It seems inevitable that giving groups of very techno-savvy people powerful new cryptographic tools, opportunities to make generational wealth, autonomously and anonymously self-organise and assert economic influence will lead to the bad bits of humans rearing their ugly heads too.
I really enjoy learning about cybersecurity and crypto. This post is just a way to explore my thinking. I hope the things I’m writing about don’t happen. Maybe by writing about them I can help prevent them in some tiny way.
We already see all sorts of criminal behaviour in crypto: fraud (exit scams and rug pulls), people being conned out of their assets and the standard list of cybercrime like hacks, DDoS and malware that mines crypto (hilariously even antivirus software is doing this).
This is not a dig at crypto. Corporations and banks have been excelling at fraud and money laundering since well before crypto was a thing. Likewise cybercrime is hardly new.
Indeed crypto demonstrates a smaller % of use by criminals than the traditional financial system (data-walled.) But, criminals use crypto – crypto-related crime is a thing.
Sidenote: data breaches (the bane of traditional tech industries) don’t really affect crypto outside of centralised players1, 2, 3. Most blockchains are by design open ledgers – i.e. there’s no data to ‘breach’ as it’s already out there already. For privacy chains/coins, the data is both highly encrypted and highly decentralised so a ‘mass data breach’ feels both very difficult and far less attractive. If you can hack crypto wallets then you can access funds instead (surely a more direct way to revenue for most criminals other than nation states?)
Who are crypto criminals?
Traditionally cyber criminals have been grouped into 5 broad categories and there are examples of crypto-related crime in each category:
- Organised criminals
- Nation state actors (aka APT or Advanced Persistent Threat such as North Korea)
- Malicious insiders (the rugpullers)
- Script kiddies or lone hackers more generally
Risky Business (one of my favourite podcasts) makes the case that there is also a re-emergence of privateers in the cyber realm. Whereas historically, privateers would undertake piracy under the safe harbour (literal harbour) of a nation state, today cyber privateers undertake cybercrime from within jurisdications that are jurisdictional safe havens. Notably, Russia.
A privateer is a private person or ship that engages in maritime warfare under a commission of war.https://en.wikipedia.org/wiki/Privateer
A quick note (not solely to try to avoid getting Novichok’d) that whilst I don’t condone this new model of crime, it’s also utterly unsurprising that other parties will use asymmetric warfare to advance their agenda against a country that spends more on defence than next 11 biggest spenders combined.
Anyway, I digress.
So the trend is that cyber-crime is becoming:
- More asymmetric – criminal ransomware groups have succeeded in shutting down huge energy pipelines as a result of simple cybersecurity failures (in this case reportedly a single compromised password). We live in a world where one disgruntled guy can take down an entire country’s internet!
- More terrifying – the US is concerned enough about this sort of real world infrastructure attack that they have created a new category of critical infrastructure that they will try super duper hard to protect.
- Harder to attribute – was the attack by a lone wolf? A criminal syndicate? A nation state? This is already hard enough to work out.
In summary, the Venn diagram of cybercrime and cyberterror is already starting to intersect strongly.
In what ways could crypto enable terror?
Transferring money and raising capital is one of crypto’s super powers. Terror relies on financing. Crypto makes this easier in some ways, but does also add risks due to the open nature of ledgers. Lots of detail available on this here. It’s also probably the most obvious influence of crypto so I’m not going to bang on about it.
Assassination by prediction market
Decentralised prediction markets like Augur theoretically allow any anonymous actor to create a prediction market for anything to happen. Including assassinations. I’m sure unhinged pscyhos with access to weaponry also want to get crypto rich. Placing heavy bets on people dying and then making sure they do is surely one way to achieve this. When you can incentivise anonymous actors to kill other people, you have a direct means to create terror. More thinking on this here.
Decentralised Autonomous Organisations allow any group of people (could be criminals) to self-organise under programmatically-defined, immutable rules (like a mafioso’s 10 commandments) for any purpose at all (like making money). As the US starts releasing the hounds against ransomware gangs it’s not difficult to imagine a chaotic-evil DAO that allows anonymous, decentralised criminals to trustlessly collaborate on managing a treasury (spoils of crime) to further the groups overall goals (paying 0day bounties, hiring assassins or even just hiring money mules for example). Terror relies as much on logistics as any other organisation so this is not just about recruiting the next suicide bomber.
With traditional law enforcement and counter-terrorism both often relying on being able to navigate the human relationships within organisations, it’ll be interesting to see what challenges a crime DAO might introduce. Trust is of notorious centrality in criminal networks and crypto both.
Everyone can be a terrorist or a target
Typically terror scenarios are seen through the lens of organisations vs organisations – Al Qaeda vs the US for example. Cyber + crypto combine to mean that any actor can become a terrorist, but it also means anyone can become a target. Everyone alive has an enemy somewhere. One particularly troubling thought is that as web3/crypto infrastructure starts to become ever more valuable and important, it puts increasing risk on the project teams.
We already see crypto project teams that have wallets in control of billions of dollars. That’s a lot of incentive for bad actors, which presumably means that they’ll resort to terror-type tactics if needed.
This opportunity for anonymity also potentially de-risks terrorist actors. It gives nation states or criminals the ability to mask their activities behind yet another layer of abstraction and generally makes attribution harder. It’s conceivable that the idea of reduced risk of Death-by-Hellfire will embolden potential terror actors to commit to action.
On the flipside, we can imagine that non-criminal organisations increasingly adopt crypto. For example, there’s a movement towards individual cities having their own coins, and even social tokens for individual influencers. These currencies themselves could become a means of terror through 51% attacks, DDoS or other attacks that affect a coin relied upon by a particular set of users. I think it’s probably likely that by the time people become reliant enough on cryptocurrency for such an attack to have a real terror element, a lot of risk will have been taken out of the system. However cybercriminals are incredibly inventive.
Further, the nature of cryptocurrencies and open ledgers means that terrorists could use blockchain analysis to help develop targets (for example, finding all people who donated to a particular cause that they take issue with).
IRL infrastructure attacks
Today, everything is connected. Terrorism doesn’t have to be bombs and guns and plane hijacking. It can be anything. Disrupting natural gas pipelines, releasing toxic chemicals into the air, poisoning water supplies. All sorts of exotic combinations could easily comprise a terror incident and whilst crypto doesn’t make this sort of attack any easier, it does provide more opportunities to anonymously recruit and incentivise the sort of insider threat which is almost impossible to defend against.
Risks of permanent execution code on smart contracts
One thought that I don’t really have full formed is around the permanence of storage of either assets or programs on blockchains. The book Daemon is about a distributed, persistent computer application, the Daemon, that begins to change the real world after the original programmer’s death (Wikipedia).
Logically, for most blockchains, this might seem like a non-issue – after all if the ledger’s contents are open, surely we can just see what’s programmed to happen and mitigate it? But what about privacy preserving blockchains? Platforms like Secret Network promise privacy-preserving smart contract-capable blockchains. Games like Dark Forest introduce zk technologies to keep the state of a smart contract private.
I think this one’s probably a bit of a fantasy for now but it’s definitely a new characteristic of crypto that could change dynamics.
Storage of assets might be a more tangible problem – e.g. the permanent storage of designs for 3D-printed weapons.
Can’t the devs do something?
If crypto can exacerbate the risk of terror, can it also reduce or mitigate the risks? If so, how?
To my (albeit unqualified) mind, a lot of combatting terror is about removing motivation. My hope is that crypto can create more entangled economies and communities with less importance placed on nation state borders or single-axis issues like religion. I hope too that crypto helps distribute wealth and thereby reduces the incentives of some potential terrorism actors to leave a more comfortable life.
But tbh this post is long enough now and my brain hurts. Might revisit the mitigations side of things in the future.