Web3 technology users face new and recycled security risks, study shows

The world's transition to Web3, which is being driven by blockchain technology, presents security experts with a new set of unique challenges along with recycled threats, according to a study by Cisco.

Bad actors on the internet are particularly focusing on the metaverse, along with its underlying technology, the California-based network gear maker said.

“The metaverse landscape appears ripe for cyber criminals,” Fady Younes, cyber-security director at Cisco Middle East and Africa, said in the report.

“Whether they are translating old threats in the new metaverse space, leveraging time-tested social engineering and phishing techniques of the past or beginning to craft new technical attacks to make money in new ways, the cyber criminal game is growing.”

Web3 is the emerging new concept of the World Wide Web, with blockchain, decentralisation, openness and greater user utility among its core components.

Its market size is expected to be valued at about $6.2 billion in 2023, and is projected to grow at a compound annual rate of 44.6 per cent from 2023 to 2030, according to Market Research Future.

Web2, the current iteration that emerged in the mid-2000s, resulted in the rise of more interactive web pages, with millions of people around the world able to view user-generated content in an instant.

It further exploded with the advent of powerful mobile devices, social networks and other media platforms.

Its mid-1990s predecessor, Web1, used static pages with limited interaction and functionality. Although content creation was in its infancy at the time, it boosted online banking and trading.

According to the Cisco study, cryptocurrency-related verticals and methods of attack are being exploited, including Ethereum Name Service (ENS) domains, social engineering and the so-called whales.

ENS is a service that simplifies blockchain-backed crypto addresses, similar to how sites such as bit.ly shorten URLs.

Since these domains are easy-to-remember names, this has led to popular ones being trademarked and resold by third parties.

“As a result, nothing prevents the owner of an ENS domain from using that name to trick unsuspecting users into believing that they are dealing with a legitimate organisation,” Cisco said.

Social engineering attacks — or “human hacking”, a manipulation technique exploiting human error to gain private information — account for the vast majority of security incidents among Web3 users.

One of the most dangerous cases of fraud committed through this technique is tricking users into sharing their “seed phrase”, a 12-to-24 character code that is basically a user's private key that can be used to recover a crypto wallet if it is lost or destroyed.

Hackers can use a seed phrase to clone a wallet and use it as their own.

The social engineering threat has also spawned another challenge: people that pose as customer support agents who respond to user requests on social media platforms such as Twitter or Discord.

Bad actors monitor these channels and will contact users to offer “help” — but with the ultimate goal of coercing them to share their seed phrases.

Meanwhile, whales are high-profile crypto accounts that hold a large amount of digital assets. Cyber criminals monitor these accounts — it is estimated that about 40,000 whales own 80 per cent of all non-fungible token value — then attempt to strike with a social engineering attack that convinces users to invest in their fake projects.