Crypto firms should never carelessly trust their engineers to upload code without an external review first, says JP Richardson, CEO of the self-custodial crypto platform Exodus.
He argued that this is essential to stop bad actors, who are becoming more sophisticated in tricking crypto firms into giving them jobs, from uploading malicious code to the firm’s software.
In an interview with Cointelegraph at Token2049 in Singapore, Richardson stressed the importance of having a second-layer team review all engineers’ code before any update or upgrade is made to a crypto firm’s software, so that a malicious actor cannot push harmful code into production.
Richardson highlights that customers’ data must be the priority
“I think it really comes down to building a system so that if it does happen, your customers are still safe,” the Exodus CEO said.
“That requires operational resilience in the business, so again, customers are not at risk,” he added.
He explained that Exodus reviews code from everybody, including its internal staff.
“Our security team reviews all the code to make sure that it’s still safe as opposed to, oh, we just trust this engineer is a really good engineer; we don’t need to review this code,” Richardson said.
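The control Richardson describes, a separate security team that must sign off on every change regardless of who wrote it, can be enforced mechanically rather than by habit. The following is an added example, not Exodus’s code or any platform’s API: it checks constructed pull-request records against that policy and rejects the three ways the control is commonly bypassed, a review from outside the security team, a reviewer approving their own change, and a “stale” approval given on an earlier commit after which more code was pushed. Team handles, field names and record contents are assumptions for illustration.

```python
"""Added example: enforce a 'security team reviews every change' merge policy.

The records below are constructed, not real data, and the field names are
assumptions; a real deployment would fill them from the code-hosting API.
"""
from dataclasses import dataclass, field

# Constructed handles of the reviewers allowed to satisfy the policy.
SECURITY_TEAM = {"sec-alice", "sec-bob"}


@dataclass
class Review:
    reviewer: str
    state: str        # "approved" or "changes_requested"
    commit_sha: str   # head commit the review was given on


@dataclass
class PullRequest:
    number: int
    author: str
    head_sha: str                       # commit that would actually be merged
    reviews: list = field(default_factory=list)  # chronological order


def check_merge_policy(pr, security_team=SECURITY_TEAM):
    """Return (allowed, reason) for a pull request under the policy."""
    # Only a reviewer's most recent verdict counts.
    latest = {}
    for r in pr.reviews:
        latest[r.reviewer] = r

    valid = []
    for r in latest.values():
        if r.reviewer == pr.author:
            continue                      # self-approval never counts
        if r.reviewer not in security_team:
            continue                      # peer review is welcome but not sufficient
        if r.state != "approved":
            return False, f"{r.reviewer} requested changes"
        if r.commit_sha != pr.head_sha:
            continue                      # stale: code was pushed after this approval
        valid.append(r.reviewer)

    if not valid:
        return False, "no security-team approval on the commit being merged"
    return True, "approved by " + ", ".join(sorted(valid))


def sample_pull_requests():
    """Constructed records covering the cases the policy must handle."""
    return {
        "clean": PullRequest(101, "dev-carol", "a1b2",
                             [Review("sec-alice", "approved", "a1b2")]),
        "peer_only": PullRequest(102, "dev-carol", "c3d4",
                                 [Review("dev-dave", "approved", "c3d4")]),
        "self_approval": PullRequest(103, "sec-bob", "e5f6",
                                     [Review("sec-bob", "approved", "e5f6")]),
        "stale_approval": PullRequest(104, "dev-carol", "0a0b",
                                      [Review("sec-alice", "approved", "9f9e")]),
        "changes_requested": PullRequest(105, "dev-carol", "1122",
                                         [Review("sec-alice", "approved", "1122"),
                                          Review("sec-alice", "changes_requested", "1122")]),
    }


if __name__ == "__main__":
    for name, pr in sample_pull_requests().items():
        allowed, reason = check_merge_policy(pr)
        print(f"PR #{pr.number} ({name}): {'MERGE' if allowed else 'BLOCK'} - {reason}")
```

The stale-approval case is the one worth wiring into a real merge gate: an approval that does not name the exact commit being merged lets an engineer get a clean review and then push a different change on top of it.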
Richardson’s comments came after he highlighted the rise in North Korean hackers fraudulently securing jobs at crypto firms by faking their identities.
“They’re both applying to companies or trying to get engineers at crypto companies to download fake resumes, fake malware to infiltrate these systems,” Richardson said.
Richardson says all code must be reviewed before being finalized
On Aug. 16, blockchain investigator ZachXBT claimed he had uncovered evidence of a sophisticated network of North Korean developers who earn as much as $500,000 a month working for “established” crypto projects.
“Recently a team reached out to me for assistance after $1.3M was stolen from the treasury after malicious code had been pushed,” ZachXBT said. He explained that “Unbeknownst” to the firm, they had hired multiple DPRK IT “workers as devs who were using fake identities.”
Related: Zero-day vulnerability in Chrome exploited by North Korean hackers
Meanwhile, on Sept. 3, Cointelegraph reported that the FBI said North Korean malicious cyber actors were targeting workers at decentralized finance and crypto firms to steal funds through “complex and elaborate” social engineering campaigns.
Specifically, the federal agency warned that the scammers had researched firms associated with crypto-tied exchange-traded funds, or ETFs.