By Clementine Gazay

2022 will surely go down in the books as the year that Web3 became ubiquitous, or at least, it seemed to appear on every headline in your LinkedIn feed. The term has been used broadly to describe the entirety of ongoing next-generation efforts to decentralize ownership, financial instruments, systems, and information across the web. Naturally, these developments have massive implications for individual and corporate cybersecurity.

In the common perception, the Web1 era allowed us to access information via the Internet. The Web2 revolution gave society the tools to read and “write” information through content production and management. Web3 is one more iteration: authenticated ownership, community, and activity are now possible. The numbers support the bullish sentiments on growth: Market research estimates that the global Web3 market will reach US$81.5 by 2030, posting a CAGR of 43.7% during this forecast period.

Undoubtedly, a barrier to this growth will be cybersecurity threats to Web3 applications. However, as they continue to develop, Web3 technologies are being hailed as a new era of innovation for cybersecurity. In the Web3 world of tomorrow, people have control over their data. Hackers cannot tamper with information stored in decentralized systems by design. Smart contracts do not allow doubts about the ownership of virtual (and physical) assets. Its indecipherable “seedphrase” protects your crypto wallet and keeps your money safe.

It hasn’t taken the internet long to show that this is a naive point of view. A report from a NASDAQ source notes that “$2 billion was lost due to protocol attacks and despite the bear market, losses due to cyberattacks this year have already exceeded that number as of September 2022.” .

Market research estimates that the global Web3 market will reach $81.5 USD by 2030, registering a CAGR of 43.7% during this forecast period.

In late 2021, a gallery owner virally tweeted that he had been the victim of a virtual art theft. His high-profile Bored Ape collection, estimated at $2.2 million at the time, had disappeared from his digital wallet. Eventually, he recovered them with the help of other tweeters and the OpenSea platform. But the internet is forever, and the cry for help from it is now alive in perpetuity, like an NFT.

In addition to providing a fun anecdote, this story (one of many) demonstrates that there are inherent cybersecurity flaws in the Web3 economy. The question is: what are they? And where are the business opportunities?

The rise of high-value Web3 assets means more sophisticated attacks targeting valuable targets.

Web3 assets are no longer limited to decentralized finance (DeFi) components. Valuables on the web includes your crypto wallet, but has expanded to include NFTs and access to NFT communities. These high-value assets will undoubtedly be prioritized as attack targets, as they hackers go where reward meets effort. High value assets will be precisely targeted, resulting in sophisticated and highly specialized Y personalized attack campaigns People who invest in Web3 assets must be prepared to defend against these customized attacks. Discord accounts and activity are a source of information and inspiration for these growing attackers, as they are the central point of information about NFT ownership. If you’re investing in high-value NFTs with an active Discord profile, you’re opening a museum of fine art in a (theoretically unbreakable) glass case on display in a public place. People are still going to try to break that glass. As an individual, expect advanced and growing phishing attacks on all of your connected devices.

These high-value assets will undoubtedly be prioritized as attack targets, as they hackers go where reward meets effort. High value assets will be precisely targeted, resulting in sophisticated and highly specialized Y personalized attack campaigns

Applications and APIs that use blockchain technologies will be seen as the weakest links.

The decentralized blockchain that is resistant to hackers and integrity attacks by nature may not be the direct target, but applications associated with more traditional cybersecurity weaknesses will be. According to a Forrester report on Web3 security, “attackers deploy a variety of common and custom vulnerabilities to find and exploit code weaknesses and software vulnerabilities in web applications and APIs. [They] also look for flaws in cloud or container workload setups and deploy bots to mount attacks like credential stuffing and DDoS attacks.” The entire ecosystem around Web3 applications will be taken into account when planning an attack. Efforts aimed solely at protecting front-end applications can end up being bypassed by related-application attacks.

Advanced Persistent Threats (APTs) will not go away, and their consequences may be more serious.

APTs are highly sophisticated cybersecurity breach efforts carried out by skilled actors over long periods of time, often nation-states or large criminal organizations with resources to spare. They are among the most feared attacks by cybersecurity professionals, since APTs have a high potential for disaster; their orchestrators won’t stop until they do. In 2022, the FBI blamed North Korea for the well-known Lazarus attack responsible for the theft of $620 million in Ethereum. As long as there are Web3 assets with sufficient political, social and economic significance, APTs will proliferate. Something to keep in mind for El Salvador, which made Bitcoin official legal tender in 2021.

As long as there are Web3 assets with sufficient political, social and economic significance, APTs will proliferate.

Taking these lessons and putting them in terms of business lessons, attractive markets include:

• Personal security and antiphishing solutions for people with valuable Web3 assets;
• Enterprise tools that scan and assess Web3 security risks from third-party applications or certifications of compliance with Web3 security standards;
• Highly customized threat detection and threat intelligence services aimed at detecting APTs.

All in all, the Web3 era is synonymous with increased cybersecurity needs. They can manifest in ways we haven’t seen before. This could mean less focus on integrity protection, as transactions are now open for verification by the world on distributed ledgers. It could also mean more time-consuming, personalized phishing attacks on people with high-value targets. And, in a continuation of what we’re already seeing, growing sophisticated ATPs targeting politically valuable Web3 assets.

Clementine Gazay ’24 is a French-American MBA student and Venture Capital Fellow at Columbia Business School. Prior to business school, she was a cybersecurity consultant for Deloitte in Montreal and Paris, completing engagements for major clients in the financial, industrial, and telecommunications sectors.