Scams have been plaguing the blockchain space for years, and the way scammers conduct their nefarious activities only gets more sophisticated as the years go by. This year, NFTgators reported on a number of high-profile victims of phishing attacks, including DeFiance Capital founder Arthur Cheong, and Axie Infinity.
Cheong believes that North Korean state-sponsored cybercrime group BlueNorOff is targeting the entire crypto space. According to a report by UK-based blockchain analytics and financial crime compliance firm Elliptic, NFT enthusiasts lost more than $100 million in NFT scams between July 2021 and July 2022. The report also found that US-sanctioned crypto mixer Tornado Cash processed over $137 million worth of crypto assets.
In September, popular NFT trader and crypto scam investigator ZachXBT exposed the person behind recently hacked NFT Twitter accounts. Most recently, FTX founder Samuel Bankman-Fried was the subject of a deepfake video scam, where the fake former CEO urged FTX customers to join a compensation plan that would drain their crypto wallets.
According to Chainalysis’ mid-year crypto crime update, the total scam revenue for 2022 currently sits at $1.6 billion, 65% lower than where it was through the end of July 2021 due to the market downturn. The blockchain data provider also found that individual transfers to scams are the lowest they’ve been in the past four years, saying that the falling numbers suggest that fewer people than ever are falling for cryptocurrency scams.
Despite that, there’s no stopping scammers from conducting their illicit activities in the space, so we asked David L. Schwed, chief operating officer of blockchain security firm Halborn, to shed some light on why scams are so rampant in the space and what crypto users can do to prevent being scammed.
Please tell us about yourself and the story behind Halborn.
My name is David L. Schwed, and I am Chief Operating Officer at Halborn. In addition, I have worked in the financial services sector at a senior level for Merrill Lynch, Salomon Smith Barney, Citigroup, and Galaxy Digital. I am also the founding director and professor of the cybersecurity Master’s program for the Katz School of Science and Health at Yeshiva University, where I also serve as a practitioner-in-residence.
What piqued your interest in blockchain security and where did you first hear about it?
It was when I served as the Global Head of Digital Assets Technology for BNY Mellon. I was responsible for integrating the IT strategy for BNY Mellon’s digital asset offerings across the enterprise.
Sam Bankman-Fried was recently the subject of a deepfake video scam. What were the telltale signs that it was a deepfake?
The first place I’d check is for the source of the video. Is the individual releasing it via one of their confirmed communications channels (e.g. Twitter)? While not dispositive of its authenticity, if released through official channels, it does instil some sense of credibility.
When examining the video itself, the important features to look at are the eyes, mouth, and language. Deepfake videos tend to not show eye movements as realistic. That is because the AI that generates the video utilizes other images it finds of the subject. Those photos typically are not with their eyes closed. The other area to look for is the mouth movements while speaking to determine if they match up with the words that are being spoken.
That being said, the old proverb of “Trust, but verify” rings true. Just because there is a video of someone saying something, just like any email or other form of communication, it’s always best to verify the message through alternative channels/means.
Why are deepfakes on the rise and what blockchain or Web3-related problems can they cause?
They are on the rise because the technology to create the videos is becoming cheaper and widely available to use. That, coupled with the fact that they are highly effective, results in threat actors using deepfakes.
The biggest risk, as with any social engineering tactic, is to get a victim to perform an action requested by the threat actor. As an example, someone from finance may receive a video call from their CEO saying they are in transit to their next meeting and wanted to quickly call and ask them to grant someone access or wire funds. These types of attacks are not new, just the medium of deepfakes is relatively new.
Scammers could also create deepfakes to pose as friends, family or co-workers to run phishing scams. What should people do when they can’t tell the difference between deepfakes and real people?
Videos should not be given any more weight than receiving an email from someone. If they are asking you to do something, communicate with them via alternative means to verify. For example, if they email you a video, call them.
What other Web3-related security threats do you predict will be on the rise in the coming year?
I think we will see a rise in phishing activity that tricks individuals into granting unlimited access to their tokens. Essentially, by clicking the links and granting access, you could be unknowingly granting access to a malicious contract to access all of your tokens. Once granted, they can spend your tokens even if stored on a hardware wallet like a Ledger since you’ve granted them such access.
Besides transferring their assets to a cold wallet, how else can people protect themselves from being scammed of their crypto?
I’d suggest utilizing all of the security features afforded by hardware wallets (such as the secret passphrase that functions as a 25th seed). I’d also recommend creating multiple wallets in case an individual gets tricked and authorizes token spending for a malicious smart contract. For more advanced users, I’d recommend looking at multisig wallets like Gnosis.
Why do you think scams are so rampant in the blockchain space? Are companies not doing enough to ramp up their cybersecurity efforts or are there not enough cybersecurity professionals specialising in blockchain?
I think it’s a combination of lower cybersecurity budgets compared to more established enterprises as well as a skill shortage for Web3 proficient cybersecurity professionals.
What can the blockchain space do to attract cybersecurity professionals or upskill them to be proficient in Web3?
There needs to be better education, certifications, and a clear path into Web3 from existing positions. While there are some blockchain-related certifications, outside one or two, they are mostly high-level, easily obtained, and not focused on security. Blockchain-related classes should be taught at the college and graduate levels as well. I speak to many people who want to work in the Web3 security space, but don’t know the correct path forward.
How can Web2 cybersecurity professionals make the transition to Web3? What was your personal experience like?
A true cybersecurity professional can easily make the transition. The core foundational skills required to be a successful cybersecurity professional do not change from Web2 to Web3. The biggest challenge is learning the new technology, ecosystem and nomenclature. If someone truly lives and breathes technology, they will rise to the challenge and become self-taught. Those that find it challenging are what I refer to as 9-5 technologists. They are technologists due to their job/profession, but their technical curiosity and inquisitiveness stop when they leave work.
What does a day’s work for you look like? What kind of cybersecurity threats do you fight against?
All threats that may impact a Web3 project, including exfiltration of funds to denial of service. There isn’t one particular threat that we look out for. It’s effectively standard risk management methodology. What are the risks to this company/project and how can we ensure there are effective controls to both prevent and detect?
What’s the most sophisticated blockchain cybersecurity threat you know of or have seen a hacker attempt?
Although not necessarily a sophisticated technical attack, I think the Axie Infinity hack clearly demonstrates the lengths threat actors will take in order to effectuate their nefarious activities. They carried out a sophisticated social engineering attack in order to gain the trust of a developer who opened an infected PDF with malware which then took control of his computer. The attack consisted of creating a believable LinkedIn profile for a Coinbase recruiter, real interviews with the developer, and finally an offer letter.
What are the most challenging aspects of your role at Halborn and how do you overcome these challenges?
The most challenging is also the most rewarding for our engineers. Given the size of the funds that are at stake, the threat actors are always trying new techniques or exploring new zero-day vulnerabilities to exploit. Great engineers like to be challenged and in this new world, they are always being kept on their toes.
Where do you think we could see blockchain security in the near future?
I think we will start to see more regulation and more industry standards. For example, something similar to the NIST CSF but blockchain specific.