As more people enter the web3 ecosystem, there are increasing opportunities for hackers to attack. And during the second quarter, there was a significant rise in crypto-focused phishing attacks across social media sites, according to a new report.
There were 290 recorded attacks during the second quarter, up 170% from 106 in the first quarter, according to a Web3 Security Q2 2022 report by CertiK, a blockchain and DeFi security-focused platform backed by Goldman Sachs and others. While there are many day-to-day minor phishing attacks (or attempts) on individuals in the space, the major attacks are classified as events that resulted in crypto losses of $100,000 or more, the company told TechCrunch.
“Social media affects phishing attacks by providing a centralized, single point of failure via which hackers can dupe users into following malicious links,” Ronghui Gu, CEO and co-founder at CertiK, said to TechCrunch. “This in turn leads to users being robbed of their assets.”
The second quarter was filled with “losses” and hacks across the web3 ecosystem — and many aren’t expecting it to slow down. Since the beginning of the year, over $2 billion has been lost to hacks and exploits — racking up an amount larger than the entirety of 2021 in half the time, the report stated.
A majority of the attacks targeted projects that communicate with users through Discord servers. Last month, Discord introduced a way for servers to preemptively detect and block harmful messages and spam. The tool, AutoMod, allows anyone who moderates one of its server-based communities to create a custom list of words that the bot can scan for and intercept, TechCrunch reported.
While this is a step in the right direction, popular messaging apps like Discord and Telegram still don’t support account verification. Without verification, hackers can clone accounts and offer “giveaways” that are “too good to pass up,” the report stated.
“The recent spate of Discord hacks is troubling as it shows how web3 projects that rely on Web 2.0 infrastructure are vulnerable to attack,” Gu said. “By compromising the official social media account of a web3 project, hackers can post malicious links that masquerade as authentic, and consequently trick users into trusting them.”
While Twitter supports account verification, which gives some reassurance to users, there is a tremendous amount of spam on its platform, too.
“Forecasts for the rest of the year look grim,” Gu said. “The recent CertiK Q2 report shows that 2022 is already the worst year for losses ever, and we are only halfway through the year.”
Based on these numbers, the report forecasts a 223% year-on-year increase in funds lost to attacks in 2022.
“Typically we would expect hacks to go down in a bear market as users are typically more experienced and there is less new and naive money coming into the space,” Gu said. “The fact that these attacks can continue is a sign both of the continued enthusiasm of web3 users despite the bear market, but also of the need for continued diligence on the part of web3 teams in securing their projects.”
So what needs to happen?
There is a greater need for projects to protect their users. Since hackers are using tricks commonly seen in the Web 2.0 world to exploit the web3 realm, security measures need to be changed, the report stated.
“Much of web3’s negative reputation as a digital ‘wild west’ arises from the points where it relies on web2 technologies and the vulnerabilities it entails,” the report stated. “This drives home how web3 security depends on it moving further away from, rather than returning to, the centralized practices of its predecessors.”
Projects need to push for greater community education so users can avoid falling victim to common attacks, while members also need to exercise caution when clicking on links or trusting others, even if they are posted over official channels, the report noted.
Even though community engagement and education are important, web3 projects should focus on increasing security instead of using easily hackable social media sites like Discord, whether that be requiring multiple signatures each time an account is accessed or revoking authorization after each use, Gu said.
“To change this, projects need to take a proactive, end-to-end approach to their security, meaning both regular smart contract audits and blockchain analytics,” Gu said. “This will not only protect them and their communities, but also help to bolster the security of the wider web3 ecosystem.”