The idea of a totally decentralized virtual world, allowing increased and free of (state) control exchanges, where each user can contribute to the building of this space, is not new. It is rooted in the very conception of the first Internet protocols and the web. However, these metaverse would take the interconnection of the world and the virtualization of our lifestyles and consumption to a new level: cryptocurrencies, NFT1A non-fungible token (NFT) represents a digital object (artwork, collectible, avatar, etc.) to which a unique identity is attached, ensuring that it cannot be reproduced. They can be used in video games, be digital collectibles such as CryptoPunks or Bored Ape Yacht Club, parcels of digital real estate in metaverse or even digital artworks., customization of our avatars, travels in different universes, experience of new sensations in virtual reality, etc. This would require abandoning Web 2.0, also called “participatory web”, which took off in the 2000s with the advent of the large platforms and social networks (GAFAM) concentrating most of the exchanges on the Internet. To limit the risk of a systematic control of exchanges by large tech companies, it would be necessary to develop Web 3.0 based on blockchain2Blockchain is a kind of registry that contains a list of all exchanges made between users. This register is decentralized – that is, stored on the servers of its users and not on the servers of a single company – and relies on a cryptographic system that is deemed secure to validate each transaction. technology. This technology, which aims to facilitate transactions in a decentralized manner, is based on validation systems using cryptography and is perceived as being very secure.
Beyond the many environmental (energy consumption3Although we are not there yet, we can already imagine the energy consumption represented by the implementation of metaverse: construction of mega-datacenters to process data, hyperconnectivity and use of connected objects, etc. Today, the energy consumption of datacenters worldwide is estimated at 2 or 3% of global electricity consumption.), ethical (regulation, censorship) and financial (volatility of cryptocurrencies) issues raised by the use of these technologies, the very real and current development of Web 3.0 based on blockchain also represents a security issue. This article is not intended to provide a technical overview of the functions and dysfunctions of blockchain, but rather to offer an overview of the economic and (geo)political consequences of Web 3.0, from a cybersecurity perspective.
1/ A very lucrative global market
The market that has developed around Web 3.0 is based on blockchain, a technology that ensures the decentralization of transactions. Indeed, each blockchain defines the modes of transaction by establishing a set of rules (protocol). For example, each blockchain defines what constitutes a proof of purchase or a certificate of authenticity during a transaction, in order to ensure trust in the crypto-asset (currency, object) exchanged, since it is not tangible. An NFT or a crypto-currency token will therefore be associated with a unique digital identity, linked to an owner and registered in the blockchain. It is in principle impossible to usurp this identity thanks to the cryptographic processes used. There are therefore as many modes of transaction as there are blockchains (e.g. Bitcoin, Ethereum, Solana, etc.), making this economy totally decentralized and extremely lucrative, although very volatile.
The first crypto-currencies, including Bitcoin, started to interest the public and the media from the 2010s. New crypto-currencies have since emerged, some of which track the price of real currencies such as bitUSD which is pegged to the US dollar and therefore less subject to speculation. There are now thousands of crypto-currencies in the world, and the market is growing every year: in 2022, the record of 425 million crypto-currency holders – or 5% of the world’s population – was reached. Both companies and individuals invest in digital currencies. In addition, in November 2021, the global crypto-currency market reached a capitalization of $ 3,007 billion, its highest historical level. The blockchain market (bringing together cryptocurrencies, NFTs, etc.) has been valued at $12.7 billion in 2022, with a projection of $40 billion by 20254https://fr.statista.com/themes/9325/les-cryptomonaies/ . Some countries have even launched their own national crypto-currencies, like China, or have adopted Bitcoin as their official currency, like El Salvador and the Central African Republic.
2/ The very essence of blockchain makes it a prime target
If the holding of crypto-currencies is becoming a trend today, the blockchain technology so prized for its security presents many flaws, exploited by various actors, both state and criminal. Since blockchain protocols are developed in open-source, they are accessible to anyone who masters programming languages, including malicious individuals. Several scenarios can then take place:
- An attacker discovers a flaw in the code of a blockchain and will seek to exploit it as discreetly as possible to steal customer information or hijack transactions.
- An attacker decides to create the flaws at the source by injecting malicious code (e.g., diverting money to another recipient) into the open-source blockchain protocol, which will then be used in all transactions.
In addition to these common attacks, many hackers working for large criminal organizations (e.g. Italian mafia) or on behalf of a state (e.g. Russia, North Korea) seek to defraud crypto-currency holders by setting traps: fake website posing as an official NFT exchange site, phishing, etc.
Cybercrime against blockchain is particularly profitable because it requires relatively little effort for hackers for particularly large loot. As an example, the largest crypto-currency theft, which took place in August 2021 against PolyNetwork, was estimated at $610 million. Regularly, crypto-currency exchange platforms (DeFi platforms) are targets of attacks: approximately $2.2 billion worth of crypto-currency were stolen over the course of 2021. Threat actors are therefore becoming increasingly specialized and professionalized in Web 3.0 cybercrime: cybercriminal groups post recruitment ads on Telegram channels and the darkweb, sell their software to steal crypto-currencies with associated customer service, etc. In addition, state actors, such as North Korea through its hacker group Lazarus, are known to specialize in stealing crypto-assets to fund their illegal activities, such as the development of nuclear and ballistic weapons. By creating more than 500 phishing websites and exploiting security loopholes, the Lazarus group has managed to steal NFTs and crypto-currency tokens totaling $620 million over the year 20225https://cointelegraph.com/news/north-korean-hackers-stealing-nfts-using-nearly-500-phishing-domains , an increase of more than 50% over 2021.
3/ Faced with a growing criminal market, DeFi companies deploy limited means of protection
The victims of these attacks are diverse: from the crypto-currency influencer to the average citizen who wanted to discover and experience the “crypto” trend, via DeFi platforms, these categories of victims are directly affected by cyber attacks. Indirectly, these attacks can affect projects funded by crypto-currencies, which collapse as a result of large hacks on the protocols: once the tokens are stolen, they are resold in large quantities, causing the prices of crypto-currencies to fall.
The current situation is all the more critical because a key issue currently seems difficult to solve: the lack of professionals trained in blockchain cybersecurity. According to KPMG, only 1,000 to 1,500 people worldwide have this expertise6https://kpmg.com/fr/fr/home/insights/2022/06/cybersecurity-for-blockchains-and-cryptos-2022.html . In addition, DeFi platforms invest very little money in securing their protocols and perform few cybersecurity audits. Nevertheless, states are slowly adapting their legislative arsenals to extend their expertise into the world of decentralized finance. In 2022, the French parliament passed the Law of Orientation and Planning of the Ministry of the Interior (LOPMI), allowing, among other things, to extend the means of fighting cybercrime by recruiting cyber fighters and giving them the ability to seize crypto-assets upon simple authorization from the public prosecutor or the investigating judge. However, there is no law governing crypto-currencies in France. In the United States, the White House had published in September 2022 a report7https://www.whitehouse.gov/briefing-room/statements-releases/2022/09/16/fact-sheet-white-house-releases-first-ever-comprehensive-framework-for-responsible-development-of-digital-assets/ on the supervision of crypto-currencies, asking in particular the Treasury Department to evaluate the risks of crypto-assets by July 2023 and wishing to extend the prosecution capabilities of Justice. While states are beginning to take into account the cyber issues of Web 3.0, they are far from filling the gap in expertise in this area.
To conclude, the cybersecurity of Web 3.0 is today a very little known subject and yet essential because cybercrime is particularly flourishing there, and this is likely to get worse without action in this direction. Indeed, more and more people are investing in crypto-assets without being armed to deal with it. More crypto asset holders therefore means more potential victims. States and companies invest too little in this topic today and a clear effort in this direction is absolutely necessary to protect companies and citizens: invest in the training of cyber fighters but also raise awareness of citizens and companies to these issues, set a regulatory framework to limit and sanction cybercrime, etc. These investments are becoming all the more urgent as the prospect of metaverse approaches: these decentralized, potentially uncontrolled universes, developed without taking cybersecurity into account, could multiply the risks of fraud, swindles and cyberattacks on the Web.
Written by Camille MAINDON
