Don’t wait until you get hacked: A guide to Web3 security

The losses I have suffered, you do not need to suffer again.

Author: Ye Su

After Bybit was hacked for $150 million, the reputable Infini was also attacked by hackers.

I also suffered significant losses from a hack a few years ago. Our company held internal security training this morning, and here are some personal lessons and prevention guidelines from it:

Emerging Modus Operandi in the Past Two Years

1. Impersonation of Friends (Social Engineering)

Hackers often obtain your private key or seed phrase by impersonating customer service, celebrities, friends, or investment opportunities. Stay alert and do not click on unfamiliar links.

This is the most difficult attack to defend against. Hackers have impersonated our company on Twitter/Telegram to run phishing scams. They typically pose as a contact, propose a phone call to discuss an investment opportunity, and send fake decks, Zoom links and URLs that deliver malware.

2. Internal Infiltration

This is the signature tactic of North Korean hackers, as shared by the founder of a leading CEX. Hackers infiltrate the company by applying for jobs, usually in the asset management, security architecture or finance departments, and carry out their operation from the inside after about half a year.

3. Similar Addresses

Within seconds, hackers can generate addresses whose first 5 and last 5 characters exactly match a target's, for example 10 addresses that start with 0x1234 and end with 56abc.

Hackers often mimic the transactions of large wallets, using these similar addresses for phishing. Be sure to verify the Txid and at least 5-6 characters from the middle of the address for every transfer.
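As an added example (not from the article), a Python check that compares the address you are about to pay against an allowlist of addresses you have verified in full and flags look-alikes that share the first and last five characters. The addresses are constructed samples; the prefix, suffix and middle-segment lengths are assumptions based on the advice above.

```python
# Defender-side look-alike address check (added example, not the article's code).
# Given an allowlist of fully verified addresses, classify a destination as an
# exact match, a look-alike (same head and tail, different middle) or unknown.
from dataclasses import dataclass
from typing import Optional

PREFIX_LEN = 5    # characters compared at the start (after "0x" is stripped)
SUFFIX_LEN = 5    # characters compared at the end
MIDDLE_LEN = 6    # the article recommends reading at least 5-6 middle characters

# Constructed sample addresses (40 hex characters after 0x).
TRUSTED = "0x12345" + "0" * 30 + "56abc"
LOOKALIKE = "0x12345" + "deadbeef" + "0" * 22 + "56abc"  # same head/tail only


def normalize(addr: str) -> str:
    """Lower-case and drop the 0x prefix so comparison is case-insensitive."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a


@dataclass
class Verdict:
    status: str               # "exact", "lookalike" or "unknown"
    matched: Optional[str]    # allowlisted address it resembles, if any
    middle_diffs: int         # differing characters in the middle segment


def classify(candidate: str, allowlist: list) -> Verdict:
    """Exact match wins; otherwise report the closest look-alike, else unknown."""
    c = normalize(candidate)
    best = None
    for trusted in allowlist:
        t = normalize(trusted)
        if c == t:
            return Verdict("exact", trusted, 0)
        same_head = c[:PREFIX_LEN] == t[:PREFIX_LEN]
        same_tail = c[-SUFFIX_LEN:] == t[-SUFFIX_LEN:]
        if len(c) == len(t) and same_head and same_tail:
            mid_c, mid_t = c[PREFIX_LEN:-SUFFIX_LEN], t[PREFIX_LEN:-SUFFIX_LEN]
            diffs = sum(1 for x, y in zip(mid_c, mid_t) if x != y)
            if best is None or diffs < best.middle_diffs:
                best = Verdict("lookalike", trusted, diffs)
    return best or Verdict("unknown", None, 0)


def reading_digest(addr: str) -> tuple:
    """Head, a centred middle slice and tail to read out when verifying by hand."""
    a = normalize(addr)
    start = (len(a) - MIDDLE_LEN) // 2
    return a[:PREFIX_LEN], a[start:start + MIDDLE_LEN], a[-SUFFIX_LEN:]
```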

4. Public WiFi

Avoid using public Wi-Fi to prevent asset theft through malware or Trojans. A compromised Wi-Fi network can be used to get directly into your device, whether at a hotel, at a party, or even on someone else's personal Wi-Fi, so be cautious. Use your own hotspot whenever possible.

Principles to Establish

1. Zero Trust Principle

In the blockchain world, do not easily trust anyone or any tool. All transactions and signing operations should be independently verified to ensure the source is trustworthy.

Even if your homie messages you asking to advance some money, confirm with him by phone, video call, or in person.

2. A Gentleman Does Not Stand Under a Dangerous Wall

At the first rumor of theft or loss, immediately move away from the source of risk, and only consider other questions once your safety is guaranteed.

Never believe in "too big to fail". FTX collapsed, and ArkStream and I avoided disaster by withdrawing on the first day.

For the remaining basic preventive measures, refer to the SlowMist Blockchain Dark Forest Selfguard Handbook.

Disclaimer: The content above is only the author's opinion which does not represent any position of Followin, and is not intended as, and shall not be understood or construed as, investment advice from Followin.