The sleuths who protect crypto from hackers are raking in money

At a time when many crypto companies have seen their fortunes plummet, one corner of the industry is thriving.

With criminals including North Korean hackers increasingly targeting the sprawling software infrastructure underpinning the cryptosphere, firms that sift through code for weaknesses and run bug-hunting sites are finding themselves with more business than they can handle. As mass firings become the norm elsewhere in crypto, they're boosting hiring, raising prices and taking in fresh funding.  

Their rising fortunes underscore how the industry is waking up to the threat of sophisticated hackers who have stolen roughly $2 billion from digital-asset protocols this year, according to researcher Chainalysis, which says such attacks show few signs of slowing. 


With so much at stake, crypto security services are moving from the "nice to have" spending category to the "must have" bucket, even for bootstrapping startups and community-driven projects. 

"We have spent sooooo much money on audits," Paul Frambot, chief executive officer of crypto startup Morpho Labs, said by text message. "Security is, in my opinion, not taken sufficiently seriously in DeFi," he added, referring to decentralized finance, where people trade, borrow and lend crypto without a central intermediary. 

Morpho has done more than 10 code audits in the past year, according to Frambot. 

Investors are taking note of the growing demand for protection. Venture capital firms have poured $257 million into crypto auditing and security companies so far this year, up from $185 million for all of 2021, according to CB Insights. 

Rising threat

Crypto thieves have stalked the industry for most of its roughly decade-long existence, from the Bitfinex exchange hack in 2016 to last year's exploit of the PolyNetwork protocol. 

But the problem has worsened recently, in part because a relatively novel part of the ecosystem has become a juicy target: so-called crypto bridges, software platforms that allow coins designed for one blockchain to be used on another. A bridge typically holds the original coins in a contract or multi-signature wallet on one chain and issues a representation of them on the other, so the code and signing keys guarding that pool concentrate a large amount of value in a single place. Hacks on crypto bridges accounted for more than two-thirds of the total value stolen in the first seven months of 2022, Chainalysis estimates. 

In March, hackers struck the Ronin Bridge connected to the popular Axie Infinity online game and made off with cryptocurrencies worth about $600 million at the time, one of the biggest hauls to date. The attack has been tied to the North Korean hacker group Lazarus.

Sky Mavis, the developer of Axie Infinity, was forced to compensate players who lost money. The incident was also a publicity nightmare for Sky Mavis, as many of those whose coins were taken in the hack were gamers in low-income countries like the Philippines who played the game to bolster their modest paychecks.

The threat isn't limited to bridges. Hundreds of millions of dollars have vanished in exploits of other projects, such as DeFi apps. Many of these projects rely on so-called smart contracts — programs deployed on a blockchain that execute transactions automatically and whose effects, once confirmed, can't be reversed — so a design flaw can be exploited before anyone is able to intervene, and the losses are usually permanent. 

A hack, or even a major coding error, can spell the end of an app developers spent months or years building. 

"These protocols are not simply another service that may be disrupted for a while — for example, like not being able to watch TV for a few hours or longer," said Stefano Schiavi, an investor at bitscale.vc, a backer of crypto security firm Immunefi. When crypto protocols fail, "many people lose significant portions of their savings, and often they even lose everything."

The evolution of Web3, a version of today's internet built largely on crypto technology where ownership and control should be more widely distributed, means applications will increasingly be interconnected and span many blockchains, said Lex Sokolin, head economist at ConsenSys, which audits smart-contract code.   

"I think the more complicated Web3 becomes, the larger the surface area for these exploits," Sokolin said.

$400,000 salaries

Audits are essentially reviews of code by experienced developers who scrutinize it to identify bugs, security concerns and other issues that could make the technology run in unintended ways. In some cases, the protocol's developer can fix the weaknesses pinpointed, and then have those patches reviewed by the auditor. 

Some crypto auditors use automated tools that scan code. Others, like OpenZeppelin, deploy at least two auditors who go through the code, one after another, line by line. 
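To make concrete what "automated tools that scan code" means in practice, here is an added illustration that is not code from OpenZeppelin, ConsenSys, Trail of Bits or any other firm named in this article: a small Python pattern scanner run over a constructed Solidity snippet, alongside a hardened version of the same snippet that produces no findings. Production analyzers such as Trail of Bits' Slither work on the compiler's syntax tree rather than on raw text, so the regular expressions here are a deliberate simplification; the contract, the check names and the severities are assumptions made for this example. The point it shows is the division of labour the article describes: pattern checks catch known anti-patterns cheaply, while the design flaws that cost protocols the most still need the line-by-line human review.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input for this illustration: a deliberately flawed contract.
# It is not taken from any project mentioned in the article.
FLAWED_CONTRACT = """\
pragma solidity ^0.8.0;

contract Vault {
    address owner;

    function withdrawAll() public {
        require(tx.origin == owner);
        payable(msg.sender).call{value: address(this).balance}("");
    }
}
"""

# The same contract after both findings are addressed (also constructed):
# authorization checks msg.sender, and the call's result is checked.
HARDENED_CONTRACT = """\
pragma solidity ^0.8.0;

contract Vault {
    address owner;

    function withdrawAll() public {
        require(msg.sender == owner);
        (bool ok, ) = payable(msg.sender).call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}
"""


@dataclass
class Finding:
    line: int
    check: str
    severity: str
    snippet: str


# (check id, severity, pattern). Check ids and severities are assumptions for
# this example; the weaknesses themselves are well known (SWC registry ids noted).
CHECKS = [
    # Authorization via tx.origin lets an intermediary contract act on behalf
    # of the original sender (SWC-115).
    ("tx-origin-auth", "high", re.compile(r"\btx\.origin\b")),
    # A low-level call whose boolean result is discarded: the statement starts
    # with the target expression, not with an assignment such as "(bool ok, ) =",
    # so a failed transfer goes unnoticed (SWC-104).
    ("unchecked-low-level-call", "medium",
     re.compile(r"^\s*(?:payable\([^)]*\)|[\w.\[\]]+)\.(?:call|send|delegatecall)"
                r"\s*(?:\{[^}]*\})?\s*\(")),
    # Any reachable selfdestruct is a standard review item (SWC-106).
    ("selfdestruct", "high", re.compile(r"\bselfdestruct\s*\(")),
]


def scan_source(source: str) -> list[Finding]:
    """Run every pattern check over each line and collect the matches."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = raw.split("//", 1)[0]  # drop trailing line comments (simplified)
        for check_id, severity, pattern in CHECKS:
            if pattern.search(code):
                findings.append(Finding(lineno, check_id, severity, raw.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, the way a scanner's summary line would."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def report(name: str, source: str) -> None:
    findings = scan_source(source)
    print(f"== {name}: {len(findings)} finding(s) {summarize(findings)}")
    for f in findings:
        print(f"  line {f.line:>3} [{f.severity}] {f.check}: {f.snippet}")


if __name__ == "__main__":
    report("flawed", FLAWED_CONTRACT)
    report("hardened", HARDENED_CONTRACT)
```

Note what the scanner cannot see: a contract that uses `msg.sender` correctly and checks every return value can still have a flawed economic design, a bad trust assumption about a bridge validator set, or a logic error in how balances are updated, and none of those is a textual pattern. That gap is why the firms in this article still sell human review on top of tooling.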

Salaries for experienced blockchain auditors can run as high as $400,000 a year, according to Zeth Couceiro, founder of crypto recruitment firm Plexus Resource Solutions. Their pay is typically around 20% above that of developers focused on Solidity, the most widely used language for writing smart contracts on Ethereum.  

"The reason for that is the need to come from a coding background but also understand the architecture to establish vulnerabilities," Couceiro said. 

Long waits, rising prices

So far this year, 1,161 external projects have asked ConsenSys to audit their smart-contract code, close to the number for all of 2021 and up from 247 requests in 2020, according to the company. Clients can wait as long as nine months for an audit, which can cost up to $320,000.

At rival Trail of Bits, published fees have jumped about 20% to 25% in the last 12 months as rising demand put pressure on lead times, said Nick Selby, a vice president at the company. 

OpenZeppelin has expanded its workforce by 63% this year, scooping up specialists laid off by other crypto companies in the downturn, said Steve Grant, the company's head of growth. It plans to double headcount in 2022, according to Grant. 

There's another constituency benefiting from crypto's increasing need for safety: so-called "white hat" hackers who use their skills to help companies plug security holes, rather than exploit them.  

"Most hackers prefer to get clean and well-earned money and ease of mind instead of worrying their whole life if they will be caught for their crimes," said Adrian Hetman, tech lead of triaging at bug bounty platform Immunefi, whose clients include DeFi project MakerDAO. 

Rewards for identifying significant flaws can run as high as $10 million, Hetman said.

Bloomberg News