigiCert: The Importance of Digital Trust in the Era of Web 3
By the numbers:
- Since 2012, almost $3 billion has been stolen from crypto exchanges.
Questions worth separating out
Q: How should security teams govern private keys in Web 3 environments?
A: Treat private keys as governed non-human identities rather than as ordinary technical secrets.
Q: Why do decentralised systems still need identity governance?
A: Decentralisation removes some central dependency, but it does not remove the need to control who can sign, recover, rotate, or revoke trusted credentials.
Q: What breaks when a private key is stolen in a blockchain workflow?
A: The attacker can often act as a legitimate signer, which means theft can look like valid activity to the network.
Practitioner guidance
- Classify blockchain signing keys as governed identities: inventory wallets, custodial keys, API credentials, and service accounts that can initiate blockchain actions, then assign ownership, lifecycle review, and revocation responsibility to each one.
- Protect private keys like production secrets: store keys in hardened vaults or hardware-backed controls, restrict export, and separate signing from general-purpose developer or operator access.
- Map recovery and offboarding before adoption: define what happens when a wallet owner leaves, a key is lost, or an exchange relationship changes, including who can revoke access and how replacement authority is established.
What's in the full article
DigiCert's full blog covers the explanatory detail this post intentionally leaves at the framework level:
- DigiCert's Web 3 examples of how blockchain, decentralisation, and smart contracts are expected to improve trust
- The vendor's explanation of why private key protection becomes central to user responsibility in decentralised systems
- Its supporting examples of crypto theft patterns, including exchange compromise and phishing-based credential loss
- The article's own comparison of Web 1, Web 2, and Web 3 trust assumptions
👉 Read DigiCert's blog on digital trust in the era of Web 3
Web 3 digital trust: what it means for identity teams
Explore further
Digital trust in Web 3 is an identity problem before it is a blockchain problem. The article frames decentralisation as the answer to central trust failure, but the operational risk still sits with keys, credentials, wallets, and the entities that can sign. In NHI terms, the hard part is not ledger integrity alone, but the governance of the identities that interact with it. Practitioners should read Web 3 as a shift in trust location, not a removal of trust work.
A few things that frame the scale:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: What is the difference between wallet custody and access governance?
A: Wallet custody is about who physically or technically holds the signing material. Access governance is about who is allowed to use that material, under what conditions, and how it is reviewed or revoked over time. Both matter, but governance fails fastest when custody exists without a lifecycle model around it.
👉 Read our full editorial: Digital trust in Web 3: why identity control still matters