Crypto losses to bad actors have significantly increased in the last two years, but cybersecurity experts believe there is no cause for concern, as most new tech is exploited during the early days of its use.
According to blockchain security firm CertiK’s annual Web3 security report for 2022, malicious actors drained over $3.7 billion in value from Web3 protocols last year, representing a 189% increase over the $1.8 billion lost in 2021.
CertiK’s report for the first quarter of 2023 also revealed that hackers accessed over $320 million in the first three months of the year.
Kang Li, the chief security officer at CertiK, told Cointelegraph that new technology is often a target for exploitation and the crypto industry is just the latest to suffer from its own success.
“As new technologies emerge, they often become targets for malicious activities, simply because they present new vulnerabilities and possibilities for exploitation,” Li said.
“This has been seen throughout history, from the early days of the internet to the rise of email and, more recently, with the advent of blockchain and cryptocurrency,” he added.
According to Li, because the industry is still relatively new and rapidly evolving, some players are more focused on growth and innovation than on security, making them vulnerable to attacks and potentially contributing to the large number of losses recorded.
Data gathering platform Statista predicts that the crypto industry, which has seen massive growth since 2017, will keep expanding, with revenue projected to reach $64.87 billion and total global users expected to hit 994 million by 2027.
Li says this rapid rise in users and revenue, combined with some of the industry’s innovations, could also contribute to protocols being exploited.
“Blockchain technology and the smart contracts that underpin many cryptocurrencies are highly complex; this complexity can create security vulnerabilities that skilled hackers can exploit,” he said, adding, “Cryptocurrencies also hold real value and can be exchanged for traditional currency in many places around the world; this makes them an attractive target for hackers who can transfer and potentially liquidate stolen cryptocurrencies quickly.”
In the long run, Li says, as security around the crypto space improves and Web3 matures, we will see a decrease in successful hacks, exploits and scams.
However, he thinks it will always be a continuous battle between bad actors and blockchain security experts as they both fight to achieve their goals in an ever-changing industry.
“It’s essential to note that while hacks and exploits pose serious risks, they should not deter us from appreciating the enormous potential and innovative capabilities of blockchain and cryptocurrency technology,” Li said.
“Rather than a cause for retreat, they should serve as a clarion call for us to redouble our efforts to ensure that these transformative technologies can be used securely and responsibly.”
Artificial intelligence could be next
Artificial intelligence (AI) has become a hot topic in the last year, with some pointing out its potential implications for the workforce, while others, including tech entrepreneur Elon Musk, advise caution around its development.
Li believes it’s likely that as AI becomes more widely used, it will experience its own security issues, just like Web3 and other forms of transformative technology.
According to Li, as AI becomes more ingrained in our daily lives, especially in security-sensitive areas such as autonomous vehicles or financial systems, the potential for hacks, exploits and scams will likely increase.
“AI systems can be exploited in several ways, from manipulating machine learning algorithms to data poisoning and adversarial attacks,” he said.
“There are also discussions happening around sensitive data leaking out of large language models, as humans interact and share information with AI chat platforms like ChatGPT,” he added.
Omer Greisman, head of security services at blockchain cybersecurity firm OpenZeppelin, told Cointelegraph that it’s still early to judge if bad actors will flock to exploit AI.
He says there is no immediate financial incentive at this stage, with most malicious activity focused on direct financial gain and no clear payoff yet for exploiting an AI.
“However, certain AI capabilities may facilitate a more sophisticated suite of attack vectors,” Greisman said.
“It’s also true that machine learning can be leveraged by security researchers to scan smart contracts to find vulnerabilities more efficiently,” he added.
Growing pains are unavoidable for crypto as it grows
Greisman believes the crypto industry can still be considered nascent, so some “growing pains” are unavoidable.
He says that the rapidly evolving nature of the crypto industry means that security measures and best practices are still being developed and implemented, and users are still learning how to use the tech safely, which makes them easy targets for exploitation.
“The nature of smart contracts, in that they are open and visible for anyone to interact with, also means that the blockchain can be an attractive target for attackers,” Greisman said.
“Whereas traditional financial systems can rely on additional layers of security via centralized servers, a smart contract’s sensitive functions are potentially visible to any user. If there is a bug in a deployed contract, it can be called by anyone at any time,” he added.
Greisman says with time and experience, and as security measures in the crypto space continue to improve, hacks and exploits will likely decrease, especially if a conscious security-first approach becomes the new standard.
He notes decentralized finance (DeFi), in particular, has become more cautious and rigorous in its security approaches, with some platforms now implementing multisignature wallets and time locks for contract upgrades, reducing the risk of unauthorized access and malicious modifications.
“The industry has already witnessed significant advancements in security practices, such as the widespread adoption of security audits for smart contracts,” Greisman said.
“Also, bug bounty programs encourage ethical hackers to find and report vulnerabilities rather than exploiting them,” he added.
In addition to these technical advancements, Greisman believes increased regulatory scrutiny and user education will play vital roles in reducing future scams, exploits and hacks.
“Regulatory measures help establish standards and guidelines for security practices while educating users about potential risks and best security practices helps enhance their ability to protect themselves,” he said.
Crypto losses receive more attention than fiat currencies
Speaking to Cointelegraph, crypto exchange Kraken’s chief security officer Nick Percoco said that, in his experience, criminals target anything of value to turn a quick profit, and crypto is just one of many assets of value in the world today.
He believes crypto receives undue attention for its losses, while the fiat currency system still sets records yearly for losses through malicious actions.
“Crypto is often referenced in the news for theft and fraud, but in reality, the total losses are a fraction of the total payment card, ACH [automated clearing house] and wire fraud worldwide,” he said.
According to the Global Anti Scam Alliance — a nonprofit organization dedicated to protecting consumers from financial crime and scams — fiat money lost to scams has increased, with $47.8 billion lost in 2020 and $55.3 billion in 2021.
The United Nations estimates that the amount of money illegally laundered globally in one year is 2% to 5% of the global gross domestic product, equaling around $800 billion to $2 trillion.
Percoco says that, unlike other methods of theft and fraud, crypto transactions occur on-chain and in plain view of everyone in the world, which he believes is a major strength for the industry because the stolen funds can then be tracked.
This visibility might also be a factor in the increased scrutiny and attention that losses in the crypto space receive.
“When a large compromise does happen, the entire world is able to help track the funds to see exactly where they flow to,” Percoco said.
“This isn’t possible in the traditional financial systems where the movement of funds happens behind closed doors and over private networks,” he added.
BNB Chain has identified the Allbridge attacker following on-chain analysis. We are actively supporting the Allbridge team on the fund recovery. The Allbridge team has offered the hacker a bounty. We'd like to recognize the effort of AvengerDAO in this recovery effort.
— BNB Chain (@BNBCHAIN) April 2, 2023
Overall, Percoco expects that as global crypto adoption expands, total losses will likely grow proportionately.
“Although, improved education and understanding of the asset class will ensure this rise is not disproportionate to other payment channels,” he said.