You don’t have to be a novice to get hacked.
It can happen to anyone. Just ask Mark Cuban, who has been Web3-savvy since before it was called Web3, and who lost $870,000 in a crypto hack last month. Or even Vitalik Buterin, who fell victim to a SIM card hack and had $691,000 filched from his followers. By one estimate, crypto hacks have stolen nearly $1 billion in 2023 alone.
How is this still happening? Given that the space is now over a decade old, shouldn’t we all know better? And what are the underlying reasons for the continued thefts, scams, and embarrassments?
“We will always have this issue,” says Steven Walbroehl, chief security officer of Halborn, a blockchain-focused cybersecurity company. One reason is that the industry (and tech) is always changing. When the technology gets updated and new code gets pushed in a sprint, says Walbroehl, “you’re going to have sophisticated attacks all day.”
Then there are the financial incentives. Hackers have more reason to break into crypto than they do traditional finance, because of the potential for major gains. If you’re a hacker trying to nick credit card data, says Walbroehl, then even if you’re successful (and it’s a tougher nut to crack), you still need to sell the loot on dark web marketplaces. That’s a chore. And it’s not particularly lucrative, as each credit card might only net you $2. But if you drain someone’s MetaMask wallet? Hunt the right target and that’s an easy $2 million.
Or as Eric Michaud, CEO of Unciphered, a security company that recovers lost crypto, puts it: With crypto hacking “the juice is worth the squeeze.”
To Michaud it’s not complicated. It boils down to what master thief Willie Sutton allegedly said when asked why he robbed banks: “Because that’s where the money is.” And if it feels that the scams are getting more savvy and sneaky, that’s because they are. For this, we can thank AI.
Dmitriy Budorin, CEO of crypto security company Hacken, explains how a common scam works: “Your favorite crypto project has some special announcement, and you go to their website,” he says. The website looks normal. You see an Airdrop for a new token, you click on it, and you connect your MetaMask wallet. But the website is an evil genius-designed spoof. “By just connecting your MetaMask wallet and pushing one button, your account gets drained,” says Budorin, which is essentially what happened to Mark Cuban.
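The following is an added illustration and not part of the article, nor code from MetaMask, Hacken or any other project named here. The one-button drain Budorin describes usually works by getting the victim to sign a token approval that hands a drainer contract permission to move their tokens; that is my assumption about what the button sends, since the article does not say. The check below, which a wallet could run before showing its confirm dialog, decodes the calldata of a pending transaction and flags approvals to unknown spenders or for unlimited amounts. The two function selectors are the real ERC-20 `approve` and ERC-721/1155 `setApprovalForAll` selectors; the addresses and sample requests are constructed for the demonstration.

```javascript
// Added example: a pre-signing check for token approvals. Not the wallet's
// own code. Assumption (not stated in the article): the spoofed airdrop
// button submits an `approve` or `setApprovalForAll` transaction.

// 4-byte function selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0xa22cb465": "setApprovalForAll(address,bool)",
};

const UINT256_MAX = (1n << 256n) - 1n;

// Left-pad a hex string (no 0x prefix) to one 32-byte ABI word.
function pad32(hexNoPrefix) {
  return hexNoPrefix.padStart(64, "0");
}

// Build calldata for approve(spender, amount). Used to construct samples.
function encodeApprove(spender, amount) {
  return "0x095ea7b3" + pad32(spender.toLowerCase().slice(2)) + pad32(amount.toString(16));
}

// Build calldata for setApprovalForAll(operator, approved).
function encodeSetApprovalForAll(operator, approved) {
  return "0xa22cb465" + pad32(operator.toLowerCase().slice(2)) + pad32(approved ? "1" : "0");
}

// Parse ABI-encoded calldata of an approval call. Returns null when the
// selector is not one of the two approval functions or the data is short.
function decodeApproval(data) {
  const hex = (data || "0x").toLowerCase().replace(/^0x/, "");
  const fn = SELECTORS["0x" + hex.slice(0, 8)];
  if (!fn || hex.length < 8 + 64 * 2) return null;
  const word1 = hex.slice(8, 72);          // first 32-byte argument
  const word2 = hex.slice(72, 136);        // second 32-byte argument
  const spender = "0x" + word1.slice(24);  // addresses are right-aligned in the word
  if (fn.startsWith("approve")) {
    return { fn, spender, amount: BigInt("0x" + word2) };
  }
  return { fn, spender, approved: BigInt("0x" + word2) === 1n };
}

// Assess a transaction request against a user-maintained allowlist of
// spenders the user has deliberately approved before (e.g. a DEX router).
// Verdicts: "no-approval", "ok", "warn" (known spender, broad grant),
// "block" (unknown spender).
function assessRequest(tx, knownSpenders = []) {
  const decoded = decodeApproval(tx.data);
  if (!decoded) return { verdict: "no-approval", reasons: [], decoded: null };
  const reasons = [];
  const known = knownSpenders.map((a) => a.toLowerCase()).includes(decoded.spender);
  if (!known) reasons.push(`spender ${decoded.spender} is not a known contract`);
  if (decoded.fn.startsWith("approve") && decoded.amount === UINT256_MAX) {
    reasons.push("unlimited ERC-20 allowance requested");
  }
  if (decoded.fn.startsWith("setApprovalForAll") && decoded.approved) {
    reasons.push("blanket approval for every token in the collection");
  }
  let verdict = "ok";
  if (!known) verdict = "block";
  else if (reasons.length > 0) verdict = "warn";
  return { verdict, reasons, decoded };
}

// Constructed sample: a drainer address and a router the user already trusts.
const SAMPLE_DRAINER = "0x1111111111111111111111111111111111111111";
const SAMPLE_ROUTER = "0x2222222222222222222222222222222222222222";
const sampleRequest = { to: "0x3333333333333333333333333333333333333333",
                        data: encodeApprove(SAMPLE_DRAINER, UINT256_MAX) };
console.log(assessRequest(sampleRequest, [SAMPLE_ROUTER]));
```

The verdict logic is deliberately conservative: any approval to an address the user has never trusted is blocked outright, and even a known spender asking for an unlimited allowance or a blanket `setApprovalForAll` gets a warning, because that is exactly the grant a spoofed site needs to empty the wallet later without another signature.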
AI’s role in this? Thanks to the wizardry of tools like ChatGPT, hackers can crank out an endless supply of blog posts, comments, FAQs, and website copy that, in the “old days” (last year), would have taken forever to create. Now, these faux websites look well-populated and legitimate.
“These hackers are experts in human behavior,” says Budorin. “They know exactly how many seconds a person is using a website to verify if it is legitimate.”
So if the hackers determined that the average person spends 15 seconds poking around on a site for due diligence, they’ll create enough AI-generated content to keep them busy for 15 seconds. This could include fake help articles, fake users, and fake comments.
Some bogus sites even use AI to power real-time help chatbots — and as the ultimate irony, they might give you advice to “help” you avoid scams. All of this AI-enabled fake content is why the game has changed so dramatically in 2023. Months ago, it was a lot easier to detect phishing scams, says Michaud. “Now, it’s incredibly difficult. It’s not fair.”
Adding to the unfairness, it’s now easier for scammers to do their thing on X, formerly Twitter. “These types of attacks have significantly increased, especially after Elon Musk [effectively] canceled censorship [on X],” says Budorin. While Musk’s intentions might have been to squash the bots, now anyone can pay $8 for Twitter Blue and impersonate the heads of crypto projects. Budorin says that even his wife lost an NFT by clicking on a fake Airdrop. It can be easy to get fooled. “Humans are humans,” says Budorin. “Sometimes they just lose their attention.”
The rise in crypto hacks has moved alongside the growth of decentralized finance (DeFi). It’s true that interconnected DeFi protocols can help trim the fat from traditional finance, speed up transactions, and unlock new types of financial instruments that could never otherwise exist. But it’s also true that they contain vulnerabilities. “Complexity is the enemy of security,” says Walbroehl. “The more things you have going on-chain, and the more DeFi components you have, you’re going to have more hacks. That’s just a fact.” Exhibit A: DeFi lender Euler was hacked in March and lost $197 million.
Behavioral economics and the human mind
But ultimately, at its core, the root of hacks might have more to do with human psychology than any lines of code. Many in crypto — and most of the OGs — are animated by the idea that we shouldn’t fully trust financial institutions and that you should “be your own bank.” The idea has a certain romance to it. But the reality is that the average person is far less effective at security than the average bank, and I’m confident that vastly more funds have been lost through crypto hacks, scams, or negligence (like losing a wallet) than from losing deposits at the Wells Fargos of the world.
The science of behavioral economics and risk analysis helps explain this dynamic. Most of us operate with certain biases, and these biases impact our decisions. One bias is over-confidence. “Most people think they’re better at many things than they are,” says Hersh Shefrin, an economist and expert in risk and behavioral finance.
In an often-cited Swedish study, for example, people were asked if they think they are a better or worse driver than the average person. Most people said they were above average, which, of course, is statistically impossible. (The average should be the average.) Perhaps not surprisingly, men were especially over-confident in their driving abilities.
One psychological factor that may help explain falling victim to crypto hacks: We think we’re better at security than we really are. Another is the issue of control. “We think we have more control than we do. That’s the illusion of control,” says Shefrin. He adds that we also tend to be more optimistic about things we control – partly because we’re so confident in our ability – which compromises our ability to correctly analyze risk.
We probably overestimate the risk of our funds being lost (or stolen) by a financial institution and underestimate the risk of our own mishaps. “People try to protect themselves from the wrong threat levels,” says Michaud. “They’re worried about the government coming to get their crypto, when the more realistic thing is that you’re going to forget your obscure steps for password recovery.”
This reminds me, by analogy, of a classic study of risks following 9/11. Immediately after the terrorist attacks, many people were afraid to travel by airplane because planes might crash into buildings. So they took car trips instead. The tragic irony is that months later, academics analyzed the data and discovered that there were far more car accidents than normal. This is because driving in a car might feel safer than flying – because you’re in control! – but the math says it’s far riskier.
Obviously, crypto isn’t life and death, and I don’t say this to roast crypto or to argue that buying it is dangerous. (I’m a HODLer.) But to reach true widespread adoption, it could be useful to speak plainly about the risks, to challenge the merits of our own “control,” and to question if it really makes sense for everyone to be their own bank.