Unchained - How Crypto Users Get Rekt and How You Can Stay Safe - Ep. 987
Episode Date: December 24, 2025
Visit our website for breaking news, analysis, op-eds, articles to learn about crypto, and much more: unchainedcrypto.com
Security remains a work in progress for crypto, and that may be putting it mildly. This year Bybit was hacked for $1.5 billion, the largest exploit ever, crypto or otherwise. In this Unchained episode, Security Alliance members explain how crypto exploits have evolved, why smart contracts are no longer the primary vulnerability and why a security plan alone may not be enough. They take us inside how North Koreans are getting jobs at crypto and tech companies and how they operate. Plus, best practices for individuals that intend to hold their assets for the long term. Test transactions and 2FA based on authenticator apps may not be ideal.
Thank you to our sponsors, Uniswap and Mantle!
Guests:
Pablo Sabbatella, Member of SEAL (Security Alliance) and Founder of Opsek
Isaac Patka, Wargames Initiative Lead at SEAL, and Founder of Shield3
Links:
Unchained: How the $1.5 Billion Bybit Hack Could Have Been Prevented
The Chopping Block: Code, Chaos & Consequences: What the Balancer Hack and Rollback Debates Mean for Crypto's Future
How AI Agents Hacked Smart Contracts for $1 Apiece – DEX in the City
DEX in the City: How Privacy in Crypto Makes Everyone's Finances More Secure
Chainalysis crypto crime report
SEAL 911 bot
SEAL website with profiles of confirmed DPRK IT workers
Timestamps:
00:00 Introduction
1:27 How social engineering has become the primary driver of crypto exploits
8:28 What does SEAL do?
12:08 Why safe harbor for white hats matters
14:41 Why are North Koreans infiltrating U.S. companies?
18:03 How the North Korean IT jobs scheme has evolved with "laptop farms"
22:05 How North Korean IT workers steal crypto from companies and how to avoid hiring them
32:20 Isaac explains how companies can minimize losses even with North Korean hackers on staff
35:52 Why Isaac doesn't do test transactions
38:19 How Bybit was targeted
49:41 The primary ways individuals get hacked
54:28 How individuals can avoid getting rekt
1:08:42 What privacy means for crypto security
1:12:38 What to do if your assets are stolen
1:15:41 Useful security resources for individuals and companies
Transcript
With a crypto startup, you can go from like just launching to suddenly being in charge of tens of millions of dollars of people's funds kind of overnight without kind of a gradual buildup of an internal security capability.
And so it's really hard to have somebody on staff that's like just focusing on this stuff.
When you protect the company, when we do, for example, the audits, you have to find all the weak things, all the holes.
You have to find all of them.
Threat actors just need to find one.
Hi, everyone. Welcome to Unchained, your no-hype resource for all things crypto. I'm your host,
Laura Shin. Thanks for joining this livestream; just FYI, it was pre-recorded.
Before we get started, a quick reminder. Nothing you hear on Unchained is investment advice.
The show is for informational and entertainment purposes only. And my guest and I may hold
assets discussed on the show. For more disclosures, visit Unchained Crypto.com.
Mantle is launching the Global Hackathon 2025 to accelerate the future of real-world assets,
with a $150,000 prize pool, backing from a $4 billion treasury,
and direct access to Bybit's 7 million-plus users.
This is the ultimate ecosystem for builders.
Are you a builder who needs to add on-chain trading to your product?
The Uniswap Trading API from Uniswap Labs offers plug-and-play access to some of the deepest liquidity
in crypto. It's on-chain execution at an enterprise level. More liquidity, less complexity.
Visit hub.uniswap.org to learn more. Today's topic is how to keep your crypto safe. And how to
keep all of crypto safe. Here to discuss are Pablo Sabbatella, member of SEAL, the Security Alliance,
and founder of Opsek, and Isaac Patka, Certifications Initiative Lead at SEAL and founder of Shield3.
Welcome, Pablo and Isaac.
Thank you.
Very good to be here.
Thank you, Laura.
So we're releasing this show shortly before the holidays,
and I understand it doesn't seem like a cheery topic.
However, if you either receive crypto or you buy crypto with holiday money,
or if you are giving crypto to someone who, especially if they're a newbie,
and you want them to keep it safe, then this episode is for you.
It is also for any crypto OGs and crypto companies,
since, as we all know, even people with years of experience in this industry can get hacked, including companies.
I'm sure people remember that in 2025, this was very early in the year.
We saw the Bybit hack for $1.5 billion.
That was not only the biggest crypto hack ever, but it was also the biggest hack ever in all of history.
We saw also a ledger executive become a victim of a physical ransom attack.
the attackers actually cut off one of his fingers.
A few months ago, Balancer was attacked through very old,
trusted smart contracts.
That shocked everybody.
Recently, Anthropic showed that AI agents can easily hack a number of smart contracts as well.
And for those of you who might have seen on the timeline,
recently Jill Gunter, who's been in crypto for a decade,
was hacked for $30K.
Okay, it's obviously not a huge amount of money.
However, the way that happened was it stemmed back to a
transaction of $5 that she did, you know, ages ago. So, you know, on top of all this news,
Chainalysis reported recently that North Korea had hacked $2 billion of crypto this year and that
a total of $3.4 billion in crypto was stolen in 2025. So you guys, you know, this industry is, yeah,
it's more than a decade old. But clearly we don't have the security thing down. So Pablo and Isaac,
Given all this, and numerous other incidents I did not even mention, how would you describe the state of crypto security today?
And Pablo, why don't we start with you?
Okay, thank you, Laura.
Well, I would say that crypto security changed a lot the last years.
When crypto started, we had basically smart contract hacks.
The industry, the security industry and blockchain got far better regarding the smart contract security.
And then threat actors, seeing this, started to change their strategy.
So they started to attack Web3 with Web2 hacking techniques, right?
That's classical hacking.
So we are talking about private key leakage, social engineering, malware, zero-day exploits,
phishing, SIM swaps, account takeovers, domain hijacks.
basically most of these attacks, like today, 99% of funds stolen are due to operational security issues, not smart contract hacks.
And from that 99% I would say that also 99% of those attacks start with social engineering, right?
What is social engineering?
it's the art of making someone do something against their interest and in the interest of the attacker, right?
And I would say that today all of those cases could be avoided if we do something as simple as
verifying who we are talking with, right?
Even if we are talking with someone we know or someone new we don't know, most of those cases can be stopped like this.
Isaac, what would you add?
Yeah, I totally agree with
Pablo about kind of the root
causes of most
hacks that are happening these days.
One of the ones that I'm most nervous about
and specifically was nervous about today
is like fake
podcast interviews and fake
reporters reaching out. Like right
before this call, I was on my
weekly call with the Security Alliance
and I was like, hey guys, in case I reach out to you urgently,
I have this interview that I think
is with Laura Shin, but like, this is the URL.
I'm pretty positive.
This is what's happening.
To me, that's one of the scariest ones because I've seen, I know so many people personally
that have become victims of, like, maybe they're applying, they're trying to get
investment for their company.
They're trying to get grants.
People reach out and they say, hey, we want to highlight you.
We want to give you this grant.
We're so excited about what you're doing.
And it can go on for weeks and weeks.
And then in a moment of
heightened panic or heightened pressure, they say, hey, oh, we can't hear the interview coming through
on your device. Just download this driver onto your computer. And so if you ask me to download any
drivers, I will probably say no during this interview. And if anybody is on any interviews or any
Zoom calls or things and see stuff like that happening, just take a step back. Yeah, so like Pablo said,
we've moved farther away from smart contract attacks because the industry has gotten so much better at that,
but moved much more towards the operational side of the industry.
Somewhat interestingly, though, is the last few months,
we've seen some exploits on, like you said, old code.
And so I think that there's also a resurgence of people going out there
and figuring out what they can scrape from, like,
earlier days of smart contracts and seeing what exploits they can perform
on perhaps the contracts that have less attention on them at the moment.
So that might cause a bit more of an increase,
in traditional smart contract hacks.
But yeah, as Pablo said, it's mostly operational these days.
Yeah, I mean, I think that the social engineering piece really is based around the hacker,
just gaining your trust.
That's really what it's all about.
And, you know, for those who are familiar with the pig butchering hacks,
pig butchering is basically a subset of this, you know, whole social engineering bit.
And that's exactly like what Isaac was talking about.
if you're, because I also have received, you know, requests in my DMs to be interviewed by, you know,
like TechCrunch or Bloomberg or whatever. And there's, because I'm a journalist, there's something about
the message before I knew that this was like a hacking thing. I was just like, it, like,
like, what is this? And I just somehow could sense, like, this is not a real journalist or something.
And I, and anyway, I just get so many messages. I just didn't respond. But that's another thing.
It's like, it brings your defenses down. And, you know, it's almost like,
flattering your ego a little bit. And so then that just makes you more willing to trust because
there's like you think that there's going to be something beneficial to you. So yeah, basically
that's how social engineering works. It's preying on the fallibility of human psychology. So you both
do work for SEAL. And I actually wasn't sure like, you know, what type of organization SEAL is in
terms of like, you know, whether you're like literally employees or what that relationship is.
But can you explain what SEAL is, the Security Alliance, and like, what are the different
services that it provides, and then also talk about, you know, your work there? Sure. I'm happy to take
that. Yeah. I've been with SEAL since like the very early days. So I heard like back when SEAL was
forming, I just heard that there were these, these like this nascent initiative around trying to
fix all of the things that are broken in security in crypto.
And at the time, I had, samczsun had reached out to me through actually, through a friend of a friend,
or somebody else had put us in touch because one of the main issues that he was trying to solve
was like war rooms and incidents when like crypto protocols get hacked were just not going very well.
Like teams were not very prepared. People were panicking. People were not like ready to contact the people
they needed to contact and they didn't know what to say to the community on their Twitter
when these hacks were inevitably happening. So in the earliest of days, I came in to help out
with this initiative called the War Games Initiative, where we just were doing incident response
training for protocols. We would do simulations to help them just prepare for the inevitable,
which is as a crypto protocol in this space, you will inevitably have some sort of incident.
And so we were helping them prepare. So that was one of the earliest initiatives. And then a lot of what
SEAL has evolved into is just trying to fill in all the various gaps. And so one of the most
visible initiatives within SEAL, I'd say, is SEAL 911. And so 911 is this group of like super talented
volunteer emergency responders that if you are under attack or you're a protocol that's under attack or
if you've recently been hacked, you can reach out to this Telegram bot and immediately get connected
to the right team that can help you solve that issue. That solved a really big problem
for a number of cases where before there were these big like crypto security Telegram groups
where somebody would go in and be like, hey, does anybody know someone at X protocol?
And that set off a lot of alerts for a lot of people because there were white hats in these chats
and there were also black hats in these chats.
And so one of the problems was like, okay, how can we like, if we think there's a hack going on,
get the right people connected to the right folks to coordinate a response.
And so 911 has become a huge resource for the community.
As the 911 responders, we learn a lot about what is happening
on the front lines of crypto hacks and security.
And so a lot of that also gets fed into another relatively newer initiative called SEAL Intel,
which coordinates information sharing of hack data and exploit and coordination between
wallet companies, centralized exchanges, protocols throughout the space.
The best practices that we learn as SEAL from all of these different initiatives all get
fed into something called SEAL frameworks, which is like open source, free to use best
practices on how not to mess up on all things security.
and now the latest initiative, which I'm leading around certifications, is like taking everything that we've learned, try to come up with some standard for like benchmarking, like, this is what like proper security policies look like in this space.
Oh yeah. So in summary, like frontline responders, incident response training. I didn't even mention Safe Harbor, which is legal protection for white hats, which would be an interesting. Yeah, once I stop this monologue, we can perhaps come back to Safe Harbor because that's an interesting one as well.
So that's SEAL. I am employed by SEAL to lead certifications, but I also run my own company,
Shield 3, which now does incident response training as a service.
Okay, yeah, for anybody who read my book, they might remember this moment after the DAO attack
where the white hats had figured out how it had happened, but then there was this gigantic pool
of money that was still sitting in the vulnerable smart contracts that anybody could steal once other people
figured out how the hack worked. And so they had this kind of like debate, I guess you could call it,
about like, should they just go in and steal the money the way that the hacker had stolen the money
because they knew how to do it. And they were like, well, you know, we could just tell everybody
we're doing it to be white hacks and rescue the money, or white hats. But then other people were like,
oh, right, but since we're doing the same thing that the black hat did, like, what if we go to jail?
And so they waited until it started to be hacked again.
And then they realized that they could use this justification, like exigent circumstances, like, you know, urgent circumstances require them to rescue this money.
So anyway, so that safe harbor thing is meant to address situations like that, I would imagine.
Exactly. And one of the other triggers for that was the Nomad Bridge hack, because that was one where, similarly,
money just started being drained
and then people realized like, wait a minute,
this is not some sort of sophisticated attack.
I can just go to this contract and say,
please send me all of the Bitcoin inside of you
and it would do it.
And so that was one where also White Hats were like,
I'm not sure should I do this.
I even, I have like one incident in which
I white hat sort of like hacked a
contract online where somebody had to put up
this kind of canary deployment contract
where it's like, okay, there's some funds in here.
if these get hacked, maybe it means our system isn't safe.
And so for me, like, there was no safe harbor at that time.
And so I just kind of tweeted at the person I thought deployed the contract and said,
hey, I'm hacking you right now.
I'm happy to return these funds if you would like me to.
But, yeah, the Safe Harbor provides an actual, like, on-chain guarantee from the protocol.
In fact, I think Lido just adopted it yesterday.
As of recording this, Lido adopted it, you know, in December 2025.
And there's now, I think, over $50 billion in TVL under this protection.
It was used for the first time during the Balancer hack.
So this was the first time that during the Balancer hack, there were some white hats that
were able to actually rescue funds under the Safe Harbor agreement because Balancer
had adopted this on-chain legal agreement.
Oh, great.
Okay.
So let's now talk about something that's not only been a huge trend in crypto, but pretty
much all of tech, as far as I can tell, which is that companies are accidentally hiring North Koreans.
So explain, you know, more about this trend. Why is it that North Koreans are going after these jobs?
What are the ways in which, once they have them, they are either stealing crypto or enabling
crypto to be stolen by other North Koreans, you know, when they are employed?
Okay, good. I can take this one. Basically, the DPRK, from
what we know and what we see, what we research, has two goals when they make an IT worker,
which is what we call North Koreans that get hired by these companies, be hired by companies, right?
One of the goals is to hack that organization, right, to steal some money from that organization
or from their users or clients.
And then they have a goal that is to earn the salary, right?
many times they have one IT worker working for five different companies and getting five salaries.
So they also make use of that.
So they have these two goals.
Then inside the organization, let's say that they have two levels of people, right, IT workers.
Level one is people that go and get hired, right, by these companies.
or people that go and do social engineering to infect our people, right?
So the goal here is to put the first foot in their infra, right?
So let's say some company is looking to hire a solidity developer.
We think that today between 40 and 50% of applications received by Web3 organizations
are from North Korea, nearly half of the applications received.
And these applications look very good,
but one of their biggest red flags
is that they know all of the languages
and they are a 10 at everything, right?
So they basically get hired, right?
And they put their first foot inside the infra, right?
So they have some access, right?
Because now they are employees.
And then after having this initial access,
they, let's say, pass the task to someone who is more advanced
and these people know how to move laterally in any organization
and to start doing privilege escalation, right?
How to scale.
And from there, the goal is to steal as much money as they can, right?
You know that the biggest reasons why North Koreans are not detected usually
is that they are very good at what they do.
They generate very good code.
They work a lot and they never complain, right?
That's the number one.
The three biggest reasons why they are not detected.
So this also changed a bit.
In the past, we used to see that most of the organizations
where DPRK people were detected
were organizations that had hired someone
that was anonymous, right?
Because it was something very, very common in crypto
to hire an anon.
I think that that cannot be done anymore.
I mean, if you are a founder from a company,
you should know everyone, in my opinion, in person.
If you don't know someone in person,
you should not hire them.
And not hire anons, right?
So then this started changing a lot.
Companies started hiring people
that they could see in an interview
like this or that they could do a background check.
So North Korea also changed their strategy.
So first, they started creating laptop farms in the US, right?
What is it?
What is a laptop farm?
It's basically some US citizen or someone that lives in the US
who is sent a laptop from North Korea or from China.
They have to turn on these laptops,
connect them to the internet from their homes.
So you have an IT worker connecting remotely from North Korea.
and working from this device,
but then the company that has hired this North Korean thinks that this guy has an IP from the US, right?
So next step was that they...
I'm so sorry.
I don't know if I fully understood that.
So they get hired somewhere, but then North...
Sorry, sorry.
So the North Korean person gets hired, and then they get a computer,
but that computer has an IP from the US.
or I didn't follow.
Yeah.
So they get hired, let's say, by Apple, right?
So then after being hired by Apple, they send a laptop themselves to the US, right?
To some guy that lives in the US.
This guy connects this laptop from North Korea in his home, right?
And now North Korea connects to this computer remotely, right?
but they work for Apple from this device,
showing that they have an IP from the US, right?
And how is North Korea finding that person in the US
to take the laptop?
Well, these people that first they used to do laptop farming
and now they are also selling identities,
they don't know that they are working for North Korea.
They just think that they are working,
they are helping someone from Singapore or from South Korea
or from the Philippines,
and that they are helping them land a job in the U.S.
that they cannot land because they do not live in the U.S.
So how do they connect on a message board
or like where are they finding these random Americans?
Usually there are like Telegram groups, Reddit groups,
but most of this stuff happens in telegram groups.
I mean, this is also something that is used by legit people, right,
that live in some country,
but they get a job that says that they have to live in the US, right?
So they do this, and they are not IT workers.
They are just people that are not following all the laws from these companies,
but this is something usual, right?
Wow, this was the first step.
Then this changed, right,
because companies started doing better background checks
and also asking you to have your camera on all of the time, right?
So these guys now pay U.S. citizens to go and do the interviews.
They sell, they sell them the script.
They do the background checks.
They do the KYCs.
They connect to the daily calls, to the weekly calls, and they have a script of what they have to say.
So you have a company and you have hired someone from the U.S.
You did the background check.
You see them in calls and everything.
But the real person working behind that is an IT worker.
that's super scary, quite sophisticated, and not so easy to detect.
Wow.
Okay, that is crazy.
Okay, so I mean, for crypto companies, how can they avoid hiring this type of person?
Like, you know, or is it really a duel at that point?
Yeah, yeah, totally.
Because one more thing, and then I'll let you, I'll start talking about this.
One more thing that is very important to know is that once you detect, like from SEAL, we detected, many people detected lots of IT workers working in different companies.
Once you detect that some company or some protocol has an IT worker working there, it's not so easy to remove them.
It's not even easy to report that,
because maybe it's the CTO or maybe it's someone that has access to everything.
So when you report that, this person gets to see the report in some way and they know that they have been found,
and they will do as much harm as they can, right?
So whenever they are detected, it's also very, very difficult to remove them because most of the time they have lots of access.
Yeah, and I actually, wait, before you answer how to not hire them,
Let's do, so once they get in the systems, how are they taking the crypto?
Well, most of the times it's private keys, private key leakage, or sometimes it's introducing
vulnerable code in contracts and then making use of this code that has not been detected.
But most of the times, it's private key leakage, right?
Okay, like meaning the company's assets, not user assets.
Okay.
Yeah, maybe the developer
that you hired. Again, these are talented developers. They might have done a great job for a long
time developing your smart contracts. And then one day you wake up and all of the money is gone because,
you know, they held the key to the contract. And there are ways of kind of protect, like,
through proper company operations around containing access control risks and stuff like that.
There's ways of minimizing that. But it really just is, yeah, it's super challenging to,
to deal with. There's one thing that the Security Alliance published recently, which is a
website called lazarus.group, which is kind of funny. It's like a parody consulting website of all
of the profiles of known IT workers. And so highly recommend go to that site, look at the team page.
And if you recognize anybody on that page, you might have an IT worker at your company.
So, yeah, it's just, as Pablo said, they're getting more and more sophisticated. So it's quite
challenging to do. But at least, like, some companies I speak to have now policies where they have to
meet somebody in person at an event somewhere in the world. But this already, you know,
increases recruiting budgets and that's even more challenging to do. So information sharing
between companies can help, but it's far from a solved problem. Yeah, I mean, I think like what
the issue would be, too, is that there's so many new crypto companies that are popping up all the
time. And it could be people who maybe, you know, don't have as many connections in the industry
or like they haven't been in the industry very long
and so they're like not as aware of these issues.
So you could just, yeah, see
this happening more like on the fringes.
All right.
So what would you recommend that crypto companies do
to not hire either North Koreans
or basically any bad actors whatsoever?
Although, yeah, maybe let's start with North Koreans
since it sounds like there are particular,
you know, kind of
traits of those workers?
Well, I would say, first of all, if you're hiring someone, that person should be recommended
by someone else.
It's true that we have lots of new people coming into the ecosystem, but you should have
always someone in common, some connection or someone who can vouch for you, right?
That's thing number one.
Number two, as I was saying, obviously making calls with live videos.
and checking that the person on the other side looks legit.
Fake video today looks very, very good.
In fact, something that we recommend to our clients
is that during every call, when the call starts,
even if it's with people from your team or people you don't know,
everyone should do this.
When you have a filter that changes your face,
which are very, very good today,
when you do this, that filter breaks, right?
So that's one of the things to check
that the person on the other side is legit.
Then language and cultural consistency, right?
Many people say, okay, yeah, I live in Singapore
or I live in Canada,
and you make basic questions about the city where they live
or what they do, and you find that there are lots of gaps, right?
And then as we were saying, I think that every call, every daily, weekly or anything, they should always have cameras on for everyone.
It doesn't matter where you are.
If your house is tidy or not, cameras always on.
We know that they can fake this, but we make it more complicated for them, right?
We never have 100% security.
Security is about adding layers.
So the more complicated you make it for them, the less return of investment that they have.
Then also something very important is cross-verifying identity, right?
For example, aside from doing an interview and a background check, doing OSINT, right, on this person,
and finding maybe that you are interviewing someone who doesn't have a history on the internet.
Like, this person did nothing on the internet from 2000 to 2025.
There's nothing about this person.
Wait, and I'm sorry to go back.
You said to do OSINT on the person.
What does that mean?
OSINT stands for open source intelligence, right?
And this is a technique used by law enforcement agencies, three-letter agencies, investigators, people working in security.
And it's basically finding anything about a person, both in the deep web, dark web and surface web.
leaked credentials, passwords, KYC information,
passports, where you live,
your work address, lots, lots of data.
And if, for example, you don't find anything leaked about someone,
that's a red flag.
It's full of leaked information about all of us, right?
So that's something very, very useful.
And then, two more things that I want to add
that are pretty simple is that many times we have seen
that after the IT workers have been detected,
when the addresses where they are paid are checked,
we find that they consolidate all the money in one same address
or that they send it to some exchange in China.
So, for example, if you are seeing that you're paying your employees at some addresses,
have those addresses checked with some tool like Chainalysis,
Elliptic, TRM, or something like this,
and also check where those funds are being sent.
Because if you are hiring someone that supposedly is Canadian and lives in Canada,
why are they sending the funds to an exchange in Russia or China?
Right.
And then one last thing is post-interview.
You do an interview with someone.
You really liked it.
Wait three days and check if the profiles still exist, if something changed.
Right, because usually these guys create lots of profiles.
When an attack is successful, they delete it, right?
And while they are doing an interview with your company,
they are doing interviews with 10 more companies.
And many times to erase the traces,
they delete these profiles or they change the name or something.
So do an interview, wait three or four days and check if everything still looks the same.
Wow.
Okay, that is, yeah, that's really interesting.
All right, so in a moment, we're going to talk a little bit more about, you know,
what it is that crypto companies can do in the hiring phase to prevent these situations,
but first we're going to take a quick word from the sponsors to make this show possible.
Mantle has entered a new phase as the distribution layer connecting TradFi and on-chain liquidity.
To accelerate this vision, the Mantle Global Hackathon 2025 is inviting developers to
build scalable RWA and DeFi products. Why build on Mantle? It's an ecosystem built for builders.
You get direct access to Bybit's 7 million plus users for potential listing exposure,
support from the $4 billion Mantle Treasury, and mentorship from top VCs like Spartan and Animoca Brands.
With six tracks, prioritizing RWAs and RealFi, and a $150,000 prize pool plus grants, this is your
chance to deploy on a high-performance modular L2.
Register now.
The link is in the show notes.
Hey, founders and developers.
If you're looking to bring on-chain trading to your product, wallet, or platform,
check out the new Uniswap Trading API from Uniswap Labs.
It's your plug-and-play gateway to global on-chain liquidity.
No deep crypto experience required,
and no need to manage complex integrations or ongoing maintenance.
With the Uniswap Trading API, you'll get enterprise-grade on-chain execution, combining both on-chain and off-chain sources for the most competitive prices.
Simply put, more liquidity, less complexity.
And this isn't just any API.
It connects directly to the Uniswap Protocol, which has securely processed over $3.3 trillion in total volume, with zero hacks.
So stop worrying about liquidity infrastructure and focus on building your product.
Get access to the same liquidity that powers billions and swaps through one powerful API.
Visit hub.uniswap.org to learn more.
Back to my conversation with Pablo and Isaac.
So as we mentioned, there's a high probability that at least some people that any, you know,
crypto company is interviewing are North Koreans.
And so for that reason, I would imagine that, you know, you would advise them to
almost like assume they have somebody like that on their team, you know, just to be super safe.
So like what other practices should they follow to make sure that even if they had someone like
like that on their team that no user funds or none of their funds would be lost?
Yeah. I think that part of the problem here is that with a crypto startup, you can go from like
just launching to suddenly being in charge of tens of millions of dollars of people's funds kind of overnight without kind of a gradual buildup of
an internal security capability. And so it's really hard to have somebody on staff that's like just
focusing on this stuff. But there are a few principles to take when just setting things up,
which part of it is just, you know, housekeeping, but like really important housekeeping of how
you're configuring things. And to me, it's all about minimizing the blast radius of one of one specific
thing going wrong. And so if, for example, you have multi-sigs in your protocol that are holding
all of the funds you raised from your investors and they're controlling all of your smart contracts
that can upgrade all of them and has all these emergency functions to, to like pause things and
withdraw things, pretty bad idea to have all of that concentrated in one place. It's much better
to spread things out and make it just harder for everything to go wrong all at the same time.
Also, introducing slowness and friction as a feature in places where it makes sense.
So if you are doing things that, like, if there's an ability to completely upgrade your protocol
and steal all of the money, making it so that one developer can't just do that without you
even seeing a transaction go on chain and being staged to do that.
So making it so that things that should take a long time are enforced to be slow so that you
have opportunities to catch things and having proper controls around access control,
even on your other infrastructure.
And so a lot of this stuff, it's very easy as like a developer in a startup to get a little
bit lazy and just think, okay, onboarding this new developer, I'm just going to give
them root admin access to everything on AWS just so that I don't have to deal with, like,
giving them access to this and this and this.
And it's hard not to be lazy, but it's really important to actually minimize, like,
even for, because it's not just against like a malicious actor, it's also maybe you make a mistake at some point.
And so always think about like, do I really need everything to be like upgradable in one instant and have like one access point for in our entire infrastructure?
Or are there places that I can introduce friction to make it so that if something goes wrong, it doesn't all go wrong all at the same time?
Yeah, I mean, and we can talk a little bit more about what happened on the Gnosis Safe side, but I just wanted to call out something about what happened with Bybit, which is just like, it always blew my mind that they didn't even do a test transaction.
Like, they just did what coin by a billion all at once.
Like, I like, because doing a test transaction does not take very much time.
It adds maybe like a minute.
It doesn't, but I have a bit of a controversial take that I sometimes advise not doing test transactions.
Because, just because of address poisoning.
And so to me, like the proper way of doing a secure transaction, like when I talk to people that are receiving funds for investors or doing or sending stuff, they're like, how do I properly verify this address of this thing that I'm going to send money to?
If your process is you, the collective view, if your process as people that hold crypto is send a test transaction for a dollar, wait to be received, and then send the full amount.
That's not sufficient because where are you getting that address the second time?
it's really important not to copy that address from your wallet transaction history.
And so for me, sometimes I feel that test transactions are a place to introduce the risk of an address poisoning attack.
And instead, what I would do is have different controls where, like, I have an address book that I've verified a signature from the person that is receiving the funds.
And I've put that address into my address book.
And I only ever copy it from, and I only ever do it from my address book from inside the wallet.
And I never, so I personally, rarely, if ever do test transactions, just because there's other parts of the process that I think are more robust.
Oh, interesting. Yeah, I guess I would never copy from the transaction. I would copy from, like, I would use the original copy.
Yes, which is good. But like there's ways, there's so many places that can go wrong. We see, I mean, if somebody lost, what, $50 million last week, because of this, because they did a test transaction, copied it, copied it.
copied it from the Etherscan transaction history or their MetaMask transaction history
and pasted it in, I don't know if it was MetaMask, copied it from their wallet transaction history
and pasted it in to send the rest of the amount. And getting worse and worse, like, I had a friend who,
being in security, I often get a lot of DMs from friends being like, I'm about to do the really
high value transaction. Can you just watch me do it? And I watched them do a test transaction. And then I
saw immediately within seconds their wallet is populated with so many spam addresses. And they knew,
knew they were like, okay, I'm not going to copy from those. I'm going to go back to the invoice
and copy from the invoice again. But it's just like, yeah, it's, yeah, I wonder how much money
has been lost because somebody did a test transaction instead of just like not doing it.
Oh, wow. Okay. Interesting. Yeah. And we go into the root cause of Bybit a bit a bit more because I think
it's interesting. Like Pablo and I, um, some for a while we were just doing these like weekly calls
where we just kind of hang out on a Friday morning, have coffee and, like, look at Safe and think, like, what can we do to, like, hack Safe?
How can we make the Safe safer?
Wait, wait.
Before the Bybit attack or after?
After the Bybit attack, Pablo and I started getting a lot of requests from people like, hey, come train us on our multisigs.
And so we thought, let's just, like, have a fun, like, morning every week where we just, like, play around with Safe and see what we can do to cause it to go wrong.
And so we went in really deep on, like, group calls on what happened there, which a test transaction would not have saved them to summarize.
Yeah, well, go ahead and tell us what you learned because I'm, so I'm going to reveal that they were supposed to come on the show to talk about it.
Martin Köppelmann of Gnosis reached out saying that they wanted to do it.
And then when we kept trying to, like, actually nail down a date and time, like, then, yeah, they just stopped responding.
So there's a few different parts of the root cause of, like, and I'll just say there's multiple places
where this could have been caught before it eventually, before it happened.
One thing to be cautious of on root cause investigations on Twitter, especially, or X,
is that everybody wants to be the first one.
So, like, always be skeptical of the first root cause investigation you read after an incident.
Like, I remember after Balancer, people were like, oh, they didn't have access control.
That was not the root cause.
And so what I'll say is just, like, what I know about Bybit is based on what I understood from what happened on chain,
plus some stuff that I just kind of read in reports online.
And so take some of it with a grain of salt.
But from my understanding, like, well, Bybit was specifically targeted.
There was a compromise in Safe's API infrastructure, but it was specifically Bybit that was
targeted.
The attackers could have targeted a lot more people.
But the code was specifically targeted to change the UI, to change the interface of
Safe when the Bybit people were going on to do their transaction.
and I think that the way that that happened
or a valid way that that could have happened
is basically somebody reached out to one of the developers
and was like, hey, can you help me with this engineering problem?
Oh, sure, I can help you with this engineering problem.
Like, people want to be helpful.
That's the problem with social engineering.
It exploits the fact that people generally want to help each other.
So if some developer reached out to me and said,
hey, I'm having trouble compiling this code,
can you download this repository and see if you're getting this same error?
My instinct probably a while ago would have been, yeah,
I'm happy to do that.
People on the internet helped me when I was learning how to code.
So I want to help other people learn how to code.
But that is a way where if you run this code on your device in an unprotected way,
that can then get a backdoor into whatever company's infrastructure is that you're working for.
And that is one valid way of how this exploit could have been introduced into Safe's API,
which made it so that when the people working for Bybit went on to do their transaction,
they saw this transaction.
The transaction that they thought they were signing is not the transaction that they were signing.
And the transaction itself is actually very sneaky.
I think that the method, so when you're doing a transaction, the data that shows up on your
wallet is a, it depends on a few things.
It depends on like the way that the method is named in the smart contract.
And so like, what I mean is like if you're doing a transfer of tokens, a transfer will generally
always show up as like similar encoded data on your wallet, no matter what, whether you're
sending USDC, USDT, or anything else. It's just all using the standard. So the attackers made a
function called transfer inside of their exploit contract. But what that transfer function actually did
wasn't transfer tokens. It was to do some really sneaky upgrade of like a specific piece of
storage inside of the smart contract of this Safe that changed the implementation to a malicious one
that allowed the attacker to take all the money. And so it wasn't a simple like, oh, we
sent the money to the wrong place. It was that they called transfer on a contract that wasn't
verified on Etherscan, and they called it using a delegate call instead of a call, which is
another technical thing. You would never delegate call a transfer. It's like a weird tangent,
but like the Bybit folks could have caught it if they were doing transaction verification,
but it was also very sophisticated in how it was engineered to get around a lot of safeguards
that if they even had the safeguards in place,
like if they had, you know, call data decoding,
it would have decoded as a transfer,
which is like a weird, like, edge case about this investigation as well.
Oh, wow.
So even then, wait, but I need to understand that.
So basically, it's just that it either used the word transfer
or it literally looked like a transfer,
but actually what was happening on the back end
was that the smart contract was being,
upgraded to a malicious contract.
Yeah, it looked like a transfer to like a certain, depending on how the wallet worked,
the data that was included in that transaction would have should, could have shown up like,
oh, this looks like a transfer.
Like it might have just kind of, if you hovered over the data, like some of these things
that are like hover to decode data that are there to help people because you can't just
read hex, it might have tricked something like that to be like, oh, this looks like a transfer.
There were other flags.
Like there was a something that should have been a zero.
was a one, but that's hard to detect and other things like that. But like, yeah, it was made to be very,
very hard to catch. Wow. Oh, my God. Yeah, I guess the thing is like any one person working in
crypto is working on security like for part of their job or like or just for whatever is in their
control, whereas North Korea has, you know, some army of people that are working on it all the
time and know how it's all interconnected. So, like, even if, you know, you have your little
fiefdom, you know, locked down, like, any time you transact with another person's fiefdom or
another company's fiefdom, then they, they can use that to hack you. So, yeah, there's no hiding.
There's no, there's no hiding at any scale, right? Like, the second that you've just played anything,
you're a target. Okay. Yeah. It's remind you. It's a lot of it. It's remind you.
Oh, go ahead, Pablo.
So something that I was going to say about that is that when you protect the company,
when we do, for example, the audits, you have to find all the weak things, all the holes.
You have to find all of them.
And a threat actor just needs to find one.
And that's something very, very important.
And then something key here is that you can have the best teams, the best systems, the best systems, the best everything.
if you don't train your team in order to understand
and to be able to recognize social engineering,
it doesn't matter what you have.
Your company will eventually be hacked.
It's not a matter of if you will be hacked, it's when, right?
And then before, when we talked about what companies can do regarding IT workers,
I wanted to add something interesting.
That is, there's something called least privilege policy.
Right?
Least privilege policy is basically a concept where any user or any application should have
the minimum permissions that they need, right?
Even founders, right?
It's very common when we do these audits to see that founders have access to everything,
right?
And we should know that anyone in an organization could be hacked, anyone could be threatened
or coerced physically to do something, or anyone could become evil, right?
Or anyone could be an IT worker.
So if you design your security framework knowing that, that anyone can be evil, basically,
because choosing to do that or being coerced, then you configure everything in a very different way.
For example, me or anyone that we advise working in crypto founders should not have direct access to funds, right?
If I want to move funds, I cannot do that.
Most of the physical attacks that we have been seeing lately are because of that,
that people usually have direct access to move all of their funds, right?
So when you are developing a good security policy, you should know that, no,
I must not be able to move important funds.
Because if you can, the day that you have a gun pointed to your head, you will do it,
obviously.
You will do anything that you can.
Yeah, and just one further step is it's one thing to have these rules in place.
But someone once told me something that sticks with me, which is, like, the place to look for and the place that I always start when I'm doing an audit of a company is who has the power to change the rules.
And so it doesn't matter if you have the rules set up in the right way.
If the access control to change those policies is still highly concentrated, you're just as bad off as if the policy
weren't there. And so we see that a lot when,
when Pablo and I talk to companies that
want us to look at their, like, custody configurations
for,
for their custody tools like Fireblocks and Fordefi.
We always ask, like,
who, which account has the policy
to change these policies?
And, uh, and like, how many confirmations does it require to change
these? And sometimes they're like, oh, like, yeah,
we just kind of, the account that can change the policies, we make it this
dead account that like nobody can even access and it would take 30 days to
access this account. Like, that is,
it's really important to also think about where the power lies to change the rules that you've configured in your organization.
Yeah.
And then I would add one more thing that is one thing is to have a plan and the playbook, but it's very, very important to train it, to test it.
So do like a library.
Okay, let's simulate that we were hacked.
Or let's simulate that you wake up and your Google account was empty and your MetaMask.
So what do you do?
Okay, I will do this.
Okay, go and do it.
Because if you don't practice it, then it doesn't work.
And I will give you a very simple example.
Three months ago, I got a pepper spray to have with me in my car when I drive, right?
I have it there by me.
The other day, I was in a traffic light with my kids in the car.
A crazy guy, he was crazy, came to my window and started punching the window.
And I didn't remember that I had the pepper spray in that moment because I was never trained to do it.
So having rules, having playbooks, having policies, but also doing these real trainings and tabletop exercises, it's key.
Yeah, yeah.
Yeah, this reminds me of like, yeah, just basically any time you know that you need to do something in a certain point, like knowing it intellectually and knowing it like in your body is like a totally running.
So, okay, so we're actually like well into this episode.
We have not gotten to everyday people, which we definitely should talk about.
So let's just talk about it.
So because all of that was, you know, companies.
So let's talk about the most frequent ways that people get their crypto stolen.
And I know we kind of already talked about social engineering.
I don't know if there's like more that you want to add on that.
But then, you know, obviously we should go into various tips.
Yeah, Pablo probably has a more comprehensive list than I do,
like at least the ones that come to my mind are like drainers.
And so back when like airdrops were happening more frequently in crypto,
I mean, I guess there's still somewhat happening.
But it was very common that like, uh, people would click on, you know,
a malicious air drop link or like, uh, or somebody posts a like a company,
a post something on their Twitter, um, in, in crypto.
And then somebody replies with like a, uh, like a company could be disclosing a hack and
they'll say, and then some attacker comes in and says, hey, submit your claims here to get
your money back from this attack.
And so, like, just clicking on these malicious links that trick you into signing malicious
transactions is quite a common one, which kind of falls into social engineering, but it also
falls into just, like, you know, clicking on the wrong thing, whether it's a malicious Google
ad or a malicious airdrop link or something that somebody DM'd you on Telegram pretending
to be somebody else.
But, yeah, Pablo, what are you, what are your, like, top ways that, like, normal people get wrecked?
Yeah, what we're seeing is first we have the classical social engineering cases that are founders are being approached by fake VCs, devs are being approached by fake recruiters, recruiters are approached by fake candidates, VCs are approached by fake startups, and key opinion leaders are approached by media and podcasts, right? Fake.
That was level one. Level two is they don't create a fake, phishing profile
to contact people.
But in some way, they hacked your
telegram account, your Twitter account
and from your real account, from
your real telegram, they start contacting people.
That's happening a lot.
So you say, okay,
I'm receiving a message from Laura Shin.
It's her profile. Yes, her profile. She's being followed
by anyone. Okay, this is legit.
And she's offered in an interview.
It's legit. So
that's something that has been happening a lot.
So even if you're contacted by
someone that
and that contact comes from a verified account,
an account that we know or someone we talked,
let's say that I met Isaac at EthCC.
We took a photograph.
We started talking in Telegram.
And then he sends me to go into a call.
That could not be him.
In fact, something that they are doing today is this.
I meet someone at EthCC.
We take a photograph.
Then this person in some way is hacked.
Through what?
Through a fake job interview, right?
When they are doing the job interview,
they recorded this person, right?
So then when this person had his telegram account hacked
and they contact me, they invite me to a call.
I get into the call and I see the video of the other person talking,
but I do not listen.
But the video is real because it was recorded
from the original time they hacked this person.
So it's telling, hey, I cannot see your water.
I cannot listen.
You they put in the chat.
What do you say?
Okay, I know this person in person,
we took a photograph, it's her or him in the video.
This is totally legit.
I will download the driver.
That's it.
So this is getting more sophisticated.
And something that I want to add here to understand the sophistication is,
imagine this.
Someone says, okay, we want to hack this founder from the DeFi protocol,
but we know that he's sophisticated.
He will not be falling to that trap of the meeting or this and that.
So what do we do?
Okay, lawyers and accountants, they have very bad security.
So they hack the lawyer.
They get into the lawyer's inbox and they see that this founder is waiting to get an agreement from this lawyer about a SAFE for something next week.
So next week, the day that this founder is waiting to receive this agreement draft, that exact day.
and from the lawyer's email, they send the document, but it's infected.
So you receive something from someone you trust,
you receive something you're expecting from the real email,
and everything is legit.
Is there something to be suspicious?
No.
And that's the reason we say that we should, like, everything is a scam
until proven otherwise, and you should have second barriers of protection, right?
And here is where I go to the recommendations for people.
Eventually, we are all going to be socially engineered.
Me, Isaac, Samsung, anyone, it doesn't matter how sophisticated you are.
We are going to be socially engineered.
We are going to download some malware.
So that's why we should, first of all, try to do interviews or calls in a separate device or something like that.
But also something as simple as have an antivirus or pay for an EDR.
Antivirus is $30 per year.
People think that because of having a MacBook,
there are no viruses, no malware, nothing.
That's a myth.
Pay $30 for an antivirus.
Nine out of 10 cases in crypto that we see nowadays
could be avoided just because of having an antivirus, right?
So that's first thing.
And second thing is we keep on seeing people losing millions of dollars
because of having money in hot wallets.
MetaMask, Rabby Wallet, Exodus, whatever.
That's not smart, right?
If you have more than $2,000, please get a hardware wallet, transfer it there.
And now the important thing, the seed phrase.
Where do you put the seed phrase?
All in paper.
All in paper and that's it.
No are complex single or nothing.
We are seeing lots of cases.
I personally estimate that 20% of people in crypto
save the seed phrase in a password manager, right? And we saw that three years ago
LastPass was hacked, and from that LastPass breach, as Taylor Monahan from MetaMask has been
tracking and researching, more than 300 million dollars have been stolen, right? So my two takes
there: one, get an antivirus, and two, hardware wallet and your
seed phrase only on paper.
And if you're not 100% sure, oh, yeah, I think I put it on paper, but maybe I took a photograph
of it.
If you're not sure, create a new address and move everything.
And I know that this may seem basic, right?
And we're talking about the first thing that they tell you when you get in crypto,
to have your seed phrase on paper.
But we keep on seeing millions of dollars being stolen because of this, right, daily.
And what about the new set of wallets where
a lot of it is biometric?
Like what do you? So obviously, you know, there will still be a seed phrase associated with that.
But like, do you feel like that is safer or or are there still a lot of pitfalls?
I personally like stuff like that for convenience.
But it's all about like limiting blast radius again.
It's like don't have your entire life savings in one in like the biometric controlled thing in your,
on your hot wallet on your phone,
have these things in multiple places.
One, because you might make a mistake one day and accidentally send it.
I also heard, I was at a security conference and somebody told me this kind of funny,
not an anecdote, but imagine if when you went to pay for a coffee with your debit card,
if you could accidentally pay with a deed to your house.
That's what happens if you have all of your money in one wallet in crypto and you go to do one thing
and suddenly absolutely everything is gone.
So both to avoid the mistakes and to minimize the blast radius,
just spread things out.
Use custodial tools if you want.
Use a safe for your own account with multiple wallets if you have long-term savings.
Just, yeah, if you're on your phone all the time and you need to be constantly like betting
and like degenning into various things, like then you kind of have to accept that as your risk.
But if, like, you want to keep things a bit more long term, then, yeah, spread things out and actually be careful.
And how do you guys manage having so many different addresses and wallets?
Because, you know, if you're putting in a spreadsheet, but then your Google account is hacked or whatever, because that's another thing.
It's like, I don't know how many times I've heard somebody say, oh, I randomly found an old wallet, you know, and, oh, I had X amount of money in there.
And it's so clear that, like, yeah, you can just end up.
with so many wallets. And so I'm sure people are organizing them, but when they do it,
that could be another attack vector. It could be. I'm a little, I'm unsure about that because I
personally, like, I've had that issue. And if I call it, like, shaking out the crypto couch cushions
once in a while where it's like, oh, like I should go through all of the random old accounts from
six years ago and see, see what's in these. There are like, you know, portfolio tracking tools that,
yes, are kind of, if I enter in all of my addresses, now they're correlating all of those addresses
is back to me.
Is that a risk?
I think so.
But also, like, yeah, I mean, that's just a normal kind of hygiene and laziness.
I know that having all this stuff spread out is, like, potentially more annoying.
But, yeah, there are portfolio tracking tools that make it easy enough.
Yeah, I also think that many times we try to over complex some stuff.
and the cases that we see are very basic how they are happening.
But anyways, regarding tracking, I agree with Isaac, Cab.
You have apps that help you do this,
but what is very important is to know that then we have leaks.
For example, CoinMarketCap, the database was leaked.
So in CoinMarketCap, you have the portfolio section feature, which is great,
but if you have your portfolio there and then it's leaked, you're done.
Like with the Ledger leak, the Trezor leak, and we're all done.
They don't have your money.
They're just like your target.
Yeah, sorry.
You are, now you are a target.
So something that I highly recommend is everyone should at least have three email
addresses.
Your personal or four, your personal email address, your work email address, a private
email address you don't share with anyone and doesn't have your name.
And what do you use these address for?
For example, to have a spreadsheet with.
with all your crypto assets, but also to use this email in your password manager, in your Apple
ID, in your 2FA application, right? You should not use your public email in a password manager
or as your Apple ID. Your Apple ID should be private. Nobody should know which one it is. And then to also
have another email addresses, another address for just signing up in crypto events or buying stuff or this
or that, that can also be replaced by this Apple relay service where they change your email
address. But having that in a separate, let's say, identity, I think that it's very, very important.
Okay. And so all of this is around self-custody, but then obviously there are a lot of people
that choose to go with a hosted setup where they are trusting a company to secure their crypto.
So, you know, what would you advise users to kind of like check either when they're, you know, deciding which company to go with, but then also when they set up that account to make sure that, you know, that doesn't get hacked?
To start, I think that Pablo might have some good advice on things like, you know, passkeys and stuff.
But for me, it's like this is a case where I would probably try to go as name brand as possible.
Like if there, if you need to go with a big custody provider for, you know, setting up, you know,
some long-term account for future inheritance of your grandchildren,
like maybe go with a company that's been around at least five years, maybe,
or like have a really good reason for going with a different one.
They should have, you know, the potentially, you know,
something that I would probably look at is looking at things like, you know,
insurance, do these custody providers have insurance against, like, operational failures.
But yeah, on the account setup itself,
Pablo, you might have some advice on things like, you know,
passkeys and stuff like that.
Yeah, first of all, we should know that it's not an all-in.
Or I have everything in my ledger or I have everything in a multisig or I have everything in a custodian.
No, I think that first of all, it depends on your knowledge.
If you are not technical, you don't want to handle a hardware wallet or a multi-sig or whatever.
The best thing for you probably is a custodian, right?
But then it's also a very good idea to say, I will have 25% with a multisig
with Safe, 25% in a Ledger and 50% with a custodian.
I think that that's very, very good.
Diversification is always great.
And then about creating these accounts, as Isaac was saying,
first of all, do it with a private email, right?
Not your normal email.
Second, try not to put your phone number anywhere.
Do the exercise of waking up
and your phone number is not your phone number anymore.
It has been SIM swapped.
Now it's controlled by someone else.
So no phone number.
And if your phone number is mandatory, your phone number should be private, right?
You should not have a phone number that you're using important things like a custodian or your Apple ID under your name, right?
No.
Third is unique password.
This is very basic, but we are seeing a lot of people having a very complex password, but repeating it everywhere.
Right. So what happens? You have the same password in some very custodian or an exchange and also in some event that you sign up for some crypto event or in an event, right, or this or that.
So one database is leaked, that password is leaked. Then they are going to try it everywhere.
And then last thing. Well, one more thing is 2FA, right? Two-factor authentication. We do lots of research on this.
So the summary or the take is, first of all, never do it with phone number.
Obviously, no SMS.
People are very used to thinking that the proper way to do to FAA is Google Authenticator, Microsoft Authenticator, or Althe.
That's not true anymore.
Why?
If I send you a phishing website of Coinbase Prime, you enter the phishing website and you put your username and your password.
And in the next screen, I ask you for your 2FA code.
And you go to Google Authenticator.
You check the code and you enter it.
You're giving the first and second factor to a third actor.
Your account is taken over, right?
The only thing that is phishing-resistant, right, regarding 2FA are hardware keys, right?
YubiKeys, for example, or the Titan keys from Google. Those keys, they are like 60 bucks.
When they are properly configured with something called FIDO2,
that is basically storing a passkey inside these devices.
That cannot be phished.
That's the most secure thing.
So, in a summary: private email, no phone number, unique password, YubiKeys.
If you do that, you should be totally fine.
And the most important thing, as Isaac was saying, insurance.
I would choose one of the three biggest providers
and I would check that they have a good insurance policy.
Yeah, and I know that this all sounds very daunting
and it might make you not even want to hold any crypto whatsoever.
And just to be clear that all of these rules to me are like,
this is the stuff that you want to hold onto for a very long time
and it's like relatively cold storage and you really care that you don't lose it.
It's also fun in crypto to have a hot degen wallet
that you use for random stuff that,
if it gets hacked, you're not... you know, it's not going to ruin your life.
And so like use the right tool for the right thing.
Use all of these like high security, put up all the walls around the stuff that you really care about.
But if you also want to just have a really low-friction thing for when you're messing around with new apps, that's not against the rules.
There are no rules.
It's just accept the risks of like what you're using each wallet for.
Okay.
Yeah. Yeah. And also know that, as we all know, we all have a physician and we ask this person about our body. We have a lawyer that advises us on law. We have an accountant.
The attack surface, and this is not only about crypto, it's about everything technology, the attack surface is growing. Our assets are now mostly digital: we have banks, we have fintech, we have crypto, we have stocks, everything. So the attack surface keeps growing.
Threat actors are getting more sophisticated.
So I think that any person that has relevant money
should have a security advisor,
an operational security advisor or something,
and they should know that this is key, right?
Because if not, eventually with time,
we are going to lose our money,
either with a bank or with crypto or whatever.
And it's important to know that you cannot know everything. We go to a doctor because we don't know how the body works. Well, in the same way,
you have lots of money. You're going to do a setup that you want to be the best setup out there
and to keep this money for 50 years for your kids. Okay, go hire someone or ask someone or do your
research, but spend resources, let's say. That can be time or money.
All right. So we're a little bit over time, but I do have two more questions for you guys if you have time. Okay. Great. So one other thing is that I'm sure you're very well aware that privacy is going to become a much bigger trend in crypto. We're already seeing that there is a resurgence of interest in privacy. And Ethereum announced that privacy is now one of its priorities. So I wondered, you know, if you thought that would affect our ability to go after bad actors, or whether it could also be used to help keep people's assets secure?
I think I can start.
I think that for me, yes, like there is potentially a risk on the tracing side,
but I think that that is, I think that we actually have the tools now where that's not really
as much of a concern.
Like as far as mixing services to kind of break the link between source and destination
wallets, tools like Railgun and Privacy Pools.
And even actually original tornado had the ability to export kind of compliance
like notes to show like where my money actually came from in case you got audited.
So I think that like that's a question of making sure that whatever like kind of regulations and rules match what the technology can do.
I think the technology is there and it's sufficient to make it so that like we can have both privacy and accountability.
and have sufficient screening on these services,
at least the ones that function as mixers,
but they shouldn't have issues like the previous generation of services have.
As far as, like, the fully private chains,
I'm not sure.
I personally am not a SEAL 911 fund tracing expert,
but I'm, yeah, I'm excited to see that all of these privacy tools are coming in,
and I haven't seen a ton of push,
back from the folks that actually do that tracing,
saying, like, no, we can't have privacy
because then we can't trace anymore.
But that's more of a personal layman's opinion
than somebody who's an expert in tracing.
I'm pretty sure that they know that if they were to say that,
then the crypto community would turn on them
more than some of them already have.
Well, I agree with Isaac.
I think that the work from products like privacy pools
is key here because from one side,
we want privacy for the users, for example, to stop $5 wrench attacks, right, so that it's easier
for a day-to-day user to have funds and not everyone knowing how much funds they have, right?
But on the other side, you don't want North Korea to be able to use these systems
to move the money, right?
So products like Privacy Pools that allow you to deposit
assets and then take them out to another address through a mixer, and without
being able to show traceability, they have a very interesting feature that allows you to
have something called proof of innocence, right? So proof of innocence means that let's say
that we have a pool with 100 depositors, right? And one of those depositors is North Korea.
So when I deposit money and then I withdraw it from the other side, I am able to demonstrate, right, to verify that I am part of this set of 99 addresses and not this one.
So I can prove that I am part of these 99 addresses that are clean, right?
So in that way, you are able to give privacy to users and not privacy to threat actors.
I think that that kind of solution, I think that it's great.
I love that.
It's the thing that we need, right?
We need to solve issues with technology.
That's why we are here, right?
All right.
So hopefully all the tips that we gave people will protect them from becoming victims.
But if somebody's crypto gets stolen, what should they do at that point?
Perfect.
Well, first thing is contacting SEAL 911.
SEAL 911 has a Telegram bot where you can basically open a ticket there and explain what happened to you.
And there you will have people that will help you do whatever is needed, right?
So, for example, they will help you try to understand what happened.
They will help you save assets that were not stolen yet.
For example, they will help you secure all of your infra, and then maybe, if you had lots of assets stolen,
you will be contacted with a company that will then help you try to freeze those assets, right?
Most of the times when we see money being stolen, it cannot be frozen or recovered or anything,
but sometimes, right, 15%, 20% of those funds can be frozen.
So yeah, that.
So first thing, contacting SEAL 911.
And then if we were talking from the technical point of view,
what I would say, if you were in an interview or something and something happened,
first of all, disconnect your computer from the internet.
Second, get a different device and export your seeds into this new device.
So let's say that you had MetaMask on your computer.
You disconnect the internet from your computer.
You check the seeds from MetaMask on your compromised device,
you enter it in a different device
and you move your assets to a new address,
right?
To have them safe because after your computer was compromised,
they steal all your private keys,
but they are encrypted,
so they need to decrypt them,
so these threat actors need some time.
But if you leave your computer connected to the Internet
and you enter your Metamask password,
you are making it easier for them.
And then you will have to change all your passwords and everything.
And the most important thing, and I wanted to talk about this, is report it to your company.
You may think that you were targeted individually because they just want some money from your
hot wallets.
But maybe when they did that, you work for some DeFi protocol or some company, and they also
got some credentials or some access to this company.
So if you don't report it, and then the company where you work
was compromised, or the first foothold in your infra was done
because of something that they got from you
and you don't report it, you're making things worse
because that will be known in the future, right?
So you're putting at risk your reputation
and the reputation from your company.
Okay, all right.
So, you guys, this has been an amazing conversation.
But are there any other resources that you think people should check out online
so they can learn more about how to stay safe
before we wrap?
I would just give another plug for frameworks.securityalliance.org.
Free resource of all of the tips on how to stay safe as a user, as a company.
During DevConnect, Matta from SEAL and from The Red Guild also published this guide
called, I think it's like OpSec While Traveling, which I think you can also find online linked
from SEAL frameworks, which is like how to stay safe when you're a crypto person who's traveling
around. Yeah, have SEAL 911 saved so that you can contact them if you need to. And then just a brief
plug for the fact that all of these responders are volunteers and SEAL is a non-profit. So
if they help you save money, also feel free to consider donating to SEAL. All right. Well,
thank you both. This has been just, yeah, just chock full of information. And I hope it keeps people
from having their crypto stolen and companies. Yes. But if it does, don't feel bad, everyone's
being targeted all the time. It happens to everybody. So don't feel like you messed up if,
if it happens to you. It happens to everybody eventually. Yeah, exactly. It's more common than
we think. Okay. All right. Well, thanks so much for joining us today, everyone, and happy
holidays.
