It's interesting how cryptocurrencies have provided an economic incentive for exploiting zero days. It's hard to keep an exploit a secret when there's such huge potential payoffs.
The level of sophistication in crypto hacking would terrify me if I were a crypto startup employee.
Insider threat is probably non-existent. You know all your employees and if a hack happens there is an easy list of people to investigate. Also trying to cash out large amounts of stolen crypto is going to be difficult with the amount of blockchain analysis going on and all fiat exchanges requiring KYC.
The other risk if you don't fully and publicly mitigate insider threat is someone applying pressure to your employees to do something bad. (The intel community and other high risk environments have long had this threat model). This is basically identical to insider threat at time of pressure, although there are some different countermeasures leading up to it.
The low end of this is catching someone doing something they shouldn't (browsing porn on a work computer, having a relative with legal difficulties, etc.) and applying that as leverage. Usually "report early, no action will be taken against you" is a good policy for minor things.
I would NEVER expect (or want) someone to do anything but fully comply with an attacker who has kidnapped his kid and credibly threatens to do something horrible unless he authorizes a payment. My instructions to the insiders are "comply; we have technical countermeasures which will make those attacks fail".
KYC should really be renamed CYA (cover your ass), because it's borderline useless as a real security measure against determined threat actors. For anyone willing to commit fraud and/or identity theft, it would be relatively easy to "pass" a KYC process under an assumed identity, especially when no in-person/biometric verification is required.
I wouldn’t be so sure. There have been situations where insiders stole crypto and then claimed they were hacked to cover it up. Looks like Gelfman Blueprint is an example and there are almost definitely others.
Or if the insider slowly siphoned off tiny amounts from lots of accounts over a long period of time. That sort of thing would probably be very hard to catch.
I am not likely to notice one day if I have 4.96551 ETH and the next 4.96530 ETH.
A good wallet would show the last transactions prominently. Also you can set up email alerts for ETH transfers from/to your account with a tool like etherscan.io.
That's the advantage of public ledgers, it's way easier to monitor for abnormalities. You don't need to tell your employees about all the checks you have put in place either.
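The ledger monitoring the last few comments describe, as an added example (not code from any poster in this thread): every outbound on-chain transfer is reconciled against the internal list of approved transaction hashes, and unapproved outflows that are individually too small to notice are summed per account so a slow drip shows up as one number. The accounts, hashes and amounts are constructed; the assumption is that approvals are recorded by transaction hash.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    tx: str          # transaction hash (constructed placeholder)
    account: str     # custodial account / address being watched
    amount: Decimal  # positive = inbound, negative = outbound
    day: int


# Constructed sample: on-chain observations for three accounts. The 0.00021
# drip on acct-1 is the 4.96551 -> 4.96530 ETH change mentioned above.
OBSERVED = [
    Transfer("0xa1", "acct-1", Decimal("-0.00021"), 1),
    Transfer("0xa2", "acct-2", Decimal("-0.00019"), 1),
    Transfer("0xa3", "acct-1", Decimal("1.5"), 2),
    Transfer("0xa4", "acct-3", Decimal("-0.00022"), 2),
    Transfer("0xa5", "acct-2", Decimal("-2.0"), 3),
]
# Internal approval log: hashes of transfers that were actually authorized.
AUTHORIZED = {"0xa3", "0xa5"}


def unauthorized_outflows(observed, authorized):
    """Every outbound transfer seen on the public ledger must match an
    internal approval; anything else is flagged regardless of size."""
    return [t for t in observed if t.amount < 0 and t.tx not in authorized]


def drip_total(observed, authorized, max_single=Decimal("0.001")):
    """Aggregate unauthorized outflows small enough to be missed one at a
    time, per account, so many tiny leaks become one visible figure."""
    totals = defaultdict(Decimal)
    for t in unauthorized_outflows(observed, authorized):
        if -t.amount <= max_single:
            totals[t.account] += -t.amount
    return dict(totals)


def total_drip(observed, authorized):
    """Total leaked across all accounts, the number an alert should carry."""
    return sum(drip_total(observed, authorized).values(), Decimal("0"))


if __name__ == "__main__":
    for t in unauthorized_outflows(OBSERVED, AUTHORIZED):
        print(f"day {t.day}: unapproved outflow {t.tx} {t.account} {t.amount}")
    print("total drip:", total_drip(OBSERVED, AUTHORIZED))
```

The same reconciliation can be fed from a block explorer's transfer feed rather than a static list; the point is that the approval record, not the wallet balance, is the reference.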
Speaking as someone who works for a crypto-startup, it's hardly soothing to know that we are a gigantic target for hackers. I also have the joy of being consistently bombarded with phishing emails pretending to be from other employees.
For internal funds use Multi-sig and require all signers to use hardware wallets. As for contracts, formally verify them using KEVM and get audited by a reputable cybersecurity firm like Trail of Bits.