A Brief Discussion on Recent Cryptocurrency Security Incidents: The Harm of Hackers is Far Less Than the Evil of Human Nature
Written by: Haotian
It is often said that hackers treat the crypto space as an ATM, eating away at the crypto market's growth layer by layer. The statement is not entirely wrong, but the harm that the ugliness of human nature does to the crypto space far exceeds the evil of hackers. Here are my thoughts from the perspective of a security practitioner.
1) The bar for hacker attacks has kept rising. Since 2018, the once common contract reentrancy attacks, integer overflow attacks, replay attacks, transaction rollback attacks, weak random number attacks and the like have gradually "disappeared," because the white hat forces in blockchain have grown into a formidable army. Through their continuous contributions, the overall code quality of the industry has improved and security awareness has been cultivated substantially, raising the bar for attackers. Today, a hacker who wants to succeed against the crypto market needs more meticulous vulnerability research, broader attack scanning, or a breakthrough upstream on the server and supply-chain side. The "investment" required for a successful attack keeps growing. So if a project discloses no details about an attack and merely mentions "a hacker attack" in passing, you should question whether it was a "hacker" at all.
2) In the past year I have seen too many private key compromises, contract admin privilege takeovers, oracle price manipulations, multi-signature breaches, governance token attacks, backdoors, rug pulls, and so on. To be honest, many of these incidents look surreal at first glance. Questions like "How could project xx slip up on something this small?" or "How could a cold wallet be attacked?" come from a respect for blockchain "technology": people are reluctant to classify such bizarre incidents as bugs of human nature. But once soft rug pulls dressed up as hacker attacks become a trend, that will be the greatest tragedy in the crypto space. After all, technical bugs are easy to eliminate; human nature bugs are hard to fix.
3) Incomplete statistics show that phishing, Ponzi schemes and other forms of fraud have long surpassed hacker attacks as the biggest poison in the crypto industry. Pure hacker attacks can often be sorted into clever thieves and foolish ones; with some legacy vulnerabilities, a public call-out may even lead to the funds being returned. After all, illegal gains from a hacker attack, such as planting a trojan, are at least recognized as crimes, so victims have some recourse in the courts. Phishing and Ponzi schemes, by contrast, are something most people can only write off as a "cognitive tax," with no remedy at all. The people who lay scam traps in bulk and the people who research vulnerabilities for real attacks are essentially two different groups. A hacker may probe out of curiosity and happen to succeed; someone who professionally exploits human weaknesses to run scams is quite another matter.
4) The Mixin incident worries me more than previous hacker attacks because of its user base. Most of its audience came from master classes, OG believers, early adopters who checked in daily to earn Bitcoin, and diligent investors hoping to build a future through dollar-cost averaging. They are fresh blood newly onboarded and could well have become the backbone of the next bull market. After this blow, they may have no choice but to go back to the factory to tighten screws, ride their little electric scooters again, and leave in anger a field that once held a glimmer of hope, further amplifying the stereotype that "the crypto space is all a scam." Sigh, the "tuition fee" for entering the crypto space is too expensive.
5) After years of calling for Mass Adoption, whether through ERC-4337 account abstraction, MPC multi-signature solutions, or intent-centric approaches, everyone originally shared one belief: lower the barrier to participation for users. Concepts like private key sharding, email registration, social recovery, and automatic execution by programs sound cool, but why do they sound so much like scams? That is an extreme reading, but it reflects an objective fact: when someone uses language that most people can understand to reassure the majority, the least trustworthy person may be exactly that one. After Mixin I cannot say for sure, but most projects aiming for Mass Adoption may be implicated, and the educators who explain crypto to newcomers will have to work harder to recharge faith in it. This is the wickedness of human nature.
Over the years, crypto technology has matured, security defenses have strengthened, the regulatory environment has grown more complex, and the evil of human nature has intensified. Yet one could also say this is a sign of the crypto world becoming more robust. After all, there is only one form of heroism in the world: to love life even after recognizing the truth of existence.