Arcanum Ventures
Arcanum Ventures is a venture capital investment firm, blockchain advisory service, and digital asset educator. We bring precise knowledge and top-tier expertise in advising blockchain startups.
Arcanum demystifies the blockchain space for its partners by providing intelligent, poised, crystal clear, and authentic input powered by our passion to empower and champion our allies.
We unravel the mysteries and unlock the opportunities in blockchain, Web3, and other emerging innovations.
How Secure is Blockchain?
With the widespread emergence of any technical industry comes opportunists. The prevalence of email and mobile telecommunications in the past decade spurred a boom in internet hacks and phishing attacks aimed at separating businesses and individuals from their money.
These attacks come in all different forms and are primarily geared towards exploiting a vulnerability at any weak link of the chain, whether that’s the code of a web domain hosting login credentials or a newly hired employee’s email inbox. These bad actors look for any way to insert themselves into your network and find some way to capitalize.
Tessian Security Agency reported employees experience 14 phishing attack attempts each year through email or other communication channels, and for good reason. Gaining access to your business’s network can be very profitable for an exploiter, which is why many hackers have turned their attention to cryptocurrency and blockchain.
The industry is literally at the forefront of technology as coders and developers are constantly building new things and discovering cutting-edge ways to break current digital systems with the goal of improvement.
With this frontier of fast development comes a world of oversights and vulnerabilities as developers are oftentimes rushed to meet deadlines tied to fundraising milestones, creating scenarios where coding reviews and security audits are often deprioritized for the sake of product delivery. This leaves plenty of opportunities for seasoned hackers to step in.
Loss of Capital from Corporate Accounts
The surface level result of most hacking exploits targeting cryptocurrency projects is a massive loss of digital assets stored in vulnerable smart contracts or protocols. A rush to be the first network-specific token bridge may result in the launch of a burn/mint smart contract holding millions of dollars in tokens that can easily be penetrated to withdraw all funds.
As an example, Poly Network was hacked for over 600 million US dollars in August of 2021. A vulnerable bit of code allowed the hacker to transfer funds directly into their account.
Corruption of Software and Technology
Businesses not holding funds or capital in a smart contract are not exempt from exploits. Hackers often attempt to gain control of digital assets such as system networks, websites and platforms, and even laptop computers, then leverage that loss of control to extract money.
Ransomware attacks are commonplace for any business operating on the internet. The University of California paid hackers over $1.1MM in 2020 after hackers gained access to sensitive files on Covid-19 research. 40% of all ransomware victims pay the hacker, which is certainly understandable when both your business and your ability to generate revenue are directly tied to gaining your network back from a bad actor.
Sensitive Data Leaks
When your business is primarily geared towards the management and collection of data, your greatest asset may be easily accessible to hackers.
The prevalence of data breaches has increased year over year while businesses struggle to keep up with evolving tactics used by hackers. Ancestry.com reported a breach of 300,000 individual records following a hack of their system due to “poor security.” With a business model tied directly to providing data and serving as a data supplier, the value of their greatest asset was made worthless overnight as it was freely distributed among internet forums.
Public Image
The cryptocurrency industry in its current state is rife with speculation and suspicion as investors over-analyze every bit of content and conversation to gain an inside view of the inner workings of your company. As a result, public image is everything, and the way you conduct business is directly reflected by the value of your digital asset on the open market.
Many companies abandoned plans of recovery after experiencing a hack, considering the insurmountable task of rehabilitating their reputation. Investors are wary of the irony when a simple web security vulnerability fuels the downfall of an entire ecosystem geared specifically towards safe and secure asset trading.
Best Practice Security Measures for Your Startup
We often see founding teams speak about security as an afterthought or even a nuisance, but implementing some minor measures can go a long way with your community and your investors. There is a lot to lose considering how much of your business may live on Web2, but as that transition to Web3 continues, it’s important to take some lessons learned from the less fortunate.
Arcanum recommends implementing some of these industry best practices in your business:
Two Factor Authentication (2FA) for Network Devices
Two-factor authentication tools can serve a vital role in security by creating an additional layer of security across all network devices. Custodial wallet security can be improved by requiring singular access through a trusted device to perform asset transfers. A corroborating standalone authentication app tethered to the wallet, or even an SMS notification barrier, can severely limit the ability of a bad actor to siphon funds remotely.
Virtual Private Network (VPN) for an Extra Degree of Separation
Using public wireless networks while on the go exposes you to bad actors or malicious programs operating discreetly on public networks. It’s important for any employee to create an added layer of security while on the move by using a highly reputable virtual private network (VPN). Good VPNs make sure your web traffic remains protected from prying eyes that could be monitoring your activities on public wi-fi networks. We personally recommend ExpressVPN and NordVPN, but there are many geared towards small and large businesses.
Processes and Protocols
Interoperability is the big blockchain theme of 2022 as the target is placed on ease-of-use and mass adoption. Many projects are focused on delivering cross-chain products to maximize exposure across different markets for their user base. This, however, comes with added vulnerabilities for those pioneering their own technologies.
Projects like Lossless and ImmuneFi are geared towards proactive monitoring of your system and reducing the impact of a hack following the detection of suspicious activity.
Employee Training and Education
Any individual working in a startup environment will find the fast decision-making and reactive work culture familiar. Unfortunately, these hectic environments and rapidly developing ecosystems suffer from the lack of processes and best practices used by larger corporations with tenure. Employee training sessions on best security practices can help your colleagues understand the workplace vulnerabilities social engineers may use to gain access to the company network or devices.
Annual training sessions in simple security processes like email phishing recognition, device storage, and use in public go a long way in mitigating security risks for everyday users.
Some daily safety measures users can take include:
- Never store a laptop or device in a car or in plain view
- Never leave devices unattended in public places or while traveling
- Always lock your desktop or laptop computer when leaving it unattended, even in the workplace
- Implement physical security in office spaces that prevents external parties from entering and accessing devices, documents, networks, etc.
Prioritizing Security Can Help Prevent Losses
Using several or all of these methods may give your business a fighting chance of fending off blackhat hackers. There are many more security best practices we recommend, but the security program for your specific business should be tailored towards your ecosystem’s technical and social vulnerabilities.
Leaving even a minor oversight can open you up to a potentially crippling attack in the future. Here are some examples in the last year that resulted in significant or total losses of company assets:
Wormhole, February 2022
The cross-chain bridge Wormhole fell victim to a hack when attackers exploited security vulnerabilities stemming from an update to their GitHub repository. Investigation showed the publishing of a known bug and the proposed fix which had not yet been deployed. The hacker was able to make away with close to $325 million.
Bitmart, December 2021
Hackers were able to steal close to $200 million from two of Bitmart’s hot wallets by gaining access to private keys. Losses totaled over $100 million in currency stolen from the Ethereum blockchain alone. Transactions were frozen in the aftermath of the attack, and an upgrade was rolled out, as Bitmart promised that affected users will be compensated from the company’s coffers.
BXH, November 2021
Multi-chain exchange BXH suffered a leak of sensitive private keys that led to the theft of $139 million worth of tokens on their Binance Smart Chain (now BNB Chain) window. The company says it suspects an inside party to be responsible for the leak; however, a bounty of $10 million has not yet yielded any result on the identity of the persons behind the heist.
Cream Finance, October 2021
Popular DeFi platform Cream Finance reported that an exploit targeting its flash loan facility led to the theft of the entirety of its liquid assets on the Ethereum blockchain, totaling $136 million. The platform has been a target of other attacks through 2021 which amount to a total of $215 million.
Crowdsourcing Security and Vulnerability Assessment
In a rapidly developing industry, it’s important to employ innovative ways of maximizing your security. Arcanum Ventures can recommend two projects in particular that can help your business gain a security advantage.
ImmuneFi Bug Bounty Program
ImmuneFi is a crowdsourcing platform that serves as a meeting point between projects and talent, focused on tracing and solving vulnerabilities. As the crypto space is at the bleeding edge in innovation, in both finance and functionalities, it is no longer enough to rely on gold-standard audit companies as they often struggle to keep up with new things being created every day. Often, it is enthusiasts, be it individuals or small shops, that dedicate the time and effort to stay abreast of developments in growing startups.
ImmuneFi actively works to minimize digital asset losses through community auditing. Their platform incentivizes talented persons to help look for unique vulnerabilities in your project’s code that company auditors are otherwise unable to trace. So far, ImmuneFi has launched hundreds of bounties and has averted the loss of over $20 billion for various projects.
Lossless Smart Contract Monitoring
Lossless gained notoriety through their tried-and-true platform that specializes in smart contract security. They offer an automated protocol that monitors token movement through smart contracts in real-time. Their platform empowers white-hat hackers and security experts to sniff out suspicious activity, freeze transactions and even reverse assets according to strict protocols of due diligence. Lossless also provides a vigorous auditing and reporting process that combines both automated and human reviews for their clients.
Lossless has helped dozens of projects minimize damage caused by hackers, including Cream Finance, whom they helped recover $16.7 million worth of Ether from a $19 million hack. Lossless’ unique approach to security and impressive track record are just two of the reasons why we at Arcanum recommend them for nearly every project we work with. The seamless integration of their code into your smart contracts can help provide peace of mind for your business.
Change from the Top Down
Arcanum Ventures believes the cryptocurrency industry is lacking in both traditional and novel security practices. In an industry where digital assets move quickly and irreversibly, we believe security is a small price to pay for holistic business health and investor reassurance. Corporate culture flows from the top down and businesses should work to prioritize security even at the risk of missing product delivery deadlines.
Arcanum works with several projects that have onboarded Chief Security Officers (CSOs) for this reason. A dedicated security specialist can work to implement these best practices and foster a diligent corporate culture that will ensure your company is protected from technical and social vulnerabilities. It is important to keep in mind that all assets are subject to hack and theft and only companies that truly prioritize security are likely to survive in the long term.
Whether you’re concerned about the vulnerability of your decentralized wallet or the financial safety of your ambitious startup, feel free to reach out in our communities to learn more on securing your digital assets and information.