This as-told-to essay is based on a conversation with Ari Redbord, the Washington, DC, head of legal and government affairs at the blockchain-intelligence firm TRM Labs, about protecting your crypto assets from hackers. The following has been edited for length and clarity.
Before working at TRM Labs, I was a senior advisor to the undersecretary for the Office of Terrorism and Financial Intelligence at the US Treasury Department. Before that, I worked as a federal prosecutor with the Department of Justice and focused on money laundering, terrorist financing, export control, and criminal-sanctions prosecutions.
Blockchain-intelligence firms like TRM Labs organize and analyze on-chain data — by timestamp, currency, address, or the service used to conduct the transaction, for example — to map trends or patterns of activity or surface other attributes that might indicate risk. This gives law enforcement, regulators, and compliance professionals more visibility on real-time financial flows.
In addition, blockchain intelligence is used to trace and track the movements of funds to and from an address associated with a hack, a nonfungible-token scam, or some other exploit against a crypto business to help investigators follow the money and, in certain circumstances, work to recover it.
I believe that crypto is safe. But because it's in its very early days, it's likely that we're going to see more incidents like the recent Ronin hack. Young businesses are having to deal with some very complicated issues, and it'll improve, but it'll take time.
The Ronin Network is software that allows users of the online game Axie Infinity to transfer digital assets across blockchains. The attackers used hacked private keys — passwords needed to access crypto funds — to forge withdrawals.
Most of the really successful malware attacks, whether it's ransomware or a hack of this kind, use social engineering, a tactic that creates a sense of urgency for the victim. For example, a hacker might send an email purporting to be from your boss, saying: "I needed that Google doc back two days ago. Where is it? Click on this link and please put in your comments." Or they recreate a family situation that they've identified through social media. The hacker might know who your spouse is and send an alarming email pretending to be them.
There's a notion that phishing is throwing everything at the wall and seeing what sticks. That's not always right. There are sophisticated, targeted attacks on people who have access to controls that an attacker wants to take over.
It's important to give to the Ukraine effort right now, but at the same time, some bad actors will try to take advantage. There's a proliferation of scams and fraud around donations to Ukraine, such as creating a fake site where they steal your funds.
Hackers also create a sense of urgency with NFT drops, where a fear of missing out drives people. That's a ripe opportunity for social-engineering attacks.
To protect yourself in situations like these, step back, be vigilant, and ask yourself some questions: Does this person, charity organization, or NFT issuer have a legit social-media presence? Do they have a legit website? Did the site disappear hours after launching? Are there any red flags when you type their crypto address into Google?
If your spidey senses start tingling, there's usually an issue. Ensure that you're transacting only with entities you have faith in.
For example, in cases of NFT rug pulls — where creators of an NFT artwork or game abruptly shut down the project, make away with the project funds, and disappear — here are some things you can do to protect yourself:
Create a new burner wallet with only the estimated amount required for NFT purchases and fees.
Refrain from keeping your investment portfolio in the same wallet you plan to purchase an NFT from.
Remove auto-approve on your wallet and consider implementing the auto-lock timer.
Don't search Google or other websites for the NFT-drop link — use only verified accounts or domains provided directly by the NFT company.
Don't click any links in Discord chats or download any files that claim affiliation with the NFT-drop team.
Never side-channel in a separate Discord server or encrypted chat app at the request of someone claiming to be customer support or responding to social-media threads.
Never show your secret recovery phrase to anyone offering to provide assistance.
It's more critical than ever for cryptocurrency businesses to harden cyberdefenses against social engineering and other attacks.
In terms of scams or frauds involving cryptocurrency, it's important that users remain vigilant as they would any time they're sending funds — just like you would anytime you're transacting with an unknown entity.
The Ronin hack was a unique situation, but we saw some general vulnerabilities displayed. Businesses should educate employees against social engineering and harden their cyberdefenses because that's the only way to stop these attacks from happening.
Blockchain-intelligence tools like mine can track the flow of funds in case of a hack for law enforcement or other institutions. The US government recently seized $. billion in bitcoin stolen in the Bitfinex hack and has recovered much of the funds paid in the Colonial Pipeline ransomware attack.
Privacy is going to become more and more critical as more financial activity occurs on an open ledger. The nature of blockchain — the open and distributed ledger on which tokens can be sent — means that each transaction is verified and logged in a shared, immutable record, along with the timestamp of the transaction and the addresses involved. This data from the public blockchain is accessible to anyone on the blockchain.
For example, when a terrorist organization posts a crypto address on social media to solicit donations, that address is tagged in a blockchain-intelligence tool like TRM Labs as being connected to terrorist financing. This allows a cryptocurrency exchange to flag any transactions involving that address, assess the risk, and take any action that may be required of them based on regulatory requirements.
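As an added illustration of the address tagging and fund-flow tracing described above (this is not TRM Labs code and is not part of the original essay), here is a toy model over a constructed transaction log: a tag list marks risky addresses, one function follows funds forward hop by hop from a seed address, and a second function does the exchange-side check of whether a deposit address has a tagged address within a given number of upstream hops. All addresses, labels and transactions are constructed sample data.

```python
# Added example, not TRM Labs code: minimal address tagging + fund-flow tracing.
from collections import deque

# Constructed tag list: address -> risk label (what an intelligence tool maintains).
TAGS = {
    "0xhack001": "stolen funds (constructed label)",
    "0xterror01": "terrorist-financing solicitation (constructed label)",
}

# Constructed on-chain log: (timestamp, from_address, to_address, amount).
TXS = [
    (1, "0xhack001", "0xmixer01", 100.0),
    (2, "0xmixer01", "0xhop0001", 60.0),
    (3, "0xhop0001", "0xexchdep", 60.0),
    (4, "0xuser001", "0xexchdep", 5.0),
    (5, "0xterror01", "0xotc0001", 1.0),
]


def outgoing_edges(txs):
    """Build adjacency: from_address -> list of (to_address, amount, timestamp)."""
    adj = {}
    for ts, src, dst, amt in txs:
        adj.setdefault(src, []).append((dst, amt, ts))
    return adj


def trace_forward(txs, seed, max_hops):
    """Follow funds out of `seed` for up to max_hops; return {address: hop_count}."""
    adj = outgoing_edges(txs)
    reached = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        if reached[cur] >= max_hops:
            continue  # do not expand beyond the hop budget
        for dst, _amt, _ts in adj.get(cur, []):
            if dst not in reached:
                reached[dst] = reached[cur] + 1
                queue.append(dst)
    return reached


def screen_deposit(txs, tags, deposit_addr, max_hops):
    """Exchange-side check: tagged addresses within max_hops upstream of deposit_addr,
    returned as {address: (label, hops)} so the risk can be assessed per hit."""
    # Reverse every edge so the same forward walk runs backwards from the deposit.
    reversed_txs = [(ts, dst, src, amt) for ts, src, dst, amt in txs]
    upstream = trace_forward(reversed_txs, deposit_addr, max_hops)
    return {a: (tags[a], h) for a, h in upstream.items() if a in tags}
```

With a three-hop budget the deposit to `0xexchdep` is linked back to the tagged `0xhack001`; with a two-hop budget it is not, which is why the hop depth an exchange screens at matters.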
With the Ronin hack, almost $ million is sitting in a wallet address that belongs to the hacker. The world is watching, and not just law enforcement — blockchain-analytics companies like TRM, the crypto Twitterverse, and all kinds of people.