Rising crypto fraud is making companies rethink their security protocols, according to firms.
While the UK positions itself to become a leading global hub for crypto, companies are grappling more than ever with the costs and dangers of rising crypto fraud. While audacious heists of crypto exchanges have been well publicised, the bosses of these booming businesses are also squarely in criminals’ sights.
Bank of England governor Andrew Bailey controversially called the industry the “front line for scams”, and recent research by Chainalysis showed that hackers are stealing more crypto from decentralised finance (DeFi) platforms than ever before.
$3.2bn worth of cryptocurrency was stolen globally over the course of 2021, and $1.3bn has already been stolen to date in 2022, meaning that the total for this year is shaping up to reach record amounts.
The hack of DeFi platform Wormhole in February this year, exploited a weakness in the firm’s cybersecurity, resulting in the theft of sums worth almost $325m. Then the Ronin Network – a critical Ethereum-linked bridge chain powering Axie Infinity – became the largest crypto exploit ever in March, when it was hacked stealing cryptocurrency worth $625m.
It’s no wonder that the rise of DeFi has brought with it a spike in criminal activity within the crypto space. But perhaps less expected was the trend towards highly personalised and sometimes even dangerous attacks on senior individuals at crypto companies.
“I’ve had a hacker group that has targeted me for the past month or so, that has a bunch of old addresses,” says Jeff Hancock, CEO of crypto exchange Coinpass. “One of them texted me my old licence the other week, so I’m in the process of changing all my emails and phone numbers.”
This doesn’t appear out of the ordinary for Hancock. He says that he now doesn’t answer incoming phone calls for security reasons.
“The hacker group got hold of a load of hub spot data and went on a targeting spree. They set up auto diallers – I got called by 27 different numbers in Belgium the other day.”
He is not alone in being harassed by cybercriminals. Other crypto heads are regularly targeted too, due to a perception among criminals that they hold the master private keys to their companies’ crypto millions.
“It’s clearly a growing trend,” says Jason Tucker-Feltham, CEO of crypto compliance and security consultancy Venrai. “A lot of public figures in the crypto industry are becoming targets for criminal organisations and individuals.”
An expensive game
Online tactics are becoming ever-more frequent and inventive, according to Tucker-Feltham.
“The attack vectors vary,” he says. “Spoofing is, of course, used a lot, but criminals also look to mimic software widely used in the industry, like MetaMask browser extensions.”
“In some cases, crypto professionals do end up engaging with these extensions when operating in a Web3 environment – very experienced crypto professionals can end up coming a cropper.”
Email communication, given the volume of traffic, is particularly susceptible to failures in human defences, according to Venrai. Training among staff is essential, as once malicious software is installed into a private network, that’s all hackers need to start accessing sensitive account information.
Despite being head of a firm that specialises in advising other crypto businesses how to operate their security, Tucker-Feltham says he has also been targeted in the past, in attempts that smack of showmanship.
“Criminals see [breaching a security firm] as a badge of honour,” he says. “I was subject to a SIM swap attack a few years ago – criminals contacted my network provider, cancelled my SIM, and got a new one sent to their address to infiltrate a part of my dual authentication process. They still couldn’t access my crypto assets, but any attack is nonetheless concerning.”
“John McAfee was a major target when he was still alive,” he continues. “Cybercriminals see it as a game; if you’re able to breach the cybersecurity defences of a renowned expert like McAfee, you’ve just won the jackpot.”
Staying ahead of the criminals
With criminal attempts increasing in frequency and scope, crypto firms now must look at their security from every angle to avoid a breach.
One of the primary benefits of such a nascent industry is the strong level of communication and “comradery” between crypto players over security issues, according to Venrai.
“It helps people become more knowledgeable about the protections they need,” says Tucker-Feltham. “Crypto is an emerging area so there’s still lots of room for improvement.”
“It goes without saying that when you are directly transacting on the blockchain, you can’t complain to a middleman – that’s the whole point of a decentralised payment network.”
Rufus Round, CEO of GlobalBlock Digital Asset Trading, a crypto exchange, says his company has launched a new multi-signatory withdrawal process to combat fraud in the crypto space.
“If you design your tech properly, there’s no risk,” he says. “We use a multi-signature, multi-party computation custody solution, which doesn’t require private keys. A criminal would have to get all [the executives] in the same room and cut our heads off to pass the biometric recognition – and that’s just not going to happen.”
Crypto exchange behemoth owned by the Winklevoss twins, Gemini, also confirmed it operates a multiple signatory system for transferals of cryptocurrency out of its cold storage system, and “all private keys are stored offsite at high-security data centres”.
As crypto becomes more accepted within financial infrastructure globally, companies are hiking their security accordingly to meet investment grade requirements and promote trust.
Round now compares GlobalBlock’s approval processes with those of banks and says that ‘no-private-key’ solutions – such as those provided by blockchain custody solution, Qredo – are the future. He says the process scarcely requires compromise in terms of time delays either.
“If the whole world goes onto Qredo, you won’t need brokers or exchanges - [by advocating it] we are sort of doing ourselves out of a job in the long run,” he says. “But the solution is top notch - you’ve basically decentralised custody. It’s way ahead of its time.”
Round says that there is a huge diversity in levels of security employed by crypto companies, with those at the lower end of the spectrum tarnishing the reputation of the entire industry.
“There are players who have set up and grown very quickly, with little or no background in institutional finance, so they aren’t as knowledgeable about what is required in terms of security and custody,” he says. “Being publicly listed helps [to give an additional level of accountability], as you are subject to scrutiny by your shareholders.”
The challenge for crypto exchanges now will be to continue upgrading customer security safeguards, but without losing the immediacy and lack of bureaucracy that the asset type is loved for among investors. Industry players hope that finding that balance, under the scrutiny of FCA regulation, will help promote trust among consumers that firms are more than a match for the criminals that pursue them.