Anecdotally, blackhats start seriously paying attention once your project crosses $100M in TVL (or an equivalent metric).

This is especially true for non-EVM chains. Ethereum has painfully endured many hacks, so its security posture has matured over time. But non-EVM ecosystems often have a false sense of safety simply because they haven’t yet crossed that critical threshold.

It’s fine to move fast and break things early. But once you hit $25M in value at risk, it's time to get paranoid. At $100M, blackhats are guaranteed to be watching.

You’ll also attract extra Blackhat attention:

1. At launch, when folks hunt for low-hanging bugs (these stories rarely go public).

2. During integrations: devs poke around, and it only takes one bad actor to trigger an exploit.

If I could offer one piece of advice: rethink your security posture around the $25M mark, especially if you moved fast or were lax early on (totally normal for startups and nothing to be ashamed of).