Understanding crypto security
The crypto industry is technologically complex and relatively new, whose origins can be traced back to the emergence of Bitcoin in 2009. Since then, crypto has grown into a trillion dollar industry.
As a side-effect of its own success, and with novice users and immature infrastructure, crypto has become a popular target for crime. Crypto criminals got away with a whopping $14 billion in 2021, an all time high.
In this article, we will help you navigate some of the unique challenges faced when securing your cryptocurrencies.
Caption: Crypto criminals got away with $14billion
The state of crypto crime
The relentless drumbeat of headlines about hacks, scams, and crime have prompted a renewed focus on security.
We outline some headline hacks, as well as best practices on how to protect yourself against them below.
Cross-chain bridge hacks
A cross-chain bridge is a "digital bridge" that enables users to transfer cryptocurrencies across blockchains. Typically, users will send assets to a bridge, which locks the assets into a contract on one chain. The user is then issued equivalent parallel assets or "wrapped tokens" on the receiving blockchain.
Bridges have been particularly vulnerable to attacks, as they often feature a "central storing point" that holds the assets backing the "wrapped tokens" on the receiving blockchain. Chainanalysis estimates that $2 billion in cryptocurrency has been stolen across 13 separate cross-chain bridge hacks.
Earlier in March 2022, the Ronin Network, a critical bridge chain that powers the popular play-to-earn Non-Fungible Token (NFT) game, Axie Infinity, was attacked, resulting in a loss of more than $650 million. This was one of the largest crypto hacks in history.
Caption: Axie Infinity
Hot wallet hacks
A crypto wallet isn't a wallet as such, but is instead a digital keychain allowing you to access cryptocurrencies on the blockchain. Similar to how a keychain holds your keys to your car or home, a crypto wallet holds the keys to your assets.
A crypto wallet stores 2 types of keys (public and private). A public key is comparable to an account number, and links to an address that lets you make transactions. A private key proves that you own your crypto with that address and is not shared when making transactions.
When you set up your wallet, it generates a "seed phrase" to access your private key. The purpose of the seed phrase is to recover your hard-to-memorize private key by making it easier to record and remember. The seed phrase is generally a group of 12-24 words that can regenerate your unique alpha-numeric private key if it is ever lost.
Hackers can gain access to your crypto if they obtain your private key and/or your seed phrase.
Caption: Example of a seed phrase
Hot wallets are internet-connected crypto wallets and are sometimes called "software" wallets. In the same way that pickpockets steal actual wallets, hot wallets are particularly attractive to attackers.
Earlier this month, more than 7,000 Solana wallets were hacked, with ~$8 million stolen. The hack was connected to the Slope mobile wallet application, which was a popular hot wallet on the Solana blockchain. Experts claim that a "supply chain issue" was exploited, enabling hackers to steal users' private keys, and ultimately their cryptocurrencies.
Phishing typically involves scammers duping victims into giving up personal information. The scammer usually impersonates a trusted company or person to deceive victims.
Usually this involves the scammer sending an email or text to the victim with a link. The link leads the victim to a site built for the scam and prompts the victim to enter more personal details. From there, the scammer can impersonate the victim to steal funds.
Phishing is pervasive and has even impacted industry leaders. For example, Coinbase was hit by a phishing attack between April and May 2021 that affected 6,000 customer accounts.
In this instance, scammers impersonated Coinbase customer support and sent victims an email stating their account was locked. The email contained a malicious link, and victims that clicked on the link had their login details stolen.
The scammers were then able to log into Coinbase as the user, enabling them to steal victims' funds from their Coinbase wallets.
A "rug pull" is a crypto-specific scam where founders of crypto projects run off with investors' money.
Typically, a rug pull starts with a decentralized finance (DeFi) project providing liquidity to a decentralized exchange. The DeFi project's token is paired with a leading cryptocurrency such as Ethereum in a liquidity pool.
Malicious founders would create hype around the token to pump up its price. Once the token price had sky-rocketed, the founders would withdraw everything from the liquidity pool, driving the token price to zero.
A high profile rug pull that occurred last year was Squid Game (SQUID), inspired by the popular Korean Netflix series of the same name.
Caption: The popular Netflix series, Squid Game
SQUID was marketed as a "play-to-earn" game token on the Binance Smart Chain (BSC) blockchain. According to the project's whitepaper, participants would compete in a series of survival games and winners would walk away with a juicy prize pool.
SQUID's price skyrocketed over 100,000% in less than a week from its launch. At that point, some users reported they were unable to sell their tokens, and shortly whereafter the price of SQUID fell to zero.
Best practices in security
Here are our top tips and best practices to reduce security risk:
Do your own research (DYOR)
Whenever you encounter a new crypto project, it is good practice to research it to ensure its legitimacy.
Malicious projects will have red flags such as:
little or no information on the team
outrageous marketing promotions
Doing some homework by researching the team, reading the project's whitepaper and knowing how it works would help identify fraudulent ones.
The fate of many projects also depends on the integrity of its code. If you are not familiar with reading code, ensure the project's code is audited by an industry leading player.
Use a hardware wallet, or cold wallet
Cold wallets or cold storage wallets store your private key in a physical device, keeping your keys and seed phrase offline.
Unlike a hot wallet, a cold wallet is mostly disconnected from the network and isolated from attack. No transactions can occur with that copy of your private key unless you physically confirm them with your cold wallet.
This feature can keep your private key and seed phrase secure.
Store your seed phrase safely
On top of using a hardware wallet, you should store your backup seed phrase securely - keep it completely offline and avoid making a digital copy.
Watch out for fake sites, emails, social media accounts
When you receive communications, be it via email or social media, always look at where they are coming from, even if they look legitimate. They should always be independently confirmed by browsing the official website of the company.
Always use 2 Factor Authentication (2FA)
Whenever possible, enable 2FA. It is much harder for a scammer to gain access to your account if a second authentication method is required beyond login details. The scammer needs to guess the right code at the right time, which is infinitely more difficult.
The renewed spotlight on security is a positive move for the industry, as it enables higher levels of protection for investors.
As the space eventually becomes more secure, we can expect adoption to become increasingly widespread.
Until then, a firm understanding of security risks will enable you to powerfully protect your assets.
Crypto is a high value industry that is technologically complex, and relatively new with both novice users and immature infrastructure, making it particularly vulnerable to cybercrime.
Perhaps a side-effect of its own success, cryptocurrency-based crime hit a new all-time high in 2021, where criminals received a whopping $14 billion
Managing security risks are extremely important, as it could mean that you lose your funds completely
In this article, we hope to help you navigate some of the unique challenges when it comes to crypto security
State of crypto security and types of scams
There has been a renewed focus on security, given the latest onslaught of hacks.
Some of common scams/hacks are:
Example 1 - Cross bridge hacks
Ronin bridge hack (Axie Infinity)
Nomad bridge hack
Example 2 - Software wallet hacks
Solana wallet hack
Example 3 - Phishing
Example 4 - Rug pulls
While we may not eliminate security risks fully, some best practices are:
Store your seed phrase securely
Watch out for fake sites, emails, customer support, twitter accounts, Discord
Do your own research into protocols and watch out for red flags, ensure the protocol is audited, works with industry-leading players
The spotlight on security is a positive move for the industry as regulators work towards creating frameworks for protecting investors
Until then, a firm understanding of security risks will help us powerfully protect our assets