[00:00:08] Zoltan Vardai: Hello, and welcome back to another episode of Decentralize with Cointelegraph. I’m Zoltan Vardai, and today, I’m speaking with Michael Pearl, the vice president of strategy at Cyvers, a Web3 security firm. During this episode, we discuss how Bitcoin ETFs could be the next major target for North Korean hackers, as well as how Cyvers managed to discover the smart contract that led to the $230 million WazirX hack eight days before the incident occurred. During the later parts of the episode, we speak more about what led to the WazirX hack and how institutions are becoming more aware of the importance of cybersecurity following the incident. Without further ado, here is my conversation with Michael Pearl.
As a brief introduction for the audience members who haven’t heard of you, I’d like to have an overview of what you’re doing at Cyvers, what Cyvers is doing, and basically, about how Cyvers is making Web3 safer for us.
[00:01:03] Michael Pearl: Zoltan, thank you so much for having me. First of all, it’s a pleasure to be here. Two words about myself: I’m Michael Pearl. I’m the VP of go-to-market at Cyvers. I’ve been in the industry for more than a decade, so I’ve seen all the ups and downs and everything in between. So, I have some reference, and perhaps we’ll talk about that as well, as to what happened in the prior cycles, especially for the listeners who are perhaps not familiar with the history. Cyvers is a leader in Web3 cybersecurity and also in risk mitigation and threat mitigation. And we’ll talk about what it means in a second. What we’re doing, very simply put, is we’re helping various companies, starting from DeFi projects to centralized exchanges, custodians, blockchains, insurance companies, basically any type of Web3 company that holds funds; we’re helping them to secure their assets, whether it’s in smart contracts or wallets. We’re also helping them in mitigating risks like compliance risks, scams, frauds, and basically any malicious activity in Web3. We’re the go-to place to address that, and oftentimes, even preemptively. And I guess we’ll talk about this in a second.
[00:02:18] Zoltan Vardai: We’ll definitely get back to that. So, I guess our listeners already have a sense of why we’re having you on, Michael, because I think the industry is still kind of in shock following the WazirX hack, following all the hacks in August. One thing, actually, that’s really a pressing concern — I’ll have to add some data for context here — but in 2024, leading up to August, crypto hackers stole over $1.2 billion worth of crypto assets, which is 15% more year-to-date compared to 2023. I’m citing Immunefi’s numbers. This is not from Cyvers, per se. But considering that up until August, there’s a 15% increase in stolen crypto, do you feel like hackers are on track to surpass 2023 by the year’s end? How do you think this will play out?
[00:02:59] Michael Pearl: So, I have a scoop for you, Zoltan. They have already surpassed it. Coincidentally, about 10 minutes before we started the recording, I received the numbers. They’re still the raw numbers for Q3, and obviously, we’re not done with the quarter yet, but I can already see that year-to-date, until now, 2024 has already seen more than $2 billion stolen in crypto. So, the answer is, unfortunately, yes. And I think that, you know, it is yet to be seen what we’re going to see in Q4, but at the pace of things, we’re going to see record numbers in terms of funds lost and also in terms of the number of incidents that took place.
[00:03:42] Zoltan Vardai: Would you say that the issue is that it’s the number of incidents that are growing, or it’s more of the magnitude of incidents and the amount being stolen that’s the main issue?
[00:03:51] Michael Pearl: I think the main issue is the awareness of the founders, which is still not there, unfortunately. I talked to you about the prior waves of bull runs and winters. You know, in 2017, people were setting up projects and doing ICOs and not caring about security, and I think that it’s very surprising to see that 2024 is not very different. You do have some founders that are more aware and more mature, and they are talking to us constantly. Sometimes we’re having conversations with people that have not even launched their platform yet, and they are already aware of the security, but unfortunately, it’s a minority.
Just to address your question, it’s not the amount of hacks because it can be very arbitrary. It can be random. Because every once in a while, a hacker can land on WazirX and steal $235 million in one bit, and in other times, they have to work much harder to steal half a million. So, it’s very much an issue of luck. But as money keeps flowing into crypto from retail and also from institutionals, obviously, these numbers will only grow. And only recently, the FBI has issued a warning that North Korean hackers are going to try to infiltrate and to steal money from ETFs. So, all those ETFs that you’re reading about, at the end of the day, they’re storing the base Bitcoins somewhere. And you can be certain that somebody is already planning and thinking of how they’re going to steal it.
[00:05:21] Zoltan Vardai: Just before we move on to the WazirX story, this is something really interesting you touched on regarding the ETFs. I’ve actually read some reports that suggest that hackers will be targeting these ETFs because a lot of these ETFs are managed by TradFi people who aren’t really as crypto-savvy as some of the degens who have been in the industry for 15 years. So, this could potentially make these ETF issuers an easier target for crypto hackers. Is this something you would agree with? Do you feel like this could be a threat for the ETF issuers?
[00:05:50] Michael Pearl: Yes. So, we’re in talks with quite a few institutional companies. And while they are geniuses when it comes to trading strategies and yield strategies, and they have plenty of experience from Wall Street, and they also know their way around regulation because otherwise, they wouldn’t have those ETFs approved. By the way, it’s not only the ETF providers, it’s also the periphery. You know, all the adjacent companies that are working with them. So, while they are geniuses in that, they are quite clueless about the Web3 industry because they view — again, I’m generalizing here — but some of them view Bitcoin or other coins as just an asset, right? Just a commodity or a security that they’re trading. But there are plenty of unique features when it comes to crypto, and especially with respect to security. So, this gap of knowledge and resources is exactly where hackers fit in. And that’s something that we need to address very fast, because if not, we’re going to see mega hacks. And then the regulators are going to kick in. And I think it’s going to be bad for the industry.
[00:07:00] Zoltan Vardai: I completely agree with that. Just looking at the freshest Bitcoin ETF data, the ETFs hold over $50.9 billion worth of Bitcoin onchain. So, it’s obviously a huge, huge target for hackers. Preemptively, do you feel like there’s anything that ETF issuers and the related companies could do to avoid being hacked?
[00:07:19] Michael Pearl: Certainly. At the end of the day, there are plenty of ways to secure your assets. So, it starts from obviously selecting the wallet and selecting the custodian. And there are several layers that are protecting the asset. But unfortunately, as we see it, nothing is foolproof. And the custodians are doing a great job. And they’re serving a very important purpose, especially on the operational level. So, you want to have a very easy way of withdrawing and depositing funds, and you don’t want to have any latency with that. You want to do it in the best way. But you also want to keep your funds secured. And that’s why people go to custodians in the first place. But again, custodians are not foolproof. Unfortunately, all the custodians, all the big names and the small names, were already hacked. And we found that. Just take a look at the recent cases. I’m not going to mention names here, but all the custodians are vulnerable, and that’s why you need to add another layer of protection.
That’s basically what we do. You have another layer of monitoring, and you have the response that basically allows you, in real time, to prevent the hack, or even preemptively, because sometimes, and oftentimes, we can give the users the heads-up days and days before. We’re going to talk about WazirX in a second. But just to give you an example, if they were working with us, we could have given them the heads-up eight days before the incident. Eight days. We knew about the malicious smart contract that eventually targeted them eight days before. We didn’t know who was going to be the victim, but if they were working with us, they could have blacklisted it and eventually prevented it before it even happened.
[00:09:01] Zoltan Vardai: Can you break down how you found this malicious smart contract over a week before? Because that’s insane, considering that your collaboration could have prevented over $230 million worth of stolen funds.
[00:09:12] Michael Pearl: Yeah. What we do, in two words, I don’t want to get too technical, but in two words, what we do at Cyvers is that we’re scanning entire blockchains, block by block, 24/7, every second, every millisecond. And we see every single transaction on these blockchains, whether it’s a transfer, a swap, a deposit, or a deployment of a smart contract. Every smart contract that is being deployed, we scan it. Obviously, all of this is done with our AI engines in an automated way. And immediately, we can say whether it’s a smart contract that is aimed at day-to-day stuff or if it’s a malicious smart contract, because there are certain hints in the code that can say this smart contract is up to no good. It’s a ticking bomb.
Now, sometimes we already know who the victim is going to be, and we have warned several companies beforehand because we said, listen, guys, it’s like a hitman that has your address. You’re next. And we were able to save them a lot of money. In this particular case, it was a malicious smart contract that we knew of. We didn’t know who the victim was going to be, but if WazirX were working with us, they could have either blacklisted the smart contract, or, when it started interacting with their system, they could have blocked it. So, there are many ways of going about this, and obviously, it’s up to the client to decide, but we’re providing the entire plethora of possibilities.
[00:10:39] Zoltan Vardai: I know WazirX wasn’t actually the only incident where you discovered the case much sooner, because the people who follow your alerts probably know that you’re actually posting about a hack while it’s happening and while it’s going on, which is actually quite insane in terms of onchain intelligence. But just returning to WazirX, this malicious smart contract, I’d love it if you could go just a layer deeper and tell us a bit more about the smart contract and how it led to this vulnerability. Is there anything you can share? And please feel free to go into more technical details.
[00:11:08] Michael Pearl: Sure thing. So, first of all, I just want to state that some of the details here are still under investigation, both internal and external, by police and law enforcement and the regulator, the Indian regulator, because WazirX was the biggest exchange in India. And there is also a blame game between WazirX and the custodian that they worked with. So, I don’t want to say something very, very definitive here because a) some things we don’t know, and b) some things are still disputed. Having said that, WazirX had quite a sophisticated structure where they were working with Safe wallets, and on top of that, they were also working with the custodian, and they also had some internal safety and security measures put in place. And on top of all that, for those of you who don’t know, with multisig wallets, you need to have several signers, and basically, everyone needs to sign, and so on. And despite all that, eventually, they got hacked.
Now again, we have some theories about how it happened, and we published some of that information. But I think that the bottom line here is the fact that what you don’t know, you don’t know. Because what we see on a weekly basis, at least, is that every time there’s a new way of hacking, and you need to have a solution that is giving you blanket coverage of everything, because if you prepare yourself for the hacks that already took place, you’re going to lose eventually because the hackers are becoming more sophisticated. There are, and I actually wrote a post about it lately, state actors like North Korea and huge conglomerates of hackers entering the scene, and they are becoming very sophisticated. So, even the attack vectors that you know of and you protect yourself from, they are not sufficient. You need to stay ahead of the curve.
[00:12:59] Zoltan Vardai: Because hackers are basically always just one step forward and always looking for this next new vulnerability. Speaking of these attack vectors, we’ve actually seen some reports this year, in 2024, that suggest that while smart contract vulnerabilities were the biggest attack vector, a lot of the recent attacks are actually stemming from, I’d say, less complex attacks like phishing attacks, like private key leaks, like sending phishing transactions and users accidentally sending crypto. Do you feel like there’s also maybe a subset of hackers, maybe not the North Korean government-related hackers, but maybe a set of unsophisticated hackers who are trying to bank on user negligence more so than complex smart contract vulnerabilities? Do you feel like these attack vectors are changing, or are we still just basically in a constant smart contract attack cycle?
[00:13:45] Michael Pearl: Yeah. One of the main premises of crypto is be your own bank. So, everyone wants to be their own bank. You want to hold your money and to do whatever you want with that. But unfortunately, many people don’t really understand what it means to be their own bank. And even many companies don’t understand what it means to be the bank of others. And clearly, the regulation isn’t there yet. Maybe it shouldn’t be there. I’m more on the libertarian side of things. You know, I don’t think that regulation should be the one taking care of that, but it is what it is. And then definitely, you have plenty of actors that are taking advantage of the negligence or lack of knowledge of users. Just to give you an example of an attack vector that is lesser known: address poisoning. In very simple words, it’s me tricking you to send money to me instead of to someone that you wanted to send the money to. I’m not going to go into all the technical details, but four months ago, we identified an attack of $68 million in one single transaction of a poor individual that lost everything.
And again, people hear about hacks all the time. But there are other vectors of attack that are super relevant. My advice here is, first of all, for the end-users to be more cautious, to be more alert, to educate themselves. They can read about this online. Also, they can read our blog about those publications, about those incidents. But also, I think the companies should be more aware of that and should be more protective of their users. It doesn’t mean that they have to intervene in what their users are doing, but simply giving them some basic heads up. You know, we work with wallets that are implementing our services, and then they can tell a user that their wallet was address poisoned. Because with the address poisoning, there is a gap between when you got poisoned and when the actual scam is happening and you’re sending the funds. So, in this gap, it’s crucial to let the users know that they are in danger. And I think that it’s not implemented enough. That’s our mission now, to get these guardrails implemented more often.
[00:15:53] Zoltan Vardai: That’s a great perspective. And for the users, I mean, for the listeners who may not know, I think you’re speaking about the May $68 million address poisoning hack, which I believe Cyvers was the first to identify. And it’s basically, correct me if I’m wrong, but it’s not even basically a hack. It’s the trader receiving a transaction from a very, very similar address, which led to him sending his $68 million to that address without noticing anything. Is that correct?
[00:16:19] Michael Pearl: Yes. And just to explain how it works in very simple terms: Let’s say you are a user that holds a big amount of crypto in different tokens in your wallet, and I see that you’re frequently sending money to other people. Let’s say you are managing a Web3 company, and you’re paying in crypto, you’re paying suppliers, you’re paying employees, and so on and so forth. So, I can see that there is a pattern here that big chunks of money are moving from your wallet to other wallets. And if I do my research, then I see you have the money, and I see that there are some third parties that are frequently in contact with you, I can trick you into sending the money to me. How do I do that? And this is by no means a manual for scammers. I can generate an address that looks very similar to the address that you’re usually sending the money to, because the way our brain works is that when we look at this alphanumeric string of an address, we see the beginning and the end, and we often overlook the middle. So, there can be an address very similar to that. I’m going to send you some fake tokens or maybe small amounts of ETH just to poison your address. And then it shows in your log, let’s say on Etherscan. 99% of us don’t have address books and whitelists and so on. We just go to Etherscan, we copy and we paste. And that’s basically where they get you, and you send the money to the wrong address. It sounds simplistic, it sounds quite stupid to be doing it, to be honest, but it’s something that happens on a daily basis.
[00:17:52] Zoltan Vardai: And stupid as it is, it cost this poor trader $68 million worth of wrapped Bitcoin. And what’s weird is, for the users who aren’t interacting with DeFi protocols, a lot of protocols actually don’t display the full address. They just display the first few characters, dot, dot, dot, and then the last few. So, if you really generate a very similar address, the middle part might actually not be visible, right?
[00:18:13] Michael Pearl: Yes, yes. By the way, I can bet that many, many of your listeners have already been address poisoned. Now, they might not ever be scammed. Or maybe they will be scammed in five years or two months or whatever, because it requires them to send the money to that address. But they have already been poisoned because they already received those fake tokens. And it happens very often. I guess after listening to this podcast, some people will go to their MetaMask and will see if they received any small amounts of fake tokens, but it happens very often. Too often, in my opinion.
[00:18:48] Zoltan Vardai: I can’t speak on behalf of my listeners, but I can speak on my behalf. At least two of my multiple crypto wallets constantly get these fake tokens. Say that I got concerned about what you just told me, and about my address being potentially poisoned by these fake coins, what’s the first thing I can do after we drop off this podcast?
[00:19:04] Michael Pearl: So, if you’re just a retail user, an average person using crypto and trading, first of all, I would advise you to be cautious, not to copy-paste addresses from Etherscan, and to create your own whitelist, even if it’s just a notepad where you put the addresses that you interact with. Especially if you got address poisoned, when you see that you received a sum from a specific wallet, double and triple check that you’re not sending funds to that wallet. By the way, some wallets have whitelist and address book services, which is great. If you’re a company, if you’re a wallet, if you’re an exchange, I would advise you to protect your users. And if you want to know how, then you can talk to me.
[00:19:45] Zoltan Vardai: That’s absolutely becoming necessary. And one reason why we need more and more protection from the likes of Cyvers is because, as you said, hackers are already most likely going to surpass the previous year’s achievements. We’re talking about $70 million address poisoning attacks, and we’re talking about the $230 million WazirX attack. And all this has a really, really negative effect on the institutional perception of cryptocurrency and of DeFi. A lot of people are actually saying that all these recurring hacks are the reason why we’re not seeing true institutional adoption, because we all thought that the ETF was going to be a vehicle for TradFi. And even though TradFi is slowly dipping its feet in, we’re not seeing mass institutional adoption. Would you say that this is because of these growing hacks?
[00:20:30] Michael Pearl: Definitely, definitely. I think that if you had asked me that question, let’s say, two years ago, I would have said that perhaps the technology isn’t there yet and there are no sufficient solutions for on- and off-ramps. There are no sufficient solutions for interoperability. Whereas now, I think the technology has progressed significantly. If I had to find one main culprit for the reason that we’re not there yet with respect to mass adoption, it would probably be the security and the scam threat.
And think about it. At the end of the day, institutionals, they are heavily regulated. They have a reputation to take care of. And it’s not just like... You know, I often hear on podcasts or at crypto events, why don’t they just diversify and invest, you know, 1% of their AUM in crypto, because then you become entangled with crypto. And crypto, to some extent, and in some areas, it can be toxic. Because if you get hacked, you get the spotlight of the regulators on you, and all of a sudden, all your other businesses are being inspected. So, that’s why they have to be very cautious about it. And obviously, the institutionals need to be aware and need to implement the best security measures, but also the entire industry, because we want to see that institutional money flowing in. And it doesn’t help to see the biggest exchange in India being hacked. And you see those heartbreaking stories on X and elsewhere. You know, it doesn’t help crypto’s reputation.
[00:22:01] Zoltan Vardai: As we’ve seen, it doesn’t really help with the regulatory frameworks as well, because this makes regulators view crypto as something negative and something with a huge inherent risk. For those unfortunate traders or investors who’ve lost their user funds in WazirX or in previous hacks, is there anything they can preemptively do to potentially have a chance to regain these funds? And is there a chance that the industry could catch the WazirX hacker down the line in five years? Ten years? And, of course, I know this is still under investigation. I know you can’t share every detail about this, but I’m wondering if there’s anything you can share about this.
[00:22:33] Michael Pearl: So, to be perfectly honest, the chances of you recovering the funds are very low. According to our statistics, about 25%, only 25%, of those who try, because most don’t really try, but of those who try, will eventually recover some of the funds, and obviously not all of the funds. So, the chances are very slim. Will they catch the hacker somewhere along the way, maybe by tracing the funds? Perhaps. But I don’t think that this will be a proper remedy to the users and to the traders.
My advice to them? You know, when you decide where to trade, there are plenty of reasons why you do that. Some might be very basic, like you saw their ad at the Super Bowl. Others might be more in-depth, like maybe you read about their proof of reserves and things of that sort. But I think that one parameter that even the simplest user must look at is which security measures they implement. And that’s something that, for instance, we encourage our clients and the exchanges and wallets that we work with to do: put a “secured by Cyvers” logo on their website, and there are quite a few that are doing that, because companies put their regulatory framework on the website, and they put their achievements with respect to TVL and things like that. I think that security is something that they should be proud of, or ashamed of, depending on how they go about it. And users should be mindful of it as well when they select the company that they’re working with.
[00:24:04] Zoltan Vardai: That makes complete sense. And let’s say we resume our conversation one year from now, in 2025, towards the end of it. How do you feel this entire cybersecurity space, especially in Web3, is going to evolve? And what are your plans for Cyvers for, say, the next year? How are you planning to protect more protocols, and how would our conversation look a year from now?
[00:24:26] Michael Pearl: So, I can only attest to what I see inside Cyvers. Obviously, what I don’t know, I don’t know, and nobody knows what the future will hold. But when I look at what our development team and our security operations center are cooking, I’m very optimistic, because some of the things that we thought were unsolvable, I actually see that we have major breakthroughs in solving them. Just to give you an example, only recently we found a very interesting correlation between behavior in Web2 and Web3. In simple words, we can look at a wallet and figure out whether this wallet is a fraudster, even in the Web2 space. So, it’s super relevant. Now we’re working with several on- and off-ramp companies that are struggling with chargebacks and fraud, with credit cards and things of that sort. Obviously, there are providers that are helping them on the Web2 side in figuring out whether it’s fraud or not. But we are doing this onchain, and that excites me, because that means that you can complement these services and eventually prevent much more fraud. When it comes to hacks, we have a major breakthrough in prevention. So, we are going to present very soon several elements and several features that will allow much, much better prevention, some of it preemptive. So, I’m very optimistic about the future because, eventually, technology moves forward, and the hackers are sophisticated, but the companies and the individuals who are fighting the hackers are also not resting. So, I really hope that a year from now we’re going to be at a safer Web3, and I’m working hard on making it happen. That’s my mission.
[00:26:09] Zoltan Vardai: And it’s really important for people like you to carry out this mission. So, I feel like a lot of next year’s Web3 cybersecurity theme is going to be prevention and preemptively stopping these attacks. Just based on this, do you feel like you’re going to see an array of institutional clients for Cyvers? Because we’ve discussed how institutions are heavily afraid of hacks and how that could invite more regulation. It sounds like your preemptive measures could help a lot of institutions preemptively stop these hacks. Do you feel like you’re going to slowly generate more institutional interest as institutions join crypto, and as they’re looking for a safe way to enter the space?
[00:26:46] Michael Pearl: Yeah. First of all, we are already working with several institutional clients. Some of them we published earlier, some of them are going to be published very soon. And actually, even the WazirX case has brought many, many institutional bodies, whether it’s hedge funds and ETF issuers and so on, that are interested in it. It actually raised awareness. Too bad it had to cost $230 million. But the awareness is definitely rising, and institutions are aware of that. Maybe they should be more aware, but I think that there is healthy progress there.
[00:27:21] Zoltan Vardai: That’s a great perspective. Michael, before I let you go, is there anything else you’d like to share with our listeners regarding anything you’re particularly afraid or hopeful about?
[00:27:31] Michael Pearl: So, first of all, I urge your listeners to follow Cyvers Alerts. We’re publishing incidents on a daily basis and some insights about those incidents. What went wrong? How can you prevent it? So, you can learn a lot from that. And I really urge you to follow that. We also have a very active LinkedIn page. And by the way, another scoop for you. We’re going to publish a podcast very soon, and we have some very interesting guests there. We’re going to focus on security, on compliance, on scams and frauds, and obviously, how we can prevent them. So, we’re trying to educate the public, both the companies and the traders. I really urge you to consume our content, your content. You’re doing a great job. And just to learn, you have to be aware of that, because there’s no point avoiding and hiding, because eventually, we need to be alert about everything that is happening, because it is upon us.
[00:28:29] Zoltan Vardai: The hackers are definitely upon us, Michael. Great last words to finish an excellent conversation. Thank you so much for your time, Michael, and for joining us today.
[00:28:36] Michael Pearl: Thank you so much, Zoltan. Thank you.
[00:28:39] Zoltan Vardai: This has been another episode of Decentralize with Cointelegraph. Thank you so much for joining us on yet another insightful conversation covering the decentralized and Web3 space. Make sure you subscribe so you never miss an episode, and we’ll see you in the next one.