
MEDIANAMA – What’s Making Crypto Exchanges Vulnerable to CyberAttacks

MEDIANAMA, Bheem

The cryptocurrency industry is grappling with a rising issue: stolen assets from high-profile cyberattacks, with users often unable to recover their funds. This ongoing problem has highlighted significant security vulnerabilities within crypto platforms, leading to the loss of millions of dollars in digital assets. 

In this interview with MediaNama journalist Sharveya Parasnis, Hilal Ahmad Lone, Chief Information Security Officer (CISO) at Liminal Custody, discusses the challenges of securing the crypto space and preventing such breaches. Lone explains how Liminal Custody’s holistic approach to security, incorporating technical, operational, and compliance controls, helps protect digital assets from cyber threats. He also compares the security frameworks of traditional financial institutions with the evolving practices in cryptocurrency, stressing the need for stronger governance and regulations. Addressing the rise of state-backed cyber actors like North Korea’s Lazarus Group, Lone shares his insights on the future of crypto security and the steps needed to safeguard users’ assets from theft and fraud.


Excerpts from the Interview With Hilal Ahmad Lone:

Sharveya: Hello, and welcome to MediaNama. This is Sharveya, and today I’m speaking with Hilal Ahmad Lone, the Chief Information Security Officer at Liminal Custody. Liminal is a tech company that creates secure wallet infrastructure for its clients, many of whom are in the cryptocurrency and Web3 space. The cryptocurrency industry is currently facing a crisis, with numerous incidents of cyber attacks against notable exchanges leading to the theft of hundreds of millions of dollars globally. We will be speaking to Hilal about the challenges of ensuring security for crypto firms and how the industry can deal with such serious problems. Thanks for being here, Hilal.

Hilal: Thanks for having me. It’s a pleasure being here.

Sharveya: So, in simple terms, how does Liminal Custody help ensure the security of its customers’ platforms?

Hilal: That’s a loaded question. I think it’s a holistic approach. We consider security and trust to be the foundation and building blocks of the business, so we take it extremely seriously. And the way we do it is through a holistic approach. We have technical controls, we have operational controls, we have regulatory and compliance-related controls, as well as processes, supported by the technology, to get all these things done and help ensure that the controls are working properly. So it’s a combination of technology and processes, and making sure that it’s all built into the design of the business as well as the product.

Sharveya: Okay. Could you go a little bit into detail about what your wallet infrastructure is like? Because I understand that’s one of your main products or services, right? How exactly does it function and what exactly does it provide to your clients?

Hilal: Okay. So a wallet in the crypto world is basically where you store a digital asset. You have three different types of wallets. One is the hot wallet, which is consumer-facing. The consumers use the hot wallet, and you do transactions on the fly. Then you have warm wallets. Warm wallets are not implemented everywhere, but they are like an intermediary, where you need access to assets or funds or any other assets. So you get a warm wallet as an intermediary, and then your cold wallet, which is the third type of wallet. The cold wallet is where you keep your assets for storage as well as for instant custody. So the cold wallet is where you keep the majority of the assets, which are not necessarily required by the exchange or by the clients at a moment’s notice. So it takes time. We operate at the cold wallet level. We actually rehydrate or repopulate the hot and warm wallets. When the fund trading or the transaction is initiated by the client, if the hot wallets do not have enough funds available at the moment, they will get rehydrated from the warm and cold wallets. So that’s how the cold wallet infrastructure works. Of course, there’s a lot of technology and supporting infrastructure behind all of that. But on a very high level, this is how wallet infrastructure works.

Sharveya: I wanted to speak a little bit about some of the cyber security challenges that many of the cryptocurrency exchanges, not just in India but globally, have been facing. To set some context, in March earlier this year, hackers broke into CoinDCX, which is India’s first crypto unicorn, and stole Rs. 368 crore via a server breach. Earlier the same year, ByBit actually lost $1.5 billion in another cyber attack, which makes it the largest crypto heist in history. And the year before that, WazirX, which was then India’s largest cryptocurrency exchange, lost $230 million, or around half of all of its reserves. So I just wanted to get your perspective on some of these recent incidents, because it does seem as if there has been a trend towards a large number of cybersecurity incidents and cyber attacks specifically targeting the cryptocurrency industry. I wanted to get your perspective on this trend.

Hilal: The recent incidents and incidents in the past indicate that there is a serious challenge with cybersecurity and the prevention of fraud and abuse on crypto platforms. Because this is very public and makes a lot of noise, we tend to see that going on and on, and there seems to be no end to that. But that’s actually something that you see from a lens that’s directed towards the crypto system. Traditional infrastructure and the FinTechs and financial organisations suffered similar attacks, but at a much, much higher volume. And the transactions and the fraud are not of that scale, because here, for example, you mentioned CoinDCX, you mentioned ByBit, and all of those. All of those incidents were very high-profile incidents because they took a very short amount of time and the sophistication of the hack was very interesting. So that’s why it was so media-friendly. On the other hand, there are amounts of fraud and abuse that happen on the traditional fintech side, because I have been there. I was the CISO of Razorpay earlier.

So I know exactly how fraud and abuse work in the traditional financial industry as well. So now, why is there a lot of noise and why is there a lot of focus on cyber security in crypto systems? The fact is that these incidents point to an ongoing trend of similar hacks getting executed, because if you look at DCX or you look at ByBit, or you look at some other hacks, right? Most of them stemmed from some lack of process and governance. So there has been a substantial amount of people being ignorant or overlooking some of the processes that they have to follow. For example, the DCX hack was social engineering. Similarly, ByBit was social engineering. The private key was compromised after one of the systems was compromised. Similarly, other attacks had similar attack vectors. So the attacks were not necessarily very different, or the modus operandi was not very different. It’s just that we did have controls around it, but the fact is that the effectiveness of those controls was not tested. Which actually brings us a lot more into the news, because of these high-profile incidents that happen.

But of course, there are a lot of things that the crypto industry as a whole suffers from, like the immaturity of the tooling around it. For example, we don’t have a lot of mature tools, threat intelligence, and all those things in crypto right now. So I do believe that there are a lot of improvements to be made. But at the same time, some of these things happened not because of a lack of security, but because of negligence, and that needs to be addressed.

Sharveya: Thank you for your response. I noticed that you mentioned that there was a general lack of process and governance in the cryptocurrency space. Do you think that the traditional banking and finance industry, which, as you said, is also subject to its own fraud and abuse, is something that has managed to evolve a much higher standard of processes and cybersecurity governance than the cryptocurrency industry? If so, how exactly can the cryptocurrency industry catch up to the traditional banking and finance space?

Hilal: So you’re right. On one hand, the regulated entities like the banks and other financial instruments like insurance and all that have very mature regulatory and compliance frameworks. So you know exactly the environment in which you are supposed to operate. And if, for example, there is negligence or lack of due diligence from any of the operators, their business actually becomes vulnerable. They [regulators] can stop the licensing, they can stop them from operating from a particular geography, or they can put a suspension on the services and things like that. So there’s enforcement in the traditional financial industry. The crypto standards do not actually have any centralized regulatory organizations or any traditional frameworks that support them. So a lot of it stems from the fact that there’s a lack of enforcement in terms of regulation and compliance. There are no global or regional standards that the crypto industry can adopt. So while we are working on it, it’s still some way off, because I don’t think, if you can point out one regulatory standard that crypto has to follow, it will be very difficult.

I will be surprised if you know exactly the standards that you should follow. Which means that there is a lack of awareness, there’s a lack of a lot of these things that we need to have in place to be able to match the standards that are there in the traditional financial instruments. Now, the challenge is that the crypto industry or the crypto systems were built with decentralization. It used to be autonomy and anonymization and things like that. Those are the principles it should be based on. So a lot of these regulations will actually be contrasting with the principles of the crypto industry. It’s kind of like saying, what I started with, I’m not going to continue with that. So this is generally the sentiment in the industry, adopters as well as the founders, that there are some regulations that may be applicable and some may not be applicable, particularly for stopping fraud and abuse. For that we have AML checks, which are anti-money-laundering checks. We want to make sure that people do not abuse the platform. So we have other things in place which do actually take care of most of these things.

But we have a long way to go to get standards or regulations in place to match the security that is there in the financial systems that follow the traditional methods.

Sharveya: So I noticed that you mentioned that the cryptocurrency industry is something that is built around decentralization, as opposed to a central bank. There is no central bank for Bitcoin or any cryptocurrency like that. Do you think that, shall I say, the foundational philosophy of cryptocurrency is something that could end up actively harming cryptocurrency users today, because it might prevent cryptocurrency firms from coming together and forming, say, a self-regulatory body or coming up with some industry standards that everybody has to follow, even if it’s not a top-down policy that is set out by the law?

Hilal: See, there is no question about ensuring that there is some way to regulate the money flow or regulate the contracts. Otherwise, there will be an influx of fraud and abuse in the system. We want to make sure that that does not happen. Given that situation, where we want to make sure that the platforms that we build or operate are not abused, we need certain controls in place. But at the same time, we also do not want to compromise on the principles on which it was built, because then it loses the functionality that it was supposed to offer. So there has to be a compromise between functionality and the regulations. So while we cannot go full throttle or go all in on the regulation, we want some way to make sure that we are not being used for any abuse. So, in terms of whether it will harm the crypto industry? I don’t think so, because the industry itself is a bit more mature than it was before.

And the decentralisation is still there for a reason. We don’t want somebody to make decisions for somebody else. Everybody needs to have a say in how the chain operates, how the contracts actually flow. So I don’t think that’s actually a desirable outcome of this. But I do believe that there has to be some compromise made which balances the control with the features that make up the blockchain or cryptocurrencies, for example the decentralization, anonymity, autonomy, and all of the native features that blockchain offers. I don’t think that should be compromised.

Sharveya: Now, if I could ask you to point out, according to you, the single biggest security change that you think Indian exchanges must make so that things such as the WazirX or the CoinDCX [hacks] don’t happen again. If there’s a single change that they can make, according to you, what would it be?

Hilal: Unfortunately, there’s no single thing that can prevent all of these things, because, like I said in the beginning, it needs to be holistic. By holistic, I mean it has to be a combination of different things. You need to put a process in place where you ensure that a single person getting compromised does not lead to a wider impact. You need those processes in place. You need to make sure that you have segregation of duties. One person should not be the approver as well as the reviewer of the transactions. Similarly, we have technology in place. For example, Liminal offers multi-signature wallets, which require at least three to four signatures for a transaction to be executed. Or we have MPC, which is multi-party computation, which means that the key is divided into multiple parties so that a single person cannot become the victim of that. So in that context, people have to adopt those strategies and ensure that a single compromise does not lead to a massive hack. And I think if there’s one thing they can do, they need to double down on key protection, making sure that the keys are not compromised.

And to be able to do that, they obviously need to change the culture as well as the technology that they operate on. So in summary, I think it’s a combination of things, but most important is how they protect their private keys and how they ensure that the roles are selected based on principles like segregation of duties and two-man control and a multi-signature wallet. I think that will help the exchanges a lot.

Sharveya: So I wanted to bring in a global context now. In January this year, there was a joint statement issued by the governments of the United States, South Korea and Japan, which blamed North Korea’s state-backed actors for carrying out cyber attacks on cryptocurrency exchanges across the world and stealing around $659 million in 2024. This included the infamous WazirX hack. How do you see the rise of state-backed threat actors targeting the crypto sector, and what are some of the additional challenges that come with dealing with such parties?

Hilal: In cybersecurity terms, we call them persistent threats or targeted attacks. Meaning that somebody from North Korea, like the Lazarus Group, which is responsible for most of the crypto hacks. They operate in a certain way, but they are adaptable, and they actually change their modus operandi from time to time. It’s always important to understand that we have to make sure that there is a strategy to counter any advanced persistent threats or any targeted attack. So we have to be able to do consistent visibility and consistent monitoring on our infrastructure that supports wallets or supports blockchains. The idea is that some of these persistent threats are not very noisy. They don’t actually work day in, day out. They will carry out one activity today, and three months later they will conduct one more activity. So there are a lot of different ways they operate. Meaning that it’s very difficult to create a pattern or create a monitoring dashboard for us to be able to track them effectively. So we need to rely on a lot of causal analysis.

We rely a lot on deep threat intel and indicators of compromise, as well as signals coming from different sources, to be able to track these groups like Lazarus and all that. So we have to be constantly analyzing that data. And once we analyze the data, we come to know whether we are being victims of a persistent threat or not. So in order for us to be a step ahead of them, we want to make sure that we have taken care of the basics from our side, as well as ensure that whatever modus operandi they’re going to be using, we are not going to be victims of that. So this requires visibility into the signals that they are actually creating, as well as ensuring that we have real monitoring and alerting in place to make sure that any persistent attack is not successful. Discovering the attacks is not very easy. Like I said, they don’t create a lot of noise, which means that we have to have really good infrastructure to detect that, meaning that we have to have analysis of data over months and months or years and years to figure out whether we are going to be the next targets or not.


So I think this is something that our organization has already adopted, but still there is a long way to go. I don’t think we have perfected it, but some basic controls are still being developed and some have already been implemented as well.

Sharveya: So you mentioned you might be able to predict whether you or your organization may be the next target or not. But I wanted to know, let’s assume that, for example, you are able to determine that you may be a potential target for an advanced persistent threat in the near future. What exactly do you do then?

Hilal: Yeah, one small correction. We don’t just say that we might be potential targets. We say that we are always going to be targets, meaning that we are in a state of always making sure that we are ready for any exigency that may arise because of persistent threats. Because we believe that we are in something called a breach-ready state, meaning that we believe that we are not going to be able to counter everything that they have. So we have to be ready all the time, right? So in order for us to do that, we want to make sure that there is nothing of interest for them. So I always give this analogy. To put out a fire, you either remove the oxygen or you remove the fuel. Only those two things can stop a fire. Similarly, when we want to make sure that we are ready for persistent threats, we remove the objects of their interest – what they can actually gain from compromising our systems. We don’t want somebody to actually have access to sensitive information that they will want. So for example, I was talking earlier about securing your private keys or making protection of private keys a priority.

So in order for us to do that, we want to make sure that nobody actually has a key ever in plain text. It’s like a zero-knowledge system. Nobody has the knowledge about where the key is. So even if a persistent attack is successful, they have got nothing from it, because they cannot exploit our systems. Meaning that when we remove things that they want, there’s no point for them to attack us over and over again, because it’s an exercise in futility for them. They don’t gain anything from it. So that’s how we prepare ourselves. They want to execute transactions. We don’t allow transactions to happen from a key or from a single state actor. So we want to make sure that we have proper authentication and authorization in place, which includes hardware-based authentication or physical authentication. Meaning that when we have those controls in place, no matter what happens, we are not going to be victims of that. So when we actually mature our system to that level, we mature a process to that level, then it becomes rather straightforward to counter any attack that can come from institutions and these attack groups like Lazarus that come from North Korea and states like that.

Sharveya: Now, just to add one last question about some of these state-backed actors. Do you think there is a particular reason that they’re specifically targeting the cryptocurrency sector more? Because I think that it’s comparatively rare to find examples of advanced persistent threats targeting banking or finance, for example.

Hilal: Absolutely. I mean, see, I can give a lot of examples. The SolarWinds attack was there that compromised 75% of the servers worldwide. The CrowdStrike attack happened that compromised 80% of the servers worldwide. So persistent threats can actually get prominence anywhere. But you’re right. The crypto industry is actually a juicy target, primarily because there is a complexity involved in the systems that gives rise to vulnerabilities and things like that. Also because of the lack of knowledge and lack of monitoring of all of the cross-chain networks and things like that, because there’s no interoperability in terms of monitoring and things like that. So I do believe that it can be a juicy target for them. But at the same time, it’s very important to understand that it’s not just the persistent threats. The regular threats are also becoming a big nuisance, not just coming from Lazarus and all that, but coming from very isolated incidents. They become a nuisance as well. And there can be potential for insider threats as well. An insider threat can execute a fraudulent transaction that could be in millions, and you will not be able to detect it. So it’s a holistic thing.

I think it’s an all-around thing for us to ensure that all of these things are accounted for. In terms of the ratio of persistent threat attacks against crypto versus traditional cyber systems, I think it can be 80-20. So I think 80% of their attacks will be targeted at manufacturing, logistics, it will be health care, it will be IT. And then 20% of it is directed towards crypto systems. It’s just a matter of visualizing it and looking at it in a perspective that actually puts it in a very clear way, rather than saying that just because it’s noisy, it is more attractive to them.

Sharveya: Okay, I understand that. But also, I think most of these cryptocurrency attacks, they’re also more about stealing money, rather than infrastructural damage or causing some disruption somewhere. So do you think that is something that also plays a role?

Hilal: Oh, absolutely. Motivation for basically financial gain is always going to be there. And this is something that’s more or less going to be untraceable. So that’s a very big motivation factor for any hacker. So they want money and they can disappear with it. So, yeah, I think that plays a big role. And you’re absolutely right in that.

Sharveya: I also wanted to talk a little bit about the traceability of stolen cryptocurrency funds. Say, for example, an exchange that you’re working with is hacked today. Would it be possible for the users whose cryptocurrencies have been stolen to recover them? And what are the realistic expectations that they should have?

Hilal: It can be a yes and a no. Yes, if that money trail or the transaction trail is traced to the conversion place. Say, for example, the wallet transaction actually flows down to Binance; then it can be traced. But if it goes to something that’s not traceable, it cannot be traced. Usually, it’s the second thing that happens in hacks, because they don’t go to your traditional exchange. They go to non-traditional exchanges. It’s a very sensitive thing to talk about, particularly when people would want to know if that money is safe or not. So you cannot just say that it is 100% safe or 100% not safe. That’s not an answer. They are looking for a binary answer. Yes or no. And there is no binary answer. So I think that’s what Arnaud wants to point out.

Sharveya: I understand, of course, there cannot be a binary answer for something like this, but if you could illustrate some of the challenges that somebody who’s trying to trace some of these cryptocurrencies that have been stolen could face and if there’s any potential way that we can overcome those.

Note: Liminal Declined To Answer This Question

Sharveya: My next question is, if an exchange you work with is hacked today, what are some of the steps you need to take immediately?

Hilal: Yeah, that’s a great question. I think there are two things that we do, both on the prevention side as well as the detection side. On the prevention side, we want to see whichever of our wallets were compromised on that exchange. We want to add those to our blacklist so that they are not compromised again. And we have the facility to ensure that all those wallets are added automatically to our block list. And we blacklist all the transactions that are going on with them. That’s the first thing. And we isolate the exchange, because we work with more than one exchange. So we isolate that exchange and preserve our transactions with them, whatever has happened, so that if we need to do an investigation, we have enough collateral to do our investigation properly. And then, of course, we want to notify those affected. If it was our responsibility to inform, then we inform the affected parties of the hack, which can be public as well as private. And if there is any notification that needs to be sent to any of the regulatory bodies – for example, in some geographies, we may be working with some regulatory bodies, and they may want us to inform them as well.

So we’ll inform them as well about it. Then the standard incident response playbook gets started. For example, the insurance actually happens. We want to make sure that we have started analyzing the origin and make sure that the exchange also gets help from us in terms of doing their investigation as well. On the detection side of things, we want to make sure that we get the forensic images of the systems that are working with that exchange. We preserve the state in which they are operating at that time, so that if law enforcement needs it in the future, we can facilitate that. Apart from that, if there is any involvement of insurance, because the exchange will have some insurance and things like that, we want to facilitate that as well if it is within our capacity to do so. Apart from that, we will also want to make sure that the exchange is able to carry out their own investigations as well. So we want to trace that as well, if there are different types of logs that we can share, like the trace logs, the transaction logs, and things like that.

And if they have subscribed to a whitelist and blacklist, we want to update that as well. So there are a lot of different things that we do when an exchange gets hacked. The most important of them is to isolate it and blacklist it so that it does not continue to be exploited. So that’s the thing that we do in case an exchange gets compromised. The second point, I think, is that we want to understand the nature of the hack and put policies in place and lessons learned from that, and ensure that we bake that into the incident response to ensure that we are not victims of a similar attack as well.

Sharveya: All right. Thank you for this. Now, that brings me to my last question. Recently, the Financial Intelligence Unit made cyber security audits compulsory for all virtual digital asset service providers operating in India. So what is your perspective on this move? And what are some other policies needed to help crypto firms secure customers’ funds?

Hilal: Yeah, I think this is a great initiative. The FIU sent a notice that regular audits were necessary. At Liminal, we have been doing it since our inception. I think it’s a welcome thing for us because we have already been doing it. So it becomes a natural thing for us to comply with that as well. It’s very fortunate that we have all the things ready to comply with this order. So yeah, I think it’s a very welcome change. I think it should be more frequent, and there should be some way of doing surprise audits as well. I think that will help to make sure that people are maintaining due diligence and that they’re maintaining the baseline controls. That will also allow people to map the requirements to the controls that are necessary. In terms of policies, I think we already have a lot of KYB and KYC requirements in place. I think that can be further strengthened to ensure that legitimate transactions actually go through. And the auditability is very, very important. So the auditability from the baseline transaction is very important.

I think in other ways, what they can facilitate is the liaison between law enforcement agencies and the exchanges. I think that will definitely help, if they bring in a simplified policy of how we actually deal with it. If there’s a centralized database or a repository where people can share the different incidents that they have faced, that will be very helpful.

Sharveya: Thank you very much for this enlightening discussion, Hilal. It was great. For more tech policy updates, please subscribe to MediaNama.
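Editor’s note: the two controls Lone keeps returning to in this interview are key protection through MPC or multi-signature custody (the key is divided so that no single compromised person can spend) and segregation of duties or two-man control (the initiator of a transaction is never its approver). The Python below is an added illustration of both ideas and is not Liminal Custody’s code or a description of its product. It splits a signing key into t-of-n shares with Shamir secret sharing over a prime field and then applies a withdrawal policy that rejects any approval set containing the initiator. A production MPC wallet signs without ever reconstructing the key in one place; this toy reconstructs it only to show that fewer than t shares carry no information. The prime (the secp256k1 group order), the role table and the names alice, bob, carol and dave are all assumptions constructed for the example.

```python
"""Added illustration, not Liminal Custody's code.

1. split_secret / recover_secret: Shamir t-of-n secret sharing over GF(P),
   the principle behind MPC and multi-signature custody. Any t shares
   rebuild the key; t-1 shares reveal nothing about it.
2. authorize_withdrawal: a two-man / segregation-of-duties policy in which
   the person who initiated a withdrawal can never count as an approver.

All names, roles and key values are constructed for the example.
"""
import secrets

# Assumed field: the order of the secp256k1 group, so a real ECDSA private
# key (an integer in [1, P)) fits directly as the shared secret.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_secret(secret: int, t: int, n: int, rand=secrets.randbelow):
    """Split `secret` into n shares (x, y) such that any t reconstruct it.

    `rand(P)` must return a uniform integer in [0, P); it is a parameter
    only so the split can be made deterministic in tests.
    """
    if not (1 < t <= n and 0 <= secret < P):
        raise ValueError("need 1 < t <= n and 0 <= secret < P")
    # Random polynomial of degree t-1 whose constant term is the secret.
    coeffs = [secret] + [rand(P) for _ in range(t - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0 over GF(P).

    With t or more shares of a t-of-n split this returns the secret; with
    fewer it returns a field element unrelated to the secret.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def authorize_withdrawal(initiator: str, approvers, required: int, roles: dict):
    """Two-man / segregation-of-duties policy for a custody transaction.

    Returns (ok, reason). Rejects if the initiator is also an approver, if
    any approver lacks the 'approver' role, or if fewer than `required`
    distinct approvers signed off.
    """
    approvers = set(approvers)
    if initiator in approvers:
        return False, "initiator cannot approve their own transaction"
    missing_role = sorted(a for a in approvers if roles.get(a) != "approver")
    if missing_role:
        return False, f"not authorised to approve: {missing_role}"
    if len(approvers) < required:
        return False, f"need {required} approvals, got {len(approvers)}"
    return True, "approved"


if __name__ == "__main__":
    key = secrets.randbelow(P)
    shares = split_secret(key, t=3, n=5)  # constructed 3-of-5 custody quorum
    assert recover_secret(shares[:3]) == key
    assert recover_secret(shares[2:]) == key
    assert recover_secret(shares[:2]) != key  # two shares are useless
    # Constructed role table: alice initiates, bob and carol may approve.
    roles = {"alice": "initiator", "bob": "approver", "carol": "approver"}
    print(authorize_withdrawal("alice", {"alice", "bob"}, 2, roles))
    print(authorize_withdrawal("alice", {"bob", "carol"}, 2, roles))
```

The policy check and the threshold split are independent layers: even a signer who holds a valid share cannot move funds alone, and even a full quorum of approvers is refused if the initiator is among them, which is the single-compromise containment Lone describes.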
