This is the jungle: Law enforcement slowly waking up to the threat of DeFi exploits – Fortune

At the end of August, the FBI issued a public service announcement on the susceptibility for cybercrime in DeFi (decentralized finance), the growing crypto segment of financial applications backed by blockchain technology. Of the $1.3 billion stolen in cryptocurrencies in the first three months of 2022, 97% came from DeFi platforms.

The warning did nothing to deter cybercriminals, who launched flash loan attacks on the Avalanche blockchain and the New Free DAO protocol the following week that totaled nearly $2 million. According to data from investment platform DeFiYield, $211 million was lost in decentralized finance hacks just in August.

Cybersecurity experts say the timing of the FBI warning, several years after DeFi exploits began, illustrates how slow governmental agencies and technological solutions have been to catch up to the vulnerabilities of the ecosystem.

"Law enforcement is reactionary to what's happening out there," said Chris Tarbell, the co-founder of the cybersecurity firm NAXO and a former FBI special agent who was instrumental in taking down the notorious Silk Road marketplace. "It takes time because it's such an advanced technology."

As the apocryphal story goes, a reporter once asked Willie Sutton why he robbed banks. "Because that's where the money is," he replied.

Michael Rosmer, cofounder of DeFiYield, said the same logic attracts cybercriminals to the world of decentralized finance, where transactions are irreversible, unlike in traditional banking, and law enforcement is still figuring out how the platforms work.

"Where else can you go where you can steal really large amounts of money with no recourse?" Rosmer told Fortune. "That makes crypto a logical target until we can somehow turn around and come up with better systems for addressing this."

According to DeFiYield's data, the $211 million lost last month still pales in comparison to August 2021, when cybercriminals stole an estimated $827 million. Rosmer clarified that the decrease does not mean there is any less of a threat, attributing the figure to the cryptocurrency industry's vastly lower market cap, as well as the shifting nature of DeFi hacks.

Previous exploits targeted lending protocols (like Binance Smart Chain-based protocol Meerkat Finance, which lost $31 million in user funds the day after it launched in 2021) as well as other complex DeFi tools like liquidity pools and automated market makers.

Rosmer said that the main target in 2022 has been bridges, a type of technology that connects different blockchains, allowing users to move cryptocurrencies among chains. The biggest example from 2022 was the attack on popular play-to-earn game Axie Infinity, which lost an estimated $620 million in March when cybercriminals targeted the bridge to its Ethereum-linked sidechain.

The attacks have continued. Just last month, hackers exploited the Nomad bridge, which connected blockchains such as Ethereum and Avalanche, for $190 million.

"This is a challenging technical problem," Rosmer told Fortune. "The more value that is being exchanged between two chains, the more attractive the pot exists to make it so that you would want to attack it."

Ryan Kalember, an executive vice president at cybersecurity firm Proofpoint, said that DeFi is in a tricky position where it's attractive for cybercriminals to target, but not necessarily valuable enough for companies to develop sufficient defenses.

"You could end up with this hell-state where it's not worth enough to secure, but it's still worth enough for cybercriminals to go after it," he said.

The problem is exacerbated by the international nature of cybercrime, which makes it difficult for U.S.-based law enforcement to act. "If you can't get Edward Snowden in Russia," said Rosmer, "how are you going to get some guy who just stole $10 million from a DeFi protocol in Russia?"

Governmental agencies are starting to figure out new strategies, such as the U.S. Department of the Treasury sanctioning the open-source cryptocurrency mixer Tornado Cash, which cybercriminal organizations like North Korea's Lazarus Group have used to launder hundreds of millions of dollars, including from August's Nomad heist.

Even so, officials are just starting to wake up to the threat. "It's complicated, it's new, and it's poorly understood, especially by law enforcement," Kalember said.

While Rosmer said that the FBI warning was a step in the right direction, he was skeptical it would have much of an impact. For him, the onus is on technology companies like DeFiYield to ramp up security.

"This is like the jungle," he told Fortune. "We are working on trying to make the jungle safe and turn it into a zoo."
