Hacks and Scams Are Big Business
Chainalysis reports that 2022 painfully highlighted the vulnerability of cryptocurrency assets: a total of $3.8 billion (or $4+ billion according to Crystal) was stolen from digital wallets and projects. Notably, this happened during a harsh bear market, showing that fraudsters remained undeterred by the broader economic downturn. An alarming Coindesk report indicates that DeFi protocols were the victims of hacking attempts 13x more frequently than their centralized counterparts.
Types of Scams
Understanding the common types of cryptocurrency scams and the red flags to watch for is crucial to safeguard your investments in this volatile and decentralized financial landscape. Scammers in the crypto world typically employ one of two strategies. The first involves gaining unauthorized access to a victim's digital wallet and private security credentials, often involving sophisticated phishing techniques. By sending emails with malicious links to fraudulent websites, scammers deceive victims into revealing their private keys, allowing the scammers access to the victim's crypto holdings.
The second strategy is more direct but no less deceitful. In this case, victims transfer their cryptocurrency directly to the scammer. This can occur in numerous ways, including fake cryptocurrency exchanges, Ponzi schemes, and rug pull scams. For instance, the Securities and Exchange Commission recently charged 11 individuals related to a cryptocurrency pyramid scheme worth an alleged $300 million. The scam involved paying 'returns' to existing investors using money from new investors, a classic Ponzi methodology.
Furthermore, with the rise in popularity of Non-Fungible Tokens (NFTs), new scam opportunities have emerged. Scammers have begun selling fake NFTs, which are digital assets typically bought and sold using cryptocurrency. In these cases, counterfeit NFTs are sold as valuable collectibles, exploiting the victim's lack of knowledge or discernment about this new asset class.
Online promotions are another breeding ground for scams. Investors are promised opportunities to double or even triple their investments, often with a misleading representation of the associated risks.
When it comes to infected files, cryptocurrency wallets like MetaMask and many hot wallets store the private key in encrypted form on the device. An infected file, if opened, installs malware that sends this encrypted file to the intruder. The hacker then only has to guess or steal the password to gain access to your crypto. These criminals often target users of certain operating systems because of their weaknesses, such as the ability to disguise harmful files as benign ones.
In addition, the threat of 'blind signing' looms large. While a standard transaction presents all the relevant information, in a blind signing scenario, a user unwittingly authorizes a transaction whose details are deliberately obscured by hackers. This renders the user unable to discern that they are inadvertently transferring their assets to the scammer.
Browser extensions have also become a conduit for illicit activity, with hackers introducing custom code unbeknownst to the user. For instance, an extension could manipulate your clipboard—what you copy with the control+C function—to alter an address you intend to copy. In the event of haste, a user may overlook this modification, underscoring the importance of verifying addresses on Etherscan and using Ethereum Name Service (ENS).
Fake websites, too, pose a significant hazard. Often indistinguishable from their official counterparts, these sites may feature a prominent "Mint" or "Claim Airdrop" button. A user may unwittingly execute a blind transaction intended to pilfer their assets when they interact with these buttons.
Not all threats, however, are technical in nature. Some scammers resort to 'social engineering', the art of exploiting human errors and behaviors, rather than technical hacking skills. This involves impersonating a legitimate institution, person, or even a familiar contact on various platforms—a tactic commonly called 'phishing'. Upon gaining the victim's trust, the attacker can disseminate harmful files or direct the user to a deceptive website.
Similarly, cybercriminals may hijack legitimate accounts to conduct their activities, further muddying the waters of trust in online interactions. This underscores the need for the “don’t trust, verify” principle; whether dealing with friends, family, or celebrities, we must always maintain a healthy skepticism.
Another threat vector is the use of bots to impersonate customer support services. These bots proactively search for individuals seeking assistance on platforms like Twitter or Discord, responding with malicious links or phishing attempts. Furthermore, these scammers have been known to exploit video calls, suggesting victims change the language settings on their device, all the while guiding them to disclose sensitive information and empty their wallets.
In conclusion, the crypto space, while rife with opportunities, is also fraught with a myriad of security risks. As users and investors, we must equip ourselves with knowledge, adopt best practices, and exercise due diligence to safeguard our assets.
Common Red Flags
The common red flags that every investor should be aware of include opportunities presenting high returns with little or no risk, consistent returns, no minimum investor qualifications, difficulty withdrawing earnings, excessive marketing, and poorly written whitepapers. These warning signs are not exclusive to cryptocurrency but are universal for any investment.
Scammers frequently target high-profile accounts to steal self-held assets. The takeover of social media accounts such as those on Twitter, Discord, and Telegram has caused substantial disruption in the cryptocurrency community. Upon gaining control, scammers send phishing messages or malicious communications to trick victims into relinquishing their sensitive information or private keys, which can lead to the loss of their cryptocurrency holdings.
Scammers may also utilize smart contracts to drain victims' assets without their consent. A smart contract is a self-executing contract whose terms are coded directly into the agreement. If the contract is designed maliciously or contains errors, it can allow its creator to seize the tokens, causing unsuspecting users to lose their cryptocurrency.
While self-custody can offer greater control over one's assets, it also brings with it certain risks. It's essential to understand these risks and take steps to protect oneself from bad actors. Keeping software up-to-date, using unique passwords, and using hardware wallets such as Ledger or Trezor to store your cryptocurrency offline can significantly reduce the risk of falling victim to these scams.
As the world of cryptocurrency continues to evolve and mature, being vigilant and informed about potential scams is critical. It is paramount for individuals and investors alike to understand the potential risks associated with investing in cryptocurrency and to take steps to protect themselves. Remember, in the world of investment, if something seems too good to be true, it probably is.
While alarming headlines such as “$X billion lost to crypto theft” might worry crypto investors that all is lost, these figures are arguably unsurprising given the context. High-value applications that use open-source codebases and function on public blockchains are, by their nature, vulnerable to security breaches. Attackers are afforded ample time to scrutinize contract code for weaknesses, and the irreversible and pseudonymous nature of transactions impedes traditional mechanisms of incident response.
However, this doesn't mean the challenge of web3 security is an insolvable one. On the contrary, we're observing the emergence of pioneering solutions tailored to fortify the web3 ecosystem against diverse security threats.
The web3 security stack refers to an assortment of services and tools geared towards shielding crypto applications, organizations, and their respective users or customers from harmful attacks.
The stack comprises several verticals, each playing a significant role in reinforcing web3 security.
Smart Contract Audit Services
Smart contract audits are independent evaluations of a project’s smart contract systems. Smart contracts (SC) can be complex and create ample opportunity for a malicious actor to exploit poorly written smart contract code. A long list of known SC vulnerabilities can be found here. Organizations like ConsenSys Diligence offer SC auditing services, combining manual code reviews and automated vulnerability scanning to analyze contract code for potential weak points or attack vectors.
Audit reports usually highlight security issues discovered during the codebase inspection and offer recommendations for fixing these issues before public application deployment. Although manual code inspection by expert auditors offers valuable insights, it is not scalable, leading to lengthy delays before project deployment. To counteract this, more audit companies are creating proprietary and open-source software designed for automatic vulnerability detection. These tools aid development teams in testing and ensure that auditors can focus on addressing issues overlooked during automated testing.
It should also be stressed that just because a project “passes” an audit, it does not mean that the project is impenetrable to hackers. Numerous projects with audits have been exploited by hackers.
While audits can identify errors that may affect a smart contract's runtime behavior, they cannot guarantee its consistent correctness. Formal verification, however, can affirm that a smart contract adheres to the provided specifications, offering more robust guarantees of a protocol’s security and reliability.
Formal verification involves converting a smart contract’s code into an abstract mathematical representation or formal model and creating a formal specification that delineates the contract’s desired behaviors. Formal verification engineers can then check if the contract's formal model aligns with the specification, deriving mathematical proof of a contract’s correctness.
Security from the Masses
Crowdsourced security generally refers to inviting a large group to test critical systems for concealed vulnerabilities or incentivizing third parties to responsibly disclose security issues discovered in an application to the developers. In web3, crowdsourced security usually takes the form of bug bounty programs and audit contests.
These initiatives harness communities to collectively secure applications. For example, bug bounties reward security researchers financially for identifying bugs in smart contracts, with rewards increasing according to the severity of disclosed vulnerabilities.
Blockchain forensics is an emerging field that focuses on analyzing blockchain data to detect financial crimes involving cryptocurrencies. By examining transaction histories on the blockchain, these companies can trace the flow of funds following hacks or scams and often assist in the de-anonymization of criminal actors by linking addresses to real identities. Companies like Elliptic, Chainalysis, CipherTrace, TRM Labs, and others have become renowned in this space.
Blockchain forensics not only aids in crime detection and prevention but also plays a pivotal role in reducing barriers to entry for traditional financial institutions venturing into DeFi. With in-depth insights into crypto transactions provided by blockchain analytics tools, businesses can ensure compliance with anti-money laundering (AML) regulations. Some innovative offerings include:
Blockchain analytics firms like Coinfirm, TRM Labs, and AnChain.AI offer tools to inspect and block transactions from addresses associated with malicious activities. They leverage artificial intelligence to build predictive engines capable of flagging unknown addresses and transactions that could be potential threats. This is referred to as Know Your Wallet (KYW).
User security encompasses tools that monitor and safeguard user interactions with web3 applications. This category includes fraud prevention, transaction safety, and private key management.
Apps like CoinCover, Redefine, Blowfish, and Harpie provide real-time risk assessments of transactions, flagging or blocking risky operations that could result in the loss of funds. Alongside this, transaction explainability tools such as WalletGuard provide valuable insights into the transaction process, improving user understanding and overall safety.
Private keys and seed phrases are a notorious security pain point, creating a single point of failure for wallet owners. Multisignature wallet technology and multiparty computation (MPC) offer potential solutions, decentralizing the storage of keys and seed phrases. Notable providers in this area include Safe and BitGo (for multisig wallets) and Qredo, GK8, Fordefi, and Fireblocks (for MPC wallet services).
Best Practices and Additional Safety Measures for Crypto Security
Use 2FA (not SMS-based): Two-Factor Authentication (2FA) ensures that accounts are protected by more than a password, requiring an additional randomly generated code or a physical device to grant access.
How to restore access to your accounts if you lose/destroy your device w/ Google Authenticator (2FA)
Whitelisting of addresses is often used by businesses to ensure funds can only be sent to previously approved addresses. This forces a hacker to gain access to both the wallet and the mechanism that manages this list.
Bookmark your favorite/most frequented sites
Use a password manager
Use burner wallets/addresses, especially when interacting with a new protocol for the first time
Distribute signing keys and/or the participants who hold them geographically to protect against physical attacks
A crypto vault has a built-in, predetermined delay when you try to move funds. This is also known as a timelock. It prevents the cryptocurrency from being moved until a certain amount of time has passed.
YubiKeys or other hardware security keys
What to do if you signed a scam transaction
Don’t link a device to your home address
Buy with cash if possible
Use a separate email address for crypto accounts
Have a dedicated “crypto computer” used for nothing else
Use a VPN
Use Brave or Firefox Browser
Be mindful when you give a website or extension permission to access things like your camera, location, plugins, etc., in the future.
Audit your Chrome Extensions: Remove extensions you don’t use, don’t need, or don’t trust.
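As an added illustration of the address whitelisting and vault/timelock measures listed above, here is a minimal ETH vault written for this article (not Event Horizon Capital's or any custodian's own contract); the 2-day delay and the nonce-based request id are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example: an ETH vault combining an address whitelist with a timelock.
// A withdrawal must be queued to a pre-approved address and only executes after
// DELAY has passed, leaving the owner a window to cancel an unexpected request.
contract TimelockedVault {
    address public immutable owner;
    uint256 public constant DELAY = 2 days; // assumed delay; tune to your needs
    mapping(address => bool) public whitelisted; // approved destinations
    mapping(bytes32 => uint256) public readyAt;  // request id => unlock time

    event Queued(bytes32 indexed id, address to, uint256 amount, uint256 readyAt);
    event Executed(bytes32 indexed id);
    event Cancelled(bytes32 indexed id);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }
    receive() external payable {}

    // Whitelist changes are as sensitive as withdrawals: without a delay here,
    // whoever holds the owner key could add their own address and bypass the list.
    function setWhitelisted(address to, bool ok) external onlyOwner {
        whitelisted[to] = ok;
    }

    function queue(address to, uint256 amount, uint256 nonce) external onlyOwner returns (bytes32 id) {
        require(whitelisted[to], "destination not whitelisted");
        id = keccak256(abi.encode(to, amount, nonce));
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + DELAY;
        emit Queued(id, to, amount, readyAt[id]);
    }

    function cancel(bytes32 id) external onlyOwner {
        require(readyAt[id] != 0, "unknown request");
        delete readyAt[id];
        emit Cancelled(id);
    }

    function execute(address to, uint256 amount, uint256 nonce) external onlyOwner {
        bytes32 id = keccak256(abi.encode(to, amount, nonce));
        require(readyAt[id] != 0 && block.timestamp >= readyAt[id], "not ready");
        require(whitelisted[to], "destination no longer whitelisted");
        delete readyAt[id]; // clear state before the external call
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
        emit Executed(id);
    }
}
```

An attacker who obtains the owner key still cannot drain the vault in one transaction: the destination must already be whitelisted and the delay gives the legitimate owner time to notice the Queued event and cancel.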
How Event Horizon Capital Can Simplify and Help
As we have covered, simply safeguarding your funds in crypto, let alone outperforming the market, involves a level of expertise and sophistication that few possess in these early days of the cryptocurrency adoption cycle. The existing challenges to analyze, invest, store, and profit from a fast-developing digital asset landscape continue to burden investors and complicate efficient investing.
Event Horizon Capital (EHC) provides access to an actively-managed portfolio of publicly-traded digital assets secured by world-class crypto custodians and industry-leading security techniques for sophisticated investors. Our expertly-researched and diversified portfolio is the culmination of Event Horizon's extensive industry knowledge, experience, and strategic partnerships.
In partnership with CryptoEQ, one of crypto’s top providers for deep research and market insights, we maintain exclusive access to proprietary systems for fundamental and technical analysis. Our discretionary strategy is designed to combine these proprietary systems. Deep research drives the selection of the highest quality fund constituents and trading algorithms drive market quantitative analysis.
The Nebula Fund is a multi-strategy vehicle for U.S. investors that invests in 15-20 liquid digital assets at any time. The fund is predominantly driven by a discretionary strategy focused on digital assets that fit at least one of four themes: digital store of value, general-purpose smart contracts, decentralized finance, or utility tokens. The remainder of the fund uses a quantitative strategy, trading up to a daily frequency.
At Event Horizon Capital (EHC), we believe select cryptoassets will outperform all other asset classes over the next five, ten, and possibly even twenty years due to their superior qualities as new money/assets for the internet age. Because of this, we seek the best risk-adjusted exposure to protocols that personify the blockchain benefits outlined above. With crypto markets being one of the world’s most dynamic markets, our agile and active management provides the flexibility required for swift, decisive action while also never compromising on security.
EHC’s multi-strategy approach is built upon:
Qualitative fundamental research
Quantitative tools and valuation metrics
Narrative and sentiment-driven market swings