FTX Collapse highlights the cyber security risks of crypto
John Jay Ray III is one of the world’s best bankruptcy lawyers. He has worked on cases such as Enron and Nortel. But his latest gig appears to be the most challenging. On November 11, he took over the helm of FTX, a massive crypto platform, which has plunged into insolvency.
His Chapter 11 filing reads more like a Netflix script. In it, he notes: “Never in my career have I seen such a complete failure of corporate controls and such a complete absence of reliable financial information as occurred here. From compromised system integrity and faulty regulatory oversight overseas, to the concentration of control in the hands of a very small group of inexperienced, unsophisticated and potentially compromised individuals, this situation is unprecedented.”
Security forensic investigation
Ray has wasted little time in assembling a top-notch team, which includes a named cyber security forensics firm. He has been “working around the clock” to secure assets, identify crypto on the blockchain, find records and work with regulators and government authorities.
Here are just some of the alarming details about FTX, based on the bankruptcy filing:
- There were unclear records and lines of responsibility for the team.
- Payment requests were made through a chat platform and approved with personalized emojis.
- There were no “appropriate” security controls with digital assets. Sam Bankman-Fried and Zixiao “Gary” Wang controlled access. This involved using an “unsecured group email account as the root user to access confidential private keys and critically sensitive data for the FTX Group companies around the world…”
- Around $740 million in cryptocurrency has been placed in new cold wallets. This is a fraction of what FTX had under administration.
- At the time of the bankruptcy filing, there were at least $372 million in unauthorized transfers, which may have been due to a hack or an inside job.
- Bankman-Fried “frequently communicated” using chat apps that automatically deleted messages. He encouraged employees to do the same.
“The FTX collapse will certainly have a lasting impact on the crypto industry,” said Muddu Sudhakar, co-founder and CEO of AI service experience firm Aisera. “But this is more than an economic story. Security is another issue with the industry. FTX is a strong example of this.”
The crypto industry has a checkered history with security. One of the first high-profile hacks occurred in February 2014 with the Mt Gox exchange. The hackers drained much of its holdings, or about 750,000 BTC. The exchange eventually became insolvent.
Since then, there have been many more breaches. Just a few include Coincheck ($532 million), Poly Network ($610 million), KuCoin ($281 million), Coincheck ($524 million), Binance ($570 million), and Axie Infinity ($600 million).
“From a cybercriminal’s perspective, crypto is an optimal target because the transactions are fast and irreversible,” said Brittany Allen, Trust and Safety Architect at fraud prevention firm Sift. “This is because victims are unable to initiate a process to reverse the transaction and receive a refund of their stolen funds. In any case, this does not mean that the funds cannot later be frozen by a crypto exchange or by law enforcement. But the recoveries can be a fraction of what is stolen.”
Crypto can also be a way to exploit cyber security breaches. One way is to hijack computing resources to mine cryptocurrencies. “These attacks are often overlooked as unthreatening ‘background noise,’ but the reality is that any cryptomining infection can turn into ransomware, data exfiltration, or even an entry point for a human-powered attack with the snap of a finger,” said Marcus Fowler, CEO of Darktrace Federal.
Another source of vulnerabilities is the design of cryptosystems and smart contracts. Errors are common, as the development process can be complex.
“Security risks to end users take the form of two discrete methods: private key theft and phishing attacks,” said Christian Seifert, researcher, Forta.org. “However, both are launched via social engineering attacks where users are tricked into revealing information or signing transactions that give attackers access to a user’s digital assets. For users, the consequences of their actions may not always be immediately apparent, and FOMO – or fear of missing out – is often exploited by attackers to trick users into taking dangerous actions.”
Improving security in crypto is no easy feat. A large part of this is about the behavior of the end user. After all, the cryptocurrency must be stored in either a cold (offline) or hot (online) wallet – and both have their advantages and disadvantages.
“If there’s a wallet stored on the computer and the computer is infected, the threat actor can steal everything,” said Dmitry Bestushev, chief threat researcher at BlackBerry. “If it’s a hardware wallet and it breaks or gets stolen, the funds can be lost or stolen. The situation is similar with an online wallet, as we’ve seen online wallet sites hacked. The problem is not with cryptocurrency, but with the security of the storage.”
When it comes to the crypto platforms, security requires strong policies and cyber security tools. This is no different from any other organization. However, given the scale of transactions and the transparency of the blockchain, security systems must be proactive.
“By ingesting thousands of different signals, machine learning systems can quickly adapt to detect suspicious activity in real time without human intervention,” Allen said. “This allows cryptocurrency companies to automatically stop fake account creation, defend against account takeover attacks, and secure every transaction on their platform to reduce cyberattacks and ensure bad actors don’t sow distrust in their platforms.”
The cloudy future
Increased regulation for crypto seems likely. But this can take time. Indeed, in the United States, where there is now a divided government, there may not be much action in the next few years.
“Crypto industry players should not wait for regulations to be issued,” said Igor Volovich, VP of Compliance Strategy at compliance automation firm Qmulos. “Those looking to demonstrate their commitment to the integrity, transparency and security of their client funds should not wait to adopt existing regulatory frameworks and standards as a model for maturing their organization’s controls.”