
In short
- Mitchell Amador, CEO of Immunefi, told Decrypt at Token2049 in Singapore that AI tooling once limited to security companies is now accessible to groups such as Lazarus, making attacks at mass scale possible.
- Bug bounties have paid out more than $100 million, but have “hit the boundaries” because there are not “enough eyeballs” to provide the necessary coverage, he said.
- The $1.4 billion Bybit hack bypassed smart contract protections by compromising infrastructure, exposing gaps where defenders “don’t do so hot,” Amador said.
AI has handed crypto attackers the same tools that defenders use, and the results are costing the industry billions, experts say.
Mitchell Amador, CEO of Immunefi, told Decrypt at the start of Token2049 week in Singapore that AI has collapsed the gap between vulnerability discovery and exploitation to near-instant, and that the advanced auditing tools his company has built are no longer exclusive to the good guys.
“If we have that, can the North Korean Lazarus group build similar tooling? Can Russian or Ukrainian hacker groups build similar tools?” Amador asked. “The answer is that they can.”
Immunefi’s AI auditing agent outperforms the vast majority of traditional audit firms, but the same capability is within reach of well-funded hacking operations, he said.
“Audits are great, but they are not nearly enough to keep pace with the speed of innovation and the speed of the compounding improvement of the attackers,” he said.
With more than 3% of the total value locked across the ecosystem stolen in 2024, Amador said that although security is no longer a side issue, projects “struggle to know how to invest and how they can effectively allocate resources there.”
The industry has moved on from “a priority problem, which is a great thing, because it is a knowledge and educational problem,” he added.
According to Amador, AI has also made advanced social engineering attacks dirt cheap.
“How much do you think it costs?” he said, referring to AI-generated phishing calls that can impersonate colleagues with disturbing accuracy. “You can do that for money with a well-thought-out system of prompts, and you can do that en masse. That is the scary part of AI.”
The Immunefi CEO said that groups such as Lazarus probably have “at least a few hundred guys, if not probably low thousands working” on crypto exploits as an important source of income for the North Korean economy.
“The competitive pressure resulting from North Korea’s annual quota” drives operatives “to protect individual assets” and “outperform peers” rather than coordinate security improvements, a recent SentinelLabs intelligence report found.
“The thing with AI-driven attacks is that it accelerates the speed at which something can go from discovery to exploit,” Amador told Decrypt. “To defend against this, the only solution is even faster countermeasures.”
Immunefi’s answer has been to put AI directly into developers’ GitHub repositories and CI/CD pipelines, catching vulnerabilities before the code reaches production, he noted, predicting that this approach will cause a “steep drop” in DeFi hacks within one to two years, potentially reducing incidents by an order of magnitude.
Dmytro Matviiv, CEO of Web3 bug bounty platform HackenProof, told Decrypt that “manual audits will always have a place, but their role will shift.”
“AI tools are becoming increasingly effective at catching ‘low-hanging fruit’ vulnerabilities, which reduces the need for large-scale manual reviews of common errors,” he said. “What remains are the subtle, context-dependent issues that require deep human expertise.”
To defend against AI-driven attacks, Immunefi has implemented an Opitières-only policy for all assets and infrastructure, which Amador said has “very effectively stopped thousands of these phishing attempts.”
But this level of vigilance is not practical for most organizations, he said, noting: “We can do that at Immunefi because we are a company that lives and breathes vigilance. Normal people cannot do that. They have lives to live.”
Bug bounties hit a wall
Immunefi has facilitated $100 million in payouts to white hat hackers, with steady monthly distributions ranging from $1 million to $5 million. However, Amador told Decrypt that the platform has “hit the boundaries,” because there are not “enough eyeballs” to provide the coverage the industry needs.
The limitation is not only about the availability of researchers: bug bounties face an inherent zero-sum problem that, according to Amador, creates perverse incentives for both parties.
Researchers must disclose vulnerabilities to prove they exist, but they lose all leverage the moment a bug is disclosed. Immunefi mitigates this by negotiating detailed contracts that specify everything before disclosure takes place, Amador said.
Meanwhile, Matviiv told Decrypt that he does not think “we are anywhere near exhausting the global pool of security talent,” noting that new researchers join platforms every year and quickly progress from “simple findings to very complex vulnerabilities.”
“The challenge is to make the space attractive enough in terms of incentives and community for those new faces to stick around.”
Bug bounties have probably reached their “zenith in efficiency” short of new innovations that do not yet exist in traditional bug bounty programs, Amador added.
The company is researching hybrid AI solutions to give individual researchers greater leverage to review more protocols at scale, but these remain in R&D.
Bug bounties remain essential because “a diverse, external community is best positioned to discover edge cases that automated systems or internal teams miss,” noted Matviiv, but they will increasingly be combined with AI-driven scanning, monitoring and audits in “hybrid models.”
The biggest hacks do not come from code
While smart contract audits and bug bounties have matured considerably, the most devastating exploits increasingly bypass code altogether.
The $1.4 billion Bybit hack earlier this year underscored this shift, Amador said, with attackers compromising Safe’s front-end infrastructure to substitute legitimate multi-sig transactions rather than exploiting a smart contract vulnerability.
“That was not something that would have been caught with an audit or bug bounty,” he said. “That was a compromised internal infrastructure system.”
Despite security improvements in traditional areas such as audits, CI/CD pipelines and bug bounties, Amador noted that the industry “doesn’t do so hot” on multi-sig security, spear phishing, anti-scam measures and community protection.
Immunefi has launched a multi-sig security product that assigns elite white hat hackers to manually review any significant transaction before execution, which he said would have caught the Bybit attack. But he acknowledged that it is a reactive measure rather than a preventive one.
This uneven progress explains why 2024 was the worst year for hacks despite improvements in code security: hacking patterns follow a predictable mathematical distribution, making a few major incidents inevitable rather than anomalous, Amador said.
“There will always be one big bucket,” he said. “And it is not a fluke, it is the pattern. There is always one big hack a year.”
Smart contract security has matured considerably, said Matviiv, but “the next frontier is certainly around the wider attack surface: multi-sig wallet configurations, key management, phishing, administrative attacks and ecosystem-level exploits.”
Effective security requires catching vulnerabilities as early as possible in the development process, Amador told Decrypt.
“Bug bounty is the second most expensive; the most expensive is the hack,” he said, describing a hierarchy of costs that rises dramatically at each stage.
“We catch bugs before they hit production, before they even hit an audit,” Amador added. “They would never even make it into an audit. They would not waste their time on it.”
Although the severity of hacks remains high, Amador said that “the incidence is falling and the severity level of most bugs is falling, and we are catching more and more of these things in the earlier stages of the cycle.”
When asked at Token2049 which single security measure every project should adopt, Amador called for a “unified security platform” covering multiple attack vectors.
That is essential, because fragmented security essentially forces projects to “do the research themselves” into products, limitations and workflows, he said.
“We are not yet ready to handle trillions and trillions of assets. We are just not quite ready for prime time.”

