From: thepipeline_xyz
The cryptocurrency space is a prime target for hacks and exploits because it is programmable money: a successful compromise converts directly into funds that can be moved at once [00:02:07]. It combines traditional Web2 attack vectors with Web3-specific ones such as smart contract execution issues [00:02:33].
Crypto Security Challenges
Users in the crypto space are often caught between two massive pillars of attack vectors: traditional Web2 vulnerabilities and Web3 smart contract execution issues [00:02:49]. This constant pressure necessitates prudence and care [00:02:54].
Core Targets of Cyber Attackers
Attackers typically target three main areas [00:03:30]:
- Funds: Whatever is stored on-chain, exchanges, or wallets [00:03:35].
- Access: The ability to use an individual as an interception point to compromise their colleagues, friends, or family [00:03:44]. For public figures, compromised accounts can be leveraged in spear phishing campaigns [00:04:01].
- Data: Sensitive credentials stored anywhere must be rigorously audited [00:04:16].
Common Attack Vectors
Phishing Scams
Phishing is by far the most common attack vector, and these attacks are becoming significantly more versatile and sophisticated [00:14:59]. Nation-states like North Korea run massive phishing farms targeting individuals from top founders to everyday traders [00:15:10].
Common phishing tactics include:
- Spoofed Websites: Attackers create websites that look nearly identical to legitimate ones [00:18:22]. Users may approve unintended actions or lose credentials by interacting with these sites [00:18:30].
- Malicious Ads: Attackers purchase ad space on search engines for popular crypto-related terms (e.g., “Uniswap”) [00:18:48]. Clicking these ads can lead to spoofed websites that are highly convincing [00:19:03].
- Domain Spoofing: Attackers register domains that look like the real one by swapping confusable characters (e.g., ‘rn’ for ‘m’, ‘l’ for ‘i’; Unicode homoglyphs such as a Cyrillic ‘а’ in place of a Latin ‘a’ are the same trick) [00:19:50]. These links appear in comments, DMs, or emails [00:19:40].
- Spear Phishing: Targeted attempts, often through DMs (e.g., on Twitter or Discord), where attackers impersonate companies or offer fake job opportunities [00:23:05]. These often include malicious links (e.g., meeting links) or requests to download executables [00:23:41].
- Malicious Files: Office documents (Word, Excel) can carry macros that execute code once enabled, and PDFs can carry embedded scripts or target bugs in the viewer; opening an attachment from a DM or a “recruiter” email is enough to be compromised [00:24:54].
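The domain-spoofing bullet above is mechanical enough to check in code. The following is an added example (not from the podcast or any project it mentions) of a lookalike-domain classifier: it folds a hostname into a “skeleton” in which ‘rn’/‘m’, ‘l’/‘i’/‘1’, Cyrillic/Latin twins and punycode all collapse to one spelling, then compares that against the user’s own trusted list. The trusted set and the confusable tables are constructed sample data; a real deployment would use the user’s bookmarks and a fuller confusables list.

```python
import unicodedata

# Constructed sample of the sites this user actually uses. In practice this
# is the user's own bookmark list, which is what they should navigate from.
TRUSTED = {"uniswap.org", "app.uniswap.org", "etherscan.io", "metamask.io"}

# Lookalike substitutions seen in phishing domains (constructed table; extend
# as needed). Multi-character sequences are folded first, then single characters.
SEQ_CONFUSABLES = {"rn": "m", "vv": "w"}
CHAR_CONFUSABLES = {"1": "l", "|": "l", "i": "l", "0": "o", "5": "s", "3": "e", "8": "b"}
# Cyrillic letters that render identically to Latin ones, mapped to their Latin twins.
CYRILLIC_TO_LATIN = str.maketrans(
    "\u0430\u0441\u0435\u043e\u0440\u0445\u0443\u0456\u0458", "aceopxyij")


def skeleton(domain: str) -> str:
    """Collapse a hostname into a lookalike-insensitive form so that
    'uniswap.org', 'unlswap.org', 'unisvvap.org' and the Cyrillic-a variant
    all produce the same string."""
    d = domain.strip().lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")      # xn--... labels -> Unicode
    except UnicodeError:
        pass                                       # already Unicode, keep as-is
    d = unicodedata.normalize("NFKC", d)           # fullwidth letters, ligatures
    d = "".join(c for c in unicodedata.normalize("NFD", d)
                if not unicodedata.combining(c))   # strip accents/diacritics
    d = d.translate(CYRILLIC_TO_LATIN)
    for seq, rep in SEQ_CONFUSABLES.items():
        d = d.replace(seq, rep)
    return "".join(CHAR_CONFUSABLES.get(c, c) for c in d)


def classify(domain: str) -> str:
    """Return 'trusted', 'subdomain of X', 'LOOKALIKE of X ...' or 'unknown'."""
    d = domain.strip().lower().rstrip(".")
    if d in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        if d.endswith("." + good):
            return f"subdomain of {good}"
    sk = skeleton(d)
    labels = sk.split(".")
    for good in sorted(TRUSTED):
        gsk = skeleton(good)
        if sk == gsk:
            return f"LOOKALIKE of {good} (character substitution)"
        g = gsk.split(".")
        n = len(g)
        # trusted name buried in the middle: uniswap.org.verify-login.com
        if any(labels[i:i + n] == g for i in range(len(labels) - n)):
            return f"LOOKALIKE of {good} (used as a subdomain of another domain)"
    return "unknown"


if __name__ == "__main__":
    for host in ["app.uniswap.org", "unlswap.org", "metarnask.io",
                 "unisw\u0430p.org", "uniswap.org.verify-login.com", "example.com"]:
        print(f"{host:32} -> {classify(host)}")
```

The skeleton is deliberately lossy: it is only used for comparison against a short allow-list, so false merges between unrelated names do not matter, while a miss on a real phishing domain does. Anything that is not “trusted” or “subdomain of” a trusted name should be treated as a page to type into the address bar yourself rather than click.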
Smart Contract Execution Issues
Vulnerabilities in smart contracts pose a significant risk [00:15:39]. Users unfamiliar with code should be very prudent about the contracts they interact with [00:16:01].
Compromised Applications and Software
- Malicious Chrome Extensions: Extensions can be malicious and gain access to cookies, credentials, or other sensitive data [00:22:01]. Attackers may pay influencers to promote these [00:22:11].
- Outdated Software: Not keeping the operating system, browser, and apps such as Twitter and Discord updated leaves users exposed to publicly known vulnerabilities for which a patch already exists; attackers routinely weaponize these soon after disclosure [00:10:42].
Multi-Factor Authentication (MFA) Exploits
While crucial, MFA is not bulletproof [00:39:03].
- SMS-based MFA: This is insecure because if a phone number is compromised through a SIM swap, attackers gain access to all accounts using SMS-based MFA [00:06:57]. This can include Google accounts, exchanges, and bank accounts [00:07:13].
- Prompt Bombing: Attackers spam an authenticator app with MFA requests, hoping the user will eventually approve one out of annoyance or distraction [00:34:10].
- Man-in-the-Middle on Public Wi-Fi: On untrusted public Wi-Fi networks (e.g., Starbucks, conferences), attackers can set up malicious access points that proxy the victim’s traffic [00:35:57]. When the user logs in through the attacker’s spoofed copy of the login page, the attacker captures the username, password, and one-time MFA code and replays them against the real site within the code’s validity window [00:36:19]. TLS protects a direct connection to the genuine site; the attack works because the victim is interacting with the attacker’s page, which is also why origin-bound factors (hardware keys) defeat it while SMS and app codes do not.
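To make the difference between the MFA methods concrete, here is an added simulation (not code from the podcast or any product it names) of the public Wi-Fi relay above. The first half implements RFC 6238 TOTP, the code an authenticator app shows, and demonstrates that a code captured on a proxied login page is accepted when replayed seconds later. The second half models the origin-bound challenge/response used by FIDO2/WebAuthn hardware keys; as a stated simplification, an HMAC over a per-site secret stands in for the key’s per-credential signature, and `HardwareKey`, `site_verifies`, and the `*.example` origins are all hypothetical names. Only the binding logic is the point: the assertion is signed over the origin the browser actually saw, so the real site rejects one produced on the attacker’s page.

```python
import hashlib
import hmac
import secrets
import struct


# --- Factor 1: a TOTP code (RFC 6238, SHA-1, 30 s steps), what an authenticator app shows ---
def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_server_accepts(secret: bytes, submitted: str, now: int) -> bool:
    # Real servers also accept the adjacent time steps for clock drift; same outcome.
    return hmac.compare_digest(totp(secret, now), submitted)


def relay_totp_attack() -> bool:
    """Rogue access point proxies the login page. The victim types a genuine code
    into the proxied page; the attacker submits it to the real site seconds later.
    Nothing ties the code to who typed it or where, so the replay is accepted."""
    seed = secrets.token_bytes(20)          # shared secret between app and site
    t_victim = 1_700_000_000                # instant the victim reads the code
    captured = totp(seed, t_victim)         # typed into the attacker's proxy
    return totp_server_accepts(seed, captured, t_victim + 7)   # forwarded 7 s later


# --- Factor 2: an origin-bound challenge/response, the model behind FIDO2/WebAuthn keys ---
# Simplification (assumed, not the real protocol): HMAC with a per-site secret stands
# in for the key's per-credential private key. Only the binding logic matters here.
class HardwareKey:
    def __init__(self) -> None:
        self._creds: dict[str, bytes] = {}             # rp_id -> credential secret

    def register(self, rp_id: str) -> bytes:
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]                      # stand-in for the public key the site stores

    def get_assertion(self, rp_id: str, challenge: bytes, origin: str) -> tuple[bytes, bytes]:
        # The browser, not the user, fills in `origin`: whichever page is asking.
        client_data = challenge + b"|" + origin.encode()
        sig = hmac.new(self._creds[rp_id], rp_id.encode() + client_data, hashlib.sha256).digest()
        return client_data, sig


def site_verifies(cred: bytes, rp_id: str, expected_origin: str, challenge: bytes,
                  client_data: bytes, sig: bytes) -> bool:
    if client_data != challenge + b"|" + expected_origin.encode():
        return False                                   # signed for a different page
    expected = hmac.new(cred, rp_id.encode() + client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


RP_ID, REAL_ORIGIN = "exchange.example", "https://exchange.example"
EVIL_ORIGIN = "https://exchange.example.wifi-login.example"   # attacker's proxied copy


def relay_fido_attack() -> bool:
    key = HardwareKey()
    cred = key.register(RP_ID)
    challenge = secrets.token_bytes(16)                # issued by the real site, relayed by the proxy
    # The victim's browser is on the attacker's page, so it reports EVIL_ORIGIN.
    # (A real browser would refuse outright: RP_ID is not a suffix of that origin.)
    client_data, sig = key.get_assertion(RP_ID, challenge, EVIL_ORIGIN)
    return site_verifies(cred, RP_ID, REAL_ORIGIN, challenge, client_data, sig)


def honest_fido_login() -> bool:
    key = HardwareKey()
    cred = key.register(RP_ID)
    challenge = secrets.token_bytes(16)
    client_data, sig = key.get_assertion(RP_ID, challenge, REAL_ORIGIN)
    return site_verifies(cred, RP_ID, REAL_ORIGIN, challenge, client_data, sig)


if __name__ == "__main__":
    print("TOTP replay accepted:", relay_totp_attack())       # True
    print("FIDO relay accepted: ", relay_fido_attack())       # False
    print("FIDO honest login:   ", honest_fido_login())       # True
```

The same reasoning covers prompt bombing: a push approval, like a TOTP code, carries no information about which page triggered it, whereas a hardware key’s response is unusable anywhere except the origin it was produced for.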
Service Desk and Account Recovery Exploits
Attackers can gather enough information about a user to spam service desks (e.g., for Twitter or phone carriers) and trick them into resetting passwords or providing account access [00:37:44]. This is a common method for SIM swapping [00:38:18].
Address Poisoning Attacks
Address poisoning attacks occur when an attacker monitors a user’s transaction ledger (e.g., on Etherscan) [00:39:42]. They then send a small (often zero-value) transaction to the user from an address that matches one the user frequently interacts with in its first and last few characters, which are the only parts most wallets and explorers display [00:39:48]. If the user isn’t paying close attention, they may later copy this lookalike address from their transaction history and send a large amount of funds to the attacker [00:40:15].
QR Codes
Scanning random QR codes, especially in public places like airports, can be dangerous [00:32:54].
Best Practices for Crypto Security
For new crypto users and experienced “trench warriors” alike, constant self-awareness and proactive measures are essential [00:06:03].
Self-Audit and Mindset
- Critical Self-Audit: Understand all potential points of failure in your digital life, creating an “attack surface map” to identify and mitigate concerns [00:03:25].
- Paranoia and Humility: Be as “schizophrenic and paranoid as possible” [00:26:00]. Never be overconfident, as new scam varieties constantly emerge [00:05:00]. Assume you are a target and that attackers are smart [00:32:27].
- Verify Before Trusting: Always verify the source of any link, email, or application before interacting with it [00:20:38]. For password resets, go directly to the website rather than clicking links in emails [00:21:02].
- Avoid Urgency: Attackers often capitalize on urgency (e.g., “quick 20-30x,” “alpha”) to bypass user due diligence [00:29:03]. Take a deep breath and verify before proceeding [00:29:37].
Account and Device Security
- Strong MFA: Enable multi-factor authentication (MFA) on every account holding funds or important data [00:06:41].
- Avoid SMS-based MFA due to SIM swap risks [00:06:57].
- Prioritize hardware-based MFA (e.g., YubiKeys): it requires physical possession of the key, and the login is bound to the genuine site’s origin, so a code or prompt captured on a phishing page is useless to the attacker [00:07:59].
- If hardware isn’t an option, use an authenticator app (e.g., Google Authenticator), ideally on a secondary device [00:08:28]. Store the recovery codes (or the TOTP seed) securely offline; losing them locks you out, and leaking them hands the factor to an attacker [00:08:31].
- Secure Recovery Methods: Lock down every account recovery path (backup email, phone number, security questions) [00:09:13]. Set a port-out or account PIN with your mobile carrier and instruct them not to make changes without it, so a social-engineered SIM swap is blocked [00:09:41].
- Password Management: Use a credible password manager like Bitwarden, or ideally, keep sensitive information air-gapped on physical paper or in a crypto capsule [00:08:48].
- Regular Updates: Keep your operating system, browser, and all applications (Twitter, Discord) up to date, preferably with automatic updates turned on [00:10:42].
- Browser Extensions Audit: Be cautious about what Chrome extensions you download, ensuring they are credible [00:22:33]. Regularly audit and remove any unrecognized or unnecessary extensions from your browser [00:22:39].
- Avoid Executables and Macros: Never download or run executables from untrusted sources [00:24:20]. Treat PDFs and Office documents as potentially hostile, since they can carry macros or embedded scripts [00:24:57]. Use a tool like Dangerzone (dangerzone.rocks), which renders a document to pixels and rebuilds a clean PDF from them, to review documents safely [00:25:20].
- Public Wi-Fi: Avoid using public Wi-Fi for sensitive crypto activities because of traffic monitoring and malicious access points [00:36:37]. If absolutely necessary, use a VPN, but even then the risk is reduced rather than eliminated [00:33:28].
- Multisig Key Distribution: For multi-signature wallets, ensure keys are not stored in one place. Use different hardware wallets so a compromise of one does not affect all [00:44:20].
Wallet Management
- Cold Wallets (Offline Storage): Use cold wallets as much as possible for storing funds [00:10:00]. The private keys are offline, making them far more secure from online hacks [00:13:01]. Back up recovery phrases offline in a safe, ideally fireproof, location [00:13:42].
- Hot Wallets (Online Storage): Hot wallets are connected to the internet and are easier to use for frequent transactions [00:13:20]. Do not keep too much money on a hot wallet due to higher compromise risk [00:14:23].
- Wallet Segmentation: Maintain separate wallets for different purposes: a “burner” wallet, a trading wallet, and a storage wallet, with cold wallets in the background [00:10:13].
- Address Verification: Always verify the exact address when sending crypto, especially when copying from transaction history, to avoid address poisoning attacks [00:40:47]. Have a centralized, airtight source for your addresses and bookmarks [00:41:07].
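The address poisoning attack described earlier and the address-verification practice above both reduce to one check: compare the full address, never just the visible head and tail, against a single trusted source. The following is an added example (not from the podcast or any wallet it mentions) that scans a transaction history for counterparties mimicking an address-book entry and resolves outgoing destinations only from that book. `MY_ADDR`, `ADDRESS_BOOK`, `POISON` and `HISTORY` are constructed sample data in Ethereum address format.

```python
import re

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample data. The address book is the "airtight source" the text
# recommends; the history is what a block explorer would list for MY_ADDR.
MY_ADDR = "0x5b38da6a701c568545dcfcb03fcb875f56beddc4"
ADDRESS_BOOK = {
    "cold storage": "0x9a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3",
    "exchange deposit": "0x71c7656ec7ab88b098defb751b7401b5f6d8976f",
}
POISON = "0x9a1bdeadbeef00112233445566778899aabbc2d3"  # same 4-hex head and tail as cold storage
HISTORY = [
    {"from": MY_ADDR, "to": ADDRESS_BOOK["cold storage"], "value_eth": 1.5},
    {"from": POISON, "to": MY_ADDR, "value_eth": 0.0},    # the poisoning "dust" transfer
    {"from": MY_ADDR, "to": ADDRESS_BOOK["exchange deposit"], "value_eth": 0.25},
]


def normalize(addr: str) -> str:
    """Lower-case a 20-byte hex address; reject anything else (no silent truncation)."""
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def is_lookalike(candidate: str, trusted: str, head: int = 4, tail: int = 4) -> bool:
    """True when the two differ but share the leading and trailing hex digits that
    wallets and explorers display (0x9a1b...c2d3)."""
    c, t = normalize(candidate), normalize(trusted)
    return c != t and c[2:2 + head] == t[2:2 + head] and c[-tail:] == t[-tail:]


def audit_history(history, book, self_addr, head=4, tail=4):
    """Return one finding per transaction whose counterparty mimics a book entry."""
    me = normalize(self_addr)
    trusted = {normalize(a): label for label, a in book.items()}
    findings = []
    for tx in history:
        sender, receiver = normalize(tx["from"]), normalize(tx["to"])
        counterparty = sender if receiver == me else receiver
        if counterparty in trusted:
            continue                                   # exact match: genuinely known
        for addr, label in trusted.items():
            if is_lookalike(counterparty, addr, head, tail):
                findings.append({
                    "address": counterparty,
                    "mimics": label,
                    "direction": "incoming" if receiver == me else "outgoing",
                    "value_eth": tx["value_eth"],
                })
    return findings


def resolve_recipient(label: str, book=ADDRESS_BOOK) -> str:
    """Outgoing transfers take their destination from the book by label, never
    from a copied explorer row. A KeyError on an unknown label is the point."""
    return normalize(book[label])


if __name__ == "__main__":
    for f in audit_history(HISTORY, ADDRESS_BOOK, MY_ADDR):
        print(f"WARNING: {f['direction']} {f['value_eth']} ETH with {f['address']} "
              f"mimics '{f['mimics']}'")
    print("send to:", resolve_recipient("cold storage"))
```

Run against the sample history this flags exactly one address, the zero-value incoming transfer whose sender mimics the cold-storage entry. A hardware wallet adds the final check the script cannot: the destination shown on the device screen is the one that will be signed, regardless of what a compromised browser or clipboard displayed.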
High-Profile Cases and Examples
- Ronin Network/Sky Mavis Hack (March 2022): A senior engineer was spear-phished with a fake job offer and opened a malicious file [00:42:51]. That single foothold gave the attackers four of the nine validator keys of the bridge multisig, which required five of nine signatures [00:43:03]. The fifth signature came through the Axie DAO validator, which had allow-listed Sky Mavis to sign on its behalf for a gas-free RPC arrangement in late 2021 and never revoked that access; roughly $600 million in ETH and USDC was drained [00:43:40]. The case highlights social engineering, stale permissions, and centralized points of failure, especially in the crypto gaming sector [00:44:03].
- Y22 Trader Compromise: An impersonator hijacked a notable trader’s Twitter thread by replying with a link to a malicious Telegram group [00:26:50]. The impersonator copied the trader’s Twitter history and follower count and even carried a gold checkmark [00:27:40]. Users were told to verify on their phone and then complete an action in their desktop browser, where their hot wallets lived, which led to the compromise [00:27:25].
Future Outlook
While user-experience improvements such as account abstraction are emerging (e.g., Fuse Wallet, which requires two independent keys instead of one so that a single compromise is not fatal) [00:30:22], the ultimate answer for security remains cold wallets [00:31:47]. The crypto space is inherently one where people are “out to get you,” and this mindset should be ingrained in users [00:32:10]. The goal is to reduce the risk of compromise as much as possible, because at some point something is likely to happen [00:47:39].
Educational Resources
- Lumos (chainlight.io): A website that displays different attack vectors in crypto [00:14:45].
- Phishing Quiz (therktgames.com): Created by Tincho Abate (Ethereum security researcher and founder of The Red Guild), this quiz helps users identify phishing attacks and address poisoning attempts [00:41:46].
- Taylor Monahan (tayvano): An “OG of everything crypto security,” she offers incredible resources, including a Medium article on securing crypto [00:49:04].
- Officer CIA: Has a massive aggregation of resources on Open-Source Intelligence (OSINT), including Telegram and Discord security [00:49:31].