Key Takeaways

  • Speaking at Token2049 in Singapore, Immunefi’s chief executive, Mitchell Amador, revealed to Decrypt that Artificial Intelligence has democratized sophisticated hacking tools, making them accessible to groups like Lazarus, potentially leading to escalated cyber attacks.
  • Despite disbursing over $100 million through bug bounty programs, Amador argues that these initiatives are reaching their limit, due to a shortage of skilled security researchers able to provide comprehensive coverage.
  • The $1.4 billion breach targeting Bybit circumvented conventional smart contract safeguards by targeting underlying infrastructure, exposing critical vulnerabilities where existing defense mechanisms fall short, according to Amador.

Experts warn that AI is leveling the playing field, providing crypto attackers with capabilities similar to those used by security professionals, resulting in billions of dollars in losses for the cryptocurrency sector.

In an exclusive interview with Decrypt at Token2049 in Singapore, Immunefi CEO Mitchell Amador stated that AI is accelerating the process of identifying and exploiting vulnerabilities. Tools previously available only to cybersecurity firms are now in the hands of malicious actors.

Amador posed the question of whether groups like North Korea’s Lazarus or various Russian and Ukrainian hacking collectives could develop similar AI-powered tools, and answered it affirmatively, underscoring how accessible these technologies have become.

While Immunefi’s AI-driven auditing system surpasses the capabilities of many traditional firms, Amador cautioned that this same advanced technology is becoming attainable for well-resourced hacking organizations.

“Audits are crucial, but insufficient to keep pace with the accelerating innovation and sophistication of cyber attackers,” Amador emphasized.

With over 3% of the total value locked stolen from the crypto ecosystem in 2024, Amador highlighted that while security is now a priority, projects often struggle with resource allocation and effective security investment.

He further stated that the industry has transitioned from a “prioritization problem” to a “knowledge and educational problem.”

AI has drastically reduced the cost of sophisticated social engineering attacks, according to Amador.

He illustrated this by pointing to AI-generated phishing calls capable of convincingly mimicking colleagues. “The cost of executing such a call is negligible, and with a well-designed prompting system, they can be deployed at scale, which is extremely alarming,” he explained.

Amador estimates that groups like Lazarus employ “hundreds, if not thousands” of individuals dedicated to exploiting cryptocurrency vulnerabilities as a primary source of revenue for North Korea.

A recent SentinelLABS intelligence report highlighted that competitive pressures stemming from annual revenue targets drive operatives to focus on individual gains over coordinated security improvements.

“AI-driven attacks accelerate the timeline from vulnerability discovery to exploitation,” Amador told Decrypt. “The only effective defense is to develop even faster countermeasures.”

Immunefi is integrating AI directly into developers’ GitHub repositories and CI/CD pipelines to identify vulnerabilities before code is deployed. Amador anticipates this strategy will lead to a “significant decline” in DeFi hacks within the next one to two years, potentially reducing incidents by an order of magnitude.

Dmytro Matviiv, CEO of Web3 bug bounty platform HackenProof, told Decrypt that “manual audits will remain relevant, but their function will evolve.”

“AI tools are becoming increasingly adept at finding ‘low-hanging fruit’ vulnerabilities, which reduces the need for extensive manual reviews of common errors,” he said. “What remains are the complex, context-specific problems that demand in-depth human knowledge.”

To combat AI-driven attacks, Immunefi has implemented a whitelist-only policy for all company resources and infrastructure, which Amador claims has “effectively neutralized thousands of attempted spear phishing attacks.”

However, Amador acknowledged that such stringent security measures are impractical for most organizations, emphasizing, “Immunefi can implement these policies because security is our core business. For ordinary people, who have other priorities, it’s simply not feasible.”

Bug Bounty Programs Face Limitations

Immunefi has facilitated payments of over $100 million to ethical hackers, with monthly payouts ranging from $1 million to $5 million. Yet, Amador told Decrypt that the platform has “reached its limitations” due to a scarcity of security professionals to adequately cover the entire industry.

The bottleneck is not only researcher availability but also the inherently zero-sum nature of bug bounties, which can create conflicting incentives for both parties, according to Amador.

Researchers must reveal vulnerabilities to prove their existence, but doing so diminishes their bargaining power. Immunefi addresses this by negotiating comprehensive agreements before disclosure, Amador explained.

Matviiv, however, told Decrypt that he believes “we are far from exhausting the global pool of security talent,” highlighting that new researchers join these platforms every year, rapidly progressing from “simple findings to highly intricate vulnerabilities.”

“The key is creating an environment attractive enough in terms of incentives and community for newcomers to stay involved.”

Amador suggested that bug bounties have likely reached their “peak efficiency,” barring entirely novel approaches not yet seen in traditional programs.

The company is researching AI-based hybrid solutions to empower individual researchers to audit a larger number of protocols at scale, but these are currently in the research and development phase.

Matviiv emphasized that bug bounties remain vital because “a diverse, external community is best suited to identifying edge cases that automated systems or internal teams may overlook,” but increasingly, they will operate alongside AI-powered scanning, monitoring, and auditing in “hybrid models.”

Major Hacks Circumvent Code Security

While smart contract audits and bug bounties have improved significantly, the most damaging breaches increasingly sidestep code vulnerabilities altogether.

Amador cited the $1.4 billion Bybit hack as a prime example: attackers compromised Safe’s front-end infrastructure to substitute their own multi-signature transactions for legitimate ones, without exploiting any smart contract flaw.

“That attack could not have been prevented by an audit or bug bounty,” he stated. “It was a consequence of a compromised internal infrastructure system.”

Despite progress in areas like audits, CI/CD pipelines, and bug bounties, Amador expressed concern that the industry is “not performing well” regarding multi-sig security, spear phishing, anti-scam efforts, and community protection.

Amador said Immunefi has introduced a multi-sig security solution in which elite white-hat hackers manually review critical transactions before execution, and claimed it could have prevented the Bybit attack. However, he conceded that this is a reactive measure rather than a preventive one.

This disparity in progress explains why 2024 has been the worst year for hacks despite improvements in code security. Amador suggested that hack patterns follow a consistent statistical distribution, making a major incident inevitable each year rather than an anomaly.

“There will always be a large outlier,” he said. “It’s not an unexpected event, but rather part of a predictable pattern. There’s always one major hack per year.”

Matviiv agreed that smart contract security has matured significantly, but emphasized that “the next challenge is the broader attack surface, including multi-sig wallet configurations, key management, phishing, governance attacks, and ecosystem-level exploits.”

Amador told Decrypt that effective security requires identifying vulnerabilities as early as possible in the development lifecycle.

“The second most costly scenario is a bug bounty, and the most expensive is a hack,” he noted, outlining a cost hierarchy that increases dramatically at each stage.

“We’re identifying bugs before they reach production, even before they are included in audits,” Amador added. “These vulnerabilities would never even be detected by an audit, as they would not be focusing on those early stage issues.”

While the severity of individual hacks remains high, Amador reported that “the rate of incidence is declining, the severity of most bugs is decreasing, and we’re identifying these issues earlier in the cycle.”

When asked at Token2049 to recommend a single security measure for all projects, Amador advocated for a “Unified Security Platform” to address multiple attack vectors.

He emphasized that fragmented security approaches force projects to “conduct their own research” on products, limitations, and processes.

“We are not yet prepared to manage trillions of dollars in assets. We’re not quite ready for prime time.”
