September 2024
1. Executive Summary
In the evolving landscape of Web3, crypto wallets have become indispensable tools for accessing decentralized finance (DeFi), non-fungible tokens (NFTs), and various blockchain services. These wallets serve as digital gateways to financial autonomy, offering users complete control over their assets. However, with this empowerment comes significant responsibility, as wallet security remains a critical concern.
As decentralized ecosystems expand, so do the threats targeting them. This report delves into the crucial importance of wallet security in Web3, examining both established and emerging vulnerabilities. Drawing on case studies of real-world attacks, we explore common methods used by malicious actors—such as phishing, dusting, and smart contract exploits—that have successfully compromised user wallets.
Furthermore, the report highlights the latest trends in wallet security and analyzes advancements aimed at mitigating these risks, specifically block-building centralization and Account Abstraction with ERC-4337. The report also delves into the potential new issues that these solutions pose. Finally, strategic recommendations will be provided, offering practical steps users can take to safeguard their digital assets from increasingly sophisticated hackers in the Web3 space.
2. Introduction: Crypto Wallets in Web3
We’re seeing headlines like “2024 Sees a Surge in Wallet Hacks: Over $500 Million Lost in Custodial Wallet Breaches” and “Phishing and Malware Attacks on Hot Wallets Spike 30% in 2024.” These alarming trends underline the growing vulnerabilities in both custodial and non-custodial wallets. While custodial wallets face third-party risks, non-custodial wallets demand high user responsibility for key management, leaving many at risk of losing access to their funds. As the crypto space continues to evolve, understanding and addressing these vulnerabilities is critical to safeguarding digital assets.
Custodial vs non-custodial wallets - a closer look
Custodial wallets involve a third party, such as a dedicated wallet service, who have access to your private keys and manage your assets. This can ease the experience of operating in the crypto world and handling assets, as one can alleviate the responsibility of understanding cryptocurrencies, transactions and blockchain intricacies to a more experienced operator. Of course, while giving access to a third party may feel more convenient, trusting others with your transactions is naturally a security risk, as additional individuals (from the third party) have access to and can manage your funds.
On the other hand, non-custodial wallets allow an individual to control their own private key. This means the user has complete control over their funds and transactions, without the involvement of a third-party. This requires a deeper understanding of cryptocurrency and best practices, however many will choose to operate their own transactions given the privacy and complete control of a non-custodial wallet.
2.2 Importance of wallet security in the crypto ecosystem
The importance of crypto wallet security in the crypto ecosystem is absolutely critical. Crypto wallets are frequent targets for hackers, given the crypto world’s rapidly growing and evolving nature. In our recent report documenting the major crypto incidents of September 2024, we found that crypto attacks by hackers rose dramatically in frequency during September compared to the previous month. Considering these statistics, it is imperative to prioritize wallet security to ensure it is not vulnerable to hackers and theft attempts. Strong security measures can considerably reduce the risk of irretrievably losing assets due to access by unauthorized personnel.
3. Evolving Threats in the Wallet ecosystem
3.1 Phishing
Social engineering attacks and phishing campaigns are common, can be highly effective, and are not necessarily too laborious for the bad actor.
Often, social engineering attacks involve creating a fake environment where users are encouraged or tricked into revealing confidential information or passwords. This could, for example, involve attackers posing as an employee of a known third party wallet service, who are calling to ‘help’ the user, but in reality, the attacker is stealing private information.
Phishing campaigns are used for the same goal. Emails, websites or messages may imitate legitimate wallet services, but contain links to fraudulent websites with the intention to obtain access credentials. Attackers may even create platforms that so closely resemble legitimate wallet interfaces it appears to be a clone. Users who are unable to tell the difference between legitimate and malicious clones of wallet platforms may be tricked into entering their private key information and passwords.
In October 2024, a group of scammers, known for luring in users with fake transactions, announced that while they previously targeted wallets on The Open Network (TON) to drain, they would be shifting their focus towards Bitcoin instead. The group tricked users into authorizing wallet draining operations, but complained of an absence of crypto ‘whales’ - users with large crypto assets - to target within the TON community. They appeared to suggest that Bitcoin would be more lucrative for them to target.
3.2 Malicious Software and Malware Attacks
Malicious software and malware attacks are a significant threat in the cryptocurrency space, used by bad actors to target and steal crypto wallets or assets. Types of malware can include keyloggers, that capture keystrokes and allow attackers to record sensitive information, phishing software, used to perform phishing campaigns as discussed in 3.2, Remote Access Trojans or ‘RATS’, that allow attackers to gain control over a victim’s hardware, enabling access to wallets and secret information, and cryptojacking, which involves hijacking a user’s computing resources to mine cryptocurrency. This may compromise the system’s security.
Malware may be distributed via links tricking users into downloading malicious software (much like phishing links), or accidental downloading of software from untrusted sources from the web.
In September 2024, Truflation suffered a security breach, which led to $5 million of assets to be stolen. This attack targeted multiple chains, exploiting both the treasury multisignature and personal Ethereum wallets. According to the CEO, the security breach was most likely due to the injection of malware into a computer at an international blockchain event.
3.3 Smart Contract Vulnerabilities, software bugs, and exploits
Smart contracts are self-running agreements that can integrate with wallets. They are particularly vulnerable because they are Open Source - they can be accessed by anyone, including bad actors with malicious intent. Oversights by developers who write the Smart Contracts may sometimes leave room for vulnerabilities and flaws, which can be taken advantage of by hackers. Commonly these can include:
Reentrancy Attacks - where the hacker exploits a functions that interacts with an external contract, prior to the update of the original contract. For example, an attacker could continuously call a function that withdraws funds, before the original smart contract has a chance to update the balance, so the attacker can withdraw more money than what is available.
Access Control Failures - when a smart contract does not have robust security for permission of access, an attacker could invoke restricted functions, that allow them to transfer funds or access assets.
Logic bugs - simple but frequent coding errors or oversights, such as incorrect conditions, or poorly defined terms in the smart construct logic, can allow attackers to perform actions such as draining the contract’s funds, as there is no existing logic to prevent this.
Blockchain networks, wallets, and applications rely on very complex software systems that leave vulnerability to bugs, which can act as entry points for attackers. These can include:
Node exploits - blockchain nodes that fail to properly validate transactions or blocks can become targets. Attackers can send invalid data or manipulate how the nodes process data, which may result in the attacker reversing transactions or stealing funds.
API exploits - some blockchain services provide APIs that developers utilize to interact with wallets and networks. If the APIs are not safely secured attackers can bypass authentication and access sensitive and private data.
Flash Loan attacks - flash loans allow users to borrow large sums of cryptocurrency without collateral as long as they return the loan within the same transactions, so hackers use these loans to manipulate prices on decentralized exchanges, or exploit vulnerable logic in the protocols to steal funds.
Caterpillar Coin suffered a flash loan attack when hackers took advantage of weaknesses in $CUT’s security system to manipulate reserves and rewards. They took out a flash loan in Tether cryptocurrency, swapped it for Caterpillar Coin tokens, and added liquidity. Their manipulation of the token prices allowed them to massively inflate the value of their tokens when it came to exchanging them back into Tether. After draining the entire reserve of the rewards pool and withdrew profits worth $1.4 million.
Liquidity pool exploits - many DeFi platforms operate liquidity pools where users provide funds for decentralized exchanges. Attackers can exploit the flaws in the pool’s smart contracts to drain funds.
Rivus DAO, a liquid staking cryptocurrency protocol, suffered a significant security breach from inside the company when an employee of the company, contracted to work on the migration contract, manipulated the contract. By adding a backdoor function, the employee could drain the entire supply of funds reserved for migration. The team were able to return and refund the stolen supply, but only due to their knowledge of the employees full dox.
Exploitation of features - the exploitation of the Permanent Delegate feature on the Solana blockchain allowed scammers to burn SOL tokens from user wallets immediately after a transaction. The scammer trigger a burn after a successful swap, so users see a token appear in their transaction history, but not in their wallet. An incident in March 2024 saw the accidental burning of 50,000 SOL tokens by the core developer of a new Solana based meme coin, SLERF, that had been put aside for an airdrop. The 50,000 SOL tokens were worth about $10 million.
Dust attacks - dust refers to small, often negligible amounts of cryptocurrency remaining in a wallet, that is typically too little to trade - however this ‘dust’ is used by attackers to trace and expose the identity of wallet owners. Hackers known as ‘dust collectors’ often target these tiny remnants from large-scale breaches, for example the Lazarus Group, following the $305 million DMM Bitcoin hack in May 2024. They employ basic phishing techniques like ‘claim’ emails, to send and retrieve dust, especially from browser based wallets. These small deposits frequently go unnoticed, so attackers are able to manipulate and further exploit users.
3.4 Weak Authentication systems
The importance of strong authentication mechanisms to protect private data, much like the rest of the digital world, is critical regarding crypto wallets and assets inside. Bad actors can exploit weak authentication mechanisms to gain unauthorized access and wreak havoc.
Perhaps the most common familiar form of digital protection to prevent unauthorized access is the use of passwords. Often, bad actors may choose to attack via ‘brute force’ - when bad actors easily guess simple or common passwords chosen by users. Additionally, if users reuse their passwords across several platforms, several accounts may be compromised as a result of one weak protection method.
4. Case Studies: Common Attack Patterns
The Atomic Wallet hack
In June 2023, Atomic Wallet users began to report that their cryptocurrency assets were disappearing from their wallets without their authorization. The attack resulted in the theft of over $100 million in various different cryptocurrencies including Bitcoin, Ethereum, Tether and other tokens. The largest individual loss was approximately $8 million worth of crypto, but over 5,500 users were affected.
While the exact cause remains unclear to this day, there are several potential and likely causes, such as:
Private Key Compromise - some speculated that due to weaknesses in Atomic Wallet’s security infrastructure, private keys may have been compromised which allowed hackers to gain unauthorized access and drained wallets.
Supply chain attack - another theory is that attackers may have exploited vulnerabilities in Atomic Wallet’s software updates, inserting malicious code that allowed them to steal user’s funds.
Phishing or malware - some users may have been tricked into downloading compromised versions of the wallet, mimicking the genuine one, or entering private keys into malicious links.
The Ledger Hack
In December 2023, Ledger faced a significant security breach involving the Ledger Connect Kit, used to link hardware wallets to decentralized applications. The attack stemmed from a phishing incident targeting a former employee’s Node Package Manager Java Script (NPMJS) account, which allowed the hacker to upload malicious code into the Ledger Connect Kit library. The code rerouted stolen funds to the hacker’s wallet, resulting in assets worth approximately $484,000 to be stolen. While funds stored on the physical Ledger wallets were not impacted, users who interacted DeFi protocols such as MetaMask were affected.
The Atomic Wallet and Ledger hacks emphasize the importance of a number of security measures, such as transaction monitoring, to detect unusual patterns that can indicate internal or external theft attempts from a user’s wallet. Automatic screening of transactions and advanced algorithms assessing withdrawal patterns would also have played a role in preventing the hacks - screening can identify anomalies, which are critical in ensuring suspicious activity is identified and flagged, and trigger an authorization process for the transaction preventing a hacker from draining assets.
Critically, the Ledger Hack elucidates the importance of security processes from insider threats. While presumably the role played by the former employee in the hack was unintentional, it highlights the importance of staying aware of who has access to critical code, and the variety of access points both outside and inside the wallet ecosystem that can be manipulated.
5. Emerging Wallet Security trends
In a recent report, Flashbots noted two trends that are characterizing the DeFi and wallet ecosystem, specifically the centralization of the block-building market, and the implementation of Account Abstraction with ERC-4337.
Block-building centralization
Block-building centralization occurs when a small number of validators or miners control the majority of block creation. According to Flashbots, trends within the DeFi ecosystem suggest that centralization of the block building market is becoming more common. However, centralization diminishes the decentralized nature of the network, which is a key principle in blockchain technology, designed to enhance security.
In centralized networks, the dominant validators or miners can become targets for hackers, given that attacking a few centralized entities is far easier than attacking a decentralized network of participants. If successful, attackers are able to do much greater damage with very little effort.
Block-building centralization may lead to a higher risk of 51% attacks - where an attacker or group of malicious actors that control the majority of block-building power can reorganize the blockchain, invalidate transactions, or double-spend coins. Validator collusion also poses a greater threat in a centralized market - collusion among a few powerful block-builders can allow them to control or bias transaction validation and inclusion. This can risk the privacy, freedom and security of users and their wallet transactions. Decentralization also increases risk of sybil attacks, where an attacker created multiple fake identities in order to gain control of a system. This is more viable in centralized block-building systems as the attacker is required to manipulate fewer validators than in a decentralized market.
Account Abstraction with ERC-4337
Account Abstraction (AA) with ERC-4337 is an important development in the Ethereum ecosystem, that allows wallets to function as smart wallets - meaning they can support advanced security features and logic beyond usual Ethereum externally owned accounts.
The benefits of AA is varied, but includes additional layers of security such as multisig wallets, meaning transactions require multiple signatures, for example from a mobile device, hardware wallet, or trusted third party, before they are approved.
AA also offers time delays and recovery options specifically on large or unusual transactions. This allows the owner time to cancel the transaction if it was unauthorized. Other security features can protect against common smart contract vulnerabilities, like re-entrancy attacks which are a common cause of financial loss. Additionally, While traditional crypto wallets rely on a single private key, ERC-4337 allows multi-factor authentication (MFA) and other authorization mechanisms preventing a hacker from easily accessing and controlling a wallet. Different layers of access control may include biometric authentication, time-locks, or approvals from a variety of devices.
While AA does add further security layers and offers potential solutions, it can also introduce new challenges. The additional security layers can lead to smart contract vulnerabilities, increased points of failure, and challenging user experiences.
Both block-building centralisation and Account Abstraction require careful consideration of tradeoffs between the benefits they bring but risks they pose, to ensure that they do not introduce further complex issues.
6. Importance of Threat Detection, and strategic recommendations for wallet providers
Proactive threat intelligence plays a critical role in detecting and mitigating cyberattacks in real time, through leveraging advanced techniques to anticipate and neutralize potential threats before they can cause damage.
Continuous real-time monitoring and Fraud detection
Proactive threat intelligence involves continuous monitoring of various data sources to detect suspicious or fraudulent activity before it can cause harm. The detection of unusual spikes or connections, new malware signatures or phishing sites, and sales of plans of attack methods, can keep users and their assets safe.
Compliance and AML screening
Anti-money Laundering (AML) and compliance mostly focus on identifying and preventing financial crimes, such as fraud, terrorist financing and of course, money laundering. Naturally, AML processes also help to detect and mitigate cybersecurity threats in several ways, since cybercrime and financial fraud are often heavily intertwined. Robust wallet screening, transaction compliance checks and monitoring of high risk transactions ensure that potential threats are identified and addressed.
Fake Token detection
Fake token detection is a crucial security measure that helps prevent and mitigate crypto fraud. Attackers will often create fake tokens to deceive users, steal funds or manipulate DeFi protocols, so the identification of counterfeit tokens can protect users from financial loss, and preserves the integrity of the blockchain eco system.
To enhance the security of crypto wallets and users’ assets, wallet providers can implement a number of strategic recommendations that integrate threat intelligence, user allerts, and collaboration with partners. These recommendations focus on preemptively identifying and neutralizing threats, educating users, and building resilient systems.
Integrating threat intelligence
Wallet providers should leverage advanced threat intelligence platforms to asist in indicating potential risks, such as phishing attacks, malware, or vulnerabilities in third-party libraries like the recent exploit that allowed the Ledger breach to take place. Automated systems can analyze both on-chain and off-chain indicators such as dark web forums, which can ensure substantial analysis.
Integration of third-party blockchain analytics firms prove to be critical in detecting risks and ultimately securing the assets of clients utilizing wallet providers, given their ability to rapidly detect and neutralize potential threats to assets.
User alerts and notifications
Wallet users should offer real-time notifications for users immediately upon detection of suspicious or unauthorized activity. For example, unusual transactions (noticeable following analysis of usual transaction patterns) should trigger warnings to users, prompting them to verify or deny a transaction.
Screenshot below from Nominis Vue platform, identifying and alerting users of suspicious withdrawal pattern and the subsequent potential risks posed
Encouraging users to ‘clear-sign’ transactions, where they verify the amount and destination details of a transaction before confirming them, particularly via a different route of access to the wallet, such an as app, may additionally reduce users’ vulnerability to phishing attacks or transactions performed by unauthorized actors. MFA (multi-factor authentication) can also be employed in parallel, to add another layer of defense against access to user accounts.
Education and Empowering Users:
At the core of hack prevention is the education and empowerment of users. Educating them on best security practices can dramatically reduce the potential risk of financial loss.
Users who hold sizeable assets should be encouraged to use cold wallets for long term storage. This would reduce the risk of hot wallet breaches.
Introducing users to understandable security settings on an accessible security platform within the wallet interface can empower users to become familiar with secure wallet practices. The platform can also include frequent user alerts and notifications.
The importance of KYE (Know Your Employee):
The Rivus DAO and Ledger Hack incidents are reminders of the importance of thorough background screenings upon recruitment of developers and employees in the crypto industry. Continuous monitoring of employees during acquisition to the team and throughout their employment - for as long as they have access to sensitive data and code - can prove to be a simple but significant method in preventing insider hacks or the exploitation of former employee’s access codes.
8. Conclusion : Future Trends in Wallet Security
As the web3 ecosystem continues to evolve, we should make every effort to keep up and anticipate how hackers will take advantage of new vulnerabilities as they emerge. Crypto wallets have an integral role at the center of development, allowing access to DeFi, NFTs and blockchain applications. As a result, reliance on wallets has increased, and they have become prime targets for cyberattacks.
To protect against these evolving threats, it is critical for both individuals and companies to adopt proactive security measures. For organizations, continuous real-time monitoring and fraud detection systems are essential to prevent financial crimes ranging from fraud to terror financing. Compliance with Anti-Money Laundering (AML) regulations, along with the integration of threat intelligence to detect phishing and malware, is vital in mitigating risks. Companies must also implement robust employee vetting processes to prevent insider hacks, a growing concern in the crypto industry.
For users, it is equally important to stay informed. Utilizing alerts for transaction authorizations can offer an extra layer of protection, and engaging in continuous education about crypto safety will empower them to make informed decisions. By fostering a security-first mindset and building stronger defense mechanisms, both individuals and businesses can help safeguard their assets and contribute to a more secure Web3 environment.
About Nominis:
Nominis is a leading threat management company, protecting blockchain projects through asset management, compliance & AML screening, Real-Time Monitoring, and Marketing Data Analysis and Counterparty Due Diligence. Nominis’ cutting-edge tools prove them to be at the forefront of proactive threat intelligence, with the ability to detect fraud and fake tokens. Nominis is able to protect the integrity of the ecosystems that their clients operate within, and is dedicated to tackling emerging threats while ensuring global compliance, so clients can focus on innovation and growth rather than managing security threats.