As more money pours into digital ownership, Web3 projects are becoming a bigger target for scammers whose attacks can negatively impact valuation.
Crypto isn't dead, as a recent Coinbase video ad posited — right before it laid off 18% of its workforce — but it has been hurting.
There are a number of popular reasons cited by market experts, among them the rising interest rates and fear of stagflation that are hitting traditional markets. Yet cryptocurrency has had a number of embarrassments with projects like Terra Network and its now-infamous Luna token, causing spectacular losses for investors and shaking their trust.
Crypto lender Celsius and world-leading exchange Binance also rattled investors by freezing transactions this week.
To add more pain to the already grim crypto winter we seem to be entering, bad actors have ramped up cyberattacks on Web3 projects, proving that immutable blockchain is not a panacea against all types of attacks.
This week a massive Distributed Denial of Service (DDoS) attack was aimed at STEPN, a "move-to-earn" lifestyle app on Solana (CRYPTO: SOL).
Confiant published an article this week warning of a new threat, SeaFlower, "the most technically sophisticated threat targeting web3 users, right after the infamous Lazarus Group."
SeaFlower is described as "a cluster of activity" that uses backdoor code to target MetaMask crypto wallets.
These interruptions in service can be destructive to a company's reputation at the best of times. In this trading climate, an interruption in service could create potentially disastrous optics.
We spoke with some of the world leaders in security for Web2 and Web3 to learn more about these attacks and how you can protect yourself and your project.
Are these attacks a Web3 phenomenon, or are they Web2 problems carried over to new targets?
Marc Wilczek, COO of Link11, a leading European IT security provider "in cyber-resilience," regards this as the evolution of an old problem that's now growing exponentially as our lives become increasingly online.
As digital ownership grows, there are, by definition, more targets and more incentives for attacks. Link11 recently released a report tracking the increase in DDoS attacks.
"More than 4.7 billion people now use the internet, and the digitalization of our lives goes far beyond that. In recent years, there has been rapid progress in the area of emerging technologies such as the industrial internet of things (IIoT), artificial intelligence (AI) and cloud computing. This has significantly increased both the attack surface for and the danger from cyberattacks. Due to more advanced attack methods and increasing firepower, the gap between attack bandwidth and line bandwidth continues to expand, keeping attackers ahead of corporate IT security in many cases," Wilczek said.
David Strauss, co-founder and CTO of Pantheon, a website operations platform, pointed out that though there is some focus on attacking Web3 projects, these attacks are not really anything new and innovative. They are just more examples of unscrupulous hackers relying partly on timeless human gullibility.
"Because Web3 projects often have one foot in the Web2 world and one foot in the Web3 world, it can be effective to trip either foot and make the system fall over. Web2 attacks are mature and cost-effective; there's no reason attackers would abandon them when they work … We're not as hard to fool as we think, and it's often easier to trick a person than to develop a technical exploit. Many cryptosystems make fraud irreversible if a human can get tricked, so social engineering is even riskier than with traditional stacks," Strauss said.
Dyma Budorin, CEO of cybersecurity company Hacken, believes that in order to follow the motivation of hackers and fraudsters, you merely need to follow the money. The hype around NFT and crypto projects is fueled by gain and enabled by a lack of regulation.
"It is not a new phenomenon. Bad actors apply a very simple selection process. They just compare potential profits and efforts required to conduct an attack. The areas with the most attractive ratio are their targets. Since the beginning of rapid blockchain growth, hackers have focused their attention on crypto and NFT projects," Budorin said.
Has the nature of these attacks changed significantly?
If you look at white papers from just a few years ago, the immutable nature of blockchain and the implied security of the technology is usually listed as one of the top features of the project. Unfortunately, hackers don't need to do a takeover attack in order to bring down and extort funds from a project. In most cases, tried-and-true Web2 attacks will do the trick just fine.
Angel Grant, VP of Security at F5, conceded that although some of the infrastructures may be new, the tactics haven't changed much. Bad actors stick to what works, and newer Web3 companies may be even more vulnerable than their more established Web2 counterparts.
"Attacks like phishing, DDoS, ATO, etc., are so effective because they are low cost to the attacker, generate high ROI, and are very difficult to detect. It is very easy for attackers to bypass traditional approaches to security using sophisticated bots and methods such as retooling attack infrastructure. Because Web3 and NFT companies are so new, they tend to be easier targets that lack the experience necessary to properly harden their defenses," Grant said.
Connor Pickering of Conquest Cyber said cyber criminals leverage traditional attacks precisely because they are so well established — and have become refined to be an even bigger threat.
"Older or traditional methods are effective for a couple of major reasons. These methods have a lot of leeway in terms of dealing with obstacles that present themselves to the person utilizing these tactics. For phishing, you have a human element that can be manipulated. DDoS and Web2 attacks have been refined through the help of communities, organizations, and security researchers worldwide and have adapted over the years to newer technology and standards," Pickering said.
Wilczek of Link11, which focuses on DDoS attacks, explained that even traditional attacks are becoming more sophisticated and harder to guard against.
"Traditional DDoS attacks have previously focused primarily on high bandwidth. Modern, more complex, and shorter attacks typically use multiple attack vectors at the same time. Attacks are becoming smaller through carpet bombing, for example, and undermine DDoS protection. Here in particular, a high level of expertise is required, as the traffic initially looks legitimate, but the entire backend collapses. Attacks move up the stack from L3/L4 to L7 (APIs). There, a breeze is enough to bring digital value chains (e.g., payment providers or logistics companies) to their knees. IT is increasingly misused as a weapon. Due to IoT and cloud adoption, firepower is increasing massively while enterprise bandwidths are increasing slowly. The gap between attack bandwidth and line bandwidth is separating more and more, giving attackers the upper hand," Wilczek said.
Are cyberattacks a major threat to the trust built with Web3 users?
The events of the last week show the vulnerability of projects. This is not only because of revenue lost from interrupted services but because of the long-term damage to a project's reputation. It seems in Web3, customers are more discerning than ever, their standards are higher and they are slower to forget or forgive.
"Attacks absolutely have a negative impact on trust and project valuation. Unlike in the early days of the internet, users have become incredibly security conscious and value their privacy and protection highly. They are more likely to punish projects, DAOs, exchanges, etc., that violate that trust. Additionally, Web3 end users tend to be even more security conscious than their peers. It is part of their culture," Strauss said.
Lyle David Solomon, principal attorney at Oak View Law Group, who addresses issues related to cryptocurrency, gave a practical example of one project that suffered reputational and pecuniary repercussions as a result of a cyberattack.
"Attacks can have severe consequences on trust and project valuations. The most important aspect of a hack on a crypto project is that these projects hold real money and life savings for people. These are hard-earned money that people invest based on their trust in the project. If there is any hack, it will have a direct negative impact on the trust and goodwill of the company. If the project is hacked and its fund, including user funds, is wiped completely clean, the retail investors stand to lose it all. This forces people to take action. That action usually entails seeking legal recourse.
"Projects that have been hacked and lost funds have faced lawsuits in the US. One instance where a project was held liable is the case of James Fabian v. Colin LeMahieu, Mica Busch, et al. (known as 'Nano Defendants'). Nano (XNO), which was previously known by the ticker XRB, used to be traded on an exchange called BitGrail. BitGrail was hacked, and XRB worth $170 million was stolen. The promoters and marketers of XRB (Nano defendants) were sued by an investor on the grounds that they had promoted BitGrail and invited trading of Nano (XRB) on the BitGrail exchange by claiming it was very 'safe.' The Nano lawsuit clearly indicates that project founders and the teams behind Web3 projects can be held liable for hacks and other exploits," Solomon said.
Cryptocurrency projects are particularly vulnerable because the value of these projects is always, to some degree, staked on trust. This is especially true since stablecoins have fallen out of public favor following Terra's collapse.
"The digital economy and digital business models depend upon trust. However, a successful attack can erode trust within a matter of minutes and cause severe long-term damages to the brand," Wilczek said.
How can Web3 companies protect themselves?
The collective wisdom of respondents points to a few common-sense steps that projects can take to guard themselves against the possibility of an attack.
- Give up the myth that being a blockchain-based or Web3 project makes you somehow safer.
- Do a threat analysis to determine the types of attacks you are most likely to face.
- Source tools, technology, and team members that can grow as threats become more sophisticated.
- Keep your defenses freshly updated and patched.
- No matter how small or large your infrastructure, constantly monitor for malign activity.
- Don't make the mistake of releasing or using an app that isn't properly secured – even if it means extending your timeline and delaying launch.
- Web3 is not magic — do your research on an ongoing basis to stay informed of new attacks and how to defend against them.
Summary
It may seem a bit out of sync to cover cybersecurity when we are all mourning the state of the market. Yet both topics can be regarded as a bumpy step on the road to the maturation of the technology and the projects that use it.
After all, there is not much that we, the average retail buyer, can do to impact the winds of fortune blowing unkindly on the markets today, but we can protect against unexpected disasters tomorrow. And ultimately, a more secure Web3 landscape encourages a more secure market.