Nearly a decade ago, there was little talk about how cryptocurrency and blockchain were going to affect cybersecurity. Today, we’re seeing thefts at record-breaking heights, especially on decentralised finance (DeFi) platforms.
Let’s take you through the new types of security threats in cryptocurrency and blockchain, and tips on how to protect yourself.
What is blockchain?
Blockchain is a distributed ledger that stores and keeps track of data, most commonly transactional data. In the proof-of-work blockchain model, miners process transactions by solving mathematical puzzles. These transactions accumulate in a block, which connects to another block, creating a chain.
This decentralised system makes it challenging for fraudsters to manipulate data without being noticed. Since doing so would require them to go on a tampering spree to cover their tracks, there is very little incentive to hack a blockchain network.
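The following is an added example, not code from the original article, showing why an edit to one block is noticed and what covering it up costs: each block stores the hash of the previous one, so a change breaks every later link until the puzzles are solved again. The block layout, the `DIFFICULTY` value and the sample transactions are constructed for illustration.

```python
import hashlib
import json

DIFFICULTY = 3          # constructed: leading hex zeros required (small so it runs fast)
GENESIS_PREV = "0" * 64

def block_hash(block):
    """SHA-256 over the block's canonical JSON encoding."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def mine(index, transactions, prev_hash):
    """Solve the puzzle: find a nonce whose block hash meets the difficulty."""
    block = {"index": index, "tx": transactions, "prev": prev_hash, "nonce": 0}
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    return block

def build_chain(batches):
    """Mine one block per transaction batch, each linked to the previous hash."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        chain.append(mine(i, txs, prev))
        prev = block_hash(chain[-1])
    return chain

def first_invalid(chain):
    """Index of the first block failing the link or puzzle check, else None."""
    prev = GENESIS_PREV
    for block in chain:
        digest = block_hash(block)
        if block["prev"] != prev or not digest.startswith("0" * DIFFICULTY):
            return block["index"]
        prev = digest
    return None

def remine_from(chain, start):
    """Redo the puzzle for block `start` and every later block; return hashes tried."""
    prev, tried = chain[start]["prev"], 0
    for i in range(start, len(chain)):
        chain[i] = mine(i, chain[i]["tx"], prev)
        tried += chain[i]["nonce"] + 1
        prev = block_hash(chain[i])
    return tried

if __name__ == "__main__":
    chain = build_chain([["alice->bob 5"], ["bob->carol 2"], ["carol->dave 1"]])  # constructed
    chain[1]["tx"] = ["bob->mallory 2"]              # edit a recorded transaction
    print("tamper detected at block:", first_invalid(chain))
    print("hashes to redo:", remine_from(chain, 1), "valid:", first_invalid(chain) is None)
```

On a real network the difficulty is far higher and honest miners keep extending the original chain while the rewrite is in progress, which is what makes the cover-up impractical.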
Sounds safe so far, right? Well, not so much.
As DeFi services grow, some of their networks are poorly protected. Criminals who exploit their vulnerabilities tend to rely on the following: private key thefts, flash loan attacks, phishing scams, 51% attacks, and ransomware.
Let’s break down what they mean:
What are private key thefts?
Private keys should be treated like the PIN to your bank account. If you lose them, you are at risk of exposing your crypto funds to irretrievable losses.
That is why the type of crypto wallet you use matters to the security of your assets. Storing private keys online, where they are connected to a public network, puts users at risk of theft. Storing them offline, disconnected from public networks, makes them inaccessible to hackers. Crypto users usually store private keys online through hot wallets or crypto exchanges. Those who store private keys offline tend to use a hardware wallet, which is known to be the most secure.
In December, hackers stole nearly US$300 million worth of cryptocurrencies from gaming company VulcanForge and cryptocurrency exchange BitMart. VulcanForge lost private keys to 96 wallets, along with 4.5 million PYR – the company’s native token. BitMart CEO Sheldon Xia said that hackers stole a private key linked to two hot wallets, draining US$196 million worth of crypto from the exchange.
What are flash loan attacks?
A flash loan attack typically targets DeFi platforms. It usually begins with the thief taking out a flash loan, a form of unsecured loan enforced by smart contracts. Subsequently, they perform a complex web of transfers across multiple DeFi platforms.
Case in point: PancakeBunny.
The yield farming aggregator on the Binance Smart Chain suffered a flash loan attack in May 2021 after the attacker borrowed a large amount of Binance Coin (BNB) through PancakeSwap to manipulate the prices of USDT/BNB and BUNNY/BNB in PancakeBunny’s pools. The hacker then stole a massive amount of BUNNY and dumped it on the market, causing the price to crash. Subsequently, the hacker paid back the flash loan debt and ran away with profits said to be worth millions of dollars.
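A defender-side view of the price manipulation described above, as an added example that is not from the original article or from PancakeBunny's code. It assumes a simplified constant-product pool with no fees, and `PriceGuard` is a hypothetical check that refuses a spot price deviating more than 5% from the mean of recent end-of-block prices; all reserve figures are constructed.

```python
from fractions import Fraction

class Pool:
    """Simplified constant-product pool (bnb * token stays constant), no fees.
    The pricing model is an assumption for illustration, not from the article."""
    def __init__(self, bnb, token):
        self.bnb, self.token = Fraction(bnb), Fraction(token)

    def spot_price(self):
        """Instantaneous price in BNB per token, read straight from reserves."""
        return self.bnb / self.token

    def swap_bnb_for_token(self, bnb_in):
        """Add BNB, remove tokens so the product of the reserves is unchanged."""
        k = self.bnb * self.token
        self.bnb += bnb_in
        token_out = self.token - k / self.bnb
        self.token -= token_out
        return token_out

class PriceGuard:
    """Compares a spot price with the mean of recent end-of-block prices."""
    def __init__(self, window=5, max_deviation=Fraction(5, 100)):
        self.window, self.max_deviation, self.history = window, max_deviation, []

    def record(self, price):
        self.history = (self.history + [price])[-self.window:]

    def is_trustworthy(self, spot):
        if not self.history:                  # no reference yet: refuse to price
            return False
        reference = sum(self.history) / len(self.history)
        return abs(spot - reference) / reference <= self.max_deviation

def simulate():
    """Constructed scenario: five quiet blocks, then one oversized swap."""
    pool, guard = Pool(1_000, 100_000), PriceGuard()
    for _ in range(5):
        pool.swap_bnb_for_token(1)            # ordinary small trade
        guard.record(pool.spot_price())       # price observed at end of block
    before = pool.spot_price()
    ok_before = guard.is_trustworthy(before)
    pool.swap_bnb_for_token(4_000)            # large borrowed amount, same block
    after = pool.spot_price()
    return ok_before, guard.is_trustworthy(after), after / before

if __name__ == "__main__":
    ok_before, ok_after, move = simulate()
    print(f"accepted before: {ok_before}, accepted after: {ok_after}, "
          f"price moved x{float(move):.1f}")
```

A contract that reads only `spot_price()` accepts the distorted figure, while one that consults the guard first does not.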
What are 51% attacks?
When a group of miners controls more than half of a blockchain network’s mining hash rate – or the total computing power for processing transactions – they are able to manipulate the network.
Cryptocurrency coin Bitcoin SV was a victim of a 51% attack. Its network experienced “reorganization events” on the chain and “synchronization conflicts taking place on major mining pools,” according to market-intelligence group Coin Metrics in August.
What is ransomware?
Ransomware is malware that blocks access to networks or computers until the target pays a ransom. In recent years, criminals have been demanding ransom in cryptocurrencies because they can transfer large sums of money anonymously.
In December, the Federal Bureau of Investigation in the United States said it seized around US$2.3 million worth of cryptocurrencies tied to ransomware attacks led by a Russian resident.
What is phishing?
Phishing happens when an attacker sends a fraudulent message to trick the recipient into giving sensitive information. They send messages through emails, mobile phones, and most recently, search engine advertisements.
Last year, scammer(s) targeted users of the Metamask and Phantom hot wallets, as well as crypto swap platform PancakeSwap, with an enticing Google ad containing a fake URL. Those who clicked on the ad allowed the scammer to steal their wallets’ passwords. The phishing scam resulted in the loss of at least half a million dollars, according to Check Point Research in November.
What can we do about these risks?
Use a hardware wallet
For starters, ensure that users properly manage private keys to their crypto assets. One of the best ways to do this is by storing private keys offline instead of on hot wallets or exchanges, where they are connected to public networks. Using a hardware wallet helps crypto users manage their keys better and avoid being a victim of private key theft.
UKISS Technology will soon launch a hardware wallet, known as the UKISS Hugware, to help users better safeguard their private keys. The hardware wallet comprises a pair of cryptographic key devices, one of which stores private keys to your crypto assets while the other helps to retrieve private keys in the event of loss or theft. They are known as the Authentication-Key (A-Key) and Rescue-Key (R-Key), respectively, and do not require recovery phrases.
Use file encryption
Encrypt your data and sensitive information as much as possible to avoid cyber attacks and data leaks.
UKISS is developing a Suite of Digital Security Applications (Suite) that can provide encryption for a variety of data. They include applications for frequently used files on your computer (U-Hide), files stored on the cloud (U-Archive), and messages sent through social media networks (U-Social). Both Hugware and the Suite will be part of an ecosystem dedicated to decentralised digital security solutions for crypto, blockchain-linked platforms, DeFi, and the metaverse. More details are in our White Paper.