A
With a crypto startup, you can go from like just launching to suddenly being in charge of tens of millions of dollars of people's funds kind of overnight without kind of a gradual buildup of an internal security capability. And so it's really hard to have somebody on staff that's like just focusing.
B
On this stuff when you protect the company. When we do, for example, the audits, you have to find all the weaknesses, things, all the holes. You have to find all of them. And a threat actor just needs to find one.
C
Hi everyone. Welcome to Unchained, your no-hype resource for all things crypto. I'm your host, Laura Shin. Thanks for joining this live stream. Just FYI that it was pre-recorded. Before we get started, a quick reminder: nothing you hear on Unchained is investment advice. This show is for informational and entertainment purposes only, and my guests and I may hold assets discussed on the show. For more disclosures, visit unchainedcrypto.com. Mantle is launching the Global Hackathon 2025 to accelerate the future of real world assets. With a $150,000 prize pool, backing from a $4 billion treasury, and direct access to Bybit's 7 million plus users, this is the ultimate ecosystem for builders. Are you a builder who needs to add on-chain trading to your product? The Uniswap Trading API from Uniswap Labs offers plug and play access to some of the liquidity in crypto. It's on-chain execution at an enterprise level. More liquidity, less complexity. Visit hub.uniswap.org to learn more. Today's topic is how to keep your crypto safe and how to keep all of crypto safe. Here to discuss are Pablo Sabatella, member of SEAL, the Security Alliance, and founder of Opsec, and Isaac Patka, certifications initiative lead at SEAL and founder of Shield3. Welcome, Pablo and Isaac.
A
Thank you. Very good to be here.
B
Thank you, Laura.
C
So we're releasing this show shortly before the holidays, and I understand it doesn't seem like a cheery topic. However, if you either receive crypto or you buy crypto with holiday money, or if you are giving crypto to someone who, especially if they're a newbie, and you want them to keep it safe, then this episode is for you. It is also for any crypto OGs and crypto companies since, as we all know, even people with years of experience in this industry can get hacked, including companies. I'm sure people remember that in 2025, this was very early in the year, we saw the Bybit hack for $1.5 billion. That was not only the biggest crypto hack ever, but it was also the biggest hack ever in all of history. We saw also a Ledger executive become a victim of a physical ransom attack, and the attackers actually cut off one of his fingers. A few months ago, Balancer was attacked on very old, trusted smart contracts, which shocked everybody. Recently, Anthropic showed that AI agents can easily hack a number of smart contracts as well. And for those of you who might have seen on the timeline recently, Jill Gunter, who's been in crypto for a decade, was hacked for 30k. Okay, it's obviously not a huge amount of money. However, the way that happened was it stemmed back to a transaction of $5 that she did, you know, ages ago. So, you know, on top of all this news, Chainalysis reported recently that North Korea had hacked $2 billion worth of crypto this year, and that a total of $3.4 billion in crypto was stolen in 2025. So, you guys, you know, this industry is, yeah, it's more than a decade old, but clearly we don't have the security thing down. So, Pablo and Isaac, given all this and numerous other incidents I did not even mention, how would you describe the state of crypto security today? And Pablo, why don't we start with you?
B
Okay, thank you, Laura. Well, I would say that crypto security changed a lot in the last years. When crypto started, we had basically smart contract hacks. The industry, the security industry and blockchain, got far better regarding smart contract security. And then threat actors, seeing this, started to change their strategy, so they started to attack Web3 with Web2 hacking techniques. Right. That's classical hacking. So we are talking about private key leakage, social engineering, malware, zero-day exploits, phishing, SIM swaps, account takeovers, domain hijacks. Basically, most of these attacks, like today, 99% of funds stolen are due to operational security issues, not smart contract hacks. And from that 99%, I would say that also 99% of those attacks start with social engineering. Right. What is social engineering? It's the art of making someone do something against their interest and in the interest of the attacker. Right. And I would say that today all of those cases could be avoided if we do something as simple as verifying who we are talking with. Right. Even if we are talking with someone we know or someone new we don't know, most of those cases can be stopped like this.
C
Isaac, what would you add?
A
Yeah, I totally agree with Pablo about kind of the root causes of most hacks that are happening these days. One of the ones that I'm most nervous about, and specifically was nervous about today, um, is like, fake podcast interviews and fake reporters reaching out. Like, right before this call, I was on my weekly call with the Security Alliance, and I was like, hey, guys, in case I reach out to you urgently, I have this interview that I think is with Laura Shin. But, like, this is the URL. I'm pretty positive this is what's happening to me. That's one of the scariest ones, because I know so many people personally that have become victims of, like, maybe they're applying, they're trying to get investment for their company, they're trying to get grants. People reach out and they say, hey, we want to highlight you. We want to give you this grant. We're so excited about what you're doing, and it can go on for weeks and weeks. And then in a moment of heightened panic or heightened pressure, they say, hey, oh, we can't hear the interview coming through on your device. Just download this driver onto your computer. And so if you ask me to download any drivers, I will probably say no during this interview. And if anybody is on any interviews or any Zoom calls or things and sees stuff like that happening, just take a step back. Yeah. So, like Pablo said, we've moved farther away from smart contract hacks because the industry has gotten so much better at that, but moved much more towards the operational side of the industry. Somewhat interestingly, though, in the last few months, like, we've seen some exploits on, like you said, old code. And so I think that there's also a resurgence of people going out there and figuring out what they can scrape from, like, earlier days of smart contracts and seeing what exploits they can perform on perhaps the contracts that have less attention on them at the moment. 
So that might cause a bit more of an increase in traditional smart contract hacks. But, yeah, as Pablo said, it's mostly operational these days.
C
Yeah, I mean, I think that the social engineering piece really is based around the hacker just gaining your trust. That's really what it's all about. And, you know, for those who are familiar with the pig butchering hacks, pig butchering is basically a subset of this, you know, whole social engineering bit. And that's exactly like what Isaac was talking about, because I also have received, you know, requests in my DMs to be interviewed by, you know, like, TechCrunch or Bloomberg or whatever. And because I'm a journalist, there's something about the message. Before I knew that this was like a hacking thing, I was just like, what is this? And I just somehow could sense, like, this is not a real journalist or something. And anyway, I just get so many messages, I just didn't respond. But that's another thing. It's like, it brings your defenses down. You know, it's almost like flattering your ego a little bit. And so then that just makes you more willing to trust because there's, like, you think that there's going to be something beneficial to you. So, yeah, basically, that's how social engineering works. It's preying on the fallibilities of human psychology. So you both do work for SEAL. And I actually wasn't sure, like, you know, what type of organization SEAL is in terms of, like, you know, whether you're, like, literally employees or what that relationship is. But go ahead and explain what SEAL is, the Security Alliance, and, like, what are the different services it provides, and then also talk about, you know, your work there.
A
Sure, I'm happy to take that. Yeah. I've been with SEAL since, like, very early days. So I heard, like, back when SEAL was forming, I just heard that there was this nascent initiative around trying to fix all of the things that are broken in security in crypto. And at the time, samczsun had reached out to me through, actually, through a friend of a friend, or somebody else had put us in touch, because one of the main issues that he was trying to solve was, like, war rooms and incidents when, like, crypto protocols get hacked were just not going very well. Like, teams were not very prepared. People were panicking. People were not, like, ready to contact the people they needed to contact. And they didn't know what to say to the community on their Twitter when these hacks were inevitably happening. So in the earliest of days, I came in to help out with this initiative called the War Games Initiative, where we just were doing incident response training for protocols. We would do simulations to help them just prepare for the inevitable, which is, as a crypto protocol in this space, you will inevitably have some sort of incident. And so we were helping them prepare. So that was one of the earliest initiatives. And then a lot of what SEAL has evolved into is just trying to fill in all the various gaps. And so one of the most visible initiatives within SEAL, I'd say, is SEAL 911. And so 911 is this group of like super talented volunteer emergency responders that if you are under attack, or you're a protocol that's under attack, or if you've recently been hacked, you can reach out to this Telegram bot and immediately get connected to the right team that can help you solve that issue. That solved a really big problem for a number of cases where before there were these big, like, crypto security Telegram groups where somebody would go in and be like, hey, does anybody know someone at X protocol? 
And that set off a lot of alerts for a lot of people because there were white hats in these chats and there were also black hats in these chats. And so one of the problems was like, okay, how can we, if we think there's a hack going on, get the right people connected to the right folks to coordinate a response. And so 911 has become a huge resource for the community, as the 911 responders learn a lot about what is happening on the front lines of crypto hacks and security. And so a lot of that also gets fed into another relatively newer initiative called SEAL Intel, which coordinates information sharing of hack data and exploits, and coordination between wallet companies, centralized exchanges, and protocols throughout the space. The best practices that we learn as SEAL from all of these different initiatives all get fed into something called SEAL Frameworks, which is like open source, free to use, best practices on how not to mess up on all things security. And now the latest initiative, which I'm leading, around certifications is like taking everything that we've learned and trying to come up with some standard for, like, benchmarking. Like, this is what proper security policies look like in this space. Uh, oh, yeah. So in summary, like, frontline responders, incident response training. I didn't even mention Safe Harbor, which is legal protection for white hats, which would be an interesting one. Yeah, once I stop this monologue, we can perhaps come back to Safe Harbor, because that's an interesting one as well. So that's SEAL. I am employed by SEAL to lead certifications, but I also run my own company, Shield3, which now does incident response training as a service.
C
Okay, yeah, for anybody who read my book, they might remember this moment after the DAO attack where the white hats had figured out how it had happened. But then there was this gigantic pool of money that was still sitting in the vulnerable smart contracts that anybody could steal once other people figured out how the hack worked. And so they had this kind of like debate, I guess you could call it, about, like, should they just go in and steal the money the way that the hacker had stolen the money? Because they knew how to do it. And they were like, well, you know, we could just tell everybody we're doing it to be white hacks and rescue the money, or white hats. But then other people were like, oh, right, but since we're doing the same thing that the black hat did, like, what if we go to jail? And so they waited until it started to be hacked again, and then they realized that they could use this justification, like exigent circumstances, like, you know, urgent circumstances require them to rescue this money. So anyway, so that Safe Harbor thing is meant to address situations like that, I would imagine.
A
Exactly. And one of the other triggers for that was the Nomad Bridge hack, because that was one where similarly, money just started being drained. And then people realized, like, wait a minute, this is not some sort of sophisticated attack. I can just go to this contract and say, please send me all of the bitcoin inside of you, and it would do it. And so that was one where also white hats were like, I'm not sure, should I do this? I even have, like, one incident in which I white hat sort of, like, hacked a contract online where somebody had put up this kind of canary deployment contract where it's like, okay, there's some funds in here. If these get hacked, maybe it means our system isn't safe. And so for me, like, there was no safe harbor at that time. And so I just kind of tweeted at the person I thought deployed the contract and said, hey, I'm hacking you right now. I'm happy to return these funds if you would like me to. But, yeah, Safe Harbor provides an actual, like, on-chain guarantee from the protocol. In fact, I think Lido just adopted it yesterday as of recording this. Lido adopted it late, you know, December 2025, and there's now, I think, over 50 billion in TVL under this protection. It was used for the first time during the Balancer hack. So this was the first time that during the Balancer hack, there were some white hats that were able to actually rescue funds under the Safe Harbor agreement because Balancer had adopted this on-chain legal agreement.
C
Oh, great. Okay, so let's now talk about something that's not only been a huge trend in crypto, but pretty much all of tech, as far as I can tell, which is that companies are accidentally hiring North Koreans. So explain, you know, more about this trend. Why is it that North Koreans are going after these jobs? What are the ways in which, once they have them, they are either stealing crypto or enabling crypto to be stolen by other North Koreans, you know, when they are employed?
B
Okay, good. I can take this one. Basically, DPRK, from what we know and what we see, what we research, has two goals when they make an IT worker, which is how we call North Koreans that get hired by these companies, be hired by companies, right? One of the goals is to hack that organization, right? To steal some money from that organization or from their users or clients. And then they have another goal that is to earn the salary, right? Because many times they have one IT worker working for five different companies and getting five salaries. So they also make use of that, right? So they have these two goals. Then inside the organization, let's say that they have two levels of people, right? IT workers. Level one is people that go and get hired, right, by these companies, or people that go and do social engineering to infect our people, right? So the goal here is to put the first foot in their infra, right? So let's say some company is looking to hire a Solidity developer. We think that today between 40 and 50% of applications received by Web3 organizations are from North Korea, nearly half of the applications received. And these applications look very good. But one of the biggest red flags is that they know all of the languages and they are a 10 at everything, right? So they basically get hired, right? And they put their first foot inside the infra, right? So they have some access, right? Because now they are employees. And then after having this initial access, they, let's say, pass the task to someone who is more advanced. And these people know how to move laterally in any organization and to start doing privilege escalation, right? How to scale. And from there the goal is to steal as much money as they can, right? You know that the biggest reasons why North Koreans are not detected usually is that they are very good at what they do. 
They generate very good code, they work a lot, and they never complain, right? Those are the three biggest reasons why they are not detected. So this also changed a bit. In the past, we used to see that most of the organizations where DPRK people were detected were organizations that had hired someone that was anonymous, right? Because it was something very common in crypto to have unknown employees. I think that that cannot be done anymore. I mean, if you are a founder of a company, you should know everyone, in my opinion, in person. If you don't know someone in person, you should not hire them, and do not hire anons. Right? So then this started changing a lot. Companies started hiring people that they could see in an interview like this or that they could do a background check on. So North Korea also changed their strategy. So first they started creating laptop farms in the U.S., right? What is a laptop farm? It is basically some US citizen or someone that lives in the US who is sent a laptop from North Korea or from China. They have to turn on these laptops, connect them to the Internet from their homes. So you have an IT worker connecting remotely from North Korea and working from this device. But then the company that has hired this North Korean thinks that this guy has an IP from the US, right? So the next step was that they.
C
I'm so sorry, I don't know if I fully understood that. Like, so they get hired somewhere, but then, sorry, sorry. So the North Korean person gets hired and then they get a computer, but that computer has an IP from a.
B
From.
C
From the US? Or, I didn't follow.
B
Yeah. So they get hired, let's say by Apple, right? So then after being hired by Apple, they send a laptop from themselves to the U.S., right? To some guy that lives in the US. This guy connects this laptop from North Korea in his home, right? And now North Korea connects to this computer remotely, right? But they work for Apple from this device, showing that they have an IP from the U.S., right.
C
And how is North Korea finding that person in the US to take the laptop, to land the job?
B
Well, these people, first they used to do laptop farming and now they are also selling identities. They don't know that they are working for North Korea. They just think that they are helping someone from Singapore or from South Korea or from the Philippines, that they are helping them land a job in the US that they cannot land because they do not live.
C
In the US. So how do they connect? Like on a message board, or like, where are they finding these random Americans?
B
Usually they are like Telegram groups, Reddit groups, but most of this stuff happens in Telegram groups. I mean, this is also something that is used by legit people, right? That live in some country, but they get a job that says that they have to live in the US, right? So they do this and they are not IT workers. They are just people that are not following all the laws from these companies. But this is something usual, right?
C
Wow.
B
But this was the first step. Then this changed, right? Because companies started doing better background checks and also asking you to have your camera on all of the time. Right. So these guys now pay US citizens to go and do the interviews. They send them the script, they do the background checks, they do the KYCs, they connect to the daily calls, to the weekly calls, and they have a script of what they have to say. So you have a company and you have hired someone from the U.S., you did the background check, you see them in calls and everything. But the real person working behind that is an IT worker. That's super scary, quite sophisticated, and not so easy to detect.
C
Wow. Okay, that is crazy. Okay, so I mean, for crypto companies, how can they avoid hiring this type of person who, like, you know, or it's really a duo at that point.
B
Yeah, yeah, totally. Because one more thing, and then I let you, Isaac, talk about this, one more thing that it's very important to know is that once you detect, like from SEAL, we detected, or many people detected, lots of IT workers working in different companies. Once you detect that some company or some protocol has an IT worker working there, it's not so easy to remove them. It's not even easy to report that, because maybe it's the CTO or maybe it's someone that has access to everything. So if, when you report that, this person gets to see the report in some way and they know that they have been found, they will do as much harm as they can. Right. So whenever they are detected, it's also very, very difficult to remove them because most of the time they have lots of access. Yeah.
C
And actually wait, before you answer how to not hire them, let's do this. So once they get in the systems, how are they taking the crypto?
B
Well, most of the time it's private keys, private key leakage, or sometimes it's introducing vulnerable code in contracts and then making use of this code that has not been detected. But most of the time it's private key leakage. Right.
C
Okay. Like, meaning the company's assets, not user assets. Okay.
A
Yeah.
C
Okay.
A
Maybe the developer that you hired. Again, these are talented developers. They might have done a great job for a long time developing your smart contracts. And then one day you wake up and all of the money is gone because, you know, they held the key to the contract. And there are ways of kind of protecting, like through proper company operations around containing access control risks and stuff like that. There's ways of minimizing that, but it really just is, yeah, it's super challenging to deal with. There's one thing that the Security Alliance published recently, a website called Lazarus Group, which is kind of funny. It's like a parody consulting website of all of the profiles of known IT workers. And so I highly recommend, go to that site, look at the team page, and if you recognize anybody on that page, you might have an IT worker at your company. So, yeah, it's just as Pablo said, they're getting more and more sophisticated, so it's quite challenging to do. But at least, like, some companies I speak to have now policies where they have to meet somebody in person at an event somewhere in the world. But these, you know, increase recruiting budgets, and that's even more challenging to do. So information sharing between companies can help, but it's far from a solved problem.
C
Yeah, I mean, I think, like, what the issue would be too, is that there's so many new crypto companies that are popping up all the time, and it could be people who maybe, you know, don't have as many connections in the industry, or like, they haven't been in the industry very long, and so they're, like, not as aware of these issues. So you could just, yeah, see this happening more, like, on the fringes. All right, so what would you recommend that crypto companies do to not hire either North Koreans or basically any bad actors whatsoever? Although, yeah, maybe let's start with North Koreans, since there, it sounds like there are particular, you know, kind of traits of those workers.
B
Well, I would say first of all, if you're hiring someone, that person should be recommended by someone else. It's true that we have lots of new people coming into the ecosystem, but you should always have someone in common, some connection or someone who can vouch for you. Right? That's thing number one. Number two, as I was saying, obviously making calls with live video and checking that the person on the other side looks legit. Fake video today looks very, very good. In fact, something that we recommended to our clients is that during every call, when the call starts, even if it's with people from your team or people you don't know, everyone should do this. When you have a filter that changes your face, which are very, very good today, when you do this, that filter breaks. Right? So that's one of the things to check that the person on the other side is legit. Then language and cultural consistency. Right. Many people say, okay, yeah, I live in Singapore or I live in Canada, and you ask basic questions about the city where they live or what they do, and you find that there are lots, lots of gaps, right? Then, as we were saying, I think that every call, every daily, weekly or anything, they should always have cameras on for everyone. It doesn't matter where you are, if your house is tidy or not, cameras always on. We know that they can fake this, but we make it more complicated for them, right? We never have 100% security. Security is about adding layers. So the more complicated you make it for them, the less return on investment that they have. Then also something very important is cross-verifying identity, right? For example, aside from doing an interview and a background check, doing OSINT, right, on this person and finding maybe that you are interviewing someone who doesn't have a history on the Internet. Like this person did nothing on the Internet from 2000 to 2025. There's nothing about this person.
C
Wait, and I'm sorry to go back. You said to do OSINT on the person. What does that mean?
B
OSINT stands for Open Source Intelligence, right? And this is a technique used by law enforcement agencies, three-letter agencies, investigators, people working in security. And it's basically finding anything about a person, both in the Deep Web, Dark Web and Surface Web: leaked credentials, passwords, KYC information, passports, where you live, your work address, lots, lots of data. And if, for example, you don't find anything leaked about someone, that's a red flag. It's full of leaked information about all of us, right? So that's something very, very useful. And then two more things that I want to add that are pretty simple. Many times we have seen that after IT workers have been detected, when the addresses where they are paid are checked, we find that they consolidate all the money in one same address or that they send it to some exchange in China. So for example, you are seeing that you're paying your employees at some addresses; have those addresses checked with some tool like Chainalysis, Elliptic, TRM or something like this. And also check where those funds are being sent. Because if you are hiring someone that supposedly is Canadian and lives in Canada, why are they sending the funds to an exchange in Russia or China, right? And then one last thing is post-interview. You did an interview with someone, you really liked it, wait three days and check if the profiles still exist, if something changed, right? Because usually these guys create lots of profiles. When an attack is successful, they delete it, right? And while they are doing an interview with your company, they are doing interviews with 10 more companies too. And many times, to erase the traces, they delete these profiles or they change a name or something. So do an interview, wait three or four days and check if everything still looks the same.
C
Wow. Okay, that is, yeah, that's really interesting. All right, so in a moment we're going to talk a little bit more about, you know, what it is that crypto companies can do in the hiring phase to prevent these situations. But first we're going to hear from the sponsors who make the show possible. Mantle has entered a new phase as the distribution layer connecting TradFi and on-chain liquidity. To accelerate this vision, the Mantle Global Hackathon 2025 is inviting developers to build scalable RWA and DeFi products. Why build on Mantle? It's an ecosystem built for builders. You get direct access to Bybit's 7 million plus users for potential listing exposure, support from the $4 billion Mantle treasury, and mentorship from top VCs like Spartan and Animoca Brands. With six tracks, prioritizing RWAs and RealFi, and a $150,000 prize pool plus grants, this is your chance to deploy on a high performance modular L2. Register now; the link is in the show notes. Hey founders and developers, if you're looking to bring on-chain trading to your product, wallet or platform, check out the new Uniswap Trading API from Uniswap Labs. It's your plug and play gateway to global on-chain liquidity. No deep crypto experience required and no need to manage complex integrations or ongoing maintenance. With the Uniswap Trading API, you'll get enterprise grade on-chain execution, combining both on-chain and off-chain sources for the most competitive prices. Simply put, more liquidity, less complexity. And this isn't just any API. It connects directly to the Uniswap protocol, which has securely processed over $3.3 trillion in total volume with zero hacks. So stop worrying about liquidity infrastructure and focus on building your product. Get access to the same liquidity that powers billions in swaps through one powerful API. Visit hub.uniswap.org to learn more. Back to my conversation with Pablo and Isaac. 
So, as we mentioned, there's a high probability that at least some people that any crypto company is interviewing are North Koreans. And so for that reason, I would imagine that you would advise them to almost, like, assume they have somebody like that on their team, you know, just to be super safe. So, like, what other practices should they follow to make sure that even if they had someone like that on their team, no user funds or none of their funds would be lost?
A
Yeah, I think that part of the problem here is that with a crypto startup you can go from like just launching to suddenly being in charge of tens of millions of dollars of people's funds kind of overnight without kind of a gradual buildup of an internal security capability. And so it's really hard to have somebody on staff that's like just focusing on this stuff. But there are a few principles to take when just setting things up. Part of it is just, you know, housekeeping, but like really important housekeeping of how you're configuring things. And to me it's all about kind of minimizing the blast radius of one specific thing going wrong. And so if, for example, you have multisigs in your protocol that are holding all of the funds you raised from your investors and they're controlling all of your smart contracts, that can upgrade all of them and have all these emergency functions to, like, pause things and withdraw things, it's a pretty bad idea to have all of that concentrated in one place. It's much better to spread things out and make it just harder for everything to go wrong all at the same time. Also introducing slowness and friction as a feature in places where it makes sense. So if there's an ability to completely upgrade your protocol and steal all of the money, making it so that one developer can't just do that without you even seeing a transaction go on-chain and being staged to do that. So making it so that things that should take a long time are enforced to be slow, so that you have opportunities to catch things, and having proper controls around access control even on your other infrastructure. And so a lot of this stuff, it's very easy as, like, a developer in a startup to get a little bit lazy and just think, okay, I onboarded this new developer, I'm just going to give them root admin access to everything on AWS just so that I don't have to deal with, like, giving them access to this and this and this. 
And it's hard not to be lazy, but it's really important to actually minimize, like, even for, because it's not just against, like, a malicious actor. It's also maybe you make a mistake at some point, and so always think about, like, do I really need everything to be, like, upgradable in one instant and have, like, one access point for our entire infrastructure? Or are there places that I can introduce friction to make it so that if something goes wrong, it doesn't all go wrong all at the same time?
C
Yeah, I mean, and we can talk a little bit more about what happened on the Gnosis Safe side, but I just wanted to call out something about what happened with Bybit, which is just like it always blew my mind that they didn't even do a test transaction. Like, they just did 1.5 billion all at once. Like I like. Because doing a test transaction does not take very much time. It adds maybe like a minute.
A
It doesn't. But I have a bit of a controversial take that I sometimes advise not doing test transactions because. Just because of address poisoning. And so to me, like, the proper way of doing a secure transaction, like when I talk to people that are receiving funds from investors or doing or setting stuff, they're like, how do I properly verify this address of this thing that I'm going to send money to? If your process is you, the collective you, if your process as people that hold crypto is send a test transaction for a dollar, wait to be received, and then send the full amount, that's not sufficient because where are you getting that address the second time? It's really important not to copy that address from your wallet transaction history. And so for me, sometimes I feel that test transactions are a place to introduce the risk of an address poisoning attack. And instead what I would do is like, have different controls where, like, I have an address book that I verified a signature from the person that is receiving the funds and I've put that address into my address book and I only ever copy it and I only ever do it from my address book from inside the wallet. And I never. So I personally rarely, if ever do test transactions just because there's other parts of the process that I think are more robust.
C
Oh, interesting. Yeah, I guess I would never copy from the transaction I would copy from. Like, I would use the original copy.
B
Yes.
A
Which is good. But like, there's, there's ways, there's so many places that can go wrong. We see, I mean, somebody lost, what, $50 million last week because of this, because they did a test transaction, copied it, copied it from the Etherscan transaction history or their MetaMask transaction history and pasted it in. I don't know if it was MetaMask, copied it from their wallet transaction history and pasted it in to send the rest of the amount. And it's getting like, worse and worse. Like, I had a friend who I, being in security, I often get a lot of DMs from friends being like, I'm about to do this really high value transaction. Can you just watch me do it? And I watched them do a test transaction, and then I saw immediately, within seconds, their wallet just populated with so many spam addresses. And they knew. They were like, okay, I'm not going to copy from those. I'm going to go back to the invoice and copy from the invoice again. But it's just like, it's. Yeah, I wonder how much money has been lost because somebody did a test transaction instead of just, like, not doing it.
C
Oh, wow. Okay. Interesting.
A
Yeah. And we could go into the root cause of Bybit a bit more, because I think it's interesting, like Pablo and I, some, for a while, we were just doing these, like, weekly calls where we just kind of hang out on a Friday morning, have coffee and, like, look at Safe and think, like, what can we do to, like, hack Safe? Or how can we make the Safe... Wait, wait, wait.
C
Before the Bybit attack or after?
A
Because after the Bybit attack, Pablo and I started getting a lot of requests from people like, hey, come train us on our multisigs. And so we thought, let's just, like, have a fun, like, morning every week where we just, like, play around with Safe and see what we can do to cause it to go wrong. And so we went in really deep on, like, root cause on what happened there, which a test transaction actually would not have saved them from, to summarize.
C
Yeah, well, go ahead and tell us what you learned because so I'm going to reveal that they were supposed to come on the show to talk about it. Martin Köppelmann of Gnosis reached out saying that they wanted to do it. And then when we kept trying to, like, actually nail down a date and time, like, then, yeah, they. They just stopped responding. So, yeah, so there's a.
A
There's a few different parts of the. Of the root cause of, like. And I'll just say there's multiple places that this could have been caught before. Before it. Eventually, before it happened. One thing to be cautious of on root cause investigations, on Twitter especially, or X, is that everybody wants to be the first one. So, like, always be skeptical of the first root cause investigation you read after an incident. Um, like, I remember after Balancer, people were like, oh, they didn't have access control. That was not the root cause. And so what I'll say is just like, what I know about Bybit is based on what I understood from what happened on chain, plus some stuff that I just kind of read in reports online. And so take some of it with a grain of salt. But the, from my understanding, like they will. Bybit was particular, was specifically targeted. There was a compromise in Safe's API infrastructure, but it was specifically Bybit that was targeted. The attackers could have targeted a lot more people, but there the code was specifically targeted to change the UI, to change the interface of Safe when the Bybit people were going on to do their transaction. And I think that the way that that happened, or a valid way that that could have happened, is basically somebody reached out to one of the developers at Safe was like, hey, can you help me with this engineering problem? Oh, sure, I can help you with this engineering problem. Like, people want to be helpful. That's the problem with social engineering, is like, it exploits the fact that people generally want to help each other. So if some developer reached out to me and said, hey, I'm having trouble compiling this code, can you download this repository and see if you're getting the same error? My instinct probably a while ago would have been, yeah, I'm happy to do that. People on the Internet helped me when I was learning how to code, so I want to help other people learn how to code.
But that is a way where if you run this code on your device in an unprotected way, that can like, then get a backdoor into whatever company's infrastructure it is that you're working for. And that is one valid way of how this exploit could have been introduced into Safe's API, which made it so that when the people working for Bybit went on to do their transaction, they saw this, this transaction, the transaction that they thought they were signing is not the transaction that they were signing. And the transaction itself is actually very sneaky. I think that the, the method. So when you're doing a transaction, the data that shows up on your wallet is. It depends on a few things. It depends on like the, the way that the method is named in the smart contract. And so like, what I mean is like, if you're doing a transfer of tokens, a transfer will generally always show up as like similar encoded data on your, on your wallet, no matter what, whether you're sending USDC, USDT or anything else. It's just all using the standard. So the attackers made a, made a function called transfer inside of their exploit contract. But what that transfer function actually did wasn't transfer tokens. It was to do some really sneaky upgrade of like a specific piece of storage inside of the smart contract of this Safe that changed the implementation to a malicious one that allowed the attacker to take all the money. And so it wasn't a simple like, oh, we sent the money to the wrong place. It was that they called transfer on a contract that wasn't verified on Etherscan. And they called it using a delegate call instead of a call, which is another, like, technical thing. You would never delegate call a transfer. It's a weird tangent, but like the Bybit folks could have caught it if they were doing transaction verification.
But it was also very sophisticated in how it was engineered to get around a lot of safeguards that if they even had the safeguards in place, like maybe if they had, you know, call data decoding, it would have decoded as a transfer. Which is like a weird, like, edge case about this investigation as well.
C
Oh, wow. So even then. Wait, and. But I need to understand that. So basically it's just that it either used the word transfer or it literally looked like a transfer. But actually what was happening on the back end was that the smart contract was being upgraded to a malicious contract.
A
Yeah, it looked like a transfer to like a certain. Depending on how the wallet worked, the data that was included in that transaction would have show. Could have shown up like, oh, this looks like a transfer. Like it might have just kind of, if you hovered over the data, like some of these things that are like, hover to decode data that are there to help people because you can't just read hex. It might have tricked something like that to be like, oh, this looks like a transfer. There were other flags. Like there was a something that should have been a zero, was a one, but that's hard to detect and other things like that. But like, yeah, it was made to be very, very hard to catch.
C
Wow. Oh, my God. Yeah. I guess the thing is, like, any one person working in crypto is working on security, like, for part of their job or like, or just for whatever is in their control. Whereas North Korea has, you know, some army of people that are working on it all the time and know how it's all interconnected. So, like, even if, you know, you have your little fiefdom, you know, locked down, like, anytime you transact with another person's fiefdom or another company's fiefdom, then they can use that to hack you. So.
A
So yeah, there's no hiding. There's no. There's no hiding at any scale. Right. Like, the second that you've deployed anything, you're a target.
C
Okay.
B
Yeah.
C
This reminds me. Oh, go ahead, Pablo.
B
So something that I was going to say about that is that when you protect the company, when we do, for example, the audits, you have to find all the weaknesses, all the holes, you have to find all of them. And a threat actor just needs to find one. And that's something very, very important. And then something key here is that you can have the best teams, the best systems, the best everything. If you don't train your team in order to understand and to be able to recognize social engineering, it doesn't matter what you have, your company will eventually be hacked. It's not a matter of if you will be hacked, it's when. Right. And then before you, when we talked about what companies can do regarding IT workers, I wanted to add something interesting. That is, there's something called least privilege policy. Right. Least privilege policy is basically a concept where any user or any application should have the minimum permissions that they need, right. Even founders. Right. It's very common when we do these audits to see that the founders have access to everything. Right. And we should know that anyone in an organization could be hacked. Anyone could be threatened or coerced physically to do something, or anyone could become evil. Right? Or anyone could be an IT worker. So if you design your security framework knowing that, that anyone can be. Can be evil, basically, because choosing to do that or being coerced, then you configure everything in a very different way. For example, me or anyone that we advise working in crypto or founders should not have direct access to funds. If I want to move funds, I cannot do that. Most of the physical attacks that we have been seeing lately is because of that, that people usually have direct access to move all of their funds. Right? So when you are developing a good security policy, you should know that, no, I must not be able to move important funds.
Because if you can, the day that you have gun pointed to your head, you will do it. Obviously, you will do anything that you. That you can.
A
Yeah. And just one further step is it's one thing to have these rules in place, but someone once told me something that sticks with me is like the most, the place to look for, and the place that I always start when I'm doing an audit of a company is who has the power to change the rules. And so it doesn't matter if you have the rules set up in the right way. If the access control to change those policies is still highly concentrated, you're just as like, you're just as. Just as bad off as if the policies weren't there. And so we see that a lot when, when Pablo and I talk to companies that want us to look at their, like, custody configurations for. For their custody tools like Fireblocks and Fordefi. We always ask, like, who. Which account has the policy to change these policies? And. And like, how many confirmations does it require to change these? And sometimes they're like, oh, like, yeah, we just kind of. The account, they can change the policies. We make it this dead account that, like, nobody can even access. And it would take 30 days to access this account. Like, that is. It's really important to also think about, like, the power, where the power lies to change the rules that you've configured in your organization.
B
Yeah. And. And then I would add one more thing that is one thing is to have a plan and a playbook, but it's very, very important to train it, to test it, to do, like, a library. Okay, let's simulate that we were hacked. Or let's simulate that you wake up and your Google account was empty and your MetaMask is. What do you do? Okay, I will do this. Okay, go and do it. Because if you don't practice it, then it doesn't work. And I will give you a very simple example. Three months ago, I got the pepper spray to have with me in my car when I drive. Right. I have it there by me. The other day, I was at a traffic light with my kids in the car. A crazy guy, he was crazy, came to my window and started punching the window. And I didn't remember that I had a pepper spray in that moment because I was never trained to do it. So having rules, having playbooks, having policies, but also doing these real trainings and tabletop exercises. It's key.
C
Yeah, yeah, yeah. This reminds me of like. Yeah. Just basically anytime you.
B
You.
C
Yeah. Know that you need to do something at a certain point, like knowing it intellectually and knowing it like, in your body, it's like, I totally didn't running. So. Okay, so we. We're. We're actually like, well into this episode. We have not gotten to everyday people, which we definitely should talk about. So let's just talk so. Because all of that was, you know, companies. So let's talk about the most frequent ways that people get their crypto.
A
Stolen.
C
And I know we. We kind of already talked about social engineering. I don't know if there's, like, more that you want to add on that, but then, you know, obviously we should go into various tips.
A
Yeah. Pablo might have probably. Pablo probably has a more comprehensive list than I do. But, like, at least of the ones that come to my mind are like drainers. Um, and so back when, like, airdrops were happening more frequently in crypto, I mean, I guess they're still somewhat happening, but it was very common that, like, people would click on, you know, a malicious airdrop link or like, or somebody posts, like, a company posts something on their Twitter in crypto, and then somebody replies with like, a. Like, a company could be disclosing a hack and they're safe. And then some attacker comes in and says, hey, submit your claims here to get your money back from this attack. And so, like, just clicking on these malicious links that trick you into signing malicious transactions is. Is quite a common one, which kind of falls into social engineering, but it also falls into just like, you know, clicking on the wrong thing, whether it's a malicious Google ad or a malicious airdrop link or something that somebody DM'd you on Telegram pretending to be somebody else. But yeah, Pablo, what do you. What are your, like, top ways that, like, normal people get rekt?
B
Yeah, what we're seeing is, first we have the classical social engineering cases that are. Founders are being approached by fake VCs, devs are being approached by fake recruiters, recruiters are approached by fake candidates, VCs are approached by fake startups, and key opinion leaders are approached by media and podcasts. Right, fake. That was level one. Level two is they don't create a fake Laura Shin profile to contact people, but in some way they hack your Telegram account, your Twitter account, and from your real account, from your real Telegram, they start contacting people. That's happening a lot. So you say, okay, I'm receiving a message from Laura Shin. It's her profile. Yeah, it's her profile. She's followed by everyone. Okay, this is legit. And she's offering me an interview. It's legit. So that's something that has been happening a lot. So even if we are contacted by someone and that contact comes from a verified account, an account that we know or someone we talked to. Let's say that I met Isaac at EthCC, we took a photograph, we started talking on Telegram, and then he sends me to go into a call that could not be him. In fact, something that they are doing today is this. I meet someone at EthCC, we take a photograph, then this person in some way is hacked through what? Through a fake job interview. Right. When they are doing the job interview, they record this person. Right? So then when this person had his Telegram account hacked and they contact me, they invite me to a call, I get into the call and I see the video of the other person talking, but I cannot hear him. But the video is real because it was recorded from the original time they hacked this person. So he tells me, hey, I cannot see your WhatsApp. I cannot hear you. They put in the chat, what do you say? Okay, I know this person in person. We took a photograph. It's her or him in the video. This is totally legit. I will download the driver. That's it. So this is getting more sophisticated.
And something that I want to add here, to understand the sophistication, is imagine this. Someone says, okay, we want to hack this founder from this DeFi protocol. But we know that he's sophisticated. He will not be falling into the trap of the meeting or this and that. So what do we do? Okay, lawyers and accountants, they have very bad security. So they hack the lawyer, they get into the lawyer's inbox and they see that this founder is waiting to get an agreement from this lawyer about a SAFE or something next week. So next week, the day that this founder is waiting to receive this agreement draft, that exact day, and from the lawyer's email, they send the document, but it's infected. So you receive something from someone you trust, you receive something you're expecting from the real email and everything is legit. Is there something to be suspicious of? No. And that's the reason we say that we should treat everything as a scam until proven otherwise. And you should have second barriers of protection. Right? And here is where I go to the recommendations for people. Eventually we are all going to be social engineered. Me, Isaac, samczsun, anyone. It doesn't matter how sophisticated you are. We are going to be social engineered. We are going to download some malware. So that's why we should first of all try to do interviews or calls on a separate device or something like that. But also something as simple as have an antivirus or pay for an EDR. Antiviruses are $30 per year. People think that because of having a MacBook, there are no viruses, no malware, nothing. That's a myth. Pay $30 for antivirus. 9 out of 10 cases in crypto that we see nowadays could be avoided just because of having an antivirus, right? So that's the first thing. And second thing is we keep on seeing people losing millions of dollars because of having money in hot wallets. MetaMask, Rabby Wallet, Exodus, whatever. That's not. That's not smart, right?
If you have more than $2,000, please get a hardware wallet, transfer it there. And now the important thing, the seed phrase. Where do you put the seed phrase? All on paper, all on paper and that's it. No other complex single or nothing. We are seeing lots of cases. I personally estimate that 20% of people in crypto saved the seed phrase in a password manager, right. And we saw that three years ago LastPass was hacked. And from that LastPass breach, as Taylor Monahan from MetaMask has been tracking and researching, more than $300 million have been stolen. Right. So. So my two takes there. One, get an antivirus and two, hardware wallet and your seed phrase only on paper. And if you're not 100% sure. Oh yeah, I think I put it on a paper, but maybe I took a photograph, I put it in. If you're not sure, create a new address and move everything. And I know that this may seem basic, right. And we are talking about the first thing that they tell you when you get into crypto, like have your seed phrase on paper. But we, we keep on seeing millions of dollars being stolen because of this, right. Daily.
C
And what about the new setup where a lot of it is biometric? Like what do you. So obviously you know, there, there will still be a seed phrase associated with that. But like do you feel like that is safer or, or are there still a lot of pitfalls?
A
I personally like stuff like that for convenience. But it's all about like limiting blast radius. Again, it's like don't put your entire life savings in one, in like the biometric controlled thing in your, on your, like on your hot wallet, on your phone.
B
Move.
A
Have these things in, in, in multiple places. One, because you might make a mistake one day and accidentally send it. Like I also heard, I was at a security conference and somebody told me this kind of funny, not an anecdote, but imagine if when you went to pay for a coffee with your debit card, if you could accidentally pay with the deed to your, your house. Like that's what happens if you have all of your money in one wallet in crypto and you go to do one thing and suddenly absolutely everything is gone. So both to avoid the mistakes and to minimize the blast radius, just spread things out. Use custodial tools if you want, use, use like, use a Safe for your own account with like multiple wallets. If you have like long term savings, just. Yeah, if you're on your phone all the time and you need to be constantly like betting and like degening into various things like then you kind of have to accept that as your risk. But if like you want to keep things a bit more long term, then yes, spread things out and actually be careful.
C
And how do you guys manage having so many different addresses and wallets? Because you know, if you're putting in a spreadsheet but then your Google account is hacked or whatever because that's another thing. It's like I don't know how many times I've heard somebody say oh, I randomly found an old wallet, you know, and oh, I had, you know, X amount of money in there. And it's so clear that like yeah, you can just end up with so many wallets. And so I'm sure people are organizing them but when they do it, that could be another attack factor.
A
It could be. I'm a little, I'm, I'm unsure about that because I personally like, I've, I've had that issue and I call it like shaking out the crypto couch cushions once in a while where it's like, oh, like I should go through all of the random old accounts from six years ago and see, see what's in these. There are like, you know, portfolio tracking tools that yes, are kind of, if I enter in all of my addresses now, they're correlating all of those addresses back to me. Is that a risk? I think so. But also like yeah, I mean that's just a normal kind of hygiene and laziness is like I know that having all this stuff spread out is like potentially more annoying. But yeah, there are portfolio tracking tools that make it easy enough.
B
Yeah. I also think that many times we try to overcomplicate some stuff and the cases that we see are very basic in how they are happening. But anyways, regarding tracking, I agree with Isaac. You have apps that help you do this. But what is very important is to know that then we have leaks, right. For example CoinMarketCap, the database was leaked. So in CoinMarketCap, you have the portfolio version, the portfolio section feature, which is great. But if you have your portfolio there and then it's leaked, you're done. Like with the Ledger leak, the Trezor.
A
leak, and they don't have your money. Just like, you're a target.
B
Yeah, sorry, now you are a target. So something that I highly recommend is everyone should at least have three email addresses. Your personal email address, your work email address, a private email address you don't share with anyone and doesn't have your name. And what do you use this address for? For example, to have a spreadsheet with all your crypto assets, but also to use this email in your password manager, in your Apple ID, in your 2FA application. Right. You should not use your public email in a password manager or as your Apple ID. Your Apple ID should be private. Nobody should know which one it is. And then to also have another email address, another address for just signing up for crypto events or buying stuff or this or that. That can also be replaced by this Apple relay service where they change your email address. But having that in a separate, let's say identity. I think that it's very, very important.
C
Okay. And so all of this is around self custody. But then obviously there are a lot of people that choose to go with a hosted setup where they are trusting a company to secure their crypto. So you know, what would you advise users to kind of like check either when they're, you know, deciding which company to go with, but then also when they set up that account to make sure that, you know, that doesn't get hacked.
A
To start. I think that Pablo might have some good advice on things like, you know, passkeys and stuff. But for me it's like this is a case where I would probably try to go as name brand as possible. Like if there, if you need to go with a big custody provider for, you know, setting up some long term account for a future inheritance of your grandchildren, like maybe go with a company that's been around at least five years maybe, or like have a really good reason for going with a different one. They should have. You know, the potentially, you know, I. Something that I would probably look at is looking at things like, you know, insurance, whether these custody providers have insurance against like operational failures. But yeah, on the account setup itself, Pablo, you might have some advice on things like, you know, passkeys and stuff like that.
B
Yeah. First of all we should know that it's not an all in or I have everything in my Ledger or I have everything in multisig or I have everything in a custodian. No, I think that first of all it depends on your knowledge. If you are not technical, you don't want to handle a hardware wallet or a multisig or whatever. The best thing for you probably is a custodian. Right. But then it's also a very good idea to say I will have 25% with a multisig with Safe, 25% in a Ledger and 50% with a custodian. I think that that's very, very good. Diversification is always great. And then about creating these accounts. Yeah. As Isaac was saying, first of all, do it with a private email. Right. Not your normal email. Second, try not to put your phone number anywhere. Do the exercise of waking up. And your phone number is not your phone number anymore. It has been SIM swapped, now it's controlled by someone else. So no phone number. And if your phone number is mandatory, your phone number should be private, right? You should not have a phone number that you're using for important things like a custodian or your Apple ID under your name, right? No. Third is unique password. This is very basic, but we are seeing a lot of people having a very complex password but repeating it everywhere, right? So what happens, you have the same password in some very big custodian or an exchange and also in some event that you sign up for, some crypto event or in Eventbrite or this or that. So one database is leaked, that password is leaked, then they are going to try it everywhere. And then last thing. Well, one more thing is 2FA, right? Two factor authentication. We do lots of research on this. So the summary or the take is first of all, never do it with phone number, obviously no SMS. People are very used to thinking that the proper way to do 2FA is Google Authenticator, Microsoft Authenticator or Authy. That's not true anymore. Why?
If I send you a phishing website of Coinbase Prime, you enter the phishing website and you put your username and your password and in the next screen I ask you for your 2FA code and you go to Google Authenticator, you choose, you check the code and you enter it. You are giving the first and second factor to a third actor, your account is taken over. Right? The only thing that is phishing resistant regarding 2FA are hardware keys, right? YubiKeys for example, or the Titan keys from Google. Those keys, they are like 60 bucks when they are properly configured with something called FIDO2 that is basically storing a passkey inside these devices that cannot be phished. That's the most secure thing. So in a summary, private email, no phone number, unique password, YubiKeys. If you do that, you should be totally fine. And the most important thing, as Isaac was saying, insurance. I would choose one of the three biggest providers and they will check that they have a good insurance policy.
A
Yeah, and this is a. I know that this all sounds very daunting and it makes you might not even want to hold any crypto whatsoever. And just to be clear that all of these rules to me are like this is the stuff that you want to hold onto for a very long time and it's like relatively cold storage and you really care that you don't lose it. It's also fun in crypto to have a hot degen wallet that you use for random stuff that if it gets hacked, you're not about, you know, it's not going to ruin your life. And so like, use the right tool for the right thing. Use all of these, like high security, put up all the walls around the stuff that you really care about. Um, but if you also have, want to just have a really low friction thing for when you're like messing around with new apps, that's not against the rules. There are no rules. It's just accept the risks of, of, of like what you're using each wallet for.
C
Okay.
B
Yeah, yeah. And also know that as we all know, we, we all have like a physician and we ask this person about our body. We have a lawyer that advises us on law, we have an accountant. The attack surface, and this is not only about crypto, it's about everything. Technology. The attack surface is growing. Our assets are now mostly digital. We have banks, we have fintechs, we have crypto, we have stocks, everything. So the attack surface keeps growing. Threat actors are getting more sophisticated. So I think that if any person that has relevant money should, should have a security advisor, an operational security advisor or something, and they should know that this is key. Right? Because if not, eventually with time, we are going to lose our money either with a bank or with crypto or whatever. And it's important to know that you cannot know everything. We go to a doctor because we don't know about how the body works. Well, in the same way you have lots of money, you are going to do a setup that you want to be the best setup out there and to keep this money for 50 years for your kids. Okay, go hire someone or ask someone or do your research, but spend resources, let's say that can be time or money.
C
All right, so we're a little bit over time, but I do have two more questions for you guys if you have time. Oh, okay, great. So one other thing is that I'm sure you're very well aware that privacy is going to become a much bigger trend in crypto. We're already seeing that there is a resurgence of interest in privacy. And Ethereum announced that, you know, privacy is now one of its priorities. So I wondered, you know, if you thought that would affect our ability to go after bad actors or whether it could also be used to help keep people's assets secure.
A
I think I can start. I think that for me, yes, there is potentially a risk on the tracing side, but I think that we actually have the tools now where that's not really as much of a concern. As far as mixing services to kind of break the link between source and destination wallets, tools like Railgun or privacy pools, and even actually the original Tornado, had the ability to export compliance-like notes to show where my money actually came from in case you got audited. So I think that's a question of making sure that whatever regulations and rules exist match what the technology can do. I think the technology is there, and it's sufficient to make it so that we can have both privacy and accountability, and have sufficient screening on these services, at least the ones that function as mixers, so they shouldn't have issues like the previous generation of services had. As far as the fully private chains, I'm not sure. I personally am not a SEAL 911 fund tracing expert, but yeah, I'm excited to see that all of these privacy tools are coming in, and I haven't seen a ton of pushback from the folks that actually do that tracing saying, no, we can't have privacy because then we can't trace anymore. But that's more of a personal layman's opinion than somebody who's an expert in tracing.
C
I'm pretty sure that they know that if they were to say that then the crypto community would turn on them more than some of them already have. So.
B
Well, I agree with Isaac. I think that the work from products like privacy pools is key here, because on one side we want privacy for the users, for example, to stop $5 wrench attacks. Right. So that it's easier for a day-to-day user to have funds without everyone knowing how much funds they have. Right. But on the other side, you don't want North Korea to be able to use these systems to move stolen money. Right. So products like privacy pools, that allow you to deposit assets and then take them out to another address through a mixer without being able to show traceability, have a very interesting feature that allows you to have something called proof of innocence. Right. So proof of innocence means, let's say that we have a pool with 100 depositors, and one of those depositors is North Korea. So when I deposit money and then I withdraw it from the other side, I am able to demonstrate, to verify, that I am part of this set of 99 addresses and not this one. So I can prove that I am part of these 99 addresses that are clean. Right. So in that way you are able to give privacy to users and not privacy to threat actors. I think that kind of solution is great. I love it. That is the thing that we need, right? We need to solve issues with technology. That's why we are here.
A
Right.
C
All right. So hopefully all the tips that we gave people will protect them from becoming victims. But if somebody's crypto gets stolen, what should they do at that point?
B
Perfect. Well, the first thing is contacting Seal911. Seal911 has a Telegram bot where you can basically open a ticket there and explain what happened to you. And there you will have people that will help you do whatever is needed. Right? So, for example, they will help you try to understand what happened. They will help you save assets that were not stolen yet. They will help you secure all of your infra. And then, if lots of assets were stolen from you, you will be put in contact with a company that will then help you try to freeze those assets. Right. Most of the time, when we see money being stolen, it cannot be frozen or recovered or anything. But sometimes, right? 15%, 20% of those funds can be frozen sometimes. So, yeah. So the first thing is contacting Seal911. And then, if we are talking from the technical point of view, what I would say is, if you are in an interview or something and something happened, first of all, disconnect your computer from the Internet. Second, get a different device and export your seeds into this new device. So let's say that you had MetaMask on your computer. You disconnect the Internet from your computer, you check the seeds from MetaMask on your compromised device, you enter them on a different device, and you move your assets to a new address, right? To have them safe. Because after your computer was compromised, they stole all your private keys, but they are encrypted, so they need to decrypt them. So these threat actors need some time. But if you leave your computer connected to the Internet and you enter your MetaMask password, you are making it easier for them. And then you will have to change all your passwords and everything. And the most important thing, and I wanted to talk about this, is to report it to your company.
You may think that you were targeted individually because they just want some money from your hot wallets, but maybe, when they did that, you work for some DeFi protocol or some company and they also got some credentials or some access to this company. So if you don't report it, and then the company where you work is compromised, or the first foothold in your infra was gained because of something that they got from you and you didn't report it, you're making things worse, because that will be known in the future. Right. So you're putting at risk your reputation and the reputation of your company.
C
Okay. All right. So you guys, this has been an amazing conversation, but are there any other resources that you think people should check out online so they can learn more about how to stay safe?
A
Before we wrap, I would just give another plug for frameworks.securityalliance.org, a free resource of all of the tips on how to stay safe as a user and as a company. During DevConnect, Mata from DLN from the Red Guild also published this guide called, I think it's like, opsec while traveling, which I think you can also find online linked from SEAL Frameworks, which is about how to stay safe when you're a crypto person who's traveling around. Yeah. Have Seal 911 saved so that you can contact them if you need to. And then just a brief plug for the fact that all of these responders are volunteers and SEAL is a nonprofit. So if they help you save money, also feel free to consider donating to SEAL.
C
All right, well, thank you both. This has been just chock full of information, and I hope it keeps people and companies from having their crypto stolen.
A
Yes. But if it does, don't feel bad. Everyone's being targeted all the time. It happens to everybody, so don't feel like you messed up. If it happens to you, it happens to everybody eventually.
B
Yeah, exactly. It's more common than we think.
A
Yeah.
C
Okay. All right, well, thanks so much for joining us today, everyone, and happy holidays.
Title: How Crypto Users Get Rekt and How You Can Stay Safe
Host: Laura Shin
Guests: Pablo Sabatella (Founder of OpSec, Member of SEAL) & Isaac Patka (Certifications Initiative Lead at SEAL, Founder of Shield 3)
Date Released: December 24, 2025
This episode focuses on the evolving landscape of crypto security threats, recent high-profile hacks, and practical advice for both individuals and crypto companies on how to better protect themselves. Laura Shin hosts a timely discussion with security experts Pablo Sabatella and Isaac Patka, who share their insights on social engineering, operational security, the role of organizations like SEAL, how North Korean actors infiltrate companies, best practices for self-custody, and what to do if your crypto is stolen.
[04:05] – [09:18]
    Shift in Attack Vectors
    Social Engineering Threats
[09:19] – [13:48]
[15:13] – [28:54]
    How North Koreans Get Hired
    Detection Challenges
    Prevention Strategies [26:34]
[33:59] – [49:20]
    Best Practices
    Test Transactions
    Incident Response
[50:31] – [68:00]
    Common Attack Vectors
    Key Protection Recommendations
        Pablo
        Isaac
    Memorable Quotes
[62:31] – [67:13]
    Selecting a Custodian
    Best Setup
[70:11] – [73:36]
[73:38] – [76:39]
[76:39] – End
This episode delivers a comprehensive set of security heuristics, practical warnings, and a healthy dose of realism—crypto security is relentless, but layered precautions and community knowledge can keep you much safer.