As the crypto market is waking up, so are the illicit actors, meaning that it’s a good time for a security check.

Overall, yearly crypto losses due to illicit activity appear to have significantly decreased. Compared to last year’s nearly $4 billion lost to hacks and scams, the first 10 months of 2023 have witnessed only $1.4 billion (source: Immunefi).

Such a decrease could be attributed to the long bear market; however, even the recent price movements have not (yet?) translated into a surge in hacks. Indeed, while Q3 2023 was the quarter that recorded the most crypto losses since the beginning of the year, the month of October saw very few.
 
That said, crypto has its fair share of illicit actors, and it is essential to learn to recognize them and to protect oneself from them. The most common techniques include seed phrase theft, DeFi exploits, scams, and phishing attacks.
 
Wallets
 
User experience stands out as a major obstacle to crypto adoption. For many, the responsibility of managing a 12-word seed phrase proves too cumbersome, prompting them to turn to third-party services. These services include not only crypto-native software but also all-purpose tools, such as the popular password manager LastPass.
 
The service is now accused of being at the origin of a long string of crypto thefts that started after the company was hacked last December. The hacker used seed phrases stored in LastPass vaults to drain the associated wallets. Initially unknown, the connection between the thefts and the LastPass breach became apparent after several on-chain investigations later in the year. However, due to the company’s misleading communication (it first claimed that user keys had not been accessed in the breach) and users’ slowness to react, the hacker has managed to drain some $39 million, and counting. The latest theft, of $4.4 million, was reported just last week.
 
Any intermediary is a potential threat, and it is concerning that so many crypto users still make the same mistake. The golden rule is “not your keys, not your coins”.

DeFi
 
Telegram trading bots are another concession to convenience in the crypto world, and, unsurprisingly, they are also prone to failure.
 
Yesterday, the popular Telegram trading tool Unibot revealed a “token approval exploit” – a vulnerability in its smart contract’s permissions that allowed unauthorized token movements. The Unibot team promised to compensate all $640,000 lost due to the bug.
 
In general, DeFi protocols that facilitate trading, swapping, or bridging are hackers’ favorite targets. According to Immunefi, DeFi hacks typically account for 70-80% of total losses from exploits.
 
Most often, such hacks target new and relatively unknown protocols (the Curve Finance hack this summer was a notable exception, though most of the stolen funds were reimbursed). To avoid losing money, the rule of thumb here is to use well-established platforms.

Scams
 
Among the most common scams in crypto are rug pulls, in which a project’s founding team disappears together with its clients’ funds. This year, the most significant rug pull was Fintoch, causing $31 million in losses.
 
It can be difficult to spot a rug pull, especially if its authors are adept at manipulating social media. The safest approach here is to avoid investing in or using protocols without a significant track record.
 
Phishing
 
Phishing means impersonating a person or a service to lead users to a fraudulent website and/or make them approve a fraudulent transaction. 
 
To do that, scammers clone a reputable website, choosing a domain name that could mislead inattentive users. Just last week, scammers duplicated the websites of the crypto media outlet Blockworks and the Ethereum block explorer Etherscan to trick readers into connecting their wallets to a crypto drainer. However, something must have gone wrong: on inspection, the drainer’s smart contract appeared to be incorrectly set up, meaning no losses for the users.
 
To fend off phishing attacks, attention to details such as website and email domains is crucial. Before approving a transaction or clicking on a link, it’s better to cross-check the domain against several sources (verified social media accounts, other websites…).
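The “token approval” mentioned in the DeFi section and the “approve a fraudulent transaction” step of a phishing drain both come down to what a wallet is asked to sign. As an added example (not code from the original article or from any wallet or project it mentions), the following decoder summarizes a pending ERC-20 approve() or ERC-721 setApprovalForAll() request so the spender and the scope of the grant can be checked before signing; the spender addresses and the trusted-spender list are constructed placeholders.

```python
# Added example: decode approval calldata so a user can see which spender is being
# granted what before signing. The two selectors are the standard 4-byte function
# identifiers of approve(address,uint256) and setApprovalForAll(address,bool).
UNLIMITED = 2**256 - 1
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}

def decode_approval(calldata: str) -> dict:
    """Return a summary of an approval call, or raise ValueError if it is not one."""
    raw = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if len(raw) < 4 + 64:
        raise ValueError("calldata too short for a two-argument call")
    selector = raw[:4].hex()
    if selector not in SELECTORS:
        raise ValueError(f"not an approval call: selector 0x{selector}")
    words = [raw[i:i + 32] for i in range(4, 4 + 64, 32)]
    # An ABI-encoded address is right-aligned in its 32-byte word; the 12 leading bytes are zero.
    if any(words[0][:12]):
        raise ValueError("malformed address word")
    spender = "0x" + words[0][12:].hex()
    value = int.from_bytes(words[1], "big")
    fn = SELECTORS[selector]
    if fn.startswith("approve"):
        return {"function": fn, "spender": spender, "amount": value,
                "unlimited": value == UNLIMITED}
    # setApprovalForAll(spender, true) hands over every token of the collection.
    return {"function": fn, "spender": spender, "approved": bool(value),
            "unlimited": bool(value)}

def assess(calldata: str, trusted_spenders: set) -> list:
    """List the red flags a user should cross-check before signing."""
    info = decode_approval(calldata)
    known = {s.lower() for s in trusted_spenders}
    flags = []
    if info["spender"].lower() not in known:
        flags.append(f"spender {info['spender']} is not a known contract")
    if info["unlimited"]:
        flags.append("approval is unlimited (covers the whole balance / collection)")
    return flags

if __name__ == "__main__":
    # Constructed sample: an unlimited approve() to a placeholder spender address.
    sample = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32
    for flag in assess(sample, trusted_spenders=set()):
        print("WARNING:", flag)
```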
 
Securing users’ crypto experience is one of the industry’s holy grails, and new initiatives appear regularly. For example, MetaMask, one of the most popular crypto wallets, has recently unveiled a DApp scanning solution. Launched in collaboration with Blockaid, a crypto security startup that closed a $33 million funding round in October, it is said to simulate transactions offline to check whether they are malicious.