Web3 has a metadata problem, and it’s not going away

Opinion by: Casey Ford, PhD, researcher at Nym Technologies

Web3 rolled in on the wave of decentralization. Decentralized applications (DApps) grew by 74% in 2024 and individual wallets by 485%, with total value locked (TVL) in decentralized finance (DeFi) closing at a near-record high of $214 billion. The industry is also, however, heading straight for a state of capture if it does not wake up. 

Elon Musk has teased placing the US Treasury on a blockchain, and however poorly thought out the idea is, the tides are turning as crypto is deregulated. But when they do, is Web3 ready to “protect [user] data,” as Musk surrogates pledge? If not, we’re all on the brink of a global data security crisis.

The crisis boils down to a vulnerability at the heart of the digital world: the metadata surveillance of all existing networks, even the decentralized ones of Web3. AI technologies are now at the foundation of surveillance systems and serve as accelerants. Anonymity networks offer a way out of this state of capture. But this must begin with metadata protections across the board.

Metadata is the new frontier of surveillance

Metadata is the overlooked raw material of AI surveillance. Compared to payload data, metadata is lightweight and thus easy to process en masse. This is where AI systems excel. Aggregated metadata can reveal much more than encrypted contents: patterns of behaviors, networks of contacts, personal desires and, ultimately, predictability. And legally, it is not protected in the way that end-to-end (E2E) encrypted communications now are in some regions.

While metadata is a part of all digital assets, the metadata that leaks from E2E encrypted traffic exposes us and what we do: IPs, timing signatures, packet sizes, encryption formats and even wallet specifications. All of this is fully legible to adversaries surveilling a network. Blockchain transactions are no exception.

From piles of digital junk can emerge a goldmine of detailed records of everything we do. Metadata is our digital unconscious, and it is up for grabs for whatever machines can harvest it for profit.

The limits of blockchain

Protecting the metadata of transactions was an afterthought of blockchain technology. Crypto does not offer anonymity despite the reactionary association of the industry with illicit trade. It offers pseudonymity, the ability to hold tokens in a wallet with a chosen name. 

Harry Halpin and Ania Piotrowska have diagnosed the situation:

“[T]he public nature of Bitcoin’s ledger of transactions […] means anyone can observe the flow of coins. [P]seudonymous addresses do not provide any meaningful level of anonymity, since anyone can harvest the counterparty addresses of any given transaction and reconstruct the chain of transactions.”

As all chain transactions are public, anyone running a full node can have a panoptic view of chain activity. Further, metadata like IP addresses attached to pseudonymous wallets can be used to identify people’s locations and identities if tracking technologies are sophisticated enough. 

This is the core problem of metadata surveillance in blockchain economics: Our financial traffic can be effectively de-anonymized by the surveillance systems of any capable party.

Knowledge is also an insecurity

Knowledge is not just power, as the adage goes. It’s also the basis on which we are exploited and disempowered. There are at least three general metadata risks across Web3.

Fraud: Financial insecurity and surveillance are intrinsically linked. The most serious hacks, thefts or scams depend on accumulated knowledge about a target: their assets, transaction histories and who they are. DappRadar estimates a $1.3-billion loss due to “hacks and exploits” like phishing attacks in 2024 alone. 

Leaks: The wallets that permit access to decentralized tokenomics rely on leaky centralized infrastructures. Studies of DApps and wallets have shown the prevalence of IP leaks: “The existing wallet infrastructure is not in favor of users’ privacy. Websites abuse wallets to fingerprint users online, and DApps and wallets leak the user’s wallet address to third parties.” Pseudonymity is pointless if people’s identities and patterns of transactions can be easily revealed through metadata.

Chain consensus: Chain consensus is a potential point of attack. One example is a recent initiative by Celestia to add an anonymity layer to obscure the metadata of validators against particular attacks seeking to disrupt chain consensus in Celestia’s Data Availability Sampling (DAS) process.

Securing Web3 through anonymity

As Web3 continues to grow, so does the amount of metadata about people’s activities being offered up to newly empowered surveillance systems. 

Beyond VPNs

Virtual private network (VPN) technology is decades old at this point. The lack of advancement is shocking, with most VPNs remaining in the same centralized and proprietary infrastructures. Networks like Tor and Dandelion stepped in as decentralized solutions. Yet they are still vulnerable to surveillance by global adversaries capable of “timing analysis” via the control of entry and exit nodes. Even more advanced tools are needed.

Noise networks

All surveillance looks for patterns in a network full of noise. By further obscuring patterns of communication and de-linking metadata like IPs from metadata generated by traffic, the possible attack vectors can be significantly reduced, and metadata patterns can be scrambled into nonsense.

Anonymizing networks have emerged to anonymize sensitive traffic like communications or crypto transactions via noise: cover traffic, timing obfuscations and data mixing. In the same spirit, other VPNs like Mullvad have introduced programs like DAITA (Defense Against AI-guided Traffic Analysis), which seeks to add “distortion” to its VPN network. 
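The effect of padding, batching and shuffling on what an observer can infer is shown in the following added example, which is not from the article or from any project it names. It is a toy model: the cell size, batch size and sample traffic are constructed assumptions, and cover traffic is not modeled.

```python
import random

CELL = 512   # assumed fixed on-wire cell size in bytes (constructed value)
BATCH = 4    # assumed number of messages the mix holds before flushing

# Constructed sample traffic: (sender, send_time_s, payload_bytes)
TRAFFIC = [("alice", 0.0, 120), ("bob", 0.4, 300), ("carol", 0.9, 75),
           ("dave", 1.3, 410), ("erin", 2.0, 220), ("frank", 2.2, 95),
           ("grace", 2.9, 330), ("heidi", 3.5, 180)]

def direct_relay(traffic, latency=0.05):
    """Forward each message unchanged after a fixed delay.
    Returns (wire_inputs, outputs); outputs keep the true sender for scoring only."""
    return list(traffic), [(s, t + latency, size) for s, t, size in traffic]

def mix_relay(traffic, rng):
    """Clients pad to CELL; the mix flushes every BATCH messages in shuffled order."""
    wire = [(s, t, CELL) for s, t, _ in traffic]
    outputs = []
    for i in range(0, len(wire), BATCH):
        batch = wire[i:i + BATCH]
        flush = batch[-1][1]          # batch leaves when its last message arrives
        rng.shuffle(batch)
        outputs += [(s, flush, CELL) for s, _, _ in batch]
    return wire, outputs

def candidate_senders(wire, outputs):
    """What a passive observer of both links can infer from time and size alone:
    for each output, the senders whose message has the same size and arrived
    after the previous flush but no later than this output."""
    times = sorted({t for _, t, _ in outputs})
    result = []
    for true_sender, t_out, size in outputs:
        earlier = [t for t in times if t < t_out]
        prev = earlier[-1] if earlier else float("-inf")
        cands = {s for s, t_in, sz in wire if sz == size and prev < t_in <= t_out}
        result.append((true_sender, cands))
    return result

def anonymity_set_sizes(wire, outputs):
    """Number of equally plausible senders per output (1 means fully linkable)."""
    return [len(c) for _, c in candidate_senders(wire, outputs)]

if __name__ == "__main__":
    print("direct:", anonymity_set_sizes(*direct_relay(TRAFFIC)))
    print("mix:   ", anonymity_set_sizes(*mix_relay(TRAFFIC, random.Random(7))))
```

With the direct relay every output maps to exactly one sender, while the mix leaves the observer with a set of four indistinguishable candidates per output.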

Scrambling the codes

Whether it’s defending people against the assassinations in tomorrow’s drone wars or securing their onchain transactions, new anonymity networks are needed to scramble the codes of what makes all of us targetable: the metadata our online lives leave in their wake.

The state of capture is already here. Machine learning is feeding off our data. Instead of leaving people’s data there unprotected, Web3 and anonymity systems can make sure that what ends up in the teeth of AI is effectively garbage.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

OKX suspends DEX aggregator to stop ‘further misuse’ by Lazarus

Crypto exchange OKX has temporarily paused its decentralized exchange aggregator to prevent “further misuse” by North Korean hacking collective Lazarus Group.

“Recently, we detected a coordinated effort by Lazarus group to misuse our defi services,” said OKX on March 17.

“After consulting with regulators, we made the proactive decision to temporarily suspend our DEX aggregator services. This move allows us to implement additional upgrades to prevent further misuse.” 

The OKX helpdesk confirmed that the DEX aggregator was temporarily suspended for an “internal review and upgrade” but did not provide a timeline. 

It added that crypto wallet services will remain available to all customers, but it will “pause new wallet creation in select markets during this time.”

On March 11, Bloomberg reported that European Union financial watchdogs were investigating the firm’s DEX aggregator, called OKX Web3, and its wallet services for their alleged role in laundering funds from the Bybit hack.

“Over the past few days, we’ve faced targeted media attacks questioning our integrity and operations,” the firm stated in a blog post. It added that it “can’t ignore the fact that these attacks are happening at a time when we are actively fighting against financial crime.”

According to Bybit CEO Ben Zhou, nearly $100 million from the $1.5 billion Bybit hack had been laundered through OKX’s Web3 proxy, with a portion of the funds now untraceable.

OKX responded on March 11, stating that the “Bloomberg article is misleading,” saying that when Bybit got hacked, OKX reacted in two ways: by freezing associated funds from moving into its CEX, and developing the new hack detection features.

OKX stated that the goal is to ensure that explorers properly highlight the actual DEX processing trades “rather than mistakenly identifying our aggregator as the point of trade.”

The exchange has already deployed a “hacker address detection system” for its DEX aggregator in addition to a system to track the hacker’s latest addresses and block them on its centralized exchange in real time.

“We already rolled out a lot of controls for OKX Web3 to fight with the misuse, including prohibited markets’ IP blocking and real-time black address detection and blocking system,” said OKX CEO Star Xu on March 17.

The firm also clarified that the OKX Web3 DEX aggregator is not a custodian of customer assets, adding that its function is to provide access to liquidity across multiple protocols. However, “some have deliberately misrepresented our platform,” it said. 

Bank of Korea to take ‘cautious approach’ to Bitcoin reserve

The Bank of Korea says it is taking a “cautious approach” to potentially including Bitcoin as a foreign exchange reserve.

Officials from the Korean central bank said in a March 16 response to a written inquiry that they have not looked into a potential Bitcoin (BTC) reserve, citing high volatility. 

Responding to a question from Representative Cha Gyu-geun of the National Assembly’s Planning and Finance Committee, central bankers said that they have “neither discussed nor reviewed the possible inclusion of Bitcoin in foreign exchange reserves,” adding that “a cautious approach is needed,” according to the Korea Herald.

“Bitcoin’s price volatility is very high,” the central bank noted, before adding that “in the case of cryptocurrency market instability, transaction costs to cash out Bitcoins could rise drastically.”

Over the past 30 days, Bitcoin prices have swung wildly between $98,000 and $76,000 before settling at current levels of around $83,000 in a 15% decline since Feb. 16, according to CoinGecko. 

The decision comes amid increasing global discussions on the role of crypto assets in national financial strategies, sparked by US President Donald Trump’s executive order earlier this month establishing a strategic Bitcoin reserve and digital asset stockpile.  

At a seminar on March 6, crypto industry lobbyists and some members of Korea’s Democratic Party urged the country to integrate Bitcoin into its national reserves and develop a won-backed stablecoin.

However, the Bank of Korea emphasized that its foreign exchange reserves must have liquidity and be immediately usable when needed, as well as a credit rating of investment grade or higher, criteria that Bitcoin does not meet, in its opinion. 

Professor Yang Jun-seok of Catholic University of Korea concurred, stating, “it is appropriate for foreign exchange to be held in proportion to the currencies of countries with which we trade.”

Professor Kang Tae-soo from the KAIST Graduate School of Finance commented on the US being likely to leverage stablecoins rather than BTC to maintain dollar hegemony before adding, “Whether the IMF will recognize stablecoins as foreign exchange reserves in the future is important.”

Earlier this month, South Korea’s financial regulator examined the Japanese Financial Services Agency’s legislative trend toward crypto assets as it mulls lifting a ban on crypto exchange-traded funds in the country.

Crypto users report new scam emails spoofing Coinbase, Gemini

Crypto users have reported a rise in scam emails made to look like they’re from crypto exchanges Coinbase and Gemini that attempt to get users to set up a new wallet with pre-generated recovery phrases controlled by scammers.

In several examples posted to X, the email claims to be from Coinbase, asking users to transition to self-custodial wallets and providing instructions on downloading the legitimate Coinbase Wallet, giving a deadline of April 1 to make the switch.

However, it also provides pre-generated recovery phrases. Once users open a new wallet with those phrases and transfer funds, all the assets will be available to the threat actor, who could drain the wallet.

The email mentions a class-action lawsuit against Coinbase alleging it has sold unregistered securities, which has resulted in a court mandating users manage their own wallets.

“Coinbase will operate as a registered broker, allowing purchases, but all assets must move to Coinbase Wallet,” the phony email says.

The US Securities and Exchange Commission dismissed its lawsuit alleging Coinbase was an unregistered broker and selling unregistered securities on Feb. 27.

Coinbase told Cointelegraph it is aware of the scam and pointed to its March 14 post to X, saying, “We will never send you a recovery phrase, and you should never enter a recovery phrase given to you by someone else.” 

Crypto exchange Gemini has also been spoofed with the same recovery phrase email scam, using the same tactics and claiming users need to set up a new wallet because of a recent court decision.

Gemini was being sued by the SEC for allegedly offering unregistered securities through its earn program. The regulator opted to end the legal action on Feb. 26.

Gemini didn’t immediately respond to Cointelegraph’s request for comment. 

Blockchain security firm CertiK’s annual Web3 security report flagged crypto phishing attacks, which cost users $1 billion across 296 incidents, as the most significant security threat for 2024.

The email scams come as at least three crypto founders have reported foiling an attempt from alleged North Korean hackers to steal sensitive data through fake Zoom calls.

Scammers have been targeting crypto founders by offering a meeting to discuss a partnership opportunity, but once the call starts, they send a message feigning audio issues and a link to a new call that installs malware. 
