When an exploit hits, publish a holding statement within sixty minutes, even if you know almost nothing yet. Acknowledge the incident, confirm you are investigating, tell users what to do right now, and promise a timeline for the next update. That single action separates teams that control the story from teams that spend a week chasing it. Everything else in crisis comms, the technical postmortem, the compensation plan, the rebuild narrative, flows from whether you moved first in that opening hour.

I run fractional PR for Web3, DePIN and cybersecurity founders, and I have been in the room, or on the call, when exploits land. The pattern that decides outcomes is almost always the same: teams that treat the first hour as a communications problem, not just a technical one, keep their communities and their media relationships intact. Teams that go dark for four hours, or issue a legalistic non-statement, hand the story to on-chain sleuths, anonymous Twitter accounts and, increasingly, AI-powered news aggregators that write their own version of what happened. That version is rarely kind. This playbook is the field guide I give every founder who retains me on a Web3 PR campaigns basis, updated for the speed and reach of the 2026 media environment.

Why the first sixty minutes matter more than anything that follows

Crypto media and on-chain analytics have closed to near real-time. By the time an exploit is large enough to register on Etherscan or a chain explorer, Lookonchain, Arkham and similar services have already begun surfacing wallet movements. In parallel, reporters at CoinDesk, The Block, Decrypt and Cointelegraph monitor those same feeds. In 2026, a nine-figure exploit can be reported within twenty minutes of the first anomalous transaction, often before the protocol team has even finished an internal triage call.

If your first public statement arrives two hours after a reporter's first article, you are not setting the record straight. You are reacting to someone else's framing, and that framing is already being indexed, cited and amplified. The first public source becomes the reference point for everything that follows, including the AI-generated summaries that will surface in search and answer engines for months. Your window to be that source is narrow.

The sixty-minute rulePost a holding statement within sixty minutes of internal confirmation that an incident is real. It does not have to contain all the facts. It has to demonstrate that you know about it, you are taking it seriously, and users have a clear next step. Post it on your official Twitter/X account and Discord simultaneously, then link to a live incident page if you have one. Lock down all other comms channels so no team member speaks publicly ahead of the official statement.

The holding statement: what to say when you know almost nothing

The holding statement is the most misunderstood asset in crypto crisis comms. Most teams either skip it entirely, waiting until they have the full picture, or publish something so hedged it says nothing. Both are mistakes. The holding statement exists to accomplish three things in the fewest possible words: confirm awareness, tell users what to do right now, and give a time by which you will say more.

Template you can adapt in ten minutes

Holding statement template

We are aware of an incident affecting [PROTOCOL/CONTRACT NAME] that was reported at approximately [TIME UTC]. We have [paused the protocol / alerted our security team / engaged our auditor] and are actively investigating. If you have funds in [AFFECTED POOL/CONTRACT], [do not make further deposits / bridge out via [LINK] / take no action until further notice]. We will provide a full update by [TIME + 2 HOURS]. Our team is on this now.

No legal disclaimers. No passive voice. No "we take security extremely seriously." Those phrases cost you credibility with every reader who has seen them before.

Notice what the template does not include: apologies for something you cannot yet verify, speculation about the attacker or root cause, dollar figures before you have confirmed them, or any promise about compensation before legal and technical review. You will address all of those things, but not in hour one. The holding statement is about information control, not liability management. Your lawyers will want to add language. Resist it. A statement that reads like a legal brief tells the community exactly who you were thinking about when you wrote it, and it is not them.

Field ruleSilence in a crypto crisis is not caution. It is a narrative vacancy that someone else will fill, usually an on-chain sleuth with no obligation to be accurate and every incentive to be dramatic.

The full crisis comms timeline: hour by hour

Window What to do What not to do
0 to 15 min Internal triage: confirm incident is real, pause contracts if possible, loop in CEO, CTO, legal counsel and your PR contact Post anything publicly, share on community Discord without a coordinated statement
15 to 60 min Draft and post holding statement; assign single spokesperson; alert your PR operator Speculate on cause or attacker; publish partial dollar figures; let team members post independently
1 to 4 hrs Second update with more detail on scope; confirm which contracts / chains are affected; post AMA time if warranted Go silent; delete earlier posts; fight with critics on-chain Twitter
4 to 24 hrs Publish detailed incident report draft; brief tier-1 reporters (CoinDesk, The Block) for accurate coverage; open community AMA Promise repayment timelines you cannot confirm; speculate on the attacker's identity
24 to 72 hrs Publish full post-mortem with root cause, remediation steps and compensation framework; proactive outreach to affected users Treat the post-mortem as a legal document rather than a trust document
Week 2 and beyond Begin rebuild narrative: re-audit, re-launch comms, founder op-ed on lessons learned; brief key outlets on recovery progress Return to normal marketing as if nothing happened; skip the public audit results

The do-and-don't list that separates teams

Every crisis I have watched unfold has a version of the same set of mistakes. Some are tactical. Some are instinctive. All of them make recovery harder.

Do

  • Move fast on the holding statement, even with incomplete information. Speed signals control. Silence signals panic.
  • Designate a single spokesperson before the first public post. Every additional voice is a surface for inconsistency.
  • Brief your top-tier reporters directly before they publish from secondary sources. CoinDesk, The Block and Decrypt all have beat reporters who will write the story with or without you. A direct briefing gives you a chance at accurate framing rather than a reconstruction from on-chain data alone.
  • Keep your community channels active even when you have nothing new to say. A pinned message that says "our team is working on this and we will update at [TIME]" costs almost nothing and prevents the vacuum that feeds speculation.
  • Publish a real post-mortem. Not a PR document. A technical account of what happened, what failed, what you are changing, and what affected users can expect. The protocols that recovered fastest after major exploits, including those that subsequently raised again, published post-mortems that read like engineering reports, not press releases.

Don't

  • Don't go dark. Four hours of silence after an exploit is four hours of someone else's narrative becoming the default record.
  • Don't delete posts. Deletions are screenshotted immediately and read as evidence of cover-up, even when the intent is correction.
  • Don't speculate publicly about the attacker. Attribution takes time and technical analysis. A premature accusation that turns out to be wrong compounds the original damage.
  • Don't let legal counsel write the public statement. Legal teams are optimised for liability minimisation. Your community is reading for honesty and accountability, which are different things. The legal review should happen, but the public voice should be human.
  • Don't conflate the depeg playbook with the exploit playbook. A depeg or liquidity crisis needs different messaging: the emphasis is on market mechanics and protocol design, not security. Mixing the two confuses users and compounds the credibility problem.

Depegs and liquidity crises: what is different

A depeg is not a hack. The comms architecture is different in two important ways, and running an exploit playbook on a depeg is a common mistake that accelerates the spiral.

First, a depeg often has no single culpable party. The framing cannot be "we were attacked." The framing has to explain market mechanics honestly: what conditions triggered the peg deviation, what the protocol's design assumptions were, and what the path back to stability looks like. Any attempt to make a liquidity crisis sound like an external attack gets dismantled in real time by on-chain analysts, and the resulting credibility loss is worse than the original incident.

Second, the user action in a depeg is usually urgent and specific. "Exit via this route before this time" is sometimes the right message, and publishing that message clearly and early is not capitulation, it is responsible comms. The teams that handled depeg events well in the 2023 to 2025 cycle were the ones that gave users clear, actionable information rather than defending the peg's stability while it continued to unwind.

Depeg messaging frameSeparate three things in your public communications: (1) what is happening mechanically, in plain language; (2) what users can do right now to protect their positions; (3) what the protocol's plan is, with honest timelines. Conflating these three produces the corporate non-statement that destroys trust faster than the depeg itself.

Media relations during a crisis: briefing not blasting

The instinct under pressure is to send a blast to every journalist contact at once. Resist it. In a crisis, the right media strategy is the opposite of a launch: targeted, personal, fast, and honest about what you do not yet know.

Identify the three to five reporters who cover your specific beat most seriously. For a DeFi protocol, that is likely the DeFi reporters at CoinDesk and The Block, the security beat at Decrypt, and the analyst at Blockworks who has written about your ecosystem. For a cybersecurity or infrastructure play, add Dark Reading, SC Magazine and the relevant beat at Forbes or TechCrunch. Reach out to each of them individually, acknowledge they may already have the story, and offer a direct briefing with your CEO or CTO within the hour.

What you offer a reporter in this briefing: an honest account of what you know, a named technical contact for follow-up questions, and the clearest possible statement of what you are doing about it. What you do not offer: exclusives that create resentment with other reporters, speculation that you cannot stand behind, or off-the-record comments that contradict your public statement. The goal is accurate coverage, not favourable coverage. Accurate coverage in a crisis is the best you can do, and it is far better than the alternative. This is the core of what I mean when I talk about cybersecurity PR as a discipline distinct from standard launch comms.

Field ruleCrisis media relations is not about spin. It is about being the most reliable, fastest source of accurate information. Reporters who trust you as a source in a crisis will cite you accurately. Reporters who cannot reach you will reconstruct events from secondary sources, and the reconstruction is almost always worse than the truth.

Rebuilding trust after the incident: the sequence most teams skip

Most crisis comms guides stop at the post-mortem. That is the beginning of the recovery, not the end. The protocols that returned from serious exploits, and several have, did so because they treated the post-crisis period as a distinct PR campaign with its own narrative arc, not a return to business as usual.

The rebuild sequence has four beats, and they need to happen in order.

  1. The re-audit announcement. Before you relaunch anything, announce the security audit engagement, name the auditor and publish the scope publicly. This is not optional. It is the signal that separates teams who learned from teams who are pretending.
  2. The audit results, published in full. Including the findings you did not like. A clean bill of health from a named auditor with the report link is the single highest-credibility asset in post-exploit recovery. Partial publication or summary-only defeats the purpose.
  3. The founder op-ed or interview. Not a puff piece. A direct, first-person account of what the team learned, what changed in how they think about security, and where the protocol is going. The best examples of this I have seen run in CoinDesk Opinion or as a long-form interview with a reporter who covered the original incident. This is how you turn an incident into a chapter in a larger story, rather than the final chapter.
  4. The re-launch comms. Once the above three are in place, the relaunch narrative has something to stand on. Without them, a relaunch looks like a pivot and reads as an attempt to change the subject. This is where a retained Web3 PR campaigns relationship pays for itself: the relaunch lands inside a media relationship where context already exists, rather than cold.

The proof points here are real. Protocols that went through the full rebuild sequence, including named re-audit, published results and founder-level narrative, rebuilt TVL and community trust on timescales measured in months. Those that skipped to the relaunch without the rebuild infrastructure tended to find that the media and community memory of the incident was still the dominant narrative at the moment they most needed a clean slate. The patterns I referenced in building out crypto exchange PR in 2026 apply directly: credibility is harder to rebuild than to build, but it is not impossible if the sequence is right.

The common mistakes that make a recoverable crisis permanent

Three specific behaviours turn a survivable incident into a reputational write-off. I have watched each of them play out, more than once.

Blaming the victim. Any suggestion that users should have read the docs more carefully, that the vulnerability was edge-case, or that sophisticated users would have known better is the fastest way to destroy community loyalty permanently. It does not matter if it is technically true. It reads as cruel, and it will be screenshotted and circulated indefinitely.

The compensation promise you cannot keep. Announcing a compensation plan without legal, treasury and technical confirmation is worse than saying nothing. A broken promise in a crisis compounds the original trust damage by a factor that is genuinely hard to recover from. If you do not know what the compensation framework will be, say so honestly and give a timeline for when you will.

The pivot without the acknowledgment. Relaunching with a new brand, new contract address or new product line without a clear public acknowledgment of the incident history reads as an attempt to escape accountability. Sophisticated users and reporters notice. The incident history follows you in on-chain records regardless of what the new brand says. The only functional approach is to carry the history forward honestly, as a chapter you have learned from, not one you are hiding.

The Web3 PR agency mistakes that hurt founders in normal times are amplified in a crisis. The agency that pitches press releases when you need a holding statement, or that goes quiet because crises are not in the retainer scope, is not a crisis comms partner. Know before an incident happens whether your PR operator has done this before.

What to have ready before anything happens

The teams that move fastest in the first sixty minutes are the ones that prepared before the incident. That does not mean predicting an attack. It means having a small set of things agreed and accessible so that the first-hour decisions are about facts, not process.

  • A single comms lead with authority to post on behalf of the protocol, reachable at any hour.
  • A holding statement draft with the variables left blank, reviewed in advance by legal so the format is cleared even if the content changes.
  • A media contact list of the five reporters you would call first, with personal contact details, not just press inquiry emails.
  • An incident page URL, even if it is blank, so you have somewhere to point users beyond Twitter.
  • A clear internal escalation path: who decides to pause contracts, who approves the public statement, who speaks to press.

None of this is exotic. All of it is genuinely rare in protocols under $500M TVL. The preparation gap is real, and it is exactly what a fractional PR operator covers as part of a retained relationship, not a crisis retainer that costs five times as much once the incident is already in motion. Fractional senior operators in this space run $5,000 to $12,000 per month, compared to $15,000 to $45,000 for a full agency. The delta is meaningful when you are trying to justify a PR budget to a board that considers it overhead until the day it is not.

SJ
Shilika Jain

Fractional PR and crisis comms for Web3, DePIN, AI and cybersecurity founders. 50+ protocols placed across Forbes, CoinDesk, Cointelegraph, Decrypt, The Block and Blockworks, with crisis comms engagements across exploit, depeg and regulatory incidents. View full profile → · Book a 30-min teardown →

Frequently asked questions

What should a crypto protocol post in the first hour of a hack?
A holding statement, published within sixty minutes of internal confirmation. It should confirm you are aware of the incident, tell users the one thing they need to do right now (pause deposits, bridge out, take no action), and give a specific time by which you will provide a fuller update. It does not need root cause, attribution or compensation details. Speed and clarity matter more than completeness at this stage. Post it on your official Twitter/X and Discord simultaneously.
How is crisis comms for a depeg different from an exploit?
A depeg is not a security incident, so the messaging frame is different. You cannot frame it as an attack. The communication needs to explain market mechanics honestly, give users specific actions to protect their positions, and lay out the protocol's path back to stability with realistic timelines. Teams that run an exploit playbook on a depeg, emphasising investigation and attacker speculation, confuse users and compound the credibility damage. See the Web3 PR campaigns page for how retained crisis preparedness differs from reactive retainers.
Should you brief journalists before publishing a public statement?
No. The public statement comes first, always, so your community hears from you directly rather than reading a reporter's reconstruction. After the holding statement is live, brief three to five beat reporters personally, offer a direct technical briefing, and provide your named spokesperson. The goal is accurate coverage, not favourable coverage. Reporters who can reach you in a crisis write better stories than those who cannot.
What does trust rebuilding after an exploit actually look like?
Four things in sequence: a re-audit engagement announcement naming the auditor, full publication of the audit results including any findings, a founder-led account of what the team learned (op-ed or long-form interview), and then the relaunch narrative. Skipping to the relaunch without the preceding three steps leaves the incident as the dominant narrative at exactly the moment you need a fresh start. The sequence matters as much as the individual pieces.
How much does crisis PR cost in crypto?
A retained fractional PR operator who covers crisis preparedness runs $5,000 to $12,000 per month, and that relationship is in place before anything happens. A reactive crisis retainer, engaged after an incident is already in motion, costs significantly more and starts from zero context. A full agency runs $15,000 to $45,000 per month. The preparation gap is the most expensive thing most protocols overlook in their comms budget.

Running a protocol that needs crisis-ready comms? Start with cybersecurity PR for security-sector positioning, then Web3 PR campaigns for the retained relationship that covers both launch and crisis. Related reading: crypto exchange PR in 2026 and Web3 PR agency mistakes. The full playbook library covers pitching, pricing and narrative architecture across the stack.