
It's interesting how cryptocurrencies have provided an economic incentive for exploiting zero days. It's hard to keep an exploit a secret when there's such huge potential payoffs.

The level of sophistication in crypto hacking would terrify me if I were a crypto startup employee.




If I were a crypto startup I'd be more worried about insider threat than anything sophisticated.

Protecting against a rogue employee also adds defence against employee computer compromise.


Insider threat is probably non-existent. You know all your employees and if a hack happens there is an easy list of people to investigate. Also trying to cash out large amounts of stolen crypto is going to be difficult with the amount of blockchain analysis going on and all fiat exchanges requiring KYC.


Insider threat is absolutely a risk.

The other risk if you don't fully and publicly mitigate insider threat is someone applying pressure to your employees to do something bad. (The intel community and other high risk environments have long had this threat model). This is basically identical to insider threat at time of pressure, although there are some different countermeasures leading up to it.

The low end of this is catching someone doing something they shouldn't (browsing porn on a work computer, having a relative with legal difficulties, etc.) and applying that as leverage. Usually "report early, no action will be taken against you" is a good policy for minor things.

I would NEVER expect (or want) someone to do anything but fully comply with an attacker who has kidnapped his kid and credibly threatens to do something horrible unless he authorizes a payment. My instructions to the insiders are "comply; we have technical countermeasures which will make those attacks fail".


KYC should really be renamed CYA (cover your ass), because it's borderline useless as a real security measure against determined threat actors. For anyone willing to commit fraud and/or identity theft, it would be relatively easy to "pass" a KYC process under an assumed identity, especially when no in-person/biometric verification is required.


I wouldn’t be so sure. There have been situations where insiders stole crypto and then claimed they were hacked to cover it up. Looks like Gelfman Blueprint is an example and there are almost definitely others.


> there is an easy list of people to investigate

If the criminal has an ounce of brains, they'd execute the hack while on an overseas vacation.


Or if the insider slowly siphoned off tiny amounts from lots of accounts over a long period of time. That sort of thing would probably be very hard to catch.

I am not likely to notice one day if I have 4.96551 ETH and the next 4.96530 ETH.


A good wallet would show the last transactions prominently. Also you can set up email alerts for ETH transfers from/to your account with a tool like etherscan.io.

That's the advantage of public ledgers: it's way easier to monitor for abnormalities. You don't need to tell your employees about all the checks you have put in place either.
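As an added illustration of the monitoring point above (example code, not from any commenter), this reconciles a wallet against a constructed public-ledger extract and flags every outgoing transfer the owner did not authorise, then groups the unexplained ones by destination to surface the "slow siphon" pattern. Addresses, block numbers and values are made up; the first two balances happen to match the 4.96551 / 4.96530 ETH figures in the thread.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample ledger: (block, from_addr, to_addr, value_in_eth).
# Addresses and amounts are invented for this example, not real accounts.
WALLET = "0xwallet"
LEDGER = [
    (100, "0xexchange", WALLET, Decimal("5.00000")),
    (101, WALLET, "0xmerchant", Decimal("0.03449")),   # authorised payment -> 4.96551
    (102, WALLET, "0xunknown", Decimal("0.00021")),    # unexplained drip   -> 4.96530
    (150, WALLET, "0xunknown", Decimal("0.00019")),    # unexplained drip
    (200, WALLET, "0xunknown", Decimal("0.00025")),    # unexplained drip
]

# Outgoing transfers the wallet owner actually authorised, keyed by block.
AUTHORISED = {101: ("0xmerchant", Decimal("0.03449"))}


def reconcile(ledger, wallet, authorised):
    """Return (on-chain balance, list of outgoing transfers not in `authorised`).

    Because the ledger is public, a tiny drift is not a rounding blip you might
    miss in a balance display; it is an explicit transaction you can list.
    """
    balance = Decimal("0")
    unexplained = []
    for block, src, dst, value in ledger:
        if dst == wallet:
            balance += value
        if src == wallet:
            balance -= value
            if authorised.get(block) != (dst, value):
                unexplained.append((block, dst, value))
    return balance, unexplained


def siphon_suspects(unexplained, min_count=3):
    """Group unexplained outflows by destination and return the total drained
    per destination that received at least `min_count` separate transfers."""
    by_dst = defaultdict(list)
    for _block, dst, value in unexplained:
        by_dst[dst].append(value)
    return {dst: sum(vals) for dst, vals in by_dst.items() if len(vals) >= min_count}
```

Wiring `reconcile` to a per-block feed and alerting on a non-empty `unexplained` list gives the same signal as the etherscan.io transfer alerts mentioned above, without anyone inside the company needing to know the check exists.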


>I am not likely to notice one day if I have 4.96551 ETH and the next 4.96530 ETH

note to self: only keep round amounts in online wallets.


According to this story (https://news.bitcoin.com/looting-fox-sabotage-shapeshift) the threat is real and at least one person got away with it.


Speaking as someone who works for a crypto-startup, it's hardly soothing to know that we are a gigantic target for hackers. Also have the joy of being consistently bombarded with phishing emails pretending to be from other employees.


For internal funds use Multi-sig and require all signers to use hardware wallets. As for contracts, formally verify them using KEVM and get audited by a reputable cybersecurity firm like Trail of Bits.


Enable advanced protection on your personal Google account while you're at it. Bit of hassle, lot of benefit.



