Understanding security
The crypto industry is technologically complex and relatively new, whose origins can be traced back to the emergence of Bitcoin in 2009. Since then, crypto has grown into a trillion-dollar industry.
As a side-effect of its own success, and with novice users and immature infrastructure, crypto has become a popular target for crime. Crypto criminals got away with a whopping $14 billion in 2021, an all-time high.
In this article, we will help you navigate some of the unique challenges faced when securing your cryptocurrencies.
The state of crypto crime
The relentless drumbeat of headlines about hacks, scams, and crime have prompted a renewed focus on security.
We outline some headline hacks, as well as best practices on how to protect yourself against them below.
Cross-chain bridge hacks
A cross-chain bridge is a “digital bridge” that enables users to transfer cryptocurrencies across blockchains. Typically, users will send assets to a bridge, which locks the assets into a contract on one chain. The user is then issued equivalent parallel assets or “wrapped tokens” on the receiving blockchain.
Bridges have been particularly vulnerable to attacks, as they often feature a “central storing point” that holds the assets backing the “wrapped tokens” on the receiving blockchain. Chainanalysis estimates that $2 billion in cryptocurrency has been stolen across 13 separate cross-chain bridge hacks.
Earlier in March 2022, the Ronin Network, a critical bridge chain that powers the popular play-to-earn Non-Fungible Token (NFT) game, Axie Infinity, was attacked, resulting in a loss of more than $650 million. This was one of the largest crypto hacks in history.
Hot wallet hacks
A crypto wallet isn’t a wallet as such but is instead a digital keychain allowing you to access cryptocurrencies on the blockchain. Similar to how a keychain holds your keys to your car or home, a crypto wallet holds the keys to your assets.
A crypto wallet stores 2 types of keys (public and private). A public key is comparable to an account number and links to an address that lets you make transactions. A private key proves that you own your crypto with that address and is not shared when making transactions.
When you set up your wallet, it generates a “seed phrase” to access your private key. The purpose of the seed phrase is to recover your hard-to-memorize private key by making it easier to record and remember. The seed phrase is generally a group of 12–24 words that can regenerate your unique alpha-numeric private key if it is ever lost.
Hackers can gain access to your crypto if they obtain your private key and/or your seed phrase.
Hot wallets are internet-connected crypto wallets and are sometimes called “software” wallets. In the same way that pickpockets steal actual wallets, hot wallets are particularly attractive to attackers.
Earlier this month, more than 7,000 Solana wallets were hacked, with ~$8 million stolen. The hack was connected to the Slope mobile wallet application, which was a popular hot wallet on the Solana blockchain. Experts claim that a “supply chain issue” was exploited, enabling hackers to steal users’ private keys, and ultimately their cryptocurrencies.
Phishing attacks
Phishing typically involves scammers duping victims into giving up personal information. The scammer usually impersonates a trusted company or person to deceive victims.
Usually, this involves the scammer sending an email or text to the victim with a link. The link leads the victim to a site built for the scam and prompts the victim to enter more personal details. From there, the scammer can impersonate the victim to steal funds.
Phishing is pervasive and has even impacted industry leaders. For example, Coinbase was hit by a phishing attack between April and May 2021 that affected 6,000 customer accounts.
In this instance, scammers impersonated Coinbase customer support and sent victims an email stating their account was locked. The email contained a malicious link, and victims that clicked on the link had their login details stolen.
The scammers were then able to log into Coinbase as the user, enabling them to steal victims’ funds from their Coinbase wallets.
Rug pulls
A “rug pull” is a crypto-specific scam where founders of crypto projects run off with investors’ money.
Typically, a rug pull starts with a decentralized finance (DeFi) project providing liquidity to a decentralized exchange. The DeFi project’s token is paired with a leading cryptocurrency such as Ethereum in a liquidity pool.
Malicious founders would create hype around the token to pump up its price. Once the token price had sky-rocketed, the founders would withdraw everything from the liquidity pool, driving the token price to zero.
A high profile rug pull that occurred last year was Squid Game (SQUID), inspired by the popular Korean Netflix series of the same name.
SQUID was marketed as a “play-to-earn” game token on the Binance Smart Chain (BSC) blockchain. According to the project’s whitepaper, participants would compete in a series of survival games and winners would walk away with a juicy prize pool.
SQUID’s price skyrocketed over 100,000% in less than a week from its launch. At that point, some users reported they were unable to sell their tokens, and shortly thereafter the price of SQUID fell to zero.
Best practices in security
Here are our top tips and best practices to reduce security risk:
Do your own research (DYOR)
Whenever you encounter a new crypto project, it is good practice to research it to ensure its legitimacy.
Malicious projects will have red flags such as:
- little or no information on the team
- poor liquidity
- outrageous marketing promotions
Doing some homework by researching the team, reading the project’s whitepaper and knowing how it works would help identify fraudulent ones.
The fate of many projects also depends on the integrity of its code. If you are not familiar with reading code, ensure the project’s code is audited by an industry-leading player.
Use a hardware wallet, or cold wallet
Cold wallets or cold storage wallets store your private key in a physical device, keeping your keys and seed phrase offline.
Unlike a hot wallet, a cold wallet is mostly disconnected from the network and isolated from attack. No transactions can occur with that copy of your private key unless you physically confirm them with your cold wallet.
This feature can keep your private key and seed phrase secure.
Store your seed phrase safely
On top of using a hardware wallet, you should store your backup seed phrase securely — keep it completely offline and avoid making a digital copy.
Watch out for fake sites, emails, social media accounts
When you receive communications, be it via email or social media, always look at where they are coming from, even if they look legitimate. They should always be independently confirmed by browsing the official website of the company.
Always use 2 Factor Authentication (2FA)
Whenever possible, enable 2FA. It is much harder for a scammer to gain access to your account if a second authentication method is required beyond login details. The scammer needs to guess the right code at the right time, which is infinitely more difficult.
Closing thoughts
The renewed spotlight on security is a positive move for the industry, as it enables higher levels of protection for investors.
As the space eventually becomes more secure, we can expect adoption to become increasingly widespread.
Until then, a firm understanding of security risks will enable you to powerfully protect your assets.
