How Cybersecurity is Bracing for the Web3 Age

The internet is undergoing an immense paradigm shift, with the implications of Web3 being widely discussed by tech entrepreneurs, investors and journalists alike. It’s set to be an evolutionary step every bit as world-changing as the rise of Web2, when static websites and largely passive internet activity (think GeoCities, visitor counters and guestbooks) gave way to the age of user-generated content hosted on social media networks overseen by a handful of tech behemoths.

Web3 is still ‘under construction’, to use that ubiquitous phrase from the Web1 days. But it’s generally described as being a new iteration of the internet which will be decentralised, powered by blockchain technology, cryptocurrencies and machine learning, and challenging the hegemony of ‘Big Tech’ by giving users greater ownership of their digital selves.

But, amid the promise of such fundamental transformations, one concern remains the same: security. Hackers and scammers have been active in the nascent Web3 space, with over $1 billion being lost to crypto scams between 2021 and 2022 in the US alone. The rampant threats mean that opportunities abound for Web3 cybersecurity startups.

A few key strategies have been used by bad actors looking to exploit the Web3 space. One is the 51% attack, also known as a majority attack. This is where a person or persons take control of more than 50% of the hashrate, or computational power, of a blockchain network. Those behind this kind of malicious takeover would be able to modify and even reverse transactions on the blockchain, allowing them to double spend their cryptocurrency. Think of it as the digital equivalent of counterfeiting banknotes. 

A monumental example of such an attack took place in March this year, when Ronin Network – an Ethereum-linked blockchain used to handle the transactions behind the popular NFT game Axie Infinity – was targeted. Wresting control of the network, the hackers were able to validate their malicious transactions and make off with a whopping $625 million in crypto. 

The age-old technique of phishing is also alive and well in this new era. There have been numerous instances of scammers zeroing in on Web3 users with legitimate-seeming messages, designed to extract information and money. Discord, the messaging platform popular with NFT communities, has been subject to countless phishing attacks in recent times. 

Hackers have commandeered bots in various Discord servers to block genuine moderators and send out phishing messages to communities. These messages have scammed users into following links for fake NFT giveaways and other apparent opportunities. 

A notable case unfolded in June, when Boris Vagner – social manager at the company behind the phenomenally popular Bored Ape Yacht Club NFT collection – had his Discord account hacked. The person(s) behind the attack then posted a hoax promotion which led unsuspecting users to link their crypto wallets through the phishing links, with a haul of NFTs being stolen as a result. 

During the long, gradual transition from Web2 to Web3, the onus is on networks to be alert to unscrupulous actors who will ruthlessly exploit both technical vulnerabilities and the potential for humans to make mistakes. Against this backdrop, it’s no wonder that cybersecurity firms have been enjoying big investments, even in the face of all the tech market turbulence in 2022.

“With security vulnerabilities dominating the crypto news headlines… the demand for Web3 security is only growing”. These were the words of one leading figure in Web3 cybersecurity, the ethical hacker Steven Walbroehl, who initially bootstrapped his startup firm Halborn. 

Fully remote, with staff based in nations as diverse as the US, Turkey, India and Peru, Halborn announced a $90 million Series A round in July. The company specialises in inspecting networks for flaws, and simulating techniques used by threat actors to pre-empt and safeguard against such attacks. Halborn has also been active as an M&A player, expanding its R&D division by acquiring Web3 automation and testing company Abyss Consulting in early 2022. This first acquisition has helped to consolidate Halborn position within the Web3 cybersecurity sector, with one of Abyss Consulting’s co-founders hailing Halborn as “absolute rock stars in the world of blockchain”.

Another major player is CertiK, a cybersecurity firm founded by a Columbia computer science professor which achieved a $2 billion valuation earlier this year after multiple funding rounds. Its soaring success has been fuelled by the equally soaring crypto losses of recent years. As a partner at Advent International, one of the leaders of a recent funding round, put it, “The decentralized Internet that runs on the blockchain has experienced high levels of security breaches and is in dire need of the kind of effective solutions that CertiK provides.”

These solutions include security audits of blockchain codes, attack simulations that can highlight problems in crypto exchanges and mobile apps, and a 24/7 threat monitoring service known as Skynet.

Even now, most of the way into 2022, Web3 isn’t a term that’s often used in popular, non-techie discourse. In March this year, a striking 70% of respondents to a poll by Harvard Business Review said they’d never even heard of Web3. 

But this is sure to change with increasing rapidity in the imminent future. Mass take-up of Web3 is coming. As the internet becomes more and more decentralised, and reliant on trustless networks which don’t rely on third parties to function, security solutions will need to be re-imagined to remain fit for purpose. The revenue potential for entrepreneurially-minded ethical hackers and cybersecurity experts is vast, and – with the global market expected to reach $376.3 billion by 2029 – we look forward to seeing exciting M&A activity in this space.