June 11, 2026

Cryptocurrency threat intelligence falling short

  • Google warns that cryptocurrency security lags behind Web3 innovation and cryptocurrency threat intelligence capabilities.
  • North Korea exploits Web2 vulnerabilities – not blockchain flaws – to steal cryptocurrency for weapons programmes.
  • Organisations focus on the wrong security layer.

Somewhere in the world, a cyber operator working for North Korea is stealing cryptocurrency at the exact moment you’re reading this article. They’re clicking buttons, pushing keys, moving funds in blockchain networks – and unlike traditional bank heists, you could actually watch it happen in real-time on a public ledger.

This isn’t a hypothetical scenario. It’s the reality that keeps Joe Dobson up at night. As a principal threat intelligence analyst at Mandiant, now part of Google Cloud, Dobson specialises in tracking and analysing illicit cryptocurrency and Web3 threats. But what concerns him most isn’t the theft itself, it’s that the industry lacks the experts to stop it.

Joe Dobson, threat intelligence analyst, Mandiant, now part of Google Cloud

Dobson argues governments and organisations continue treating financial and state-sponsored crime as separate domains, creating dangerous blind spots. The opportunity, however, lies in blockchain’s transparency. Unlike traditional financial investigations, where accessing bank account information requires navigating customer privacy regulations, cryptocurrency operates on public ledgers.

“It’s like being able to see the threat actor’s bank account,” Dobson noted. “You know how much money they have. You can see where they’re spending it.”

This visibility lets defenders measure their effectiveness in real-time. When Google’s cryptocurrency threat intelligence team discovers malware designed to steal cryptocurrency, they can see immediately how much was stolen and track where the funds move. That’s intelligence that would be impossible with traditional banking systems.

The important blind spot everyone misses

Despite Web3’s cryptographic sophistication, Dobson identifies a flaw in how organisations approach security: they’re so focused on blockchain technology that they ignore the Web2 infrastructure supporting it.

“Web3 technology is actually built on Web2 technology,” he explains. “All these blockchains run on servers. Those servers are managed through web interfaces and through SSH. The companies running them have email, they have social media” – all traditional attack vectors that hackers have been exploiting for decades.

The blind spot has proven costly. According to Dobson, the largest cryptocurrency heists in history all occurred due to Web2 vulnerabilities, not blockchain exploits. Organisations audit smart contracts and ensure cryptographic security, yet leave traditional attack vectors wide open.

“You have all this really unique software that is cryptographically secure, audited smart contracts, but the actual implementation requires humans and Web2,” he said. “People get so focused on the fact that it’s Web3 and should be different that they’re not paying attention to the fact that the actual foundation is Web2.”

North Korea’s IT worker infiltration

Beyond theft operations, threat actors have developed more insidious tactics. North Korea has been embedding IT workers in global firms, and Dobson’s detection recommendations during hiring processes are surprisingly simple yet effective.

His favourite? The “soda test.”

“Ask them to go get a soda from the refrigerator,” Dobson suggested. “Because the IT workers usually are not where they claim to be. When you go to a foreign country and buy Coca-Cola or Pepsi, it’s going to be in whatever the local font is, in the local language.”

While it sounds almost comically simple, this approach – combined with asking candidates to wave their hands in front of their faces during video interviews to defeat AI face-swapping software – has proven effective at revealing location fraud.

AI: The coming multiplier

The intersection of artificial intelligence and cryptocurrency presents both opportunities and threats. Dobson highlighted the X.402 protocol (designed for online payments), which lets AI agents transact autonomously using cryptocurrency wallets.

“AI agents aren’t going to have bank accounts, but they will have cryptocurrency wallets, and so they’re going to be able to move funds around,” he said. That means threat actors’ AI agents could purchase infrastructure and domain names independently, without human intervention.

The evolution in tactics extends beyond theft. Threat actors have begun using blockchains as command-and-control (C2) infrastructure for malware, embedding C2 addresses in smart contracts that, once on-chain, remain permanently accessible.

“Once it’s on a chain, it never goes away. It’s on there forever, and that means you can’t take it down,” Dobson explained. “When you’re blocking it, it’s not a traditional domain, so you have to block it differently.”

Where expertise falls short

On-chain analysis provides advantages for cryptocurrency threat intelligence attribution. When adversaries reuse wallets, investigators can assess connections to known threat actors quickly. However, sophisticated actors can exploit the same transparency for misdirection, deliberately sending funds to wallets associated with other threat actors.
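The difference between wallet reuse and misdirection comes down to who had to sign a transfer. The sketch below is an added example, not code from the article, Mandiant or Google; the wallet names, actor labels and transfers are constructed, and the three evidence grades are an assumed simplification.

```python
# Constructed sample data: wallet names, actor labels and amounts are placeholders.
KNOWN_WALLETS = {"wallet_A1": "ACTOR_A", "wallet_B1": "ACTOR_B"}
TRANSFERS = [  # (sender, receiver, amount)
    ("victim_1", "incident_1", 500.0),
    ("wallet_A1", "incident_1", 0.2),  # labelled wallet funded the incident wallet
    ("incident_1", "wallet_B1", 1.0),  # incident wallet sent funds to another actor's wallet
    ("victim_2", "wallet_A1", 300.0),  # labelled wallet reused directly
    ("victim_3", "incident_3", 50.0),
    ("incident_3", "mixer_x", 50.0),
]
# Assumed grading, weakest to strongest.
RANK = {"sent_to": 0, "funded_by": 1, "reuse": 2}


def assess_links(wallet, transfers=TRANSFERS, known=KNOWN_WALLETS):
    """Return {actor: evidence} for one wallet seen in an incident.

    reuse     - the wallet itself is already labelled
    funded_by - a labelled wallet sent funds to it (requires that wallet's key)
    sent_to   - it sent funds to a labelled wallet; the receiver signs nothing,
                so this is compatible with deliberate misdirection
    """
    links = {}

    def note(actor, evidence):
        # Keep only the strongest evidence seen for each actor.
        if actor not in links or RANK[evidence] > RANK[links[actor]]:
            links[actor] = evidence

    if wallet in known:
        note(known[wallet], "reuse")
    for sender, receiver, _amount in transfers:
        if receiver == wallet and sender in known:
            note(known[sender], "funded_by")
        if sender == wallet and receiver in known:
            note(known[receiver], "sent_to")
    return links


if __name__ == "__main__":
    for w in ("incident_1", "wallet_A1", "incident_3"):
        print(w, assess_links(w) or "no link to a labelled wallet")
```

For `incident_1` the link to ACTOR_A rests on a transfer the labelled wallet had to sign, while the link to ACTOR_B rests only on funds sent to it and should not carry attribution by itself.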

The expertise shortage extends beyond corporate security teams to include law enforcement. Dobson recounted an incident where a victim whose NFT was stolen by North Korean actors called local police, only to be asked: “What’s an NFT?”

While federal agencies like the FBI have developed countermeasure capabilities, they cannot respond to every cryptocurrency theft. The gap between the scale of the problem and available expertise is widening.

Public-private partnership challenges

When Google’s cryptocurrency threat intelligence team identifies state-backed operations, collaboration with the public sector is hampered by a central issue: cryptocurrency is too new for information-sharing networks that exist in more established industries.

“When you look at the medical industry, the finance industry, there’s been a lot more time for folks to go from working at a cybersecurity company to a medical company, back to a cyber company,” he said. “Because cryptocurrency is so new, you don’t have as much of that.”

Dobson stressed that public organisations must be “friendly towards crypto” to encourage information sharing. “If someone thinks that the information they share is going to be weaponised against their industry, they’re not going to share.”

A believer despite the threats

Despite cataloguing an alarming array of threats, Dobson remains a cryptocurrency advocate who believes in its transformative potential. He points to legitimate uses like international remittances and peer-to-peer payments that cryptocurrency facilitates more efficiently than traditional systems.

“Are cryptocurrency ATMs commonly used by scammers? Absolutely,” he acknowledged. “But they’re also used for legitimate purposes. If you want to send a remittance to a family member overseas, going to a cryptocurrency ATM? That is probably the fastest way you can do it.”

The challenge, he argues, isn’t eliminating cryptocurrency but building the security expertise and user experience improvements needed to protect it. “Security in cryptocurrency is not easy. That doesn’t mean we should get rid of cryptocurrency, but it means we need to be aware of that issue so that we can collectively work on it.”

The expertise pipeline crisis

Dobson’s greatest concern remains the mismatch between cryptocurrency adoption and defensive capacity.

“Look at how quickly cryptocurrency has grown in market share, market cap, and then look at how many security jobs there have been in cryptocurrency,” he said. “Defenders aren’t prepared because they don’t fully comprehend the level of innovation in Web3.”

As cryptocurrency moves toward mainstream adoption by governments, businesses, and individuals, the industry faces an important question: can it build the expertise pipeline fast enough to prevent Dobson’s nightmare scenario?

The answer will determine whether cryptocurrency fulfils its promise as a transformative technology or becomes exactly what Dobson fears – a hunting ground where adversaries operate with impunity because there simply aren’t enough defenders to stop them.
