As cryptocurrencies become increasingly accessible to consumers, businesses and individuals need to be protected from newer and more sophisticated threats in the metaverse.

Cryptocurrencies have become increasingly accessible to consumers, what with recently launched crypto-funded payment cards.

From ‘rug pulling’ to fake crypto marketplaces to unregulated crypto trading, the lure of crypto riches in the nascent world of DeFi – blockchain-based decentralized finance – is fraught with cyber traps.

For instance, in 2021 alone, the Singapore police reviewed 393 crypto-related cheating and fraud cases, three times the number in 2019. It is estimated that Singapore retail investors have lost around S$29 million, largely due to ponzi schemes, bad investments in obscure projects and ‘pump and dumps’ where investors push the price up and dump it right after others start buying.

Businesses and individuals in Asia Pacific need to be protected from the newer and more sophisticated threats, scams and potential attacks arising from the emerging cryptocurrency-dominated metaverse.

CybersecAsia discussed the threats and possibilities with Tony Jarvis, Director of Enterprise Security, Asia Pacific & Japan, Darktrace:

As cryptocurrencies become increasingly accessible to consumers, what are the threats that businesses and individuals need to be aware of?

Jarvis: Relatively ‘new’ and complex cryptocurrency remains the wild, wild west. Novice users may get more easily scammed simply through their own lack of understanding of what everything means, and organizations may not have security in place that is capable of detecting these unusual and novel cyber-threats.

Criminals also benefit from crypto’s anonymity factor. It makes it significantly harder to trace funds if they have been fraudulently acquired and an attacker can disappear into the ether once the deed is done. Ultimately, transactions are only as secure as the user accounts that own them, despite blockchain itself providing additional transparency and a permanent ledger of transactions. 

Crypto-mining malware can disrupt or even crash an organization’s digital environment, if unstopped. Across our global customer base, our AI technology has discovered and interrupted hundreds of unusual cyber-threats where devices are infected with crypto-mining malware, including a server in charge of opening and closing a biometric door, a spectrometer – a medical IoT device which uses wavelengths of light to analyse materials – and even 12 servers being used for crypto-mining under the floorboards of an Italian bank.

As threat actors continue to proliferate and devise new ways to deploy crypto-mining malware, it is crucial that organizations are armed with cutting-edge technology that is capable of not only spotting the subtle, anomalous behaviour indicative of this threat, but taking targeted action to block this activity across the digital business.

What are the cyberthreats and financial scams to protect ourselves against in the metaverse?

Jarvis: Any discussions about cybersecurity in the metaverse should be prefaced with the acknowledgment that the concept remains very abstract and difficult to make informed predictions about. Nonetheless, there are vulnerabilities in all commercial-grade software, and once it reaches a certain threshold of users, bitcoin wallets, and financial information, these vulnerabilities become more lucrative for cybercriminals. 

We should expect to see advanced forms of social engineering, whereby the immersive experience provides a more evolved scam than a 2D email phishing attempt – body language, tone, and different level of datapoints will all make these much harder to spot than traditional phishing emails. Cybercriminals will always look for new ways to maximise their return on investment, and with property in the metaverse already thriving, cybercriminals will be able to make big bucks from these attacks.

Another concern for the future lies in the practicalities of the metaverse. If third-party software is required to access the metaverse or new devices, these will offer those with criminal intent many points of vulnerability that may be tested in an attempt to exploit the metaverse.

Tony Jarvis, Director of Enterprise Security, Asia Pacific & Japan, Darktrace

In the metaverse, how should organizations in Asia Pacific protect their online assets, and their customers’ information and identities?

Jarvis: Attackers use the same techniques to breach companies providing metaverse products and services as they do to breach more traditional companies. 

APAC organizations should think about where their metaverse assets and services take place and what security is required around it: is it their own environment, is it partially in a third-party cloud? Where are the actual NFTs being stored, and how are they secured?

In terms of security, these assets should be regarded like other financial assets and therefore highly protected with cutting-edge technology like AI – which is capable of stopping the most sophisticated and novel threats out there, even in the most exotic digital environments.

Strong identity security also needs to be in place to protect users from more mundane attacks such as scams – multifactor authentication and easily available education on metaverse security will be among the basic elements of cyber hygiene.

Since many non-technical people will use the metaverse, it is imperative to protect these users against scammers and cybercriminals – security must be baked in from the get-go. 

How can AI be leveraged to support crypto-security and cybersecurity in the metaverse?

Jarvis: Even if the metaverse feels novel to end users, most of the underlying technology is still traditional. Crypto assets are digital objects that have to be stored and secured somewhere – either in the hosting company providing metaverse assets or services, or in a common platform’s cloud environment. We are already starting to see attackers go after NFT exchanges and their supporting infrastructure with traditional attacks such as phishing or other forms of social engineering.

We’ve existed in many iterations of the metaverse for some time, whether that be the now ubiquitous videoconference, online role-playing games, instant messenger chats, or even email. Human and device interaction is still broadly the same across those different media, and provides data points for an AI engine to determine what it would expect to see as part of ‘normal’ day-to-day interactions or whether something is different among its peers, acting in an unusual way that could be malicious.

AI can therefore be leveraged to protect the metaverse’s underlying plumbing in the same way it already does for thousands of organizations around the world – by understanding ‘normal’ for an organization’s entire digital estate and using this to detect and respond to the subtle anomalies indicative of an emerging threat.