Crypto hacks are now making the headlines on a regular basis, as illustrated by the $620 million heist of blockchain game Axie Infinity in March or last week’s $160 million hack of crypto market maker Wintermute. With criminal activity involving cryptocurrencies on track to reach a new record after the 2021 peak ($14 billion, up from $7.8 billion in 2020), it’s obvious that crypto security is not keeping pace with the value of assets that blockchains hold.
Those numbers are indeed massive for a technology that touts transaction security and immutability as some of its key features. Even if it’s not the blockchain itself but the interface (e.g., wallets or crypto exchanges) and applications built on it (e.g., smart contracts, DeFi protocols) that present risks, securing the digital assets’ environment now appears as a priority to foster blockchain adoption and Web3/Metaverse take-off.
The list of illegal activities that can be linked to cryptocurrencies is quite long. For instance, specialized malware and scams are being designed from the ground up with the sole objective of stealing identification credentials, tricking people into sending funds to an incorrect address, or simply stripping imprudent investors of their assets in a “pull the rug” or “pump and dump” scam. Crypto crime also includes all criminal activities that are facilitated by the technology. Money laundering, collecting funds from a ransomware attack, financing terrorist activity or selling illegal products or services on the dark web are all simplified by the anonymity and fund mobility of cryptocurrencies.
When it comes to hacking, hacks on crypto bridges (the software that allows users to transfer tokens from one blockchain to another) accounted for more than two-thirds of the total value stolen in the first seven months of 2022, according to Chainalysis estimates. Crypto bridges operate their own security mechanisms for validating transactions and, in most cases, security is clearly not up to date: in Axie Infinity’s case, the cybercriminals had to hack only five out of nine validator nodes to obtain the minimum number of (cryptographic) signatures required to validate and process withdrawals. In Harmony’s Horizon hack, they hacked two out of a total of five accounts to obtain the necessary passwords…
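The following added example (not code from any bridge named above) audits an m-of-n signer set of the kind just described. It goes beyond the text by also counting how many independent operators hold the keys; the key ids, operator names and the mapping between them are constructed.

```python
from collections import Counter

def effective_threshold(threshold, key_operator):
    """Fewest distinct operators whose compromise yields `threshold` keys.

    key_operator maps validator key id -> operator holding that key.
    Greedy is optimal: taking the largest holders first reaches the
    signature count with the fewest compromised parties.
    """
    if not 1 <= threshold <= len(key_operator):
        raise ValueError("threshold must be between 1 and the number of keys")
    collected = 0
    holdings = sorted(Counter(key_operator.values()).values(), reverse=True)
    for parties, keys_held in enumerate(holdings, start=1):
        collected += keys_held
        if collected >= threshold:
            return parties

def withdrawal_approved(threshold, key_operator, signers):
    """Count each authorised key once; unknown and repeated signers add nothing."""
    return len(set(signers) & set(key_operator)) >= threshold

def audit(threshold, key_operator, min_parties):
    """Return findings for a signer set; an empty list means none."""
    findings = []
    parties = effective_threshold(threshold, key_operator)
    if parties < min_parties:
        findings.append(
            f"{threshold}-of-{len(key_operator)} keys falls to {parties} operator(s)")
    if 2 * threshold <= len(key_operator):
        findings.append("threshold is not a strict majority of keys")
    return findings

# Constructed signer sets (placeholders, not real bridge configurations).
NINE_INDEPENDENT = {f"v{i}": f"op{i}" for i in range(1, 10)}
NINE_CONCENTRATED = {**NINE_INDEPENDENT,
                     "v2": "op1", "v3": "op1", "v4": "op1", "v6": "op5"}
FIVE_INDEPENDENT = {f"a{i}": f"op{i}" for i in range(1, 6)}

if __name__ == "__main__":
    print(audit(5, NINE_INDEPENDENT, 5))
    print(audit(5, NINE_CONCENTRATED, 5))
    print(audit(2, FIVE_INDEPENDENT, 2))
```
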
The main source of code weakness emerges when smart contract developers are working with and/or for open-source communities. Open-source development allows hackers to scan the code for vulnerabilities and to plan attacks sometimes months ahead. That said, vulnerability registers like the SWC registry or secure coding frameworks like SCSVS (Secure Smart Contracts Development), SEI CERT or OWASP provide resources and guidance to developers. In addition, code audits offered by Tokenguard or Consensys, for instance, test code for vulnerabilities and can certify (to a certain extent) the soundness of a smart contract.
For criminals, the crypto ecosystem is double-sided. As the blockchain is a distributed ledger that publicly records all the transactions approved by a decentralized surveillance mechanism (consensus protocol) based on cryptographic algorithms, every transaction, while being totally anonymous, is fully transparent, unlike in the traditional banking system. This feature allows addresses that have been tagged as illicit to be tracked and the funds moving to and from them to be followed, which is extremely convenient, even if no individual name is tied to them. For instance, the US DOJ was able to recover $2.3 million out of a total $4.4 million from the Colonial Pipeline ransomware that greatly disrupted gas supply on the US East Coast in May 2021.
Digital forensics companies like Chainalysis or Elliptic specialize in tracking funds that are suspicious or known to be unduly collected. The challenge lies in the tagging of blockchain addresses, but also in the ever-increasing complexity of fund movements through numerous transactions within the same and across different blockchains. Indeed, techniques such as mixing (services such as Tornado Cash that conduct many transactions to scramble and obfuscate the provenance or destination of funds) and deposits in pools where lawful users are also present, like DeFi projects or even centralized crypto exchanges, add a layer of complexity to the task. In addition, cryptocurrencies like Monero and Zcash are designed to provide complete anonymity even at the public ledger level and are making it incrementally harder to recover stolen tokens.
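To make the tracing problem concrete, this added example (not the method of any company named above) follows funds from a tagged address using the proportional "haircut" taint heuristic, one of several used in blockchain analysis. The addresses, amounts and simplified account-style ledger are constructed assumptions.

```python
from fractions import Fraction

def trace_taint(initial, tagged, transfers):
    """Propagate taint from tagged addresses with the haircut heuristic.

    initial:   {address: starting balance}
    tagged:    addresses whose starting balance is treated as illicit
    transfers: chronological (sender, receiver, amount) tuples
    Returns {address: (tainted_amount, tainted_share)} for exposed addresses.
    """
    balance = {a: Fraction(v) for a, v in initial.items()}
    taint = {a: balance[a] if a in tagged else Fraction(0) for a in balance}
    for sender, receiver, amount in transfers:
        amount = Fraction(amount)
        if amount <= 0 or balance.get(sender, 0) < amount:
            raise ValueError(f"invalid transfer {sender}->{receiver} {amount}")
        # Haircut: an outgoing payment carries the sender's current tainted share.
        moved = taint[sender] * amount / balance[sender]
        balance[sender] -= amount
        taint[sender] -= moved
        balance[receiver] = balance.get(receiver, Fraction(0)) + amount
        taint[receiver] = taint.get(receiver, Fraction(0)) + moved
    return {a: (taint[a], taint[a] / balance[a]) for a in balance if taint[a] > 0}

def flag(report, min_share):
    """Addresses whose tainted share meets an alerting threshold."""
    return sorted(a for a, (_, share) in report.items() if share >= min_share)

# Constructed ledger: "theft" is the tagged address, user1/user2 are lawful.
INITIAL = {"theft": 100, "user1": 300, "user2": 100}
DIRECT = [("theft", "hop1", 100), ("hop1", "hop2", 100)]
POOLED = [("theft", "hop1", 100), ("hop1", "pool", 100),
          ("user1", "pool", 300), ("user2", "pool", 100),
          ("pool", "out_a", 100), ("pool", "out_b", 200)]

if __name__ == "__main__":
    for name, txs in (("direct", DIRECT), ("pooled", POOLED)):
        report = trace_taint(INITIAL, {"theft"}, txs)
        print(name, flag(report, Fraction(1, 2)), flag(report, Fraction(1, 5)))
```

On the direct path the final hop is fully tainted and trips a 50% alert; once the funds pass through the shared pool, every output carries only a 20% share, so the same alert finds nothing even though the total tainted amount is unchanged.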
To handle these challenges, regulations are emerging. Certain types of cryptocurrencies are already being delisted from exchanges and governments are pushing for clearer definitions and laws around crypto assets. Also, a substantial share of the work can be done upfront, by reinforcing compliance and audit of crypto bridges and DeFi protocols.
In conclusion, crypto security appears as a secular theme and a new wave of IPOs will probably hit the market when conditions improve. As an illustration, Chainalysis reached an $8.6 billion valuation in a recent funding round. As for the listed cybersecurity companies, they are currently indirect beneficiaries of rising crypto crime as they handle crypto-related attacks such as cryptojacking malware (computer viruses infecting hosts to mine cryptocurrencies). But it’s likely they will soon try to up their game and notably strengthen their blockchain code audit and/or crypto tracking capabilities by acquiring or investing in pure-play start-ups.