AI has handed crypto attackers the same tools defenders use, and the results are costing the industry billions, experts say.<\/p>\n
Mitchell Amador, CEO of Immunefi, told Decrypt during the start of Token2049 week in Singapore that AI has turned vulnerability discovery into near-instant exploitation, and that the advanced auditing tools his firm built are no longer exclusive to the good guys.<\/p>\n
“If we have that, can the North Korean Lazarus group build similar tooling? Can Russian Ukrainian hacker groups build similar such tooling?” Amador asked. “The answer is that they can.”<\/p>\n
Immunefi’s AI auditing agent outperforms the vast majority of traditional auditing firms, but that same capability is within reach of well-funded hacking operations, he said.<\/p>\n
\u201cAudits are great, but it’s nowhere near enough to keep up with the rate of innovation and the rate of the compounding improvement of the attackers,” he said.<\/p>\n
With over 3% of total value locked stolen across the ecosystem in 2024, Amador said that while security is no longer an afterthought, projects “struggle to know how to invest and how to allocate resources there effectively.”\u00a0<\/p>\n
The industry has moved from “a prioritization problem, which is a wonderful thing, into it being a knowledge and educational problem,” he added.<\/p>\n
There’s More to North Korea’s Hacking Ops Than Just Lazarus Group: Paradigm<\/a><\/p>\n AI has also made sophisticated social engineering attacks dirt cheap, according to Amador.\u00a0<\/p>\n “How much do you think that phone call costs?” he said, referring to AI-generated phishing calls that can impersonate colleagues with disturbing accuracy. “You can execute that for pennies with a well-thought-out system of prompts, and you can execute those in mass. That is the scary part of AI.”<\/p>\n The Immunefi CEO said groups such as Lazarus likely employ “at least a few hundred guys, if not probably low thousands working around the clock” on crypto exploits as a major revenue source for North Korea’s economy.\u00a0<\/p>\n \u201cThe competitive pressures stemming from North Korea’s annual revenue quotas,” drive operatives to protect individual assets and \u2018outperform colleagues\u2019 rather than coordinate security improvements, a recent SentinelLABS intelligence report found.<\/p>\n “The game with AI-driven attacks is that it speeds up the rate at which something can go from discovery to exploit,” Amador told Decrypt. “To defend against that, the only solution is even faster countermeasures.”<\/p>\n Immunefi’s response has been to embed AI directly into developers’ GitHub repositories and CI\/CD pipelines, catching vulnerabilities before code reaches production, he noted, while predicting this approach will trigger a “precipitous drop” in DeFi<\/a> hacks within one to two years, potentially reducing incidents by another order of magnitude.<\/p>\n BitMEX Blocks Lazarus Phishing Attempt, Calls Tactics \u2018Unsophisticated\u2019<\/a><\/p>\n Dmytro Matviiv, CEO of Web3 bug bounty platform HackenProof, told Decrypt that “manual audits will always have a place, but their role will shift.\u201d To defend against AI-powered attacks, Immunefi has implemented a whitelist-only policy for all company resources and infrastructure, which Amador said has “arrested thousands of these attempted spear phishing techniques very effectively.”\u00a0<\/p>\n But this level of vigilance isn’t practical for most organizations, he said, noting “we can do that at Immuneify because we are a company that lives and breathes security and vigilance. Normal people can’t do that. They have lives to live.”<\/p>\n Immunefi has facilitated over $100 million in payouts to white-hat hackers, with steady monthly distributions ranging from $1 million to $5 million. However, Amador told Decrypt that the platform has “hit the limits” as there aren’t “enough eyeballs” to provide the necessary coverage across the industry.<\/p>\n The constraint isn’t just about researcher availability, as bug bounties face an intrinsic zero-sum game problem that creates perverse incentives for both sides, according to Amador.\u00a0<\/p>\n Researchers must reveal vulnerabilities to prove they exist, but they lose all leverage once disclosed. Immunefi mitigates this by negotiating comprehensive contracts that specify everything before disclosure occurs, Amador said.<\/p>\n Meanwhile, Matviiv told Decrypt that he doesn’t think “we’re anywhere close to exhausting the global pool of security talent,” noting that new researchers join platforms annually and progress quickly from \u201csimple findings to highly complex vulnerabilities.\u201d<\/p>\n “The challenge is making the space attractive enough in terms of incentives and community for those new faces to stick around.”<\/p>\n Manta Co-Founder \u2018Targeted\u2019 by Lazarus Group in Zoom Phishing Attempt<\/a><\/p>\n Bug bounties have likely reached their “zenith in efficiency” outside of net-new innovations that don’t even exist in traditional bug bounty programs, Amador added.\u00a0<\/p>\n The company is exploring hybrid AI solutions to give individual researchers greater leverage to audit more protocols at scale, but these remain in R&D.<\/p>\n Bug bounties remain essential as “a diverse, external community will always be best positioned to discover edge cases that automated systems or in-house teams miss,” Matviiv noted, but they’ll increasingly work alongside AI-powered scanning, monitoring, and audits in “hybrid models.”<\/p>\n While smart contract<\/a> audits and bug bounties have matured considerably, the most devastating exploits are increasingly bypassing code entirely.\u00a0<\/p>\n The $1.4 billion Bybit hack<\/a> earlier this year highlighted this shift, Amador said, with attackers compromising Safe’s front-end infrastructure to replace legitimate multi-sig transactions rather than exploiting any smart contract vulnerability.<\/p>\n “That wasn’t something that would have been caught with an audit or bug bounty,\u201d he said. \u201cThat was a compromised internal infrastructure system.”<\/p>\n Despite security improvements in traditional areas like audits, CI\/CD pipelines, and bug bounties, Amador noted that the industry is “not doing so hot” on multi-sig security, spear phishing, anti-scam measures, and community protection.<\/p>\n Immunefi has launched a multi-sig security product that assigns elite white-hat hackers to manually review every significant transaction before execution, which it said would have caught the Bybit attack. But he acknowledged it’s a reactive measure rather than a preventative one.<\/p>\n Tennessee Couple Hit With $6.8 Million Penalty for ‘Blessings of God Thru Crypto’ Fraud<\/a><\/p>\n
\u201cAI tools are increasingly effective at catching ‘low-hanging fruit’ vulnerabilities, which reduces the need for large-scale manual reviews of common mistakes,\u201d he said. \u201cWhat remains are the subtle, context-dependent issues that require deep human expertise.\u201d<\/p>\n