The latest breach in crypto — in the wild fleeting hope that another does not happen before this is published — is the attack on Tornado Cash. The attacker took over the decentralized autonomous organization’s platform and gained access to reroute transactions. Ignoring all the things wrong with Tornado — like the fact that it was blacklisted for allowing hackers to launder $7 billion — the attack is a reminder of the high stakes and low standards of security in the crypto ecosystem.
In May alone — which was a quiet month for crypto hacks — at least $14.1 million was lost to three attacks on major crypto platforms. DAI, which was responsible for $6.5 million of that figure, was hacked for the third time since its inception. In April, $12.5 million was lost, according to Rekt, which tracks breaches and incidents in the crypto ecosystem.
In the first quarter of 2023, at least $370 million was lost — and even that is a record low in comparison to the $5 billion lost in the last quarter of 2022. The global cryptocurrency market was valued at $4.67 billion in 2022 and is expected to expand at a compound annual growth rate of 12.5% from 2023 to 2030, according to Grandview Research.
Most of crypto’s growth has been fueled by the promise of “investing in the world’s next financial system” and by a number of “benefits” over the traditional financial system. Transactions and the inherent value of cryptocurrencies are controlled by the general public instead of a central authority, such as a bank. The promise is that since it gives the public the power that is often vested in governments, it is much more private and, ironically, more secure. Crypto bros and investors tout that it is the future of money.
In fact, the entire premise of what is called Web3 — a generation of open-source and interconnected decentralized applications powered by blockchain architecture, which is also touted as the future of the internet — is based on the tenets of decentralizing authority and offering more privacy and security.
Crypto wants to be the world’s next money, but it is a security nightmare. Despite the allure of decentralization and anonymity, the world of cryptocurrency remains plagued by significant security vulnerabilities.
The scale of cryptocurrency breaches is alarming. These breaches expose the vulnerabilities present in exchange platforms, wallets, and even smart contracts. Sophisticated phishing attacks, malware, and insider threats further exacerbate the risks faced by crypto users.
And the fallout of these hacks is devastating. Apart from the fact that many of these incidents lead to assets being moved from the accounts of legitimate users, they also lead to a crash in the value of the main cryptocurrencies of the platform affected, wiping out millions — sometimes billions — in market value.
“I just woke up one day and my money was gone,” said Kareem Babatunde, a crypto user in Nigeria. “You lose assets and then the remaining assets you don’t lose, lose their value.”
The same characteristics that make crypto attractive for investors make it glaring red on the heatmap of threat actors. “It’s a lucrative pursuit for hackers and threat actors,” said Eric Jardine, Cybercrimes Research Lead at Chainalysis, a company that provides data, intelligence, and forensics on cryptocurrency. The open-source software that many of the platforms run on makes it easy for hackers to find vulnerabilities they can later exploit.
And of course, since the crypto wallets where stolen assets are sent are anonymous and the platform isn’t regulated, it can be hard to track and retrieve funds, and much harder to tie incidents to an identity.
Chainalysis has sometimes worked with law enforcement to track stolen funds by looking at how money moves from the accounts, which is of course recorded on a public ledger. The same public ledger that promises anonymity becomes a public record that tracks every transaction. Chainalysis tracks every transaction until the stolen funds are sent to a wallet with an identity, often at the point when they need to be converted into actual money.
But not everyone has access to this tool, and threat actors can find ways around this too.
The issue remains that the crypto ecosystem itself needs to prevent the breaches before they happen. “The security issue isn’t due to a particular problem or code. It’s much more due to how the ecosystem is, especially at the moment,” Jardine said.
The one-stop check for security might mean regulations that enforce “Know Your Customer” protocols, security troubleshooting, and enforcements that hold platforms to specific security standards. But the entire premise of crypto has been built almost entirely on things that do not align well with regulations.
But regulations or no regulations, the crypto ecosystem would be better off without so many security incidents. The ecosystem’s next challenge is to find a way to fix that without becoming regulated.
In response to the vulnerabilities in the crypto ecosystem, industry initiatives and best practices are emerging. The emphasis on education and user awareness is also growing, with organizations offering resources to help individuals navigate the crypto landscape much more safely. But these initiatives only respond to known vulnerabilities. “For an industry so young, there’s still a lot of vulnerabilities,” continued Jardine. “It would seem only time can fix these problems.”
As cryptocurrencies continue to evolve, finding the delicate balance between privacy, security, and user empowerment remains crucial.