Merkle Science and Halborn Discuss Crypto Hacks and Cybersecurity: Webinar Recap
Merkle Science
On Monday, October 14, blockchain analytics company Merkle Science and blockchain security firm Halborn hosted a one-hour webinar, Crypto Hacks in 2024: Have We Truly Learned From Crypto’s All-Time Biggest Hacks?
Moderated by André Beganski of Decrypt Media, the webinar featured Merkle Science’s Director of Law Enforcement Affairs Robert Whitaker and Senior Solution Architect Justus Delp, along with Halborn’s Lead Security Architect Mar Gimenez-Aguilar and VP of Advisory Piotr Cielas.
You can watch the webinar on-demand here.
This article will provide a recap of the webinar with insights into some of the biggest security breaches into 2024, new trends in cybercrime, and best practices on how organizations can better protect themselves.
A broader, long-term view on smart contract vulnerabilities
The webinar was inspired by the recent release of both companies' flagship reports on crypto hacks: Merkle Science's 2024 Hackhub Report and Halborn's Top 100 DeFi Hacks Report, which set the stage for an in-depth discussion on the biggest security breaches and emerging cybercrime trends.
Merkle Science found that the amount lost to smart contract exploits fell by 93.5%, from $2.6 billion in 2022 to just $179 million in 2023, yet such exploits still accounted for half of all attacks that year. Halborn went so far as to call smart contract vulnerabilities the Achilles' heel of DeFi.
Justus Delp said that crypto protocols and services can occasionally take a limited view of potential attack vectors when it comes to smart contracts. “It's not necessarily just the smart contract itself that poses a risk, but actually also the UI that a potential malicious actor wants to use,” said Delp. Organizations therefore need to know who is actually trying to use the smart contract or UI in order to mitigate these risks. Delp said that Merkle Science’s Tracker helps screen addresses to deter bad actors.
Piotr Cielas agreed that organizations should take a holistic view of their entire technology stack, including the “people, processes, and data” involved.
Cielas also recommended taking a broader view of smart contract vulnerabilities in terms of time.
“You have to think about the whole lifecycle of the contract: When you start ideating through proof of concepts, then you arrive at an MVP, and you deploy it—you incrementally update functionalities at every one of these steps. There can be vulnerabilities introduced, there can be misconfigurations, and there can be a misalignment between specification and implementation,” he said.
As a result, Halborn advised organizations to conduct regular security audits of smart contracts to uncover and patch any vulnerabilities. Such audits and updates should not be a one-and-done exercise, but part of an ongoing process. If cyber criminals are working around-the-clock to penetrate an organization’s systems, you should be doing the same to keep them out.
Preventive monitoring for regulatory compliance
Delp said that DeFi and CeFi are becoming increasingly intertwined, pointing to hackers stealing private keys from multi-chain bridge functions as an example. Delp also explained that the regulatory environment in the United States does not distinguish between DeFi and CeFi.
“The U.S. Department of Treasury published [guidelines] in April 2023 saying it doesn't really matter if a service is decentralized or not, the key obligation—if it has any association with the United States at least—is that you need to comply with anti-money laundering and counter-terrorist financing guidelines,” he said.
The complication here is that criminals have developed increasingly sophisticated methods of money laundering. Delp cited the Lazarus Group, a cybercrime group with ties to North Korea, as a pioneer in obfuscation techniques.
Following the DMM Hack of more than $308 million in May 2024, the Lazarus Group moved stolen funds from Bitcoin to Ethereum, then to Tron, where they landed on UCT, before finally liquidating through exit nodes like exchanges and financial services.
According to Delp, the best way for organizations to stop money laundering and comply with US regulations is through prevention. “You need to know when a risky actor is trying to interact with your platform…And the only way you can really do this is by screening and monitoring your transactions and having a look at the pattern,” he said.
Merkle Science offers transaction monitoring through its tool Tracker, which can operate on blacklists, such as the one provided by the Office of Foreign Assets Control, as well as on behavior-based rules. Tracker can perform both real-time and continuous monitoring, in which addresses that initially turn up clean are continually rechecked.
Robert Whitaker explained that trackers can also enable intervention. “If you're fast enough, depending on the threat actor, you can almost determine where they're going to go and beat them to the punch sometimes,” he said.
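To make the two screening modes described above concrete, the following is an added illustration (not Merkle Science's or Tracker's code): a minimal screener that combines a denylist check with one behavior rule (direct exposure to a listed address) and re-screens every previously cleared address whenever the list is updated. All addresses and transfers are constructed placeholders, and `direct-exposure` is an assumed verdict label.

```python
from dataclasses import dataclass, field

# Constructed sample data: placeholder addresses, not real sanctioned entries.
INITIAL_DENYLIST = {"0xBAD1"}
TRANSFERS = [  # (sender, receiver) pairs, constructed for the example
    ("0xA1", "0xB2"),
    ("0xB2", "0xBAD1"),
    ("0xC3", "0xD4"),
]


@dataclass
class Screener:
    denylist: set
    edges: dict = field(default_factory=dict)     # address -> set of counterparties
    verdicts: dict = field(default_factory=dict)  # address -> most recent verdict

    def record(self, sender, receiver):
        """Real-time step: remember who transacted with whom."""
        self.edges.setdefault(sender, set()).add(receiver)
        self.edges.setdefault(receiver, set()).add(sender)

    def screen(self, address):
        """Blacklist check first, then a behavior rule on the address's history."""
        if address in self.denylist:
            verdict = "listed"
        elif self.edges.get(address, set()) & self.denylist:
            verdict = "direct-exposure"  # transacted directly with a listed address
        else:
            verdict = "clean"
        self.verdicts[address] = verdict
        return verdict

    def update_denylist(self, new_entries):
        """Continuous monitoring: re-screen every address seen so far and
        return only those whose verdict changed because of the new entries."""
        self.denylist |= set(new_entries)
        changed = {}
        for address, old in list(self.verdicts.items()):
            new = self.screen(address)
            if new != old:
                changed[address] = new
        return changed


def build_demo_screener():
    """Load the constructed transfers into a screener with the initial list."""
    screener = Screener(set(INITIAL_DENYLIST))
    for sender, receiver in TRANSFERS:
        screener.record(sender, receiver)
    return screener
```

An address such as `0xC3` is clean at first screening, but once its counterparty `0xD4` is added to the list the re-screen flips it to `direct-exposure` without any new transaction having occurred.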
Focusing on the cutting-edge of tech
In his closing remarks, Whitaker discussed how the crypto space has evolved rapidly over the last ten years. In the early days, security amounted to hiding your keys, which meant occasionally moving them from a hot wallet into a cold wallet.
“And now things have become much more complicated,” Whitaker explained. “So don't look at the threats today and mitigate the best you can, but try to stay a step ahead as well because the next evolution is coming—it's always coming. So looking down the path is just as important as looking behind you.”
Cielas elaborated on how bad actors might use cutting-edge technologies for their crimes. He noted that it could be as simple as bad actors relying on LLMs to speed up production of malicious code, or leveraging AI to clone bots or adapt them more quickly to changing conditions.
These technologies could even breathe new life into social engineering attacks like spear phishing. “Deepfakes can modulate your voice, pretending to be a representative of your favorite centralized exchange or custodian to try and get the security questions from you, or the details that it needs to access your accounts, and potentially steal your assets,” said Cielas.
According to Cielas, Halborn is mindful of the opportunities that AI and AI-adjacent technologies bring to cyber criminals. While organizations should stay aware of the latest trends, they should not try to defend against them entirely on their own. Stretching to cover every direction criminals might exploit can carry a significant opportunity cost, pulling the business away from its core competencies.
“Don't try to keep it in-house if you don't have the expertise,” said Whitaker, who encouraged companies to tap companies like Merkle Science for assistance in combating crypto crime end-to-end, including tracing the movement of illicit funds as part of an incident response.
Conclusion
Based on what the representatives of Merkle Science and Halborn shared during the webinar, organizations must take a broader view of smart contract vulnerabilities, one that covers the UI as well as the contract's entire lifecycle; monitor addresses for bad actors trying to interact with their business, as a matter of compliance as well as security; and pay attention to cutting-edge technologies like AI that may scale up or reinvigorate old schemes.
For more information on how Merkle Science’s Tracker can assist in tracking the flow of illicit funds, identifying bad actors, and stopping their crimes, get in touch today.