According to data from the Rekt leaderboard, cybercriminals have stolen as much as $3 billion of investor funds through 141 different cryptocurrency exploits since January, putting 2022 on track to surpass 2021 in digital currency abuse. Comparitech’s tracking of cryptocurrency heists indicates that since 2011, hackers have stolen $7.9 billion in cryptocurrency worth about $45.5 billion in today’s value.
Along with the increased dollar amounts of cryptocurrency thefts, the scams, hacks and exploits of cryptocurrency, Web3 (a decentralized view of the web incorporating blockchain technologies and token-based economy), and blockchain-related organizations are becoming bolder and more lucrative for malicious hackers even as the value of cryptocurrencies stagnates. This month alone, Binance saw its BNB chain tapped for $586 million, close to the most significant cryptocurrency theft of $624 million from the Ronin Network in March 2022.
The threat actors in these and other cases likely did not keep all or even most of the astonishing sums stolen, but in many cases they are increasingly awarded handsome “bounties” in exchange for the repayment of some or most of the missing funds. Avraham Eisenberg, the man behind a $114 million exploit on Mango Markets in mid-October, got to keep $47 million of his allegedly ill-gotten gains in exchange for returning $67 million to the project.
A new crop of cyber security companies have emerged
The staggering amount of money generated from crimes against a variety of digital financial segments has no real parallels in the traditional cyber security world, which has yet to gather the expertise needed to detect, track and remediate security incidents in the blockchain space. Part of the reason conventional cybersecurity professionals are reluctant to commit resources to the digital currency arena is the belief among many top experts that cryptocurrencies are little more than financial fraud, a belief they feel is borne out by the current collapse in the cryptocurrency market.
Against this backdrop, a new crop of security companies have emerged to help Web3 firms tackle the chronic crime rate and help police track stolen currencies and currencies paid to ransomware attackers. And these companies are raising increasing amounts of venture funding despite the crypto crash.
Chainalysis, for example, which offers real-time anti-money laundering and compliance software for cryptocurrencies, has raised hundreds of millions in venture capital through six funding rounds to reach a valuation of $8.6 million. Another top firm, cryptocurrency protection company FireBlocks, has raised nearly $1 billion in five funding rounds for a valuation of $8 billion. Blockchain security company CertiK has raised over $300 million over eight funding rounds to reach a $2 billion valuation.
“This proliferation of blockchain technology is the continued expansion of the overall attack surface and environment from which attackers will continue to manipulate and extract data,” Richard Seewald, founder and managing partner of Evolution Equity Partners, a significant investor in both cybersecurity and blockchain security companies, tells CSO.
Despite their departure from traditional cyber security companies, the new crop of Web3 security companies still rely on the tried and true strategies of the conventional sector. “While we are in the early days of developing native blockchain platforms, the enterprise blockchain security strategy includes the use of traditional security controls and technology-unique controls including identity and access management, key management, data protection, secure communications, smart contract security, transaction monitoring, threat intelligence, among others,” says Seewald.
Blockchain security requires different skills
Yet the nature of the Web3 world, which only partially overlaps with the skills used by traditional cybersecurity companies, requires new approaches to protect against malicious actions. Standard cybersecurity tools are essential in the blockchain world because “you need to understand code, you need to understand malicious code,” Chen Arad, co-founder and COO of crypto-native risk monitoring and market monitoring company Solidus Labs, a recipient of Evolution’s funding, tells CSO.
“You also have to understand a token, a smart contract on a blockchain, which at the end of the day is just code, and if it’s malicious, you have to be able to detect it at scale,” adds Arad. “You need to know if it has the characteristics of a rug pull [where a developer creates a cryptocurrency or NFT project and then absconds with the funds], which is a combination of cyber and, let’s call it, crypto-economics.”
Arad also points to a new collection of crypto-specific threats his company is seeing, “things like wash trading [where a trader buys and sells the same security] and spoofing and phishing attacks, which we know from traditional finance, but which can take place in new sophisticated ways in crypto, all the way to the most bleeding edges of the fully decentralized part, things like block-level front-running [manipulating the process to gain knowledge of upcoming transactions], rug pulls and composition attacks [exploits of Web3’s ability to combine existing components and reassemble them to create new products].”
Mircea Mihaescu, CEO of cryptocurrency risk management firm Coinfirm, tells CSO that he believes blockchain security and cybersecurity share the common trait of being technically complex. “Traditional cybersecurity versus blockchain cybersecurity, they’re very similar in their fundamentals in the sense that they’re both very complicated, technically.”
“People who work in the blockchain field have to understand a lot of things, have a very solid computer science background and learn a lot,” says Mihaescu. “The number of talented people working in cryptocurrencies, and lately what’s called Web3, has skyrocketed.”
Tracking ill-gotten cryptocurrency is a new focus
Web3 security firms are also emerging as critical players in helping law enforcement track currencies paid to ransomware attackers. In 2021, the US Department of Justice traced $2.3 million of the $4.3 million paid by Colonial Pipeline as it moved through at least 23 different electronic accounts belonging to the DarkSide ransomware gang. However, the DOJ provided few details on how it accomplished this feat.
Elliptic, which pioneered the use of blockchain analytics for financial crime compliance and received investment from Evolution, recently launched a product called Holistic Screening, which allows the proceeds of crime to be automatically tracked across all blockchains and cryptocurrency assets simultaneously.
“Blockchain analytics companies like Elliptic are following the money when cybercriminals exploit cryptocurrencies,” Dr. Tom Robinson, co-founder and chief scientist at Elliptic, told CSO. “Our holistic screening and investigation tools are used to track the proceeds of hacks carried out by North Korea or ransomware attacks by Russia-linked cybercrime groups as they are laundered through various cryptoassets and blockchains.”
The same type of tracking can apply to stolen cryptocurrencies. Mihaescu says his firm’s technology can “start from a transaction hash of stolen crypto and take it all the way across blockchains, sometimes tens of thousands of addresses created for the purpose of obscuring the path of movement of stolen crypto to where it stands. We can show that it’s at this address, and either law enforcement or the attorneys representing the victim can go and make legal efforts to retrieve the money because we prove exactly where it ended up.”
Blockchain is here to stay
Contrary to the notion that blockchain and cryptocurrencies are today’s equivalents of a Ponzi scheme, investors and companies working in the Web3 arena believe that these technologies are here to stay. “There is no doubt that crypto is here to stay in one way or another,” says Arad. “We, like most people in this industry, believe that it presents an incredible opportunity to make financing fairer, more transparent, more accessible.”
Blockchain has the potential to benefit the unbanked, including “a lot of people in places like America and Europe who still have access problems,” Arad adds. “It’s still easier to access a phone than a bank for many people.” But, “it has become very clear that all this potential will not be realized if we do not find ways to reduce the new risks without taking away the prowess of the technology.”
“There is, at last count, about a trillion dollars in fiat currency in digital assets,” says Mihaescu. “There are 30,000 entities active on blockchains. There are 200 million people who have bought or sold cryptocurrency. So they need protection, and the protection has to go beyond, ‘Oh, it’s a scam.’”
As for the billions in cryptocurrency exploits the market has seen in recent years, Mihaescu, who comes from a banking background, including a stint as head of capital markets for the Bank of Montreal, says the traditional financial marketplace is also rife with theft and fraud, but is more closed and hidden about this activity.
“If a hacker successfully breaks into a bank and steals a lot of money from it, you won’t see it anywhere,” he says. “This information has not been seen. There is this discrepancy in the level of transparency between the two worlds. You don’t want to see bank robbery statistics. You don’t want to see bank hacking statistics, not publicly anyway. Maybe the FBI and the Met [police in the UK], they know them. Most likely they do. They are not known to the general public.”