Crypto crime: Challenges with Web 3.0 security

The majority of the crypto-related headlines from the majority of the places where the majority of us get our news cry of security breaches, scams, and ties to illicit activity. 

As they should, said Duke law professor John Reed Stark, the former chief of the SEC's Office of Internet Enforcement and a skeptic — to put it mildly — of the majority of the projects in and around the space crypto-believers call Web 3.0.

"They're rife with market manipulation, insider trading, fraud, thievery, chicanery, just about any financial crime you can think of," Stark said.

That misses a lot of nuance, said Nick Neuman, the co-founder and CEO of the Bitcoin wallet Casa. He doesn't dispute that scammers see Web 3.0's deregulated nature as an opportunity: a blockchain network composed of millions of personal computers around the globe, allowing us to post, share, download and move digital files, one day (maybe soon?) supplanting the internet of today where central authorities with their warehouses full of blinking servers grow preposterously wealthy off the user data they collect for free, decide what we see on this web we access through our many online accounts, and also — in theory — take responsibility for ensuring we don't get ripped off.

Neuman wants those against, considering, and currently investing in the space all to understand that there is a risk spectrum between the newer Pokemon-ish crypto video game Axie Infinity, recently hacked for around $650 million, and the Bitcoin blockchain, which has never been hacked in its 13-year history.

"People need to know that there's a difference between those two things," Neuman said.

"The one common thread among them all is they're wholly unregulated," Stark said. "That means there's no SEC auditing, SEC examining, no archiving of records, no licensure of the people there, no net capital requirements."

Stark went on from there. But again, Neuman didn't disagree that the irreversibility of a crypto transaction makes it both the boon that enables what he calls "censorship resistance" ("which is incredibly important to providing essentially freedom money to people around the world," he said) and the curse that renders stolen or sent crypto as lost crypto.

Neuman said, "Unless somebody comes back on the back end and either finds that person through law enforcement" or a centralized entity like Coinbase refunds its customers from its own balance sheet.

"I think that doesn't scale," Neuman said. "We will not see that evolve over the next 10 years further."

Instead, Neuman expects more individuals to hold their own private key passwords to digital wallets containing their crypto tokens — a future that would require those wallets, the exchanges they fund, and the protocols on which they exist to continue to improve their security.

"There's still a long way to go," Neuman said.

"We in the industry are learning about how best to secure this infrastructure," Chainalysis VP of IT and Information Security Betsy Bevilacqua said.

Chainalysis is working with those investigating the aforementioned Axie Infinity hack.

"We provide data, software, services, and research to government agencies, crypto exchanges, financial institutions, insurance, and cybersecurity companies in over 70 countries," Bevilacqua said.

Chainalysis follows the movements of tokens between wallets to chart what's hacked or stolen from its origin to its final destinations.

"We make what's on the blockchain human-readable," Bevilacqua said.

The existence of that very public, un-editable giant spreadsheet, Bevilacqua and Neuman argue, might make crypto criminals easier for law enforcement to catch than the majority of crooks, who still deal in cash.

"I live for a time when cybercriminals will realize that this is not the currency for them," Bevilacqua said.

"The idea that it's somehow a boon to law enforcement to have this traceability is something, I think — not I think — I know is wrong," Stark said.

Stark pointed out that, even with the forensic accounting of Chainalysis, investigators most often discover only the public wallet addresses of the stolen funds and not the identity of the individual or individuals who perpetrated the hack — criminals who are often not even located in the United States or in a country with an extradition treaty.

"Cryptocurrency is a way to do drug-dealing, sex-trafficking, money laundering, ransomware attacks, extortion," Stark said.

"Illicit activity is about 1% of all Bitcoin activity," Neuman said.

Regardless of whether one sees all of crypto as one giant Ponzi scam empowering criminals around the globe ("I don't even believe in blockchain anymore," Stark said) or as the future of money, technology, and the internet ("We really see a lot of promise in what holding private keys and securing your money yourself can offer," Neuman said), we've now reached the point in crypto's evolution where it appears unlikely to vanish or retreat in its advance toward more mainstream adoption anytime soon, making Web 3.0 security, enforcement, and regulation all priorities not only for those in and around the space but also for our financial system and society as a whole.

"These are not problems I can go and Google away, you know?" Bevilacqua said.