
July 28, 2025 13 mins
Crypto Under Siege: Billions Lost in H1 2025 and the Battle for Web3 Security
**Episode Description:** The first half of 2025 has witnessed an unprecedented surge in cyberattacks against cryptocurrency exchanges, leading to billions of dollars in stolen digital assets [1-3].

In this episode of "Upwardly Mobile," we delve into the alarming statistics from CertiK's latest report and dissect the most significant incidents, including the Coinbase data breach and the Bybit hack [1, 2, 4]. Discover the evolving tactics employed by sophisticated attackers—from insider threats and social engineering to supply chain attacks and wallet compromises—and explore the critical security measures and technologies platforms are implementing to safeguard user funds and rebuild trust in the volatile Web3 landscape [5-11].

Key Takeaways:
• Record-Breaking Losses in H1 2025: Approximately $2.47 billion in cryptocurrency was stolen through hacks, scams, and exploits in the first half of 2025, already surpassing the total amount lost in all of 2024 [1-3]. According to CertiK, when accounting for confirmed, unrecovered losses, the net figure stands at $2.29 billion, exceeding last year's adjusted total of $1.98 billion [3].
• Major Incidents Driving Losses: Two significant events accounted for nearly $1.78 billion of the total losses in H1 2025 [3]:
    ◦ Bybit Breach (February 2025): Hackers stole an estimated $1.4 billion from the Dubai-based exchange in an attack linked to Lazarus, a state-sponsored North Korean APT group [1]. This incident largely contributed to wallet compromise being the costliest attack vector [6].
    ◦ Cetus Protocol Incident: This decentralized exchange (DEX) on Sui lost $225 million due to hackers using spoofed tokens and price manipulation [6].
• Coinbase Under Attack:
    ◦ May 2025 Data Breach (Insider Threat/Social Engineering): Attackers bribed and coerced a small group of overseas customer support agents to pull sensitive customer data, including names, dates of birth, partial Social Security numbers, masked bank account numbers, addresses, phone numbers, and emails [4]. No login credentials or private keys were obtained, but the stolen data was then used in follow-on social engineering attacks against Coinbase customers [4]. Coinbase refused a $20 million extortion demand and instead established a $20 million reward fund for information leading to the attackers' arrest [12]. The estimated financial impact for Coinbase is between $180 million and $400 million, including voluntary reimbursement of customers who lost funds to the follow-on scams [12]. The incident highlighted the risk posed by insiders with legitimate, if limited, access and the need for real-time endpoint security and data loss prevention (DLP) controls [5, 7].
    ◦ March 2025 GitHub Actions Supply Chain Attack: Coinbase was the initial target of a supply chain attack delivered through a GitHub Action used in a public continuous integration/continuous delivery (CI/CD) workflow [5]. Coinbase detected and mitigated the issue before it could escalate into a wider attack [5].
• Evolving Attack Vectors:
    ◦ Social Engineering and Phishing: These tactics remain highly lucrative, with scammers evolving methods to trick victims into revealing sensitive information or transferring funds [6, 13]. Phishing was the most costly attack vector in Q2 2025, with over $395 million lost, surpassing previous periods [14].
    ◦ Wallet Compromise: This has been the costliest attack vector overall in H1 2025 due to major incidents like the Bybit hack [6].
    ◦ Infrastructure-Level Breaches: More than 80% of funds stolen in 2025 have come from breaches in which attackers gained deep access to a platform's core infrastructure [7].
    ◦ Targeting Employees/Contractors: The Coinbase incident specifically illustrates a growing trend of cybercriminals bribing or coercing individuals with legitimate system access [7].
    ◦ Supply Chain Attacks: Exploiting vulnerabilities in third-party tools or service providers, often through weak APIs or compromised software updates [10].
    ◦ Malware Attacks: Including long-term implants planted by Advanced Persistent Threat (APT) groups, often state-sponsored, and keyloggers or other credential-stealing malware that harvests passwords and private keys from compromised machines [15].
• Strengthening Defenses: Crypto exchanges are implementing comprehensive security frameworks and multi-layered approaches to build resilience [11]:
    ◦ Advanced Wallet Technologies: Utilizing Multi-Party Computation (MPC) wallets, in which the private key is never reconstructed in full in any one place, to remove the single point of failure [9, 16], alongside a hot-warm-cold (three-tier) storage architecture for custodial funds [16].
    ◦ Enhanced Security Protocols: Implementing Multi-Fac
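To make the MPC wallet point above concrete, here is an added example (not code from Coinbase, CertiK or any exchange named on this page) of the simplest form of the idea: an n-of-n additive-share co-signing scheme over secp256k1 in pure Python. Every party picks its own key share x_i and publishes only x_i*G; the joint public key is the sum of those points, and a transaction is signed by combining partial signatures, so the full private key sum(x_i) is never assembled anywhere. The signature is Schnorr-style (s*G = R + e*P), which is an assumption for illustration and is not BIP340-compliant; production threshold schemes use t-of-n sharing (Shamir/Feldman) and extra commitment rounds that this toy omits.

```python
import hashlib
import secrets

# secp256k1 domain parameters (the curve used by Bitcoin and Ethereum keys).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant time; toy only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def challenge(r_point, pub, msg):
    """Fiat-Shamir challenge binding the nonce point, public key and message."""
    data = r_point[0].to_bytes(32, "big") + pub[0].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class Party:
    """One signing party. Holds an additive key share x_i and never sees the others."""

    def __init__(self):
        self.share = secrets.randbelow(N - 1) + 1   # x_i, generated locally
        self.pub_share = ec_mul(self.share, G)       # x_i*G, safe to publish
        self._nonce = None

    def round1(self):
        # Fresh nonce share k_i; only k_i*G leaves this party.
        self._nonce = secrets.randbelow(N - 1) + 1
        return ec_mul(self._nonce, G)

    def round2(self, r_point, pub, msg):
        # Partial signature s_i = k_i + e*x_i (mod N). On its own it reveals nothing
        # about x_i because k_i is uniform and used once.
        e = challenge(r_point, pub, msg)
        s_i = (self._nonce + e * self.share) % N
        self._nonce = None  # a reused nonce would leak the share
        return s_i


def distributed_keygen(n_parties):
    """Each party picks its own share; the joint public key is the sum of the
    public shares. The full private key sum(x_i) exists only implicitly."""
    parties = [Party() for _ in range(n_parties)]
    pub = None
    for party in parties:
        pub = ec_add(pub, party.pub_share)
    return parties, pub


def cosign(parties, pub, msg):
    """n-of-n co-signing: aggregate nonce points, then aggregate partial signatures."""
    r_point = None
    for r_i in [party.round1() for party in parties]:
        r_point = ec_add(r_point, r_i)
    s = sum(party.round2(r_point, pub, msg) for party in parties) % N
    return r_point, s


def verify(pub, msg, sig):
    """Ordinary single-key check s*G == R + e*P; the verifier cannot tell that
    several parties produced the signature."""
    r_point, s = sig
    e = challenge(r_point, pub, msg)
    return ec_mul(s, G) == ec_add(r_point, ec_mul(e, pub))


if __name__ == "__main__":
    signers, joint_pub = distributed_keygen(3)
    tx = b"constructed sample: withdraw 10 BTC to cold wallet"  # constructed input
    print("valid:", verify(joint_pub, tx, cosign(signers, joint_pub, tx)))
```

The property worth checking is that sum(x_i)*G equals the joint public key even though no party ever computes sum(x_i); that is what "the key is never reconstructed" means in practice. The toy deliberately skips two things a practitioner must not: nonce commitments before revealing k_i*G (without them a malicious co-signer can bias R), and key-aggregation coefficients or proofs of possession (without them a co-signer who picks its public share after seeing the others can mount a rogue-key attack and sign alone).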
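The GitHub Actions incident in the Coinbase takeaways is described on this page only as a supply chain attack through an action in a public CI/CD workflow. The following is an added example, not Coinbase's detection logic and not a description of the specific flaw in that incident, showing two generic hardening checks a practitioner runs over workflow files: flag any third-party action referenced by a mutable tag or branch rather than a full 40-character commit SHA, and flag the well-known "pwn request" shape where a pull_request_target workflow (which runs with the base repository's secrets) checks out the pull request head. The workflow text, the action names and the placeholder digest are constructed for the example.

```python
import re

# A ref is considered pinned only if it is a full 40-hex commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")

# Constructed sample workflow; the digest below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/lint-action@main
      - uses: ./.github/actions/local-lint
      - run: npm ci && npm test
"""


def find_unpinned(workflow_text):
    """Return (line_number, ref) for every remote action not pinned to a commit SHA.

    Tags and branches are mutable: whoever controls the action repository can
    move them to point at new code, which then runs in every consumer's CI.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and container images are out of scope here
        _action, _, version = ref.partition("@")
        if not version or not SHA_RE.match(version):
            findings.append((line_no, ref))
    return findings


def find_pwn_request(workflow_text):
    """True if a pull_request_target workflow checks out the PR head.

    pull_request_target runs in the context of the base repository with its
    secrets and a write-capable token; checking out fork-controlled code there
    lets an outside contributor execute with those privileges.
    """
    if "pull_request_target" not in workflow_text:
        return False
    return HEAD_REF_RE.search(workflow_text) is not None


def audit(workflow_text):
    """Summarise both checks for one workflow file."""
    return {
        "unpinned": find_unpinned(workflow_text),
        "pwn_request": find_pwn_request(workflow_text),
    }


if __name__ == "__main__":
    for line_no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: unpinned action {ref}")
    print("pull_request_target checks out PR head:", find_pwn_request(SAMPLE_WORKFLOW))
```

Pinning to a SHA does not by itself stop a compromise of the action's repository, but it means a moved tag cannot silently change what runs; pair it with a periodic diff of what each pinned SHA resolves to, and keep pull_request_target workflows from checking out or executing anything from the PR branch.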

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
All right, curious minds welcome. We've got a stack of
truly eye opening sources today, all about cryptocurrency exchange security,
and honestly, what they reveal about the first half of
twenty twenty five is pretty jaw dropping.

Speaker 2 (00:14):
It really is.

Speaker 1 (00:14):
Our mission today is to, you know, peel back the layers
on these cyber attacks, what's driving them, how attackers are
changing their tactics, and critically, what it all means for
anyone building or just interacting with digital assets exactly.

Speaker 2 (00:27):
The numbers themselves are stark, but the stories behind them,
they really light up some significant shifts in how attackers
are operating these days.

Speaker 1 (00:35):
Yeah, let's connect those dots.

Speaker 2 (00:37):
We'll try to link these big incidents to the broader trends,
give you insights not just into what happened, but maybe
why it matters for anyone in the crypto space.

Speaker 1 (00:43):
Okay, so let's just dig into these numbers first, because
they are genuinely shocking. First half of twenty twenty five alone,
over two point four seven billion dollars lost to hacks, scams, exploits,
the whole lot, and just to give that some context,
that figure already beats the entire amount lost in
all of twenty twenty four.

Speaker 2 (01:01):
Yeah, it's a huge jump. And what's really striking, I
think isn't just the total cost massive as it is,
it's that two incidents, just two, the Bybit breach and
the Cetus Protocol thing, they account for something like over
seventy percent of that two point four seven billion dollars.

Speaker 1 (01:18):
Wow, seventy percent from just two events.

Speaker 2 (01:20):
Yeah, nearly one point seven eight billion dollars between them. Yeah,
it shows a critical vulnerability. Right. For all the talk
about decentralization, these huge losses often still come down to
the security of a few, very large, often centralized players,
single points of failure.

Speaker 1 (01:35):
Essentially, that's a really powerful point. So the sheer volume
of attacks is one thing, but the potential scale of
a single breach is maybe the even bigger worry here.

Speaker 2 (01:44):
It seems that way.

Speaker 1 (01:45):
And it's not just the dollar amount, it's how they're
doing it. The methods are evolving, aren't they. What are
we seeing with these attack vectors?

Speaker 2 (01:51):
Well, the sources are highlighting wallet compromise as sort
of the costliest vector overall for this first half of
the year, and that's largely driven by massive incidents like
that bybit breach back in February, hackers stole an estimated
one point four billion dollars there, and notably that attack's
been linked to Lazarus.

Speaker 1 (02:08):
Lazarus, the North Korean state sponsored group, that's.

Speaker 2 (02:11):
The one an advanced persistent threat or APT group. Yeah,
very sophisticated.

Speaker 1 (02:15):
So yeah, sophisticated groups hitting the biggest targets. But what
about the more human focused attacks. Are things like phishing
and social engineering still working or are people getting wise
to them?

Speaker 2 (02:27):
Oh, they're still incredibly effective. Maybe surprisingly so. CertiK's report
actually noted that phishing became the most costly attack vector
in Q two of twenty twenty five, really.

Speaker 1 (02:37):
More than the others in Q two.

Speaker 2 (02:38):
Yeah, over three hundred and ninety five million dollars lost
just to phishing in that quarter. It surpassed previous periods.
So attackers are definitely refining those deceptive techniques, often going
after individuals within organizations.

Speaker 1 (02:49):
So we've got these high tech maybe nation state attacks
on one hand, and then the persistent human vulnerabilities on
the other. But is the overall trend shifting towards deeper
system compromises? Are these infrastructure level breaches really where the
big money is now.

Speaker 2 (03:05):
That's absolutely what the data suggests.

Speaker 1 (03:07):
Ye.

Speaker 2 (03:07):
More than eighty percent of the funds stolen in twenty
twenty five have come from exactly those types of breaches
where attackers managed to get significant, fundamental access deep inside
a platform's core systems.

Speaker 1 (03:19):
Eighty percent wow, okay, And a really worrying trend tied
into that seems to be targeting employees, contractors. The insider
threat problem. It's not just about keeping hackers out anymore,
is it?

Speaker 2 (03:30):
No? Exactly? It raises that tricky question, how do you
defend against someone who already has some level of legitimate access,
even if it's limited.

Speaker 1 (03:38):
Right.

Speaker 2 (03:38):
The Coinbase data breach from May twenty twenty five
is a well textbook example. Hackers actually bribed and coerced
a small number of overseas customer support agents, so they.

Speaker 1 (03:48):
Didn't hack systems directly. They targeted the people. Precisely.

Speaker 2 (03:51):
Now, no login credentials or private keys were stolen
directly in that part, but the compromised data it included names,
dates of birth, partial Social Security numbers, masked bank accounts, addresses,
phone numbers.

Speaker 1 (04:05):
Emails, ooh, sensitive stuff.

Speaker 2 (04:08):
Very and that data was then used to launch further
social engineering attacks against Coinbase users, trying to trick them
into sending funds.

Speaker 1 (04:15):
And Coinbase refused to pay the ransom right they were
demanding twenty million dollars.

Speaker 2 (04:20):
They did refuse. Instead, they set up a twenty million
dollar reward fund for information leading to the attackers. A
pretty bold stance.

Speaker 1 (04:27):
Yeah, bold. But does that kind of hardline approach actually
deter future attacks, you think? Or does it just maybe
push attackers towards different targets or even make them escalate
their tactics next time.

Speaker 2 (04:37):
It's a really complex calculation for any company. Coinbase chose
that strong stance, but the financial hit for them is
still significant, estimated somewhere between one hundred and eighty million
dollars and four hundred million.

Speaker 1 (04:47):
Dollars just from that one incident, Yeah.

Speaker 2 (04:49):
Covering remediation, security upgrades, and importantly voluntary reimbursements to customers
who were tricked into sending money because of those follow
on social engineering scams.

Speaker 1 (05:00):
Wow.

Speaker 2 (05:00):
It really hammered home the risk of insider threats and
the absolute need for better real time endpoint security and
data loss prevention DLP solutions.

Speaker 1 (05:11):
And Coinbase also had another scare earlier in the year,
didn't they something about a supply chain attack?

Speaker 2 (05:16):
Yes, that's right. In March twenty twenty five, researchers reported
they were targeted via a GitHub action supply chain attack.
Someone exploited a public continuous integration delivery flow. Okay, thankfully
Coinbase spotted it and shut it down before a wider
attack could happen, which really underlines how important rapid detection
and response are.

Speaker 1 (05:35):
Absolutely so. Okay, let's break down the common playbooks hackers
are using social engineering, What specific tactics are making it
so effective?

Speaker 2 (05:42):
Still, they're getting very sophisticated in how they deceive people.
You see phishing emails, of course, often looking like they
come from executives or regulators, even internal tech support, trying
to trick employees into giving up credentials or clicking bad links.
Then there are clone websites. They build sites that look
exactly like the real platform to steal user data, and

(06:02):
they often create a sense of fabricated urgency you must
act now to pressure people into bypassing normal security checks.
It's fundamentally about manipulating human psychology.

Speaker 1 (06:13):
Right, playing on trust and fear. And then there are
malware attacks. They can be sneakier operating in the background,
sometimes for ages exactly.

Speaker 2 (06:21):
Malware infiltrates systems, steals credentials, monitors activity, often without anyone
noticing for a long time. You see advanced persistent threats,
APTs again, often state sponsored, embedding malware for long term
spying or exploitation, and also more common stuff like keylogging
or credential theft malware designed to grab private keys

(06:41):
or passwords right off a compromise computer.

Speaker 1 (06:43):
And supply chain attacks. You mentioned the GitHub one. How
do these sort of hidden risks work in the crypto
world specifically, Well, they.

Speaker 2 (06:51):
Exploit vulnerabilities in third party tools or services that an
exchange depends on. Think about it, weak APIs from a
custody provider they use, or maybe a cloud service.

Speaker 1 (07:03):
Okay, so not attacking the exchange directly, but going through
a partner exactly, or.

Speaker 2 (07:08):
Even compromised software updates. A legitimate update gets pushed out,
but it has a hidden back door, so you're attacking
the target through a trusted relationship, often without them even
knowing they're vulnerable through that channel.

Speaker 1 (07:20):
Yeah, and it's like threats from every angle. And these
aren't entirely new problems, are they the sources give us
a bit of a history lesson highlighting some recurring themes. Yeah.

Speaker 2 (07:28):
If you connect this to the bigger picture, many of
these issues they echo past incidents. It shows how critical
robust security has always been. Like XT.com lost
one point seven million dollars in November twenty twenty four,
wallet infrastructure vulnerabilities. WazirX, September twenty twenty four, two
hundred and thirty million dollars lost from a malicious smart

(07:50):
contract upgrade that points to governance weaknesses. Who approves these things? Yeah?
DMM Bitcoin, May twenty twenty four, lost about forty
five hundred bitcoin due to wallet exploits.

Speaker 1 (08:00):
Yeah.

Speaker 2 (08:00):
That exchange actually had to shut down completely afterwards.

Speaker 1 (08:03):
Wow. And going back even further, we see similar issues,
especially around hot wallets and private keys, hitting.

Speaker 2 (08:09):
Some big names precisely. CoinEx, September twenty twenty three, lost
seventy million dollars because attackers got access to private keys
for hot wallets. Liquid, back in August twenty twenty one,
lost ninety seven million dollars from their warm wallets. That
incident really underscored the need for better tech like multi
party computation or MPC, right, and then there's the
infamous Coincheck hack, January twenty eighteen, five hundred and

(08:31):
thirty four million dollars in NEM tokens gone largely because
of, well, inadequate security, hot wallets without even basic multi
signature support.

Speaker 1 (08:38):
And we can't really talk cryptosecurity history without mentioning the
elephant in the room. Mt. Gox is kind of the
original sin of cryptosecurity, isn't it the breach that launched
a thousand nightmares.

Speaker 2 (08:46):
It truly was catastrophic. February twenty fourteen, eight hundred and
fifty thousand bitcoins lost, about four hundred fifty million
dollars back then, but obviously worth vastly more now. That
led to bankruptcy, intense scrutiny, really shaped the industry's
approach to security, or lack thereof, early on, and looking
across this whole decade of major breaches from Mt. Gox

(09:09):
right up to Bybit recently, the really shocking
thing isn't just the massive amount stolen. It's the frustrating
recurrence of the same basic problems poor key management, human error,
weak internal controls. It really feels like we're constantly relearning
very old, very expensive.

Speaker 1 (09:24):
Lessons as a pretty stark reality check. So given that
history and this constantly evolving threat landscape, what does it
all mean for actually building resilience? How do exchanges protect
themselves protect their users against these increasingly sophisticated attacks.

Speaker 2 (09:39):
What really boils down to needing comprehensive security frameworks. You
need a multi layered approach. There's no single magic.

Speaker 1 (09:44):
Bullets, okay, like what specifically advanced.

Speaker 2 (09:46):
Wallet technologies are absolutely key, things like MPC wallets, multi
party computation. They eliminate that single point of failure because
the private key is never actually reconstructed in one place,
makes it much harder for an attacker to steal.

Speaker 1 (09:59):
The whole right, distributing the risk exactly.

Speaker 2 (10:02):
And also using things like a three-tier storage architecture,
hot warm cold wallets for custodial funds. It helps balance
the need for transaction efficiency with robust security for the
bulk of the assets.

Speaker 1 (10:15):
And it's not just the tech right, its processes too.
But are these kinds of solutions like MPC truly scalable?
Can every exchange from the huge ones down to smaller
platforms actually implement this effectively? Or is there a significant
cost barrier.

Speaker 2 (10:30):
Scalability and costs are definitely considerations, yes, but the foundational
principles they apply across the board. Things like robust governance
policies are crucial. Multi approval policies for instance, making sure
no single person can authorize a really high risk action
like a massive withdrawal.

Speaker 1 (10:45):
Makes sense, checks and balances exactly.

Speaker 2 (10:48):
And proactive monitoring and controls, real time monitoring of API
activity system updates, plus advanced risk controls like address white listing,
daily withdrawal limits, maybe time based approvals for certain actions.
And then there's compliance and certifications, things like SOC 2
or ISO 27001. These are basically rigorous
independent audits of security practices. They help validate that an

(11:11):
exchange is actually adhering to recognized international standards okay.

Speaker 1 (11:16):
And finally, looping back to that coin Base example, employee
training it's vital for mitigating social engineering insider threats, but
is it really enough or is there an argument that
the human element will always be the weakest link no
matter how much training you do, so maybe the focus
needs to be heavier on the technical fail safes.

Speaker 2 (11:33):
That's kind of the perpetual challenge isn't it. Training is
absolutely indispensable. Human error or manipulation is so often the
initial way in for attackers. You have to do it.
But a true defense in depth strategy means you supplement
that training heavily with technical safeguards like the real time
endpoint security and advanced DLP. We mentioned tools that can

(11:54):
potentially detect and block malicious activity or data theft, even
if an employee is compromised or makes a mistake. It's
about building protective layers around that human element, because yes,
it will always be a factor.

Speaker 1 (12:07):
Okay, let's try and wrap this up. Then it's clear.
The cryptocurrency landscape is well, it's a battlefield. Constant vigilance
is just the baseline. We've seen, the sheer scale of
the losses, the way tactics are shifting, social engineering, infrastructure hacks,
supply chain attacks, and the absolute need for this multi
layered defense. You talked about hitting both tech and human factors.

Speaker 2 (12:28):
What's really striking, I think is how those core security
principles managing insider risk, robust wallet security, strong governance, they
remain constant challenges across a decade of these breaches, even
as this specific attack vectors get more complex.

Speaker 1 (12:42):
Yeah, the fundamentals don't change.

Speaker 2 (12:44):
Right, And it raises this important question, doesn't it In
a world where even the biggest, most established players are targets,
how do we keep adapting our security thinking, not just technically,
but to really integrate and strengthen that human element and
overall organizational resilience. It's an ongoing.

Speaker 1 (13:01):
Process, indeed, and for you listening understanding these dynamics is
just crucial. Whether you're involved in building these platforms, investing,
or maybe you're just curious about the space, Recognizing these
threats is the first step towards fortifying your own digital presence.

Speaker 2 (13:17):
And just to note, this exploration of crypto exchange security
was put together using human sourced intelligence, and we used
AI assistance to help synthesize and bring you the most
critical insights from all that material.

Speaker 1 (13:29):
Stay curious, stay safe out there, and we'll be back
soon to explore another stack of sources.

© 2025 iHeartMedia, Inc.