Crypto crime is much too personal

Up until recently, legendary heists rarely resulted in personal losses. 

As uninvolved and unaffected bystanders, consumers could find a certain true-crime thrill in theorizing about how a team of unknown thieves managed to whisk 13 priceless masterpieces out of the Isabella Stewart Gardner Museum in 1990, or in recounting how Saddam Hussein’s son and personal adviser walked $1 billion in cash out out the front door of Iraq’s Central Bank in 2003. 

These stories are staggering in their scale and yet utterly inconsequential to the average person; freed from any personal expense, we could freely enjoy them as a form of entertainment. 

However, modern legends are less easily swallowed. 

In 2022, two massive crypto hacks — namely the Binance Smart Chain ($566 million) hack and the Ronin bridge ($522 million) exploit — overshadowed the total value of history’s most expensive painting, the Mona Lisa ($850 million). In fact, this milestone year saw $3.8 billion stolen from DeFi protocols and exchanges, far surpassing the total combined value ($2.8 billion) of the Central Bank of Iraq heist and the Isabella Stewart Gardner Museum Art theft. 

And, unlike their predecessors, these heists siphoned money not from government entities or a museum, but ordinary people. 

In the case of the Ronin bridge hack, over 75% ($400 million) of the total stolen amount belonged to users who played Axie Infinity, a popular play-to-earn game developed by Sky Mavis. The theft occurred after hackers acquired enough validator nodes to approve their fraudulent transactions. The exploit capitalized on human error; hackers managed to achieve backdoor access because Axie DAO had given — and never rescinded — temporary proxy permission to sign off on transactions to Sky Mavis, thus creating a vulnerability. 

Sky Mavis has, to its credit, taken responsibility for the breach and its users’ losses. Shortly after the exploit, the developer announced that it would reimburse player losses even if it was unable to recover the stolen funds. Efforts to this end are already underway; in April, Sky Mavis raised $150 million in partnership with Binance and other crypto investors to this end.   

The developer’s good intentions should be acknowledged. However, compensatory efforts can’t repair the damage that this and similar exploits wreak on consumer confidence. While users might find after-the-fact promises like Sky Mavis’ reassuring, crypto theft is an emotionally-charged, even traumatic, experience for victims. 

Some might decide to take their losses as a sign to abandon Web3 — or, news of the hack could dissuade would-be adopters from buying into the technology altogether. 

It’s an issue of trust: If current and prospective Web3 users don’t feel safe navigating Web3, they will step to the side until the landscape feels more secure. This lack of confidence is already apparent; per a recent report from the Web3 development platform Alchemy, assets on centralized exchanges dropped by 45% at the close of Q4 2022, illustrating consumers’ clear lack of faith in crypto custodians. However, the same report found that developer sentiment remains optimistic and enthusiastic. 

The question remains: How can advocates bridge this gap between increasingly anxious users and blockchain’s undeniable potential? The only possible answer is to empower protocols, developers and users alike to protect themselves as they venture into the future of Web3. 

Security: an unavoidable priority

Web3’s current security woes are, in a way, inevitable. 

The decentralized and sometimes anonymous nature of cryptocurrencies provides a fertile ground for cybercriminals, who can hide their identities and exploit technological and human weaknesses. This is further compounded by the high value of assets in crypto, making them — and the companies that trade them — prime targets for hackers. Binance, for example, has a daily trading volume that extends into billions of dollars, so exploiting any vulnerability within the exchanges’ native codebase can result in stealing millions.

Moreover, the rapid evolution of blockchain technology creates perverse incentives via security gaps that can be exploited by hackers. With many protocols prioritizing functionality and product development over security, they stand to become more susceptible to attacks. Human errors, such as creating weak passwords, sharing private keys, or failing to update relevant software, can also result in additional vulnerabilities that hackers can exploit.

Given the above, it is crucial for Web3 innovators to understand that there is no easy nor quick fix to the issue at hand. 

Restoring consumer confidence and achieving a “safe” status quo will require informed and purposeful action from all Web3 denizens — from individual users and developers to large-scale decentralized financial (DeFi) protocols. 

Building a fortress

Individual users can and should take steps to protect themselves; however, the brunt of responsibility for securing crypto assets will naturally fall upon DeFi protocols. 

Innovators must recognize their limitations — “trustless” technology does not necessarily equate to perfect or inviolable technology. Cybersecurity is a $153 billion industry for a reason; given a certain risk threshold, even careful and well-meaning organizations can no longer protect themselves from bad actors without specialized support. 

In a protocol’s case, the involvement of third-party code auditing and monitoring by specialized blockchain cybersecurity firms becomes imperative. With their deep understanding of the blockchain ecosystem and sophisticated tools, these firms can help detect potential threats, anomalies and vulnerabilities in DeFi protocols, making them less susceptible to breaches. Regular, in-depth audits of the codebase can catch exploitable weak spots, reducing the opportunities for hackers.

At the institutional level, robust security measures such as transaction monitoring and emergency response protocols need to be ingrained into existing systems. 

Transaction monitoring can help detect suspicious activities early, allowing for swift intervention. Automated emergency response measures — such as circuit breakers — are another valuable security measure that can help, as they can slow down suspicious transactions and halt protocol operations when suspicious activity is detected.

In addition, adopting innovative technologies like automated threat detection systems can be instrumental in preventing attacks. 

These systems, often powered by advanced machine learning algorithms, can detect and neutralize suspicious activities before they cause significant damage. They provide a vital layer of security by instantly responding to threats, making DeFi protocols more resilient against sophisticated hacking attempts.

Read more from our opinion section: Web3’s promised metropolis just isn’t fun yet

Engaging in continual user education is also a must. 

Informing users about safe practices and potential threats can significantly reduce the risk of successful phishing attempts or other user-targeted attacks. Moreover, because informed users are less likely to fall prey to scams, user education can enhance overall security. And for individual users, embracing the newest and best practices in digital security is a total non-negotiable; this includes using strong and unique passwords, leveraging multi-factor authentication and maintaining up-to-date software.

Of course, such protections cannot be put into place overnight. Developing a robust security strategy requires careful planning, consideration and financial investment. 

Some in the industry might wonder if the return is worth the lift; but to me, the only possible answer is a resounding yes. 

It falls to today’s innovators to reassure and protect aspiring Web3 users — and to ensure that crypto’s legendary heists don’t become cautionary tales. 

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.