By Clementine Gazay

2022 will surely go down in the books as the year Web3 became ubiquitous, or at least seemed to appear in every title on your LinkedIn feed. The term has been used loosely to describe all of the next generation’s ongoing efforts to decentralize ownership, financial instruments, systems, and information to the web. Naturally, these developments have massive implications for the cybersecurity of individuals and businesses.

In common perception, the Web era1 has allowed us to access information through the Internet. The Web2 revolution has given society the tools to read and “write” information through content production and management. Web3 goes even further: authenticated ownership, community and activity are now possible. The numbers confirm the bullish sentiments on growth: market researchers estimate that the global Web3 market will reach USD 81.5 by 2030, registering a CAGR of 43.7% during this forecast period.

One of the obstacles to this growth will undoubtedly be cybersecurity threats to Web3 applications. Yet as they continue to develop, Web3 technologies are being hailed as a new era of cybersecurity innovation. In the Web3 world of tomorrow, individuals have control over their data. Hackers cannot alter information stored in decentralized systems by design. Smart contracts leave no doubt as to the ownership of virtual (and physical) assets. Your indecipherable “seedphrase” protects your crypto wallet, keeping your money safe.

It didn’t take long for the internet to prove this to be a naive point of view. A NASDAQ source report notes that “$2 billion was lost due to protocol attacks and despite the bear market, losses from hacks this year already surpassed that number in September 2022.”


Market research estimates that the global Web3 market will reach USD 81.5 by 2030, registering a CAGR of 43.7% during this forecast period.


At the end of 2021, a gallerist tweeted virally that he had been the victim of a virtual art theft. His highly publicized Bored Ape collection, estimated at $2.2 million at the time, had disappeared from his digital portfolio. Eventually he picked them up with the help of other tweeters and the OpenSea platform. But the Internet is eternal, and its cry for help now lives on in perpetuity – as NFT.

Besides providing an amusing anecdote, this story (one of many) proves that there are inherent cybersecurity flaws in the Web3 economy. The question is: what are they? And where are the business opportunities?

The increase in high-value Web3 assets means more sophisticated attacks directed at valuable targets.

Web3 assets are no longer limited to decentralized financial components (DeFi). Web-based valuables include your cryptowallet, but have expanded to encompass NFTs and access to NFT communities. These high-value assets will undoubtedly be prioritized as targets of attack, as hackers go where the reward meets the effort. High value assets will be targeted with precision resulting in sophisticated and highly specialized and personalized attack campaigns. People who invest in Web3 assets must be prepared to fend off these custom attacks. Discord accounts and activity are a source of information and inspiration for these growing attackers, as they are the central point of information about NFT ownership. If you invest in high-value NFTs with an active Discord profile, you open a museum of fine arts in a (theoretically unbreakable) glass display case in a public place. People will still try to break that glass. As an individual, expect an increase in advanced phishing attacks on all of your connected devices.


These high-value assets will undoubtedly be prioritized as targets of attack, as hackers go where the reward meets the effort. High value assets will be targeted with precision resulting in sophisticated and highly specialized and personalized attack campaigns.


Applications and APIs using blockchain technologies will be considered the weakest links.

Decentralized blockchain resistant to hackers and inherent integrity attacks may not be the direct target, but applications associated with more traditional cybersecurity weaknesses will be. According to a Forrester report on Web3 security, “Attackers deploy a range of common and custom exploits to find and take advantage of code weaknesses and software vulnerabilities in web applications and APIs. [They] also look for flaws in container or cloud workload configurations and deploy bots to mount attacks such as credential stuffing and DDoS attacks. The entire ecosystem around Web3 applications will be considered when planning an attack. Efforts aimed only at securing front-end applications can end up being circumvented by related application attacks.

Advanced Persistent Threats (APTs) will not go away and their consequences could be more severe.

APTs are highly sophisticated cybersecurity breach attempts carried out by skilled actors over long periods of time, often nation states or large criminal organizations with resources to spare. They are among the most feared attacks by cybersecurity professionals, because APTs have a high potential for disaster; their orchestrators will not stop until they have succeeded. In 2022, the famous Lazarus attack responsible for stealing $620 million from Ethereum was attributed to North Korea by the FBI. As long as there are Web3 assets with enough political, social, and economic significance, APTs will proliferate. Something to consider for El Salvador, which made Bitcoin the official legal tender in 2021.


As long as there are Web3 assets with enough political, social, and economic significance, APTs will proliferate.


By taking these lessons and putting them into terms of business lessons, attractive markets include:

  • Personal security and anti-phishing solutions for people with valuable Web3 assets;
  • Enterprise tools that analyze and assess Web3 security risks from third-party applications or Web3 security standards compliance certifications;
  • Highly personalized threat detection and threat intelligence services aimed at spotting APTs.

All in all, the Web3 era is synonymous with increased cybersecurity needs. They can manifest in ways we have never seen before. This could mean less attention paid to integrity protection, as transactions are now open to the world for verification on distributed ledgers. It could also mean more time-consuming personalized phishing attacks against people with high-value targets. And, building on what we’re already seeing, developing sophisticated ATPs targeting politically valuable Web3 assets.


Clémentine Gazay ’24 is a Franco-American MBA student and venture capital fellow at Columbia Business School. Before business school, she was a cybersecurity consultant for Deloitte in Montreal and Paris, carrying out mandates for major clients in the financial, industrial and telecommunications sectors.

Source link

Leave A Reply