When Wu Caizeng lost a 20,000-yuan (US$2,800) non-fungible token (NFT) to a phishing scam in September, he sought help on Twitter, where he publicised his thief’s public blockchain address. However, the anonymous nature that characterises much of the crypto world left him with no practical way to recoup his losses.
“I’m so stupid,” he said in his post, chastising himself for clicking on a fraudulent link pretending to be from the official Twitter account of a game he played. “I made a super basic mistake.”
Twitter cards, Apple’s AirDrop links, Discord messages, and even tokens on decentralised exchanges have all become avenues for crypto scams, which have become more frequent in recent years. Cryptocurrency thefts rose more than 500 per cent last year to US$3.2 billion, according to a 2022 crypto crime report from blockchain data platform Chainalysis.
“Security companies, ‘white hat’ hackers and customised tool makers are part of the main force that drives Web3 security,” said Mike Li, who left Chinese cybersecurity giant 360 Security Technology to found GoPlus Security in 2017.
Li likened his firm’s offerings to a decentralised version of the cybersecurity solutions offered by Russia’s Kaspersky Lab. The service allows any application on Web3 – the widely used term to refer to a World Wide Web decentralised through the use of blockchain and similar technologies – to use the GoPlus application programming interface (API) to flag blockchain addresses with red, yellow or green marks as a signal of a transaction’s risk level.
The need for Web3 security solutions has become more apparent with an increasing number of high-profile crypto scams. Even celebrities have been hit, from actors Bill Murray and Seth Green in the US to Taiwanese Mandopop sensation Jay Chou, who lost a valuable Bored Ape Yacht Club NFT to a phishing website in April.
Since 2012, more than US$27 trillion in cryptocurrency has been stolen across 827 hacks identified by Xiamen-based blockchain security company SlowMist. Scams, flash loan attacks and contract vulnerabilities were the top three types of attacks.
SlowMist’s chief internet security officer Zhang Lianfeng said that since the company’s founding in 2018, he has seen more weaknesses emerge in Web3 security, but few improvements.
“With weak security awareness, users are still being attacked from left to right,” Zhang said. “Now on even more fronts, including decentralised finance, cross-chain bridges and NFTs.”
The constant reappearance of similar scams since 2020 inspired Shanghai-based software engineer Fun Liu, a former adtech worker, to build a security product at Eth Shanghai’s hackathon in May. The result was Scam Sniffer, a free Chrome browser extension for consumers that aims to tackle crypto scams on platforms including Twitter and Discord.
“I hope to equip regular users with the tools to protect themselves from scams,” Liu said. “Because of the anonymous and tamper-proof nature of blockchain, it’s becoming increasingly important, especially as users have limited tools.”
The extension is open source and available on GitHub, where Liu has also published a list of more than 1,700 blacklisted domains and some 300 blacklisted wallet addresses.
Extensions like this are meant to help individuals who may not have the resources of the businesses that most crypto services cater to.
“You can get an idea of the social class of the industry via security,” GoPlus Security’s Li said. “0.1 per cent of the richest people are using 99 per cent of security resources, whereas the other 99.9 per cent of people are barely protected. This is the status quo of Web3 security.”
Yet no security solution is flawless, and when users like Wu wind up getting scammed, China’s official stance on crypto has left people with few legal avenues for redress.
After years of crackdowns, Beijing clarified last year that all cryptocurrency trading in the country is illegal. Regulators have not been clear about whether digital assets like NFTs have any property protections, and regional courts have given conflicting decisions.
In May, a district court in Beijing recognised cryptocurrency as an asset, which was seen as setting an important legal precedent. But last year, a court ruled that “cryptocurrency is not protected by law” after a user’s accounts were closed as a result of China’s regulation. Judges in places like the city of Tianjin and Fujian province have given similar rulings this year. None of the plaintiffs in any of the cases received compensation for lost tokens.
As a result, it is all the more important for crypto users in China to take responsibility for their own security. To protect himself in the future, Wu said he has added security browser extensions, checks wallet addresses before transfers and does not trade when he feels unwell or unfocused.
“When I’m hacked, all I can do is swallow the pain,” he said.
Security professionals say it is important for individuals to take some action themselves. “Security has a so-called bucket effect, meaning one has to combine technical defences with human defences,” said SlowMist’s Zhang.
“When it comes to stolen funds, we advise victims to contact the police or security companies if the victim is held at fault,” he added. “If any theft is caused by the platform’s negligence, large platforms typically compensate their users.”
SlowMist has recently launched paid crypto-tracking services that can help with forensic inspection and investigations.
“It is especially important to improve the security awareness of individuals,” Zhang said. “Once that’s covered, it will work far better than a bunch of machines.”

South China Morning Post