Why Cybersecurity is the Key to Crypto

Nick Percoco, Chief Security Officer at cryptocurrency exchange Kraken, explains to OPTO Sessions why he believes that cybersecurity is a more important consideration for crypto firms than it is for traditional finance companies, and describes how the community collaborates in countering threats.

Cryptocurrency exchange Kraken counts cybersecurity as one of its key differentiators. Nick Percoco, Kraken’s Chief Security Officer, believes that security is a particularly key concern for crypto companies — even more so than for traditional finance companies.

“If I trick you into sending me crypto funds, and you want those funds back, there’s no one for you to call,” he tells OPTO Sessions. “There isn’t a 1-800 BITCOIN number; you can’t call up bitcoin and say ‘Hey, I lost all my funds, can I get a refund?’

“So the sophistication and the robustness you have to build around security programming in crypto far exceeds traditional finance.”

Hacking crypto exchanges is a lucrative business. According to data from Chainalysis, the value stolen in crypto hacks reached $3.8bn in 2022. This fell 54.3% to $1.7bn in 2023, despite it being a year in which individual incidents increased.

Percoco recommends that clients start their security measures “before Kraken”. Two-factor authentication on email accounts, for example, is a must, because if hackers can access an email account then they can potentially access a lot of secure information.

The Story of a Hack

An email account hack ultimately led to a high-profile attack on Kraken, Coinbase [COIN] and other exchanges in 2019.

“A professor at the University of Cambridge had their email account compromised,” explains Percoco. “The hackers used that professor’s email to send legitimate-sounding emails to people that worked at exchanges, saying they want to collaborate.”

The sophistication of the attack is reflected in the precision with which it was targeted. The messages, Percoco says, went to business development staff and others who were interested in creating external collaborations.

Rather than sending malicious code immediately, the attackers let several weeks pass between the initial contact and the sending of a link, during which time the ‘professor’ established trust with the exchange employees. The link, when opened in Firefox, caused malware to be installed on the employee’s device.

Coinbase detected and blocked the attack within hours, according to CoinDesk’s report, which was written after Coinbase went public about the attack.

“Coinbase detected it and stopped it in their world,” says Percoco. “In our world, we have lots of scanning that happens on inbound email. As you might imagine, it’s pretty common for someone to send weird things to us.”

Crypto’s Collaborative Counterattack

The crypto community itself takes a collaborative approach to defending against cybercrime.

“There are communities within the crypto space, especially folks that are running crypto exchanges,” says Percoco. There are multiple industry groups focused on the subject, including one that he hints is “in the works” and will be “announced, I think, later this month”.

Participation in such groups allows Kraken to stay ahead of developing threats, as well as to share knowledge that allows the rest of their industry to do the same. It is in individual exchanges’ interests to collaborate with other exchanges which, day-to-day, they might otherwise consider their competitors.

“Any success that cybercriminals have gives them more funds that they can then use against us,” Percoco explains.

“It’s an information-sharing consortium, essentially. If we’re seeing attacks against our systems or against our clients, we’re going to share those indicators of compromise or those signatures with the community so that they can ingest them.”

Often, he points out, attackers will target one crypto exchange at a time — so sharing this knowledge can help the others to prepare for upcoming attacks.

“We’re never going to eliminate the criminals,” he says. “They’re always going to exist. There have been criminals for thousands of years. What we want to do is raise the bar to make it more difficult for them.”
