Beware Web3 – The Wild West Has Gone Online
“Ice phishing” and “bridge attacks” are the latest in the depth and breadth of cyberattacks, joining Ponzi schemes and ransomware attacks. Emerging business models will increase trust in blockchain, crypto, NFT, and new Web3 assets and application-based business models.
Web3, the third-generation Internet, is shifting existing paradigms. It combines thought processes and economic approaches with computing technologies, creating a decentralized computing network that looks to return the internet back to users. This may take the shape of a cloud of infrastructure, activities, and new business logic. It enables free collaboration among entities, with economic incentives, and without a centralized controlling body or organization.
Compared to older generations of the internet which saw corporations close off their source code and develop top-down products, Web3 encompasses a new approach to privacy, ownership, and value sharing. Entrepreneurs of this online era seek to decentralize almost every type of asset, data, community, service, or application, with blockchain technologies and NFT applications as only two of many examples.
The absence of a centralized entity that oversees and supervises cryptocurrencies, for example, is an advantage to those who operate using cryptocurrencies and smart contracts. Yet this same decentralized freedom presents a challenge of third-generation applications that operate within legal entities that demand fiat currency. What’s more, these decentralized platforms and currencies have attracted hackers for the “traditional” reason – a slim chance of getting caught; however, they are also lured by new features such as unidentified digital wallets and the ability to create anonymous transactions, as well as the multiplicity of computerized platforms containing weaknesses and vulnerabilities. Moreover, the absence of banks or credit companies makes it difficult to handle complaints, cancel retrospective actions, or compensate the victims.
According to the World Bank Group, thousands of digital currencies have been created, whose cumulative value already reaches almost US$2.8 trillion. With $144 billion transferred every 24 hours, this realm has become a true paradise for black-hat hackers. Fraud, theft, and ransomware attacks using cryptocurrencies are growing with an estimated $30 billion stolen overall, with 2021 seeing a 70% year over year jump to $14 billion. Whether through deceit or exploiting vulnerabilities within open code source, the world of blockchain transactions is quickly earning its bad reputation.
Governments aren’t sitting idle either: In April, the U.S. FBI announced that North Korea is behind the second largest crypto theft in the history. It’s alleged that the more than $600 million stolen by exploiting Axie Infinity’s Ronin Network was orchestrated by North Korea’s elite “Lazarus” hacker group (APT38) to fund North Korea’s weapons program.
Although the decentralized approach for data management and processes lowers the possibility for a “central point of attack,” many different surface attacks are still exposed – both traditional and new.
Fraud, Attacks, & Instability in the New Era
The recent turmoil in the world economy has dispelled any belief that cryptocurrencies can operate as a safe haven store of value during times of volatility. This is apparent in Bitcoin’s 70% drop in value from November 2021 to the end of June 2022. This is in comparison to the S&P 500’s loss of 19% during the same time frame.
The crypto market’s sensitivity can be attributed to its immaturity resulting from, among other things, size, liquidity shortage, and trust. However, we must understand that the crypto market and the web3 technology on which it is based, are here to stay. As cryptocurrencies begin to build long-term resilience, market concerns will shift from those of store of value, to issues of security and trust.
Smart contract business logic attacks – New infrastructure includes code that activates the business logic at the network’s base, for example, a code that manages financial transactions such as interest payments against loans. In cases where the code isn’t secure enough or has vulnerabilities, the attacker can locate a path and exploit it, stealing coins from the network.
Bridge attack – Connections among different blockchains are highly sensitive. Damages have amounted to more than a billion dollars, including two thefts of approximately half a billion dollars each – the theft that caused the collapse of the Bitcoin exchange Mt. Gox and theft that took place in February 2022 from the Wormhole platform that connects Solana and Ethereum cryptocurrencies.
Ice phishing – Hacking into a centralized exchange or private computer and stealing from a user’s wallet or replacing it with the attacker’s wallet as the designated wallet within the transaction.
Rug pull – When developers of a cryptography currency embed a “back door” within the code, using it to steal investors’ money from the database and then abandon the project.
Private key theft – Once the private key is stolen, the attacker gains instant control over the user’s wallet, with almost no chance of stopping it.
The exploitation of a security breach within the exchange – The threat actor gains remote control over crypto wallets or NFTs. The attacker gains full access to the victim’s wallet and can steal its contents. This April, Check Point investigators located a severe security breach in Rarible, the second largest NFT trading platform in the world.
All these risks are joined by “classic” fraud risks where money is raised from the public toward a false venture, such as traditional pyramid/Ponzi schemes. They have already amounted to billions of dollars within the crypto world.
Here Come the Heroes
Though we have become used to ransomware where threat actors hack servers to hold data hostage, the world of cryptocurrency opens a direct path: data = money. The good news is that something can be done about it. Along with the ever-increasing fraud and breach efforts, new defense solutions are gaining momentum, with impressive dominance from the start-up nation.
According to PitchBook’s market research, 350 companies already deal with blockchain fraud and cyber security. In 2021, investment reached $2.85 billion – 10 times more than the whole first half of the previous decade. These solutions focus on protecting Web3 applications and business models, reducing some of the risk barriers to participation.
The evolving Web3 security space includes B2C solutions, which allow end-users to protect themselves, as well as B2B solutions aimed at assisting financial institutions, exchanges, and other players in fulfilling the role of “responsible adult” in the absence of formal governmental or regulatory supervision, allowing them to protect their own interests as well as their customers.
The number of groundbreaking developments within Israel are too long to list. Here are merely a few examples:
- ZenGo – An Elron Ventures portfolio company, they have developed a technology that splits and encrypts a wallet’s private key.
- Unicorn company, Fireblocks, has developed a secured platform for financial institutions for the transfer, storage, and issuance of digital assets using multiparty computation (MPC) technology.
- Certora analyzes smart contract codes to find vulnerabilities before activation.
Web3 technologies are based on transparency, open-source code, and available unchangeable information in the Blockchain network. The transparency principle allows for tracking money routes using advanced solutions. These solutions combine collecting and processing information with massive artificial intelligence to detect suspicious activity patterns and create alerts. For hackers looking to cover their tracks, it is a serious challenge.
CyVers, also part of Elron Ventures’ investment portfolio, identifies attempts to exploit stock exchanges, smart contracts, and bridge vulnerabilities in real-time. The company analyzes the structure of the blockchain network (spatial geometry) and processing the dynamics of transactions among wallets across different crypto networks.
Web3 applications drive a new technological, economic, and business world with much to be learned – and built – regarding its operational, legal, and regulatory aspects.
Like previous generations, where – in parallel to their development – the cyber and fraud protection infrastructure has evolved, so will new technological solutions come to the market that aim to protect Web 3.0 applications, reduce risk, and increase trust. There’s no doubt that Israeli startups play a key role, but it is for companies to implement these measures to ensure trust in these systems if they wish to move out of the realm of a speculative market to the arena of trusted financial assets.
However, it is also important to keep in mind that much of damage prevention has to do with market, business, and consumer education, with an emphasis on day-to-day operations and user discretion.
Kobi Katz is partner and CTO at Elron Ventures and former CIO at Rafael. He’s an expert in software development management, information systems, IT infrastructure, and cyber defense.