OpenAI on May 11 introduced Daybreak, a new cybersecurity initiative designed to find, validate, and help fix software vulnerabilities before attackers can exploit them—an approach with clear implications for cryptocurrency, where a single software failure can translate into immediate capital loss within a block.
AI Integration
The company frames Daybreak around making software “resilient by design,” shifting defenses earlier into the build process and embedding them across the development lifecycle. According to OpenAI, that means applying AI to routine but critical security work: code review that reasons across entire repositories, threat modeling that evaluates how systems interconnect and evolve, patch validation that tests whether a proposed fix closes the underlying flaw, and dependency analysis that flags weaknesses introduced by third-party components.
In crypto, this orientation maps directly onto the places where risk concentrates. Decentralized protocols and exchanges rely on complex interactions among smart contracts, oracles, front ends, multisig signers, and cloud infrastructure. Pushing security upstream—before deployment and throughout subsequent upgrades—aims to reduce the window in which adversaries can act and in which defenders have the least context to respond.
Risk Landscape
The urgency for a proactive model is visible in recent data. TRM Labs’ 2026 Crypto Crime Report found that illicit actors stole $2.87 billion across nearly 150 hacks and exploits in 2025, with infrastructure attacks—compromised keys, wallet and privileged-access systems, front-end surfaces, and control planes—accounting for $2.2 billion of that sum. Code exploits, which traditional audits most directly target, represented $350 million, or 12.1%.
Separate first-quarter figures from Hacken reinforce the limitations of an audit-centric posture: Web3 lost $482 million across 44 incidents in a single quarter. Six of those incidents involved audited protocols, including one with 18 separate audits. One theft totaling $282 million bypassed the contract layer entirely, pointing to operational and social vectors rather than a bug in code.
CertiK’s most recent wrench-attack overview recorded 34 verified incidents of physical coercion worldwide between January and April 2026, up 41% from the same period in 2025, with estimated losses of about $101 million in four months. At that pace, the firm estimates 2026 could close with around 130 incidents—evidence that the person with signing authority, the multisig participant, or the engineer with cloud-console access can become the primary attack surface.
Taken together, these datasets indicate that crypto’s risk has moved well above the smart contract itself. The places where users interact, where upgrades are authorized, and where credentials are stored or used have become primary targets, often outpacing the issues an audit alone is designed to catch.
Technology Use Case
Applied to crypto operations, Daybreak’s logic implies continuous security validations at each layer where losses now cluster. AI-assisted secure code review running before and throughout deployment can surface logic errors, access-control gaps, and unsafe assumptions before they reach mainnet. Ongoing threat modeling across protocol upgrades can assess how an architecture adjustment, a new bridge, an updated governance mechanism, or an added oracle changes the attack surface.
Dependency and oracle risk analysis can help identify whether a third-party library, middleware component, or external data source weakens the protocol that relies on it. Patch validation prior to governance execution can verify that a proposed fix resolves the vulnerability and remains safe under adversarial conditions. Regular privileged-access reviews for multisigs, signers, front-end deployments, and custody systems can reduce exposure from misconfiguration or key sprawl. And monitoring tuned to detect abnormal behavior before funds leave can compress the time between detection and response, when seconds matter.
| Security function | What it checks | Why it matters in crypto |
|---|---|---|
| AI-assisted secure code review | Contract logic, access controls, assumptions, and upgrade-related issues pre- and mid-deployment | Surfaces exploitable flaws before they reach mainnet, where failure can become immediate capital loss |
| Continuous threat modeling | How upgrades, architecture choices, governance, oracles, and bridge designs introduce new surfaces | Keeps defenses aligned with a protocol as it evolves, rather than freezing risk at launch |
| Dependency and oracle risk analysis | Third-party libraries, oracle providers, middleware, and bridge components that alter trust assumptions | Major failures increasingly emerge from the surrounding stack, not only from contract code |
| Patch validation before governance execution | Whether a fix closes the root cause and remains robust under adversarial testing | Prevents approvals for patches that appear correct but leave an exploit path—or create a new one |
| Privileged-access review | Multisigs, signers, admin keys, custody, cloud-console rights, and front-end deployment permissions | Infrastructure attacks increasingly target entities that can move funds or change protocol behavior |
| Monitoring before funds leave | Suspicious transactions, unusual signer behavior, front-end anomalies, or withdrawal outliers | Reduces detection-to-response time, improving chances to intervene before losses escalate |
Even protocols with extensive audit histories can carry exposure through unmonitored front-end deployments or misconfigured multisigs. Those operational blind spots overlap with where many of 2025’s largest losses occurred.
Dual-Use Reality
OpenAI acknowledges that expanded cyber capabilities can be misused. Daybreak is paired with verification, scoped access, safeguards, misuse monitoring, and stronger account controls. The same AI that helps defenders review code, validate patches, and model threats can also assist attackers in scaling phishing, generating convincing fake front ends, cloning legitimate protocols, analyzing dependency chains for exploitable weaknesses, and conducting broader social engineering against custodians, signers, and support channels.
Hacken’s dataset ranks phishing among leading vectors, while CertiK’s findings on physical coercion show attackers targeting people directly. Both categories depend on social and operational manipulation, and AI can operate at scale in both.
Industry Response
Two paths emerge for crypto security. In the more constructive scenario, “resilient by design” becomes a competitive baseline. Teams treat continuous code review, signer-policy audits, dependency checks, front-end integrity monitoring, and governance-execution validation as ongoing requirements. Audit certification then gives way to a broader operational proof of resilience across signers, upgrades, dependencies, and access controls.
OpenAI’s model—pairing more capable tooling with stronger verification and process controls—offers an external template. And if 76% of losses stem from infrastructure, as TRM’s data implies, that is where the next security standard must operate. Protocols able to demonstrate continuous operational resilience may find a more receptive audience among insurers, regulators, and institutional allocators than those presenting only a stack of audit reports.
The less favorable outcome is that AI-assisted security remains a marketing layer. Protocols add AI language to documentation while keeping the underlying model centered on pre-launch audits and post-exploit post-mortems. Meanwhile, attackers use the same tools to accelerate phishing, clone interfaces faster, and compromise support channels more effectively than defenders improve their workflows.
Hacken’s finding that one attacker stole $282 million without touching a single line of contract code underscores how far beyond the contract layer the attack surface now extends, and how much of today’s security framework addresses only a portion of that terrain.
For an industry long oriented around point-in-time audits and post-incident response, the lesson in OpenAI’s Daybreak is straightforward: move defenses earlier, keep them continuous, and align them with where losses actually occur.
