The rapid adoption of Web3 infrastructures has led to a growing number of security incidents affecting cryptocurrency exchanges, custody services and blockchain-based platforms. While existing research predominantly focuses on vulnerabilities in smart contracts and blockchain protocols, a substantial portion of real-world losses originates from off-chain systems, organizational processes and human-centered operational workflows. This paper presents a qualitative, incident-based analysis of publicly documented, high-impact security breaches in the Web3 ecosystem, including the Bybit exchange incident (2025), the Ronin Network bridge compromise (2022), and the DMM Bitcoin exchange breach (2024). The selected cases are systematically analysed and mapped to established Web2 security reference frameworks, including OWASP-based vulnerability categories and organizational security control domains. The results indicate that dominant failure patterns in Web3 environments are insufficiently addressed by generic security control catalogues, particularly with respect to cryptographic key management, transaction approval governance, signer and validator infrastructure, third-party tooling dependencies, and human-in-the-loop processes. Based on these findings, this paper argues for the adoption of established information security management systems (ISMS) in Web3 organizations and derives a structured set of blockchain-specific cybersecurity control categories to operationalize existing ISMS frameworks for blockchain-based systems. The proposed categories aim to bridge the gap between generic security governance frameworks and domain-specific risks inherent to Web3 infrastructures.