By: Oded Vanunu, Head of Products Vulnerability Research, and Roman Zaikin, Security Expert
Bitcoin Day is around the corner, and bitcoin is a huge topic of interest in our modern era. As bitcoin becomes the hot new technology, it is clear that hackers have taken advantage of it. According to reports, crypto scammers took a record $14 billion in 2021. Over the past 12 months, Check Point Research (CPR) has found serious security flaws in leading Web3 platforms OpenSea, Rarible and Everscale. CPR estimates that thousands of crypto-related cyber attacks happened last year, and of these about 40 had major consequences, causing losses of up to 1 to 3 billion dollars.
As the world of cryptocurrency continues to expand and becomes a focal point for threat actors, we look at how this technology has evolved and where it is headed next.
2008: The Introduction of Bitcoin and Blockchain
Back in 2008, Satoshi Nakamoto first introduced the concept behind bitcoin and blockchain. According to this study, the blockchain infrastructure is designed to securely support peer-to-peer transactions without the need for trusted third parties such as banks or governments. The blockchain is a shared public ledger on which the entire Bitcoin network relies. It allows Bitcoin wallets to manage and calculate balances so that new transactions can be verified. Bitcoin is open source: its design is public, nobody owns or controls it, and everyone can take part in it. Unlike centralized systems, the blockchain shares ledgers between participants, which makes this entire ecosystem decentralized. It also makes it much cheaper, faster, and more secure.
Figure 1: Bitcoin timeline
The decentralized blockchain ecosystem introduced the era of cryptocurrency. Cryptocurrency is a digital currency exchanged through networks that does not rely on a centralized authority. A record of the currency ownership is stored on a digital ledger. A digital ledger can be described as a database that secures data using cryptography, all verified, controlled and transferred on a platform that is owned by a third party.
Over the last few years, cryptocurrency prices have been volatile. The first decentralized cryptocurrency was Bitcoin, which was initially released as open-source software in 2009. Since then, more than 10,000 blockchain networks have been created.
2013: Ethereum, a decentralized blockchain with smart contract functionality
In 2013, Ethereum, a then-new decentralized open-source blockchain with smart contract functionality, was introduced. Vitalik Buterin published a whitepaper that describes Ethereum’s functionality and how this decentralized application platform works. In this paper, Buterin challenges the bitcoin protocol and refers to it as a ‘weak version of the smart contracts’ concept. The world was then introduced to a whole new terminology and concept, taking the financial era to new heights with the use of Ethereum smart contracts.
A smart contract is a digital program or transaction protocol intended to manage and execute events and actions according to the terms of an agreement. The objectives of smart contracts are to reduce the need for trusted intermediaries, arbitration and enforcement costs, and fraud losses, as well as to reduce malicious and accidental exceptions.
2017: Non-fungible tokens, uniquely identifiable digital assets
In 2017, non-fungible tokens (NFTs) entered the mix. NFTs consist of digital data, and the owner of an NFT is recorded in the blockchain. NFTs can be transferred by the owner, allowing them to be sold and traded. NFTs usually contain references to digital assets such as videos, photos, or audio. Every NFT is uniquely identifiable, which sets NFTs apart from other cryptocurrencies.
2018: Initial coin offering
In 2018, a new type of funding using cryptocurrencies, the initial coin offering (ICO), was introduced. An ICO is the cryptocurrency equivalent of an initial public offering (IPO), a way to raise funds by using cryptocurrency. Interested parties and investors can buy into it and receive tokens that may have a utility related to the product or service that the raising company owns, or just represent a stake in the company. Some ICOs have yielded massive returns for investors while numerous others have turned out to be either fraudulent or have performed poorly. Individuals participating in ICOs are buyers and investors that understand the field of cryptocurrencies and wallets.
Between 2020 and 2021, the NFT market saw dramatic growth. The market peaked in 2021 at over $17 billion. Ethereum was the central blockchain used for NFT transactions, with a 78% market share. Ronin trailed at 19%, followed by Flow and Immutable X at 6% each.
2021: The Revolution towards “Internet of Value”: The future is here
NFTs and smart contracts have started the hype around Web3 and the metaverse. The ability to sell, buy and transfer uniquely identifiable digital artwork online in a new revolutionary financial and monetization model has opened the door to the virtual world in which virtual and augmented reality (VR and AR), digital art and design, gaming and cryptocurrency all meet, interact and merge. This is often referred to as “The internet of value”.
Web3 is the next generation of the World Wide Web, with blockchain and decentralized financial platforms as its infrastructure and basis. The metaverse is the manifestation of all these developments in the virtual world, which will become even more virtual with the shift to VR-based networks and social platforms. In 2021 alone, Facebook (“Meta”) invested $10 billion in the metaverse, an investment that is expected to increase in 2022 and the coming years.
The dark side of the revolution
Check Point Research (CPR) researchers are continually monitoring the crypto world, unveiling new vulnerabilities and numerous schemes, and collaborating with different platform vendors, all to ensure the general community has a safe and secure experience. Some recent findings include research on preventing the theft of crypto wallets on OpenSea, the identification of a security flaw in Rarible, and the unveiling of the Everscale vulnerability.
CPR has seen thousands of crypto cyber attacks over the last few years. As of 2021, there was a 79% increase over the previous year, resulting in $14 billion of stolen cryptocurrency.
Why are crypto threats growing?
- Cryptocurrency is growing fast. Innovation is great, but new technology is often built with holes that can lead to breaches.
- Currently there is more focus on tech and less focus on security. With new projects being released each day, there is not enough focus on securing what is being built. The risk here is that new frontiers, like the metaverse, will be built on an insecure foundation. More focus on security is crucial.
- Lack of security experts. In a new frontier, the security space has yet to fully embrace the front lines of Web3.
The sophistication and scale of cyberattacks will continue to break records and we can expect a huge increase in the number of crypto attacks. Looking ahead, users should remain aware of crypto wallet risks and remain vigilant when it comes to suspicious activity that may lead to theft. Threat actors will continue to expand their efforts in order to hijack crypto wallets while exploiting system vulnerabilities as seen in 2021 and 2022.
How to stay protected
Blockchain transactions are irreversible. In blockchain, unlike a bank, you cannot block a stolen card or dispute a transaction. If the keys for your wallet are stolen, your crypto funds can become easy prey for cybercriminals, and therefore safety should be a concern for users at all times.
To prevent theft of keys, and as general safety tips, CPR recommends:
- Do not open suspicious links, especially from a source you do not recognize.
- Keep your OS, anti-virus software and cyber security software updated at all times.
- Do not download software and browser extensions from unverified sources.
- Be wary whenever receiving requests to sign any link within any marketplace.
- Prior to approving a request, users should carefully review what is being requested, and consider whether the request seems abnormal or suspicious.
- If there are any doubts, users are advised to reject the request and examine it further before providing any kind of authorization.
- Users are advised to review and revoke token approvals under this link: https://etherscan.io/tokenapprovalchecker.
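One way to apply the advice on reviewing a request before approving it, as an added example that is not from the original article or from CPR: the function below reads the raw calldata of a transaction a wallet is asked to sign and flags token approvals. It interprets `approve` as an ERC-20 allowance (an assumption), and the spender address and sample calldata are constructed.

```python
# Added example: classify the calldata of a transaction a site asks the wallet to sign.
APPROVE = "095ea7b3"               # selector of approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # selector of setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1


def _address(word):
    # An address is left-padded with zeros to 32 bytes; reject anything else.
    if int(word[:24], 16) != 0:
        raise ValueError("non-zero padding in address argument")
    return "0x" + word[24:]


def review_calldata(calldata):
    """Return kind, grantee and risk for approval-type calls; 'other' otherwise."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    bytes.fromhex(data)  # raises ValueError on non-hex or odd-length input
    selector, body = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return {"kind": "other", "grantee": None, "risk": "review manually"}
    if len(body) != 128:
        raise ValueError("approval call must carry exactly two 32-byte arguments")
    grantee, value = _address(body[:64]), int(body[64:], 16)
    if selector == SET_APPROVAL_FOR_ALL:
        # true lets the operator move every token of this collection you hold
        risk = "high" if value else "low (revokes operator)"
        return {"kind": "setApprovalForAll", "grantee": grantee, "risk": risk}
    # Assumption: ERC-20 semantics, where the second word is the allowance.
    # On an ERC-721 contract the same selector carries a token id instead.
    if value == 0:
        risk = "low (revokes allowance)"
    elif value == MAX_UINT256:
        risk = "high (unlimited allowance)"
    else:
        risk = "medium"
    return {"kind": "approve", "grantee": grantee, "risk": risk}


if __name__ == "__main__":
    # Constructed sample: unlimited approve() to a made-up spender address.
    spender = "11" * 20
    sample = "0x" + APPROVE + "0" * 24 + spender + "f" * 64
    print(review_calldata(sample))
```

A "high" result means the grantee could move the tokens later without any further signature, which is the kind of standing permission the token approval checker linked above lets users revoke.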