Doing a quick mic check.
Thanks, Ryan. Just doing a quick mic check to make sure everything's working.
Yeah, same here. All the speakers are here.
We're just going to give it about three more minutes for a few more people to come in.
So we'll start right at the top of the hour. All right, let's kick things off.
Thank you, everybody, for coming.
Just want to note that this will be recorded.
So if you hear something in here that you think you want to share with some of your colleagues, just let us know and we can get you a recording to do that with.
So we're here to talk about some of the challenges that we face as security professionals in
cryptocurrency, especially when you are joining a company and you're one of the only security
professionals. I think that's the case with a lot of us. So I'm here. I've been in cybersecurity for about 20 years now.
The last four years, I've been in crypto, setting up security teams at several, at least four,
cryptocurrency projects. And I'm joined here by folks from Zero Shadow, SEAL, and HyperNative.
We'll just talk about how you can set up a security program at your project.
So some quick introductions around the table.
We can start with, I'll just go in the order they show up on my screen here.
Fives, if you want to introduce yourself briefly.
I'm the initiative lead for SEAL Intel at SEAL.
We take care of, within my initiative, we take care of ISAC, which is the information sharing and analysis center.
As well, SEAL has a whole host of different initiatives that can help the community, like SEAL 911, which deals in emergency fund reclamation.
We have our safe harbor, protecting of white hat rescuers.
We have war games and certifications,
which are somewhat self-explanatory.
Frameworks, which is basically a how-to guide for Web3 security,
which is a new initiative that has come up.
So that's us in a nutshell.
All right, Tal, do you want to do Zero Shadow?
Howdy, yeah, my name is Tal.
I am head of BD, go-to-market at Zero Shadow.
Zero Shadow, previously, we kind of started out
as an incident response firm.
I've done a ton of more, like, proactive security.
We continue to work on reactive incidents in the space. So, you
know, when funds get stolen or an exploit does take place, our team of global investigators
comes in to try and triage and, you know, do our best to recover the stolen funds. I'm
joined by two of my colleagues, Julia, one of our co-founders and Ziggy. So I'll let
them introduce themselves as well.
Thanks, Tal. I'm Julia. As Tal said, I'm a co-founder of Zero Shadow and also leading up our investigations team, so mainly focused on the tracing and recovery of stolen funds.
Hey, my name's Ziggy. I work at Zero Shadow as well. I describe myself as a human attack
surface specialist here at Zero Shadow. What that means is I focus on how people, rather
than just code or infrastructure, can be targeted, manipulated or exploited themselves. So
whether that's phishing, social engineering, insider threats, and even things like robbery,
kidnapping. You know, attackers are always constantly looking for ways to bypass technical defenses
and going after people is a good way to do that.
So it's my job to help stop that through education and remediation,
which is a big part of what we do here at Zero Shadow as well.
All right. And finally, last but not least, HyperNative.
Hi, I am Gal, CEO of HyperNative.
HyperNative is a real-time security and fraud prevention company detecting real-time risks and then responding and preventing them.
Excellent. Thank you, everybody.
So we'll jump right into it because I want to be mindful of time.
So let's start with an introductory question. What makes DeFi security fundamentally different from traditional fintech security? And we'll start with HyperNative, please.
There are three things, probably, that make it different. One is the definition of security.
I think when we started HyperNative and we went to a protocol, for example,
security was audit and maybe a bug bounty or formal verification.
I think over the years, security has evolved because it's a much bigger thing than just code-based.
The other thing that I noticed is that DeFi organizations or protocols or DAOs are a very unique kind of organization, right? They have the perimeter of the security: who is in, who is in
charge, who are the people that are part of it,
what is the IT that is part of the development
or the internal. It's very different from
an organization that has security and has employees and
has computers and devices that are owned by the organization.
And with all of these processes, when there is a very fluid perimeter, then there are additional risks. And the other aspect is that DeFi security includes all Web2 or traditional security, from
application security to people and devices, but it also has on-chain security, which is related
to smart contract, how they are deployed on-chain and how they are interacted. And Solidity is a very low level language
that helps you make a lot of big mistakes.
And the time of an attack, of an on-chain attack,
is really, really quick when you compare it
to traditional security attacks
that usually takes sometimes hours, sometimes even minutes where an on-chain attack
can really end in a transaction.
And a lot of times it's transparent to everyone.
So having the means to detect these
and react to these automatically is very, very critical.
Okay. And for the Zero Shadow folks, we have some builders in DeFi. They're starting their
first projects. They're just getting their first bit of TVL. And you guys engage with a lot of
these projects. So when do you think they should start thinking about security and start looking
to, you know, set up a security program?
Yeah, I think the question is always today rather than tomorrow. There's never too late,
but in my opinion, too late is sometimes when you're already live and handling real user funds.
At that point you're not just taking risks as an organization or project, you're also gambling with
your users' trust. And so I think from day one, as soon as you begin, you should be thinking about how security fits
into everything that you're building going forward. And that doesn't necessarily mean hiring a big
team right away, but what it does mean is designing your system with safety in mind.
And, you know, you should be using things like well-authored libraries and keeping things modular
and, you know, not reinventing the wheel unless you absolutely have to. And you should try and get someone involved
quite early on, whether that be a developer with a security mindset or an external advisor,
but someone who's security-minded and can flag risks early on in your project. Security really
should grow with your project, and you shouldn't be chasing after it after the fact. And it's way easier to build things, you know, right from the very beginning than it is to patch them
later under pressure.
All right, thanks for that. Now I'm going to start with SEAL on this
question, but I want to hear from everybody. What do you folks see as the biggest threats right now
to DeFi protocols? Go ahead, Fives.
Well, at this point, from what I'm seeing, I would say the biggest threat right now is
phishing and social engineering.
This is where it all, for me, what I'm seeing, it really starts.
And it's not necessarily the big transactions and the big thefts that are going to happen
after this, but it's the multitude that are happening right now.
And it's, I mean, it's the age old thing of tricking humans into making mistakes.
And even some of your big stuff like Bybit and all those huge thefts start with that
social engineering, that phishing, all of that, you know, getting the humans to make
mistakes that ultimately cost hundreds of thousands, millions and more when it comes
So to me, that's the biggest thing right now.
And Julia, you're dealing with a lot of incident response.
Are you seeing that same trend?
Like what are you seeing as the instigator for a lot of these threats?
Yeah, definitely. I think the idea of everything coming back to
social engineering is a really good one because we are seeing that human element really being
an issue. And one of the attacks that we see over and over is private key theft because of malware being added into someone's systems ... to be an investor or maybe give them a job opportunity or even just provided them a website
that they thought was going to do one thing but was really an info stealer and then
didn't even realize that they had compromised their entire system.
So that human element is definitely something critical and something that I don't think
gets as much attention as it always could.
Awesome. And Gal, so you guys often see the hacks once they hit the chain.
When you're tracing those things back, those exploits you see when the funds are being stolen,
where do you see it originating from? Is it like contract exploits, a lot of social engineering? What's your take?
Yeah, I think we see the same sentiment,
like operational security and human factor
are very big factors and big attack vectors today.
We also see a lot of misuse of third parties
from oracles and different kinds of integration
And of course, vulnerabilities in the code.
What I've seen is, right, like attackers are trying to find the weakest link at any time.
So when people are focusing more on auditing, formal verification, then the human factor becomes easy.
And the way that you would like to think about security is that the risk can come from different angles
and you want to really be able to essentially identify and monitor all of these different kinds of angles.
Okay, so now that we have a brief understanding of the threat landscape,
and we can go into some more detail a bit later.
I find a lot of projects are struggling to hire in this space.
They want to hire a security lead or someone to run security,
but they're not sure what to look for in that person.
So, and this is a question for any of the speakers here.
What do you recommend founders look for
when they're trying to hire their first security hire?
I think it's a great and challenging question, right?
Like it's the same for, I think, DeFi protocols and, you know, startups and alike.
Head of security is something that, sometimes I feel, people are a bit late to hire.
And it's a very important function
because you have all of these different things
that you need to consider.
You can't really consider them yourself.
Even with one person that is joining,
that person will need to essentially manage
the budget that you're allocating to security
and be able to identify the points that they want to really focus on.
And a lot of it comes from, I think, understanding the risk landscape.
So you want someone that has a background in security.
I feel that you want someone that also has a background in traditional security, because
of all the points that we touched, that a lot of the incidents that happen are also operational
and malware-related and things that are related to the Web2 part of the protocol. But then you
also want, optimally, someone that understands the different nuances of the risk
vectors and where you want to focus.
And to me, it's like bringing that full-time person is usually something that you want
to do earlier and do when working with consultants and when the work flows and the amount of risk is at the point
where you are now in a production environment and leveraging a consultant is just not enough.
Right. So let's talk a little bit more about that because I find a lot of folks are struggling with budget too. Like how do you build out a security program? Where do you spend your money? What's the most effective way to spend that budget, especially when it's limited? So Tal, you've dealt a lot with like the sales part and engagement. Where do you expect to see security leads spend their first bit of budget? Like what are the things they have to get first to get off the ground?
Is your question more so like what do they have to do before they start thinking about like security budget spend?
Or is it more so like at what point, like what's the nexus?
So when they like pull that trigger.
So let's talk about like if you're just walking into a DeFi project,
you know, this new coin and you're the head of security and you're just starting fresh,
like, what's the first few things that you're going to do,
where's the first places you're going to allocate your budget to get the most bang for your buck?
Totally. Yeah. It's a good question. Um, I think oftentimes people start with like a, maybe like a smart contract audit, right? They look at like their exposure on chain.
I think that's like a really good place to start.
And I think most projects, you know, tend to begin with that.
I do think that as time goes on, they start to think about like more proactive approaches,
especially like the more mature security leaders.
And that's where they tend to engage with like platforms such as HyperNative,
But they also have to think a lot about like their infrastructure, right?
Like I think something that people don't necessarily take into account from the
jump is that there's a bunch of Web2 architecture
that's like super important when it comes to your security practice.
And so I think like just being open to those types of conversations early is, you know,
going to prevent any major compromises in the future. And so I think like, um, specifically
in DeFi, I would say, you know, probably right before mainnet is where I see a lot of, uh,
conversations taking place. Like, I feel like from my perspective, I'm having conversations with founders or CTOs or head of security folks probably 30 to 45 days before maybe a TGE or
before a mainnet. That's kind of what I'm seeing at the moment.
Okay. Now, I see a couple of people in the audience who do a lot of work with Discord
hacks and Telegram hacks.
Um, how do you guys see dealing with that sort of stuff? I'm a bit off script here,
but this is something that's on my mind a lot. Like you're in a brand new company,
you're thinking, okay, I need on chain monitoring. I need like EDR. I need, you know, audits. But then
you have employees who are, you know, on, on X, on Telegram, on Discord, and these are all
places where we could potentially be hacked and lose control of some bit of our comms.
Maybe, Fives, do you have any thoughts about how we can tackle that challenge of all these
platforms that we don't necessarily have control of?
That's a great and big question.
Realistically, that becomes the human element again.
We can put so much technology at defending people's machines when it comes to trying to protect them from them.
Well, I hate to say it, but sometimes from themselves.
You get too trusting of people online
and that leads again to that social engineering,
which then leads to compromise,
which then leads to loss of funds and other things.
So, I mean, realistically, the biggest thing is education and building, to me,
building when you build security in from the ground up and you get people thinking
about security and you get people thinking that, you know what, I really can't trust
anyone and it may be a little bit of a paranoid way to look at things.
But when it comes to all these people that you're engaging with, what's that level of trust that you have in those people?
And it's getting people to think about that. Knowing that when you're talking to people on
these platforms, if you don't know that person, at least you need to have people that know that
person. You have to have that sort of vouching.
So before you're engaging with these people
or getting them to help you with any of your projects,
you need like two or three people
to be able to vouch for that person,
to know that that person's real.
And even then, trusting that person
is still something that you've really got to be very careful with
because it's so easy to be able to get into some of these groups
and be that bad guy behind the lines
and compromising people and doing all the bad things.
It's a tough, tough thing to completely secure.
And I don't know that we'll ever get to the point
we'll be able to completely secure it.
But I think education is the key thing here
And like I say, if you build it in from the ground up
and don't tack it on later,
you get your people thinking about it from the ground up.
Because ultimately what ends up happening if it's something
that's put on later and you're like, okay, don't do these things, right? It's that much harder because
people are like, oh, it's so much easier if I do it this way instead of following all of these steps.
So, you know, if you can get it from the ground up and get them thinking about it, then it just becomes part
of their workflow. And when something's part of your workflow, there's not even a thought
to what you have to do because you're already doing it. Okay, anybody else have any thoughts
on social media accounts again? I'm talking like Discord, Telegram, X.
It's a little tangential, but just something that I wanted to bring up with this is that there's really like two other elements of the social media side
that I think are important to think about in a protocol,
which is, first of all, who you're hiring.
So there's a lot of DPRK IT workers that will come around and reach out via
Telegram or Discord and offer to work for your company and provide KYC
documents that actually, I guess not KYC,
but they'll provide like documents for themselves that actually can pass some low-level verification. So just that the idea that Fives was saying about trying to
verify who you're talking to and get one or two people's
verification before you just like run with something is really important. And then the
other thing that we've noticed in a lot of exploits is that
there will be some kind of suspicious Discord user who asked about an attack vector,
and that happens to be the same one that gets used. So not that you can predict the future,
but just keeping an eye on when you have some random users coming and asking questions that might be out of the ordinary for a typical user.
So when it comes to hiring, this is one that worries me a lot, especially in crypto, where it's not unusual to be hiring folks who are very privacy conscious.
So you have, you know, either they just don't want to be known very well, or they want to
Do you guys have any advice for when you're hiring?
Like, how do you deal with that?
Where you want to get the best talent, but sometimes the best talent just wants to be,
or have some amount of anonymity.
Well, I can add a bit of my two cents into this, in that, and I understand that, again,
I'm Fives. Is that my given name? Absolutely not. So there, you have to have that ability
within this space to have that, but at some point somebody has to know who you are. And it comes down to, in my...
whenever I bring somebody in, whether it's directly in or as a volunteer or whatever,
I have to see your face. I'm sorry, I have to see your face and I have to know you're a real person.
And not everybody may agree with that, but that is, to me, one of the big steps that I go through when looking at bringing somebody in. It's like, I don't need a copy of
anything. I don't need, I'm not going to store anything. I have to get on a meeting. I have to see who you are. And from then on,
I don't care what you call yourself. I will call you whatever you want me to call you.
And I will introduce you as that. But to have that knowledge right from the start that, hey,
I'm talking to a real-life person. It's not some, you know, GIF or some, you know, AI-created, you know, persona. I know that I'm talking to that
person. So it doesn't have to be a whole bunch of people that know who that person is.
And it doesn't have to be shared across everything. And all the all of your, you know, executives or
whatever. But to have that knowledge of that person
just makes that verification step that much better. I mean, you're never going to be 100%,
but that's a huge part of it for what I believe anyway. And for the most part, I haven't had any
trouble with that in any of the people that I've brought on.
Oh, sorry, go ahead, please.
Sorry, just to interject, I 100% agree with Fives there.
You know, you look at a lot of us who work in this industry,
and many of us will use AI-generated profile pictures.
We won't reveal our full names.
We do so for good reason.
We care about anonymity, and we care about our own privacy,
and we don't want to make ourselves a target for these sorts of actors. But someone does have to know us for
us to be hired in the first place. Someone has to understand who we are and understand our reputation,
if not our identity. Now, reputation used to be an easier thing to sort of use to validate someone,
but we have seen a lot in recent history,
you know, DPRK profiles, fake IT workers that have got reputation. They've given you, they've gone away,
and they've got good GitHubs that have become respected. They've already worked for a company
and someone can vouch for them, but they're playing the long game. They want to get inside of the next
company. They've built that reputation so they can get that next job,
so they can infiltrate the next big company.
So reputation counts for a lot, but don't necessarily always trust it.
You should always try and have a face-to-face with someone,
and even that is getting harder.
We talk about deepfakes a lot in this industry as well now,
and they are getting so much better day by day.
So it's something you always have to be aware of, unfortunately.
And to add to that as well, that face-to-face, coupled with several people who can vouch for that person,
that again builds that amount of trust that you're actually talking to the right person.
And to me, putting all those pieces together
lessens your risk of bringing in that bad actor.
And just kind of an anecdote before I move on to some technical stuff with incident response.
It is interesting within our security community.
So each speaker here I've met except for Ziggy.
And it turns out within the security and within crypto security, there's actually a lot of people who will be willing to do a face-to-face and meet you if they ask. They're not going to, like, publish a lot on LinkedIn, or they're not going to divulge it willingly to everybody.
But once you build that trust with a few people, it's actually a reasonable
question to say, hey, let's meet up at a conference and actually talk face to
face. It's not completely out of the blue.
Like I say, all the speakers here I've met, except for Ziggy.
And because I know Kyle and Julia, well then, I can trust that they hired
Ziggy so I can trust Ziggy.
It's like this kind of, you know, this circle of trust that you build with folks.
Okay, let's move on to incident response, though, because this is what keeps me up at night
all the time is trying to figure out how quickly me and my team have to be able to respond
So from the time we see something unusual on chain to the time we can actually, you know, get the people from the multisig together to take action.
It can be very tricky. So I'm going to go to Gal for this.
What is your expectation for how quickly a company has to be able to respond to an anomaly on chain?
I think it comes down to, you know, the previous question also that you asked,
right? Like we want to have an on chain is not different than any other, right? Like attack
vector. You want to think about all the different attack vectors where on chain is one of them.
And then you want to be able to have a plan, right? When something goes wrong,
how do I react to that? And how do I react really depends on your role access and how you
think about risk. We are working today with protocols that give HyperNative, for example,
full permission to trigger an emergency action on chain,
based on a HyperNative detection.
And that could be even in the same block or one block
after the hack transactions.
So very, very quickly. We do have other organizations, right,
that want more, as you said,
the multisig people there, and they want people to approve the decision.
In the end, it's a balance between how secure you want to be and how sure, or how access is being handled.
For us, we always prefer the fastest methods.
And I think from a technology point of view,
we do see that in many, many hacks,
a very fast response can really prevent,
if not all, then a considerable amount of
So very critical to respond as soon as possible,
of course, that you want to enforce on yourself.
Okay, so one of the things I struggle with, and anybody can follow up with answering this.
So I get, like, an alert through Opsgenie at, you know, two o'clock in the morning
that says something unusual is going on on chain.
It might take me, you know, two, three minutes to wake up.
In a typical Web2 scenario,
I could take maybe up to an hour to respond to something
and then analyze it, try to figure what's going on,
and then respond just because there's no real funds,
The likelihood of funds being gone within an hour
Now, that's different in crypto.
So if you were to give like a number,
anybody here, how quickly do you think I have to be on the phone with incident responders
from the time I get the alert, per se, if I have like an overnight team who's watching alerts?
So the threshold that we recommend is 15 minutes. And while that too, well, it's obviously as soon as possible,
because there's always the chance to try to stop the future losses, like I was talking
about. What we've noticed is that, in addition to the ability to shut down a protocol, it's also super important to
actually follow any funds that have been taken in an illicit manner as quickly as possible,
because that can be the difference between freezing at a specific exchange versus the
funds really spreading out and going to mixers and becoming just
commingled with other things and just harder and harder to recover. And so that's something that
at least we're always trying to do is we have a global team. So there's always someone that's
awake and we're trying to keep to that 15 minute rule.
And following from that, what's kind of our expectation? I know there was a time,
like even just four years ago in crypto, where the idea of freezing funds was just like,
no one wanted to do it. No one wanted to touch that. Like, pausing a protocol was just a crazy
idea. I feel like sentiment is changing a bit
within the last, especially within the last year or so,
where we're starting to see layer twos
who are more willing to freeze funds on chain
through the protocol itself.
We have exchanges who are being required to freeze funds.
We've got Circle who can, you know,
basically at any time, just like, you know,
people if they wanted to, not being in a mean way, in a good way, because it means we can
What should our expectation be, as security folks, for protocols and apps to actually be
willing to enable, to help us stop funds from moving? No one wants to go on record with that there?
I can start it. I think Taylor Monahan has said this very well in the past, which is
if you have the ability to do something, then really we are under the thought that you should do something.
So if you are fully decentralized and you really don't have control over
like any of the elements of your protocol, then that is one part of it. But there are a lot more instances where there is more centralization
than it might look at first glance.
And so I think the ethos has really changed towards trying to
actually try to stop an incident or stop illicit funds from moving
if there is the option to do so.
And I think another element as well is that a lot of times
we are interacting with crypto via websites
and not directly to the chain.
So there is still some kind of element where you can
at least make it harder to move funds,
even if you're not able to explicitly stop them.
Okay. Now, part of this is having, I suppose, like a plan in advance, right?
So I'm very biased on this topic with incident response plans.
I think everybody should have them.
But I'm wondering if anybody can talk about the difference between when you're working with a company that has an incident response plan in place
and one that hasn't set one up at all, just kind of like,
you know, doing it as you go. Like, what sort of differences do you guys see
in the ability for the company to actually, you know, get a good result out of a hack?
And I can speak on that one a little bit. So without the plan, it's basically chaos. You,
you're trying to find the right person the person who has the answers on how to shut things down or solve problems.
You're trying to reach people who may be asleep.
You don't necessarily know the phone number for them or how to get in touch with them,
whether it be a Telegram handle or a Slack channel or anywhere else.
And without that plan, it's very much chaos.
And you're trying to solve problems on the fly,
and that's never the best way to do things,
especially when things like money are on the line.
If you've got the plan in place,
it makes everything much more straightforward,
especially if you've wargamed it ahead of time.
You've put it to the test, you've simulated a breach, an incident,
and you've been able to test.
This all works perfectly.
And if it didn't work perfectly,
what do we need to improve going forward?
If that plan's in place, you know who to contact,
how to contact them and who's doing which job
and how you resolve this as quickly and as easily as possible.
And it should also include things like communication
to the user base, to the community,
especially if it's something that could be assured for
or something that could be used to target elsewhere.
Communication is also key as part of incident response plans.
It's all about reaching out and knowing who it is, often.
If I can add also, I think first we talked a bit about traditional finance, right? Like
in a lot of other industries, incident response is a legal obligation that you have to do.
And incident response is not just about an on-chain incident response.
We mentioned before Telegram or Discord hacks, right?
Like every area of security risk, you really need to come prepared with a plan.
And to me, that's the flow of security.
You understand the flows and the systems that your organization or your protocol is using,
whether they are Web 3 or Web 2.
You analyze the risks in these flows.
Then you monitor because some of the risks you take, you understand that they are not bulletproof.
So you keep monitoring these different risks, the ones that you can solve with policies or processes you solve.
And then you do have this incident response plan where, assuming the worst is happening,
you know what you are going to do
and how you are going to react and who are the people that you are going to call.
So you will resolve swiftly and avoid unnecessary damage,
because doing something that you know how to act on, in any area of your risk, is going to be much better
than thinking about it in real time.
Okay, now talking about incident response plans,
one of the things I never, or I didn't often, do in Web2 security
was worry about physical attacks as much.
Like, I didn't have an incident response plan
for if one of my executives were going to be kidnapped,
because the likelihood of that happening in Web2...
But Ziggy, let's talk about physical security specifically
because I think a lot of people
are starting to worry about that.
I have very forward-facing executives
and senior leaders who are out there at conferences, they're on podcasts, people just
know who they are. And I worry about it a lot more than I used to. So talk us through, what does an
incident response plan look like for physical security, and how do you prepare your executives
for physical security?
Yeah, so first of all, I'll just talk some stats. So, you know,
we're halfway through 2025, we're in June. We've had 29 confirmed physical crypto incidents in that
time across the world. There were 32 last year in the whole of the year. So, you know, we're already
on our way to doubling the amount of incidents. So it's definitely a growing issue, and, you know, it's grown since the very beginning. Um, you know, back in 2014 was the first recorded Bitcoin in-person
theft, and now we're at, you know, double digits. You know, we're looking like we're going to be
close to 50, 60 incidents this year. So it's definitely a growing problem. It's one that every,
you know, project, every organization in Web3 needs to think about.
I think the first thing is awareness.
They are becoming more and more common.
And understanding that sort of overexposure that we might do to ourselves accidentally and sometimes on purpose is part of the issue.
We perhaps share too much on social media.
We have data that's involved in data leaks. We use, you know, the blockchain itself is transparent, and that's
why we love it so much, but it's also, you know, a double-edged sword. Someone might be able to
discover our net worth if we've not, you know, obfuscated our cold wallet correctly or used
services to do so. So a lot of that is around personal awareness around those
sort of exposures that can make us a target, and then it's also planning for these things. So when
people go on trips, are they doing a, you know, a travel risk assessment? That's something that we
do here at ZeroShadow for many of our clients. You know, say someone's traveling to Paris next week.
We will do a travel risk assessment. We will tell them there's been 11 incidents in France that
have involved physical crypto attacks, and that's a true statistic. We will tell them where they
occurred, places that they might want to avoid, and we will recommend services to help improve their
physical security, whether that be actually things like bodyguards, which seems, you know, very extreme,
but unfortunately it's part of the world that we're moving into. We're seeing a lot of, you
know, violent incidents. But it's also, you know, understanding that if someone is taken,
who do we contact to try and minimize the impact? You know, do we have, you know, ransom insurance?
That is a thing, you know. Do we have contact information for, you know, law enforcement? Did
we make people aware ahead of time?
Did that person take, you know, a GPS tracker?
That is something we think about and it's something we do tell our clients about.
We do work very closely with, you know, third-party security organizations.
So it's all something that people have to be aware of now and have at the front of their mind,
especially when they're traveling, but also at home as well.
We recommend that people never share their location.
We recommend people don't let people know where they live because data leaks are everywhere.
And it's so easy now to uncover information about people just by doing a simple Google search often.
It's another thing we do here at ZeroShadow.
We do personal threat assessments where we look at all of the data that's out there about a VIP at a company.
And we then try and mitigate that.
We try and get it removed.
And if not, we try and teach them how to avoid those things in future.
And I just wanted to add one more element, and I really want to echo everything Ziggy just spoke about.
I think another key piece in all this is, I don't think folks sometimes understand that, like, they have exposure not directly through their online presence, but perhaps through their families.
Right. Like, if you're really great about your OPSEC, you never know if your daughter tags you in something, your sister posts about something, your mom posts about something, you know, Facebook, Twitter, LinkedIn, there's so many different platforms where things exist. And, you know, we at ZeroShadow also do, in our threat assessments,
we uncover a lot of these vulnerabilities that you might not consider, you know, and the way
that you can get doxxed and your location can be found, right? So, you know, a couple weeks ago,
we saw this attempted kidnapping
of the daughter of, you know, a crypto executive. Um, really scary. Um, you know, and I think folks have
to take into account that it's not just them online, it's their entire, uh, you know,
connection. So people want to take advantage of, you know, there are obviously terrible people out
there, there are people who want to take advantage of your loved ones, and that's how they can get to you. So, um, yeah, it's just scary stuff and
things you just have to consider.
Yeah, absolutely. Um, yeah, stuff that I, like I say, I never really
thought about before. We could probably do a whole Spaces on just physical security. I think it's a
lot of stuff that we don't often talk about, uh, in the community, or maybe we do, but I mean,
more recently we're talking about it a lot more.
I guess one of the things that struck me right away, just out of curiosity, and then we'll
move on to some other topics, but I thought about, should I hire for my executives, or
should I look at hiring bodyguards for my executives?
That seems like, I've never thought, like, I know how much EDR costs.
I know how much, you know, on-chain monitoring costs. When you talk about physical security, what are the
costs associated with, like, how much would it cost me to have a bodyguard follow around an executive
in France while they're at, etc.?
Um, it's certainly not a cheap thing to do, and what we will always say is it has to be risk-based.
Now, if we are talking about France, because of the heightened issues that are going on in France at
the moment, and, you know, you'll see in the news lots of people have been arrested in relation
to the most recent kidnappings and robberies, but unfortunately the people who've been arrested
are, you know, the low-lying members of that organized crime group. They're not the leaders. They're not the orchestrators of these plans.
Those people are still out there, and they will continue to do so because it's so lucrative to target crypto professionals.
You've got to see this as you're investing in your people. You want to keep them safe.
If someone gets their crypto stolen, that's a big loss.
If you're paying for bodyguards, it's hopefully a lot less than that.
If someone loses their life
as part of one of these incidents,
because you wanted to save a few thousand dollars,
because you didn't want to pay for a bodyguard?
If someone's going to travel to somewhere else
where we haven't got the intelligence to suggest
there are these organized crime groups
that are targeting crypto professionals,
we will always be honest and say, you don't need to invest in such heavy security.
Here's just a security review.
Here are perhaps some areas to avoid and some things to be aware of.
But heavy security is not needed in this case.
We're never trying to upsell people.
We just want to keep them safe.
I just want to sit down and talk more about this, but we're coming close to time.
So we're going to do something later where we can have you
on, Ziggy, and some folks from ZeroShadow, and talk a lot about physical security.
Um, but yeah, let's pause there.
I want to get back to it at some point though, because there are so many fascinating things.
Um, but because we're getting close to the end of time, I just want to give everybody
a chance to take a moment to talk about what are the practical things
that security leaders in this space can do to help protect their companies. I'll just start with
Fives. Again, he's the first person on my list here. Fives, just a few pieces of practical advice for security
leaders out there and what they should do to help protect their companies.
A big thing, and I mean, we talked about a lot already,
but getting and building relationships in the security community is a huge thing.
As much as you can, having, like, for example, again, I kind of toot my own horn a little bit,
but with SEAL ISAC and having that data that we have and that we offer.
I mean, we're not the only people doing this. There are other ISACs, there are other
databases of information. But when you make those connections and get access to that
amount of data, it can only help you secure your on-chain, your companies, your Web2, all of that, that much easier,
because you've got that stream of data, whether it's, I mean, domains, like in phishing, I
mean, we're seeing 500 a day, different domains that are being used,
whether you're seeing the latest and greatest
threats, things that are already happening, things that are about to happen. I mean, all of that
data that you could be getting, I mean, it's invaluable. So making those connections and working
as much as possible together in this space to defend, I think that's a huge thing right now.
To me, there are two things.
One is educate yourself about the different solutions
and companies operating in the space.
Like, at least get to know all the different solutions.
And that relates also to what Fives said, which can be, right,
like, create relationships that will reference or
tell you about the different solutions.
The other thing that I notice is post-mortem thinking. Use the team or yourself to think, okay, I got hacked, my smart contract got hacked, my Discord got hacked. Now go backward and think about, okay, how did it happen?
and then be able to surface in a document or in some way the different ways that you are exposed.
And when you're doing this process backward, you're able to essentially flag the different areas that you might have not thought about.
And then you will be able to look for solutions before it actually happens.
Yeah, for sure. Awesome. Julia?
Yeah, I think one thing that I wanted to bring up
is just this mentality of trust but verify.
I think that's become really important
and something we've talked a lot about today.
So whether that's people that you're interacting with, whether that's the actual transactions that you're signing, whether that's what kind of website you're logging into.
I think across everything, it's just taking that second step to think before you act.
Awesome. Anything to add, Ziggy?
So I think so often in Web3, we forget the origins of security in Web2.
We actually have a document at ZeroShadow that we share with clients,
and I'll try and get this shared as well for everyone listening.
We call it the "five things to do right now" document, and it goes through, like, very basic Web2 security tenets.
But, like, you know, the first one's, like, positive security culture. So we've talked a lot about
community when people have answered this question, but it's such a big thing. We're
all learning together, and while many, you know, organizations would traditionally see themselves
as competitors, that's not really the case in Web3.
We often see ourselves as one big community working against fraudsters.
We're all trying to build something.
And the fraudsters are the enemy.
We're not enemies of each other.
So there's a lot of community sharing.
There's a lot of intelligence sharing in this community.
And that's such a big thing, building that positive security culture.
And then it's simple Web2 basics like managing access,
things like password managers, multi-factor authentication,
things like using VPN and DNS filtering to block out those known phishing websites,
those known impersonations,
things like enforcing the principle of least privilege within the estate,
things like Google Workspace.
Not every single person needs to be a super admin, for instance.
Um, as simple as things like BYOD, bring your own device.
So prevalent in Web3, but we can still do things like, you know,
mobile device management to try and guardrail against vulnerabilities that
are introduced in that way.
Uh, and last but not least things like accreditation.
So that's been such a big thing in Web 2 traditionally,
things like ISO 27001 and SOC 2,
but it's also relevant in Web 3.
If you build these things in from a very early stage,
you can harden down your environment,
you can harden down your infrastructure
and make it much, much harder for those,
for actors to find a foothold and get in.
And then lastly, coming back to Web3,
it's treasury management. You know, so often we see organizations and projects which haven't got
treasury nailed down straight away, and that's a weak point. They could lose funds quite easily
just through a seed phrase loss, but, you know, they could be using things like MPC and multi-sigs and
stuff to really lock that down and make themselves much more secure.
Really appreciate you all coming and chatting with me here.
There's just, yeah, it's a great space.
And I encourage anybody who listens to this, if you are part of the security community,
just get to know everybody in the security community.
It is such a welcoming space of people.
You know, get involved with SEAL, talk to other heads of security.
Everybody wants to talk about this stuff.
And the one thing I wanted to point out that Ziggy mentioned is we don't compete in security.
Within the security space, everybody wants to share.
It's not as aggressive as some of the other industries were in Web2.
Here in crypto, we're all inundated with work.
We have so much to protect that we're all willing
So please reach out, talk to other folks
in the security community and just, yeah,
get to know people, go to spaces, go to conferences.
On the one hand, we want you to protect your personal identity.
On the other hand, we really want you to go out there
and get to know some of these folks. So thank you everybody for joining and hopefully we do
this again sometime. Cheers. Thanks so much, everyone. Thank you.